VAST Cluster supports ID mapping on NFSv4.1 clients. ID mapping is a client-side service that translates between numeric UIDs and GIDs and user and group names. NFSv4.1 clients send user and group names in their requests, whereas NFSv3 clients send numeric UIDs and GIDs. The names are sent in the form principal@domain, where principal is the name of the user or group and domain is a configured domain name, for example jsmith@somelab.org.
ID mapping is supported when the client and the cluster are joined to the same Active Directory domain. The VAST NFSv4.1 server validates the domain part of each name in a client request and strips it to obtain the user or group principal name. Authorization queries are then made with those principal names instead of UIDs and GIDs. For details of the authorization flow, see The VAST Cluster Authorization Flow.
Note
Clients mounting with Kerberos authentication always use ID mapping, so the configuration described below must be completed correctly before Kerberos-authenticated requests can be authorized.
Note
External authorization providers other than Active Directory are not supported with NFSv4.1.
NFSv4.1 ID mapping requires certain configuration on each client host and on the cluster so that users are authorized to access files with the correct permissions.
- The cluster must be joined to an Active Directory domain.
- In the Active Directory configuration, the following settings, which are part of the LDAP configuration, affect ID mapping behavior:
  - Domain name. This must be set to the same domain that each client host using ID mapping is joined to. VAST Cluster uses this domain name to validate the user and group names declared in NFSv4.1 requests, and also uses it to query those user and group names when adding or refreshing user entries in the cluster user database.
    Important
    The cluster can be joined to one domain only; this is a cluster-wide limitation. Therefore, if any additional providers are configured on the cluster, they must use the same domain.
  - Under Advanced attribute mappings, user login name and group login name. These fields specify which attributes of the user and group object classes in the joined Active Directory domain store the principal names of users and groups. The cluster uses these attributes when it queries AD for the principal names sent in requests with ID mapping, which happens when creating and refreshing user entries in the VAST user database that is used to authorize file access. Set each of these fields to sAMAccountName (the default when you select AD in the Templates for Advanced Settings field).
- For details of how to configure and join Active Directory, see Joining Active Directory.
When configuring ID mapping on a client host to work with VAST Cluster, the following configuration is needed:
- If clients mount with the default AUTH_SYS security mode, ID mapping may be disabled on the client, depending on the Linux distribution (on Linux, the nfs module parameter nfs4_disable_idmapping controls whether AUTH_SYS mounts send numeric IDs instead of names). Consult the documentation for your Linux distribution for how to ensure that ID mapping is enabled for NFSv4.1 client mounts, if you want it in AUTH_SYS mode.
- The client must be joined to the same Active Directory domain as VAST Cluster.
- The joined Active Directory domain must contain user and group entries that map user names to numeric UIDs, define users' group memberships, and map group names to numeric GIDs.
- A method for the ID mapping service to use for mapping between principal names and numeric IDs must be installed, such as the System Security Services Daemon (SSSD).
- Edit the ID mapping configuration file, /etc/idmapd.conf, and set the following:
  - The domain name, which must be set to the name of the joined AD domain.
  - The translation method.
  For example:
      ...
      [General]
      Domain = ad.company.com

      [Mapping]

      [Translation]
      Method = sss
      ...
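The following POSIX shell script is an added example, not part of the VAST documentation or of any VAST tooling. It checks a client's idmapd.conf against the values the procedure above calls for: the [General] Domain must equal the joined AD domain (compared case-insensitively, since AD domain names are), and the [Translation] Method list must include sss. The file path and expected domain are arguments, so the same checks run offline against a constructed file. The optional live checks assume the standard nfs-utils and realmd commands nfsidmap -d (prints the effective NFSv4 domain) and realm list --name-only, and skip themselves when those tools are not installed; the script name is an assumption.

```shell
#!/bin/sh
# check_idmap_client.sh - added example, not part of the VAST documentation.
# Checks an NFSv4.1 client's idmapd.conf against what the VAST server
# expects: [General] Domain equal to the joined AD domain and [Translation]
# Method including sss. The file path and expected domain are arguments so
# the same checks can run offline against a constructed file.

# Print the value of KEY from [SECTION] of an idmapd.conf-style file.
# Comment lines (#) are skipped; keys and values are trimmed of whitespace.
idmap_get() { # file section key
  awk -v sec="[$2]" -v key="$3" '
    /^[ \t]*#/ { next }
    /^[ \t]*\[/ { line = $0; gsub(/[ \t]/, "", line); insec = (line == sec); next }
    insec && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1)
      v = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Return 0 if FILE has Domain = EXPECTED (case-insensitive) and a Method
# list that contains sss; otherwise report each problem on stderr and
# return 1.
check_idmap_conf() { # file expected_domain
  domain=$(idmap_get "$1" General Domain)
  method=$(idmap_get "$1" Translation Method)
  rc=0
  if [ "$(lower "$domain")" != "$(lower "$2")" ]; then
    echo "Domain is '${domain:-<unset>}', expected '$2'" >&2
    rc=1
  fi
  # Method may be a comma-separated list, e.g. "nsswitch,sss".
  case ",$(printf '%s' "$method" | tr -d ' \t')," in
    *,sss,*) ;;
    *) echo "Translation Method is '${method:-<unset>}', expected sss" >&2; rc=1 ;;
  esac
  return $rc
}

# Live checks on a joined host: compare the domain the kernel's idmap
# upcall will use (nfsidmap -d) and the realm the host is joined to
# (realm list) with the expected domain. Each check is skipped when the
# tool is absent, so this is safe to run on a build box.
live_check() { # expected_domain
  rc=0
  if command -v nfsidmap >/dev/null 2>&1; then
    eff=$(nfsidmap -d 2>/dev/null)
    [ "$(lower "$eff")" = "$(lower "$1")" ] || { echo "nfsidmap -d reports '$eff'" >&2; rc=1; }
  fi
  if command -v realm >/dev/null 2>&1; then
    realm list --name-only 2>/dev/null | grep -Fqix "$1" || { echo "host is not joined to $1" >&2; rc=1; }
  fi
  return $rc
}

# Usage: check_idmap_client.sh /etc/idmapd.conf ad.company.com
if [ "$#" -eq 2 ]; then
  check_idmap_conf "$1" "$2" && live_check "$2" \
    && echo "ID mapping client configuration looks consistent with $2"
fi
```

Run it as check_idmap_client.sh /etc/idmapd.conf ad.company.com on each client before attempting a Kerberos mount (for example with the mount options vers=4.1,sec=krb5), because such mounts always go through ID mapping and a domain mismatch shows up as files owned by the nobody user rather than as a clear error.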