    Configure a NAS server for multiprotocol file sharing

    Overview of configuring NAS servers for multiprotocol file sharing

    Configuring a multiprotocol NAS server in the GUI requires specifying the following information:

    • SP that the NAS server will run on.
    • Pool used to store the NAS server's configuration data, such as anti-virus configurations, NDMP settings, network interfaces, and IP addresses.
    • IP interfaces that the NAS server will use for outgoing connections to hosts.
    • DNS server IP address and DNS domain for contacting the AD.
    • Credential of an Active Directory (AD) user with privileges for joining the AD.
    • UNIX Directory Service (UDS) information. For NIS, this includes the domain name and the IP addresses of the NIS servers. For LDAP, this includes the IP addresses of the LDAP servers, the Base DN, and authentication information. For local files, this includes the username, password, UID, and GID.

    The following table describes the available NAS server configurations for multiprotocol NAS servers. For each operating environment, it gives the NAS server function and the recommended configuration options.

    Operating environment: Balanced UNIX and Windows environment; that is, when your system requires a 1:1 mapping of all or most users.
    NAS server function: Provide both SMB and NFS access to the same file system data.
    Recommended configuration options:
    1. Make sure an NTP server is configured for the system and that DNS is configured for the NAS server.
    2. Do the following in the Create a NAS Server wizard:
      • On the Sharing Protocols tab, select Multiprotocol.
      • Join the NAS server to a Windows AD domain.
      • Configure a UDS (LDAP or NIS), local files, or both local files and a UDS to manage user identities.
      • Configure DNS.
    3. Optionally customize the mappings between Windows user accounts and Unix user accounts by modifying and uploading a user mapping file with advanced naming rules (ntxmap). Do this when the same users follow different naming rules in Windows and Unix.

    Operating environment: Unix environment with the ability to access file system data through SMB.
    NAS server function: Provide NFS access to file system data and optionally provide SMB access to the same file system data for some Windows accounts.
    Recommended configuration options:
    1. Follow the steps in the Balanced UNIX and Windows environment row for creating a NAS server, configuring a Unix directory service or local files, and optionally customizing the mappings between Windows user accounts and Unix user accounts.
    2. On the NAS server properties page for the new NAS server, optionally select Sharing Protocols > Multiprotocol, and then configure a default Unix user account. All unmapped Windows accounts will be mapped to this user account.
      If you use a default Unix account for SMB users, these users are mapped to one UID. Therefore, only one user quota applies to all of these users.
    3. When you create file systems for the NAS server, it is recommended that you specify a file system access policy of Unix.

    Operating environment: Windows environment with the ability to access file system data through NFS.
    NAS server function: Provide SMB access to file system data and optionally provide NFS access to the same file system data for some Unix accounts.
    Recommended configuration options:
    1. Follow the steps in the Balanced UNIX and Windows environment row for creating a NAS server, and optionally use ntxmap to customize the mappings between Windows user accounts and Unix user accounts.
    2. On the NAS server properties page for the new NAS server, optionally select Sharing Protocols > Multiprotocol, and then configure a default Windows user account. All unmapped Unix accounts will be mapped to this user account.
      If you use a default Windows account for Unix users, these users are mapped to one SID. Therefore, only one user quota applies to all of these users.
    3. When you create file systems for the NAS server, it is recommended that you specify a file system access policy of Windows.

    Create a NAS server for multiprotocol file sharing (SMB and NFS)

    Before you begin

    When you create a NAS server that supports multiprotocol file sharing, it must be joined to an Active Directory (AD). This requires that an NTP server is configured on the storage system.

    Obtain the following information:

    • (Optional) Name of the tenant to associate with the NAS server.
    • Name of the pool to store the NAS server's metadata.
    • Storage Processor (SP) on which the NAS server will run.
    • IP address information for the NAS server.
    • VLAN ID, if the switch port supports VLAN tagging. If you associate a tenant with the NAS server, you must choose a VLAN ID.
    • AD information, including the SMB computer name (used to access SMB shares), and either the domain administrator's credentials or the credentials of a user of the domain who has privileges for joining the AD. You can optionally specify the NetBIOS name and organizational unit. The NetBIOS name defaults to the first 15 characters of the SMB server name. The organizational unit defaults to OU=Computers,OU=EMC NAS servers.
    • UNIX Directory Service (UDS) information for NIS, LDAP, or local files. The UDS provides the UNIX UID and GID for AD users.
      You can configure mappings for some users in the UDS and let the others be mapped through the default account.
    • DNS server and domain information.
    • Replication information (optional).

    It is recommended that you balance the number of NAS servers on both SPs.

    You cannot disable multiprotocol file sharing for a NAS server once a file system is created on that NAS server.

    Procedure
    1. Under Storage, select File > NAS Servers.
    2. Select the Add icon.
    3. On the General and Interface pages, specify the relevant settings while noting the following:
      • On the General page, the Server name identifies the NAS server. It is not a network name.
      • Optionally select a tenant to associate with the NAS server.
        Once you create a NAS server that has an associated tenant, you cannot change this association.
      • On the Interface page, optionally select a VLAN. If you selected a tenant on the General page, you must select a VLAN. The list of VLANs represent the VLANs associated with the selected tenant.
    4. On the Sharing Protocols page:
      • Select Multiprotocol, and join the NAS server to the AD.
      • Optionally click Advanced to change the default NetBIOS name and organizational unit.
      • Select whether to enable NFSv3, NFSv4, or both.
      • Optionally enable support for Virtual Volumes (VVols).
      • Optionally click Configure secure NFS to enable secure NFS with Kerberos. When you enable secure NFS, you can choose to authenticate using the Windows Kerberos realm (that is, the Windows domain) configured on the NAS server, or you can configure and use a custom realm.
        It is recommended that you use LDAPS with secure NFS.
    5. On the Unix Directory Service page, configure one of the following directory services:
      • Local files
      • NIS
      • LDAP
      • Local files and NIS or LDAP
      If you configure local files with NIS or LDAP, the system queries the local files first. You can configure LDAP to use anonymous, simple, or Kerberos authentication. You can also configure LDAP with SSL (LDAP Secure) and can enforce the use of a Certificate Authority certificate for authentication.
    6. On the DNS page, configure DNS for the NAS server.
    7. On the Replication page, optionally select a replication mode and Recovery Point Objective (RPO) for the NAS server.

    Configure NAS server sharing protocols and FTP/SFTP support

    1. Access the NAS server sharing protocol options from the Sharing Protocols window in the Create a NAS server wizard.
    2. Perform the following tasks to configure the sharing protocol options. Each task is followed by its description.

    Task: Enable the NAS server's ability to support multiprotocol file sharing (SMB and NFS shares on the same file system).
    Description: Select Multiprotocol. Once you enable multiprotocol file sharing for a NAS server that has associated file systems, you cannot disable it.

    Task: Join the NAS server to the Active Directory domain.
    Description:
    1. Select Join to the Active Directory domain.
    2. Specify the requested information.
    3. Optionally, click Advanced to change the default NetBIOS name and organizational unit.

    Task: Optionally enable the NAS server's ability to serve VVols.
    Description: Select Enable VVols.

    Task: Optionally enable NFSv4.
    Description: Select Enable NFSv4. If you do not select this option, NFSv3 is used by default.

    Task: Optionally enable support for secure NFS.
    Description: Select Show advanced, and then select or clear Enable Secure NFS (with Kerberos). For detailed information about configuring NFS with Kerberos, see the online help.

    Task: Optionally enable the NAS server's ability to share files using FTP or SFTP.
    Description:
    1. Select the FTP sub-tab.
    2. Select Enable FTP or Enable SFTP. SFTP is recommended over FTP, because SFTP encrypts the data it transmits.
    3. Optionally customize user authentication, user home directory, and message settings.

    Configure a NAS server Unix Directory Service

    When you configure a NAS server that supports multiprotocol file sharing, you must configure a way to look up identity information, such as UIDs, GIDs, netgroups, and so on.

    There are three ways to configure identity lookups: local files, NIS, or LDAP. You can also use local files together with NIS or LDAP.

    If you configure local files with a UDS, the storage system queries the local files first.

    If you are creating a new NAS server, use the Unix Directory Service window in the Create a NAS server wizard to configure identity lookups.

    If you are configuring a UDS for an existing NAS server, access the Naming Services tab to access the identity lookup options:

    1. Under Storage, select File > NAS Servers.
    2. Select a NAS server, and then select the Edit icon.
    3. Select the Naming Services tab.

    Using local files

    To enable the use of local files for directory services when you are creating a NAS server:

    1. From the Unix Directory Service window in the Create a NAS server wizard, select Enable a Unix Directory service using Local Files.
    2. Create the password file for the UDS. To view the template for this file, select Open a Passwd File Template.
    3. Select Upload Passwd File to upload the password file to the NAS server.

    After you create the NAS server, you can upload additional local files as specified below.

    To enable the use of local files for directory services for an existing NAS server:

    1. From the Naming Services tab, select the Local Files sub-tab.
    2. Select Enable a Unix Directory service using Local Files.
    3. For each type of local file, select Retrieve current <file-type> file to download the current file. If there is no file on the storage system, the system downloads a file template.
    4. Make the necessary changes to the file.
    5. Select Upload New <file-type> File to upload the file.

    To troubleshoot issues with configuring local files, ensure that:

    • The file is created with the proper syntax (six colons are required on each line). Refer to the template for more details about the syntax and for examples.
    • Each user has a unique name and UID.
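    As an added example (not code from the Dell EMC documentation or product), the following Python checker applies the two rules just listed to a passwd-style local file before it is uploaded: six colons per line, and a unique name and UID per user. The field layout, the sample entries, and the extra UID 0 warning (the page warns later that a default Unix user resolving to UID 0 grants root) are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a local passwd file as the page describes it:
# seven colon-separated fields (six colons) per line, unique names and UIDs.
# Lines 4 to 7 each break one of the rules on purpose.
SAMPLE_PASSWD = """\
# name:password:uid:gid:gecos:home:shell
alice:x:1001:100:Alice Example:/home/alice:/bin/sh
bob:x:1002:100:Bob Example:/home/bob:/bin/sh
carol:x:1002:100:Carol Example:/home/carol:/bin/sh
bob:x:1003:100:Duplicate name:/home/bob2:/bin/sh
broken:x:1004:100:Only five colons:/home/broken
svc:x:0:0:Service account:/:/sbin/nologin
"""

NAME_RE = re.compile(r"[A-Za-z0-9._-]+")   # assumed user name syntax


@dataclass
class Finding:
    line_no: int
    severity: str   # "error" should block the upload, "warning" is a security note
    problem: str


@dataclass
class PasswdReport:
    users: dict = field(default_factory=dict)    # name -> uid for accepted entries
    findings: list = field(default_factory=list)

    def ok(self) -> bool:
        return not any(f.severity == "error" for f in self.findings)


def check_local_passwd(text: str) -> PasswdReport:
    """Validate passwd-file content against the rules the page states."""
    report = PasswdReport()
    seen_uids = {}   # uid -> name, to detect duplicate UIDs
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue   # blank lines and comments carry no entry
        colons = line.count(":")
        if colons != 6:
            report.findings.append(Finding(line_no, "error", f"expected 6 colons, found {colons}"))
            continue
        name, _pw, uid_s, gid_s, _gecos, _home, _shell = line.split(":")
        if not NAME_RE.fullmatch(name):
            report.findings.append(Finding(line_no, "error", f"invalid user name {name!r}"))
            continue
        if not (uid_s.isdigit() and gid_s.isdigit()):
            report.findings.append(Finding(line_no, "error", "UID and GID must be decimal integers"))
            continue
        uid = int(uid_s)
        if name in report.users:
            report.findings.append(Finding(line_no, "error", f"duplicate user name {name!r}"))
            continue
        if uid in seen_uids:
            report.findings.append(Finding(line_no, "error", f"UID {uid} already used by {seen_uids[uid]!r}"))
            continue
        if uid == 0:
            # Not a syntax problem, but the page warns that a default Unix user
            # resolving to UID 0 grants full root access, so flag it for review.
            report.findings.append(Finding(line_no, "warning", f"{name!r} has UID 0 (root)"))
        seen_uids[uid] = name
        report.users[name] = uid
    return report
```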

    Configuring a Unix Directory Service using NIS

    To configure a UDS using NIS when you are creating a NAS server:

    1. From the Unix Directory Service window in the Create a NAS server wizard, select the LDAP/NIS sub-tab.
    2. In the Enable Unix Directory service field, select NIS.
    3. Enter an NIS domain and add up to three IP addresses for the NIS servers.

    To configure a UDS using NIS for an existing NAS server:

    1. From the Naming Services tab, select the LDAP/NIS sub-tab.
    2. In the Enable Unix Directory service field, select NIS.
    3. Enter an NIS domain and add up to three IP addresses for the NIS servers.

    To troubleshoot issues with configuring a UDS using NIS, ensure that the NIS server domain and server IP addresses you enter are correct.

    Configure a UDS using LDAP

    LDAP must adhere to the IDMU, RFC2307, or RFC2307bis schemas. Some examples include AD LDAP with IDMU, iPlanet, and OpenLDAP. The LDAP server must be configured properly to provide UIDs for each user. For example, on IDMU, the administrator must go into the properties of each user and add a UID on the UNIX Attributes tab.

    To configure a UDS using LDAP when you are creating a NAS server:

    1. From the Unix Directory Service window in the Create a NAS server wizard, select the LDAP/NIS sub-tab.
    2. In the Enable Unix Directory service field, select LDAP.
    3. Select how the NAS server will obtain LDAP server IPs:
      • If you leave the default option, the NAS server will use DNS service discovery to obtain LDAP server IP addresses automatically. For this discovery process to work, the DNS server must contain pointers to the LDAP servers, and the LDAP servers must share the same authentication settings.
      • To manually enter the IP addresses of LDAP servers, select Configure LDAP server IPs manually, enter each IP address, and click Add.
    4. Configure the LDAP authentication as described in Table 1.

    To configure a UDS using LDAP for an existing NAS server:

    1. From the Naming Services tab, select the LDAP/NIS sub-tab.
    2. In the Enable Unix Directory service field, select LDAP.
    3. Configure the LDAP authentication as described in Table 1.
    By default, LDAP uses port 389, and LDAPS (LDAP over SSL) uses port 636.

    Table 1. LDAP authentication

    Option: LDAP with Anonymous or Simple authentication
    Considerations:
    For Anonymous authentication, add the LDAP servers and specify the port number used by the LDAP servers, the Base DN, and the Profile DN for the iPlanet/OpenLDAP server.

    For Simple authentication, add the LDAP servers and specify the following:

    • If using AD LDAP/IDMU:
      • Port number used by the LDAP servers.
      • User account in LDAP notation format; for example, cn=administrator,cn=users,dc=svt,dc=lab,dc=com.
      • User account password.
      • Base DN, which corresponds to the Fully Qualified Domain Name (for example, svt.lab.com).
    • If using the iPlanet/OpenLDAP server:
      • User account in LDAP notation format; for example, cn=administrator,cn=users,dc=svt,dc=lab,dc=com.
      • Password.
      • Base DN. For example, if using svt.lab.com, the Base DN would be DC=svt,DC=lab,DC=com.
      • Profile DN for the iPlanet/OpenLDAP server.

    Option: LDAP with Kerberos authentication
    Considerations:
    There are two methods for configuring Kerberos:
    • Authenticate to the SMB domain. With this option, you can either authenticate using the SMB server account or authenticate with other credentials.
    • Configure a custom realm to point to any type of Kerberos realm (Windows, MIT, Heimdal). With this option, the NAS server uses the custom Kerberos realm defined in the Kerberos subsection of the NAS server's Security tab. AD authentication of the SMB server is not used when you choose this option.
      If you use secure NFS with a custom realm, you must upload a keytab file.

    To troubleshoot issues with configuring a UDS using LDAP, ensure that:

    • The LDAP configuration adheres to one of the supported schemas, as described earlier in this topic.
    • All of the containers specified in the ldap.conf file point to containers that are valid and exist.
    • Each LDAP user is configured with a unique UID.

    You can also use the -ldap option of the svc_nas service command to troubleshoot LDAP issues. This command can display advanced diagnostics for the connection to the LDAP server and can run a user name resolution to ensure that the LDAP settings are correct. For more information, see the Service Commands Technical Notes, which is available from the UnityOE Features Info Hub.

    Upload an LDAPS CA certificate for a NAS server

    Procedure
    1. Under Storage, select File > NAS Servers.
    2. Select the relevant NAS server, and click the Edit icon.
    3. On the Naming Services tab, select the LDAP/NIS sub-tab.
    4. Select LDAP Secure (Use SSL) and Enforce Certification Authority (CA) Certificate, if these options are not already selected. These options are available for Anonymous and Simple authentication.
    5. Select Upload CA Certificate, locate the certificate to upload, and click Start Upload.

    Change NAS server Unix credential settings

    Procedure
    1. Under Storage, select File > NAS Servers.
    2. Select the relevant NAS server from the list, and then select the Edit icon.
    3. On the Sharing Protocols tab, select Show advanced.
    4. Make the desired changes, as described in the following table.
      Table 2. NAS server Unix credential settings

      Task: Extend the Unix credential to enable the storage system to obtain more than 16 group GIDs. With secure NFS, the Unix credential is always built by the NAS server, so this option does not apply.
      Description: Select or clear Enable extended Unix credentials.
      • If this field is selected, the NAS server uses the User ID (UID) to obtain the primary Group ID (GID) and all group GIDs to which the user belongs. The NAS server obtains the GIDs from the local password file or UDS.
      • If this field is cleared, the Unix credential of the NFS request is extracted directly from the network information contained in the frame. This method has better performance, but it is limited to at most 16 group GIDs.

      Task: Specify a Unix credential cache retention period. This option can lead to better performance, because it reuses the Unix credential from the cache instead of building it for each request.
      Description: In the Credential cache retention field, enter a time period (in minutes) for which access credentials are retained in the cache. The default value is 15 minutes, the minimum value is 1 minute, and the maximum value is 1439 minutes.

    View the active LDAPS CA certificate for a NAS server

    This option is available for anonymous and simple LDAP authentication that uses SSL and enforces the Certification Authority (CA) certificate.

    Procedure
    1. Under Storage, select File > NAS Servers.
    2. Select the relevant NAS server from the list, and then select the Edit icon.
    3. Select the Naming Services tab, and then select the LDAP/NIS sub-tab.
    4. Click Retrieve CA Certificate.

    Configuring user mappings for multiprotocol NAS servers

    A multiprotocol environment requires the following types of user mappings:

    • In order to access a file system configured with a Unix access policy, a Windows user name must map to a corresponding Unix user name. In addition, the storage system must be able to resolve that Unix user name to a UID.
    • A Unix user name must map to a corresponding Windows user name when using NFS to access a file system configured with a Windows access policy.
    • A Unix user does not have to map to a corresponding Windows user when using NFS to access a file system configured with a Unix or native access policy.

    The system automatically creates a mapping between a Windows user and a Unix user when the same user name is defined in the Unix Directory Service (UDS) or local password file and in the Windows Active Directory (AD). Unix user names are case sensitive. For example, Windows User1 will automatically map to Unix User1. If the user names are different, you can upload a customized user mapping file (ntxmap) to create custom mapping rules. These rules can be bidirectional, or they can map Windows users to Unix users or Unix users to Windows users. The rules support wildcards and substitutions.

    To allow users with unmapped user names to access a file system, you can set default Unix and default Windows accounts for the NAS server.

    Automatic user mapping process

    The automatic user mapping process maps together the Unix UID and Windows SID. This is done by matching the user name from the UDS to the user name from the AD.

    If the administrator changes the UID of a user who previously connected to the NAS server, the NAS server will not automatically update the user mapping for that user unless a new re-mapping job is run from Unisphere.

    Default user names

    When you modify the NAS server sharing protocols, you can optionally configure default user accounts for a NAS server:

    • The default Unix user account specifies the Unix account to use for file system access from an unmapped Windows account. If you do not specify a default Unix account, an unmapped Windows user will not be able to access the system. The default Unix user account must exist in the configured UDS or the local password file. The default UNIX user can be a valid existing UNIX account name or follow the format @uid=xxxx,gid=yyyy@, where xxxx and yyyy are the decimal numerical values of the UID and the primary GID, respectively.

      Consider the following when you configure a default Unix user:

      • If you use a default Unix account for Windows users, these users will be mapped to one UID. Therefore, only one user quota will apply to all of these users.
      • Setting the default user to a UID of 0 or to a user that will be resolved to a 0 UID grants full root access to that user, which can be dangerous from a security point of view.
    • The default Windows account specifies the Windows account to use for file system access from an unmapped Unix account, if the file system access policy is Windows. For Windows security authorization, the credential is built from the Windows Domain Controller (DC) and Local Group Database (LGDB) of the SMB server. If you do not specify a default Windows account and if the default Windows user is not found in the Windows DC or the LGDB, an unmapped Unix user will not be able to access a file system that has a Windows access policy. The default Windows user account must be an existing user account in the AD in which the SMB server of the NAS server is joined. It is case insensitive.

    Automatic mapping for Windows users

    When you modify NAS server sharing protocols, you can optionally direct the system to automatically generate a Unix UID for each Windows user that is not already mapped to a Unix account through a directory service (LDAP or NIS) or local files. This option is available when there is no default UNIX user configured, and it is intended for multiprotocol configurations where most users are Windows users. Using this option allows for the retention of file system quotas for each unmapped Windows user. (File system quotas are based on the Unix UID.) The automatically generated Unix UIDs are in the reserved range of 0x80000001 to 0x803FFFFF.

    You cannot enable automatic mapping for Windows users if you have a default Unix user configured.
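    The following Python model is an added example, not code from the Dell EMC documentation or product. It works through the decision described in the Default user names and Automatic mapping sections above for a Windows user accessing a Unix-policy file system: an exact (case-sensitive) name match in the UDS wins, otherwise either the default Unix user applies or automatic mapping allocates a UID from the reserved range, and the two options cannot be combined. The UDS content, the sequential allocator, and the policy of refusing a default user that resolves to UID 0 are assumptions of this example.

```python
import re

# Reserved range for automatically generated Unix UIDs, as stated on the page.
AUTO_UID_MIN = 0x80000001
AUTO_UID_MAX = 0x803FFFFF

# Constructed UDS / local passwd content: Unix user name -> (uid, primary gid).
UDS_USERS = {
    "alice": (1001, 100),
    "bob": (1002, 100),
    "svc-backup": (0, 0),   # resolves to UID 0; the page warns this grants full root access
}

# The @uid=xxxx,gid=yyyy@ form the page allows for the default Unix user.
DEFAULT_SPEC_RE = re.compile(r"^@uid=(\d+),gid=(\d+)@$")


def resolve_default_unix_user(spec, uds):
    """Resolve a default Unix user given as an account name or as @uid=xxxx,gid=yyyy@.

    Policy assumed for this example: a default user resolving to UID 0 is refused,
    because the page notes that it would grant root access to every unmapped user.
    """
    m = DEFAULT_SPEC_RE.match(spec)
    if m:
        uid, gid = int(m.group(1)), int(m.group(2))
    elif spec in uds:
        uid, gid = uds[spec]
    else:
        raise ValueError(f"default Unix user {spec!r} does not exist in the UDS or local files")
    if uid == 0:
        raise ValueError(f"default Unix user {spec!r} resolves to UID 0 (root); refusing it")
    return uid, gid


class UnixIdMapper:
    """Model of how a Windows user is given a Unix UID for a Unix-policy file system."""

    def __init__(self, uds, default_unix_user=None, auto_mapping=False):
        # The page states these two options cannot be enabled together.
        if default_unix_user is not None and auto_mapping:
            raise ValueError("automatic mapping cannot be enabled while a default Unix user is configured")
        self.uds = uds
        self.default = resolve_default_unix_user(default_unix_user, uds) if default_unix_user else None
        self.auto_mapping = auto_mapping
        self._generated = {}          # Windows user -> generated UID, stable across calls
        self._next_uid = AUTO_UID_MIN

    def map_windows_user(self, windows_name):
        """Return (how, uid): how is "matched", "auto", "default" or "denied"."""
        # Exact-name match only: the page says Unix user names are case sensitive.
        if windows_name in self.uds:
            return "matched", self.uds[windows_name][0]
        if self.auto_mapping:
            # Each unmapped Windows user gets its own UID, so per-user quotas still apply.
            if windows_name not in self._generated:
                if self._next_uid > AUTO_UID_MAX:
                    raise RuntimeError("reserved automatic UID range exhausted")
                self._generated[windows_name] = self._next_uid
                self._next_uid += 1
            return "auto", self._generated[windows_name]
        if self.default is not None:
            # Every unmapped Windows user shares this UID, hence a single quota for all of them.
            return "default", self.default[0]
        return "denied", None
```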

    Customizing the user mapping file

    When you create a NAS server, you can optionally use a customized user mapping file (ntxmap) to map one or more Windows user accounts to one or more Unix user accounts or one or more Unix user accounts to one or more Windows user accounts (both directions are valid). This allows you to provide file system access when:

    • A Windows user account does not have a corresponding Unix user account.
    • The file system access policy is Windows, and a Unix user account does not have a corresponding Windows user account.
    • A Windows user account and Unix user account exist, but they use different naming rules. Note that Unix user accounts are case sensitive.

    The user mapping file supports the use of wildcards and substitution sequences.

    To use a customized user mapping file, download the file template, customize the file, and upload it to the system. The syntax for the mapping file is displayed in the file template.

    Change NAS server user mappings

    You can change the user mappings for multiprotocol NAS servers.

    Procedure
    1. Under Storage, select File > NAS Servers.
    2. Select the relevant NAS server, and then click Edit.
    3. Select the Sharing Protocols tab, and then select the Multiprotocol sub-tab.
    4. Make the desired changes, as described in the following table. Each task is followed by its description.

      Task: Map together Unix accounts and Windows accounts that have different user names.
      Description: The ntxmap configuration file lets you map together Unix accounts and Windows accounts that have different user names. The syntax for ntxmap is displayed in the template that you retrieve by following these steps:
      1. Select Show advanced mapping rules.
      2. Select Retrieve Current Mapping File to download the current mapping file. If there is no mapping file, the NAS server returns a file template.
      3. Use a text editor to add or change user account mappings in the file.
      4. Select Upload New Mapping File to upload the customized file to the NAS server.

      Task: Automatically generate a Unix UID for each Windows user that is not mapped to a Unix account.
      Description: Select Enable automatic mapping for unmapped Windows accounts to generate a UID for each Windows user that is not mapped to a Unix account.
      This option is for multiprotocol environments in which most users are Windows users. When you select this option, the system generates Unix UIDs for Windows users that are not already mapped to Unix accounts through a directory service (LDAP or NIS) or local files. This functionality allows for the retention of file system quotas for unmapped Windows users.

      Task: Enable or disable default accounts for unmapped users.
      Description: Select or clear Enable default account for unmapped users. If this option is selected, you can enter default Unix and Windows accounts that the system will use to grant file system access to unmapped users. To avoid configuration issues, ensure that the specified Windows default account exists and has an SID mapping. Also ensure that the specified Unix default account exists and has a UID mapping.
      The default UNIX user can be a valid existing UNIX account name or follow the format @uid=xxxx,gid=yyyy@, where xxxx and yyyy are the decimal numerical values of the UID and the primary GID, respectively.
      If you use a default Unix account for Windows users, these users are mapped to one UID. Therefore, only one user quota applies to all of these users.

      Task: Run user mapping diagnostics and repair broken mappings.
      Description: You can run a user mapping diagnostics report to confirm that the user mappings are configured as desired. Both resolved and unresolved users are listed in this report.
      To run the report and fix mappings:
      1. Select Show mapping diagnostics.
      2. Select Run user mapping diagnostics. This operation can take a long time to complete.
      3. When the user mapping diagnostics report completes, select Retrieve Mapping Diagnostics Report to view the report.
      4. For each Windows user name that does not map to a UID/GID, create a corresponding UID/GID in LDAP, NIS, or local files, depending on your Unix Directory Service selection.
      5. Optionally repeat steps 1 and 2 to verify that the user mappings are as desired, and fix them as necessary.
      6. Select Update user mapping on all file systems. This operation uses information from LDAP, NIS, or local files to parse all file systems associated with the NAS server and to update the SID/UID mapping in all nodes.