VAST Cluster supports ID mapping on NFSv4.1 clients. ID mapping is a client service that translates numeric UIDs and GIDs to user names and group names. The client sends those user names and group names in the RPC instead of sending UIDs and GIDs. The user names and group names are sent in the format principal@domain, where principal is the principal name of the user or group and domain is a configured domain name.
ID mapping is supported with the client and the cluster being joined to the same Active Directory domain. The VAST NFSv4.1 server validates the domain name in the client RPCs and strips the domain to obtain the user and group principal names. Authorization queries are done using those principal names instead of UIDs and GIDs. For details of the authorization flow, see The VAST Cluster Authorization Flow.
Authorization providers other than Active Directory are not supported with NFSv4.1.
NFSv4.1 ID mapping requires certain configurations on each client host and on the cluster in order that users will be authorized to access files with the correct permissions.
The cluster must be joined to an Active Directory domain.
In the Active Directory configuration, the following settings, which are part of the LDAP configuration, impact the ID mapping behavior:
Domain name. This must be set to the same domain that each client host using ID mapping is joined to. VAST Cluster will use this domain name to validate user and group names declared in NFSv4.1 requests. VAST Cluster will also use this domain to query those user and group names when adding or refreshing user entries in the cluster user database.
There is a cluster-wide limitation such that the cluster can be joined to one domain only. Therefore, if there are any additional providers configured on the cluster, they must use the same domain.
When the cluster joins an AD domain, a principal specifically required for NFSv4.1 ID mapping is added to the list of ServicePrincipalNames (SPNs). This principal is called nfs@cluster_name.
Under Advanced attribute mappings, user login name and group login name. These fields specify which attributes of the user and group object classes in the joined Active Directory domain store the principal names of users and groups. These attributes are used when the cluster queries AD for principal names that are sent in RPCs with ID mapping. This is done when creating and refreshing user entries in the VAST user database, which is used for authorizing file access. The default value for each of these fields is sAMAccountName.
For details of how to configure and join Active Directory, see Joining Active Directory (AD).
When configuring ID mapping on a client host to work with VAST Cluster, the following configurations are needed:
Since Kerberos authentication is not supported in VAST Cluster 4.0, clients will mount with the default AUTH_SYS security mode. Depending on the Linux distribution, ID mapping may be disabled by default for all mounts, especially when the default AUTH_SYS security mode is used. Consult the documentation for your Linux distribution for how to enable ID mapping for NFSv4.1.
The client must be joined to the same Active Directory server domain as VAST Cluster.
The joined Active Directory domain must contain user and group entries which provide the mapping between user names and numeric UIDs, define users' group memberships, and provide a mapping between group names and numeric GIDs.
A method for the ID mapping service to use for mapping between principal names and numeric IDs should be installed, such as sssd-tools.
Edit the ID mapping configuration file, /etc/idmapd.conf, and set the following:
The domain name (Domain, under [General]) should be set to the name of the joined AD domain.
The translation method (Method, under [Translation]), shown as Method = sss in the example below.
For example:

    ...
    [General]
    Domain = ad.company.com

    [Mapping]

    [Translation]
    Method = sss
    ...
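The following is an added example (not VAST's code) that models the two checks described on this page: that a client's /etc/idmapd.conf names the same AD domain the cluster is joined to and uses the sss translation method, and the server-side step of validating the domain in a principal@domain owner string and stripping it to obtain the bare principal used for authorization. The sample idmapd.conf content and the domain ad.company.com are constructed for illustration.

```python
import configparser
from typing import List, Optional

# Constructed sample of /etc/idmapd.conf on a client joined to ad.company.com.
SAMPLE_IDMAPD_CONF = """
[General]
Domain = ad.company.com

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = sss
"""

# The AD domain the cluster is joined to (assumed value for this example).
CLUSTER_AD_DOMAIN = "ad.company.com"


def check_idmapd_conf(text: str, cluster_domain: str) -> List[str]:
    """Return a list of problems found in an idmapd.conf; empty means it matches."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    problems = []
    domain = cp.get("General", "Domain", fallback=None)
    if domain is None:
        problems.append("General.Domain is not set")
    elif domain.strip().lower() != cluster_domain.lower():  # DNS names are case-insensitive
        problems.append(f"General.Domain {domain!r} != cluster domain {cluster_domain!r}")
    # nfsidmap accepts a comma-separated list of methods; sss must be among them.
    method = cp.get("Translation", "Method", fallback="nsswitch")
    if "sss" not in [m.strip() for m in method.split(",")]:
        problems.append(f"Translation.Method {method!r} does not include sss")
    return problems


def principal_from_owner(owner: str, cluster_domain: str) -> Optional[str]:
    """Model the server-side step: accept principal@domain only when the domain
    matches the joined AD domain, and return the bare principal for lookup.
    Returns None for a malformed owner string or a foreign domain."""
    if owner.count("@") != 1:
        return None
    principal, domain = owner.split("@")
    if not principal or domain.lower() != cluster_domain.lower():
        return None
    return principal
```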