    Configuring NAS servers

    About secure NFS

    You can configure secure NFS when you create or modify a NAS server that supports Unix shares. Secure NFS provides Kerberos-based user authentication, which can provide network data integrity and network data privacy.

    Kerberos is a distributed authentication service designed to provide strong authentication with secret-key cryptography. It works on the basis of "tickets" that allow nodes communicating over a non-secure network to prove their identity in a secure manner. When configured to act as a secure NFS server, the NAS server uses the RPCSEC_GSS security framework and Kerberos authentication protocol to verify users and services.

    Security options

    Secure NFS supports the following security options:

    • krb5: Kerberos authentication.
    • krb5i: Kerberos authentication and data integrity by adding a signature to each NFS packet transmitted over the network.
    • krb5p: Kerberos authentication, data integrity, and data privacy by encrypting the data before sending it over the network. Data encryption requires additional resources for system processing and can lead to slower performance.

    Configuring secure NFS

    In a secure NFS environment, user access to NFS file systems is granted based on Kerberos principal names. However, access control to shares within a file system is based on the Unix UID and GID, or on ACLs.

    Secure NFS supports NFS credentials with more than 16 groups. This is equivalent to the extended Unix credentials option.

    To configure secure NFS for a NAS server that supports NFS only, configure a custom realm to point to any type of Kerberos realm (AD, MIT, Heimdal). You must upload the keytab file to the NAS server being defined.

    Create a NAS server for UNIX-only file sharing (NFS)

    Before you begin

    Obtain the following information:

    • (Optional) Name of the tenant to associate with the NAS server.
    • Name of the pool to store the NAS server's metadata.
    • Storage Processor (SP) on which the NAS server will run.
    • IP address information for the NAS server.
    • VLAN ID, if the switch port supports VLAN tagging. If you associate a tenant with the NAS server, you must choose a VLAN ID.
    • (Optional) UNIX Directory Service (UDS) information for NIS or LDAP, or local files. This can be used to resolve hosts defined on NFS share access lists.
    • (Optional) DNS server information. This can also be used to resolve hosts defined on NFS share access lists.
    • (Optional) Replication information.
    It is recommended that you balance the number of NAS servers on both SPs.

    Procedure
    1. Under Storage, select File > NAS Servers.
    2. Select the Add icon.
    3. On the General and Interface pages, specify the relevant settings. Note the following:
      • On the General page, the Server name identifies the NAS server. It is not a network name.
      • Optionally select a tenant to associate with the NAS server.
        Once you create a NAS server that has an associated tenant, you cannot change this association.
      • On the Interface page, optionally select a VLAN. If you selected a tenant on the General page, you must select a VLAN. The list of VLANs represents the VLANs associated with the selected tenant.
    4. On the Sharing Protocols page:
      • Select Linux/Unix shares (NFS). The storage system supports NFSv3 by default when you select this option.
      • Optionally enable support for Virtual Volumes (VVols) and NFSv4. Selecting Enable NFSv4 enables support for both NFSv4 and NFSv3.
      • Optionally click Configure secure NFS to enable secure NFS with Kerberos. When you enable secure NFS for a NAS server that supports Unix-only file sharing, you must configure a custom Kerberos realm.
    5. On the Unix Directory Service page, configure one of the following directory services (optional unless you are configuring secure NFS):
      • Local files
      • NIS
      • LDAP
      • Local files and NIS
      • Local files and LDAP
      If you configure local files with NIS or LDAP, the system queries the local files first. You can configure LDAP to use anonymous, simple, and Kerberos authentication. You can also configure LDAP with SSL (LDAP Secure) and can enforce the use of a Certificate Authority certificate for authentication.
    6. On the DNS page, optionally configure DNS for the NAS server.
    7. On the Replication page, optionally select a replication mode and Recovery Point Objective (RPO) for the NAS server.

    Configure NAS server sharing protocols and FTP/SFTP settings

    You can configure NFS support when you create a NAS server or change its properties. You can configure FTP/SFTP support for an existing NAS server only.

    If you are creating a NAS server, access the NAS server sharing protocol options from the Sharing Protocols window in the Create a NAS server wizard.

    If you are changing NAS server properties, follow these steps to access the NAS server sharing protocol and FTP options:

    1. Under Storage, select File > NAS Servers.
    2. Select the relevant NAS server, and then select the Edit icon.
    3. Select the Sharing Protocols tab.

    NFS support

    If you are changing NAS server properties, select the NFS sub-tab on the Sharing Protocols tab.

    Task: Enable or disable the NAS server's ability to serve files using the NFS protocol.
    Description: Select or clear the Enable Linux/Unix shares (NFS Server) option. By default, the NAS server supports NFSv3 when NFS is enabled. To enable NFSv4, select Enable NFSv4 (when creating a NAS server) or NFSv4 enabled (when editing NAS server properties).

    Task: Enable or disable the NAS server's ability to serve VVols.
    Description: Select or clear Enable VVols. If you enable VVols, you must select the IP address for the VMware protocol endpoint.

    Task: Enable or disable support for secure NFS.
    Description: Select Show advanced, and then select or clear Enable Secure NFS (with Kerberos).

    Task: Configure secure NFS using a custom realm.
    Description: See Configure Kerberos with a custom realm.

    FTP/SFTP support

    You can configure FTP or FTP over SSH (SFTP) settings for an existing NAS server only. Select the FTP sub-tab on the Sharing Protocols tab.

    Task: Enable or disable the NAS server's ability to share files using the FTP protocol.
    Description: Select or clear Enable FTP. If this option is selected, optionally click the other options to customize user authentication, user home directory, and message settings.

    Task: Enable or disable the NAS server's ability to share files using the SFTP protocol.
    Description: Select or clear Enable SFTP. If this option is selected, optionally click the other options to customize user authentication, user home directory, and message settings.

    FTP access can be authenticated using the same methods as NFS. Once authentication is complete, access is the same as NFS for security and permission purposes. If the user name format is anything other than domain@user or domain\user, NFS authentication is used. NFS authentication uses local files, LDAP, NIS, or local files with LDAP or NIS.

    To use local files for FTP access, the passwd file must include an encrypted password for the users. This password is used for FTP access only. The passwd file uses the same format and syntax as a standard Unix system, so you can leverage this to generate the local passwd file. On a Unix system, use useradd to add a new user and passwd to set the password for that user. Then, copy the hashed password from the /etc/shadow file, add it to the second field in the /etc/passwd file, and upload the /etc/passwd file to the NAS server.

    Configure a NAS server Unix Directory Service

    There are three ways to configure identity lookups:

    If you configure local files with a UDS, the storage system queries the local files first.

    If you are creating a new NAS server, use the Unix Directory Service window in the Create a NAS server wizard to configure identity lookups.

    If you are configuring a UDS for an existing NAS server, access the Naming Services tab to access the identity lookup options:

    1. Under Storage, select File > NAS Servers.
    2. Select a NAS server, and then select the Edit icon.
    3. Select the Naming Services tab.

    Using local files

    To enable the use of local files for directory services when you are creating a NAS server:

    1. From the Unix Directory Service window in the Create a NAS server wizard, select Enable a Unix Directory service using Local Files.
    2. Create the password file for the UDS. To view the template for this file, select Open a Passwd File Template.
    3. Select Upload Passwd File to upload the password file to the NAS server.

    After you create the NAS server, you can upload additional local files as specified below.

    To enable the use of local files for directory services for an existing NAS server:

    1. From the Naming Services tab, select the Local Files sub-tab.
    2. Select Enable a Unix Directory service using Local Files.
    3. For each type of local file, select Retrieve current <file-type> file to download the current file. If there is no file on the storage system, the system downloads a file template.
    4. Make the necessary changes to the file.
    5. Select Upload New <file-type> File to upload the file.

    To troubleshoot issues with configuring local files, ensure that:

    • The file is created with the proper syntax (six colons are required on each line). See the template for details about the syntax and for examples.
    • Each user has a unique name and UID.
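    The two checks above (six colons per line, unique names and UIDs) and the FTP requirement from the sharing-protocols section (a real password hash in the second field) can be run against a passwd file before uploading it. The following validator is an added example, not Dell tooling; the sample files it checks are constructed.

```python
# Validator for a local passwd file before it is uploaded to a NAS server.
# Added example, not Dell tooling. It checks what the troubleshooting list
# calls out (six colons per line, unique user names, unique UIDs) and,
# when the file is also meant to authenticate FTP users, that the second
# field holds a password hash rather than the "x" placeholder.

PASSWD_FIELDS = 7                            # name:pw:uid:gid:gecos:home:shell
LOCKED_MARKERS = {"", "x", "*", "!", "!!"}   # no usable password hash


def validate_passwd(text, require_ftp_hash=False):
    """Return a list of problem strings; an empty list means the file is usable."""
    problems = []
    seen_names = {}   # user name -> line number of first use
    seen_uids = {}    # UID       -> line number of first use
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != PASSWD_FIELDS:
            problems.append("line %d: expected 6 colons, found %d"
                            % (lineno, line.count(":")))
            continue
        name, pw_hash, uid, gid = fields[0], fields[1], fields[2], fields[3]
        if not name:
            problems.append("line %d: empty user name" % lineno)
            continue
        if not (uid.isdigit() and gid.isdigit()):
            problems.append("line %d: UID and GID must be numeric" % lineno)
            continue
        if name in seen_names:
            problems.append("line %d: user name %r already used on line %d"
                            % (lineno, name, seen_names[name]))
        else:
            seen_names[name] = lineno
        if uid in seen_uids:
            problems.append("line %d: UID %s already used on line %d"
                            % (lineno, uid, seen_uids[uid]))
        else:
            seen_uids[uid] = lineno
        if require_ftp_hash and (pw_hash in LOCKED_MARKERS
                                 or pw_hash.startswith(("!", "*"))):
            problems.append("line %d: user %r has no password hash; "
                            "FTP login will fail" % (lineno, name))
    return problems


# Constructed sample files (hash values are placeholders, not real crypt output).
SAMPLE_OK = "\n".join([
    "# constructed sample, not from a real system",
    "alice:$6$saltsalt$hashA:1001:1001:Alice:/home/alice:/bin/sh",
    "bob:$6$saltsalt$hashB:1002:1001:Bob:/home/bob:/bin/sh",
])
SAMPLE_BAD = "\n".join([
    "alice:x:1001:1001:Alice:/home/alice:/bin/sh",                   # no hash
    "bob:$6$saltsalt$hashB:1002:1001:Bob:/home/bob",                 # 5 colons
    "carol:$6$saltsalt$hashC:1001:1001:Carol:/home/carol:/bin/sh",   # dup UID
    "alice:$6$saltsalt$hashD:1004:1001:Alice:/home/a2:/bin/sh",      # dup name
])

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, validate_passwd(sample, require_ftp_hash=True) or "no problems")
```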

    Configuring a Unix Directory Service using NIS

    To configure a UDS using NIS when you are creating a NAS server:

    1. From the Naming Services tab, select the LDAP/NIS sub-tab.
    2. In the Enable Unix Directory service field, select NIS.
    3. Enter an NIS domain and add up to three IP addresses for the NIS servers.

    To configure a UDS using NIS for an existing NAS server:

    1. From the Naming Services tab, select the LDAP/NIS sub-tab.
    2. In the Enable Unix Directory service field, select NIS.
    3. Enter an NIS domain and add up to three IP addresses for the NIS servers.

    To troubleshoot issues with configuring a UDS using NIS, ensure that the NIS server domain and server IP addresses you enter are correct.

    Configure a UDS using LDAP

    LDAP must adhere to the IDMU, RFC2307, or RFC2307bis schemas. Some examples include AD LDAP with IDMU, iPlanet, and OpenLDAP. The LDAP server must be configured properly to provide UIDs for each user. For example, on IDMU, the administrator must go in to the properties of each user and add a UID to the UNIX Attributes tab.

    To configure a UDS using LDAP when you are creating a NAS server:

    1. From the Naming Services tab, select the LDAP/NIS sub-tab.
    2. In the Enable Unix Directory service field, select LDAP.
    3. Select how the NAS server will obtain LDAP server IPs:
      • If you leave the default option, the NAS server will use DNS service discovery to obtain LDAP server IP addresses automatically. For this discovery process to work, the DNS server must contain pointers to the LDAP servers, and the LDAP servers must share the same authentication settings.
      • To manually enter the IP addresses of LDAP servers, select Configure LDAP server IPs manually, enter each IP address, and click Add.
    4. Configure the LDAP authentication as described in Table 1.

    To configure a UDS using LDAP for an existing NAS server:

    1. From the Naming Services tab, select the LDAP/NIS sub-tab.
    2. In the Enable Unix Directory service field, select LDAP.
    3. Configure the LDAP authentication as described in Table 1.

    By default, LDAP uses port 389, and LDAPS (LDAP over SSL) uses port 636.

    Table 1. LDAP authentication

    Option: LDAP with Anonymous or Simple authentication
    Considerations:
    For Anonymous Authentication, add the LDAP servers and specify the port number used by the LDAP servers, the Base DN, and the Profile DN for the iPlanet/OpenLDAP server.

    For Simple Authentication, add the LDAP servers and specify the following:

    • If using AD, LDAP/IDMU:
      • Port number used by the LDAP servers.
      • User account in LDAP notation format; for example, cn=administrator,cn=users,dc=svt,dc=lab,dc=com.
      • User account password.
      • Base DN, which is the same as the Fully Qualified Domain Name (for example, svt.lab.com).
    • If using the iPlanet/OpenLDAP server:
      • User account in LDAP notation format; for example, cn=administrator,cn=users,dc=svt,dc=lab,dc=com.
      • Password.
      • Base DN. For example, if using svt.lab.com, the Base DN would be DC=svt,DC=lab,DC=com.
      • Profile DN for the iPlanet/OpenLDAP server.

    Option: LDAP with Kerberos authentication
    Considerations:
    To configure Kerberos, configure a custom realm to point to any type of Kerberos realm (Windows, MIT, Heimdal). With this option, the NAS server uses the custom Kerberos realm defined in the Kerberos subsection of the NAS server's Security tab. AD authentication of the SMB server is not used when you choose this option. If you use secure NFS with a custom realm, you must upload a keytab file.

    To troubleshoot issues with configuring a UDS using LDAP, ensure that:

    • The LDAP configuration adheres to one of the supported schemas, as described earlier in this topic.
    • All of the containers specified in the ldap.conf file point to containers that are valid and exist.
    • Each LDAP user is configured with a unique UID.

    You can also use the -ldap option of the svc_nas service command to troubleshoot LDAP issues. This command can display advanced diagnostics for the connection to the LDAP server and can run a user name resolution to ensure that the LDAP settings are correct. For more information, see the Service Commands Technical Notes, available from the UnityOE Features Info Hub.

    Configure Kerberos with a custom realm

    This method of configuring Kerberos lets you configure any kind of KDC (MIT/Heimdal or AD). Use this method when you do not have an SMB server domain configured on the NAS server, or when you want to use a different Kerberos realm than the one configured for the SMB server.

    If you are configuring Kerberos for secure NFS, be aware of the following:

    • Using LDAPS or LDAP with Kerberos is recommended for increased security.
    • A DNS server must be configured at the NAS-server level. All members of the Kerberos realm, including the KDC, NFS server, and NFS clients, must be registered in the DNS server. Some applications, such as VMware, might also require reverse DNS lookup.
    • The NFS client's hostname FQDN and NAS server FQDN must be registered in the DNS server. Clients and servers must be able to resolve any member of the Kerberos realm's FQDNs to an IP address.
    • The FQDN part of the NFS client's SPN must be registered in the DNS server.

    To configure Kerberos, the storage system must have a configured NTP server. Kerberos relies on correct time synchronization between the KDC, servers, and clients on the network.

    Before using Unisphere

    To use a Windows-based KDC without using the SMB server account on the NAS server, follow these steps before configuring Kerberos in Unisphere. The steps assume you want to use myrealm.windows.dellemc.com as the FQDN for the NFS server.

    1. Create account myrealm for the NAS server in the Active Directory (AD) of the Windows domain windows.dellemc.com.
    2. Register the service SPN on the computer account you created:

       C:\> setspn -S nfs/myrealm.windows.dellemc.com myrealm

    3. Verify that the SPN was created:

       C:\> setspn myrealm

    4. Generate a keytab file for the SPN:

       C:\> ktpass -princ nfs/myrealm.windows.dellemc.com@WINDOWS.DELLEMC.COM -mapuser WINDOWS\myrealm -crypto ALL +rndpass -ptype KRB5_NT_PRINCIPAL -out myrealm.windows.dellemc.com.keytab

    To use a Unix-based KDC, follow these steps before configuring Kerberos in Unisphere. The steps assume you want to use myrealm in the Kerberos realm linux.dellemc.com as the hostname of the NFS server.

    1. Run the kadmin.local tool.
    2. Create the principals and their keys:

       kadmin.local: addprinc -randkey nfs/myrealm.linux.dellemc.com

       and/or

       kadmin.local: addprinc -randkey nfs/myrealm

    3. Put the key of the principal into the keytab file myrealm.linux.dellemc.com.keytab:

       kadmin.local: ktadd -k myrealm.linux.dellemc.com.keytab nfs/myrealm.linux.dellemc.com

    When creating a NAS server

    To configure Kerberos with a custom realm when you create a NAS server, follow the steps in the Create a NAS Server wizard, while noting the following:

    • If you are configuring Kerberos for secure NFS:
      1. On the Sharing Protocols window, configure a NAS server that supports NFS or multiprotocol file sharing.
      2. Select Configure secure NFS.
      3. Select Enable Secure NFS (with Kerberos) > Use custom realm.
      4. Enter the name of the custom realm.
      5. Upload the keytab file to the NAS server's NFS server.
      6. On the Unix Directory Service window, add the LDAP servers, and specify the Kerberos principal, password, base DN, and optionally, profile DN.
      7. On the DNS window, configure DNS for the NAS server.
      8. Register all members of the Kerberos realm in the DNS server.
    • If you are configuring Kerberos for LDAP or LDAP secure:
      1. On the Sharing Protocols window, configure a NAS server that supports NFS or multiprotocol file sharing.
      2. On the Unix Directory Service window, add the LDAP servers and select Kerberos as the authentication method.
      3. Specify the principal, password for the principal, and base DN.
      4. On the Kerberos window, add the KDC servers, and optionally change the TCP port.
      5. On the DNS window, configure DNS for the NAS server.

    When changing NAS server properties

    • If you are configuring Kerberos for secure NFS:
      1. Make sure that DNS and a UDS are configured for the NAS server and that all members of the Kerberos realm are registered in the DNS server.
      2. On the Security tab, select the Kerberos sub-tab, and then select Configure custom Kerberos settings.
      3. Configure the custom Kerberos settings.
      4. Upload the keytab file to the NAS server's NFS server.
      5. On the Sharing Protocols tab, select the NFS sub-tab.
      6. Select Show advanced, and specify the host name.
      7. Select Enable Secure NFS (with Kerberos) > Use custom realm.
    • If you are configuring Kerberos for LDAP:
      1. Make sure that DNS and LDAP are configured for the NAS server and that all members of the Kerberos realm are registered in the DNS server.
      2. On the Security tab, select the Kerberos sub-tab, and then select Configure custom Kerberos settings.
      3. Configure the custom Kerberos settings.
      4. On the Naming Services tab, select the LDAP/NIS sub-tab, and select Kerberos as the LDAP authentication method.
      5. Select Specify custom principal.
      6. Specify the principal and password for the principal.

    Troubleshooting Kerberos

    You can use the -kerberos option of the svc_nas service command to troubleshoot Kerberos issues. For more information, see the Service Commands Technical Notes, available from the UnityOE Features Info Hub.

    Change NAS server properties

    Procedure
    1. Under Storage, select File > NAS Servers.
    2. Select the relevant NAS server, and then select the Edit icon.
    3. On the General tab:
      • Change the NAS server name.
      • Select SP Owner to transition from one SP to the other SP for this NAS server. For example, you may want to do this if you have an overloaded SP, and want to reduce the load by moving the server to the other SP.
    4. On the Network tab:
      • Select the Interfaces & Routes sub-tab to add, change, delete, or verify NAS server interfaces, enable or disable IP packet reflect for the NAS server, or change the NAS server's preferred interfaces. Select an interface, and then select Show external routes for interfaces to access the per-interface routing table, where you can add, change, or delete the selected interface's routes for responding to client requests.
      • Select the Routes to External Services sub-tab to add, change, or verify NAS server routes for external service requests, or to configure default gateways.
    5. On the Naming Services tab, configure DNS and either configure the UNIX Directory Service (UDS) for the NAS server (LDAP or NIS) or use local files. Alternatively, you can use local files with a UDS. In this case, the system checks the local files first.
    6. On the Sharing Protocols tab:
      • Select the NFS sub-tab to enable or disable support for NFS shares, VVols, NFSv4, and extended UNIX credentials. You can also configure secure NFS with Kerberos and change the credential cache retention period.
      • Select the FTP sub-tab to enable or disable FTP or SFTP, or to change FTP or SFTP properties.
    7. On the Protection & Events tab:
      • Select the NDMP Backup sub-tab to enable or disable NDMP, and to change the NDMP password.
      • Select the DHSM sub-tab to enable or disable Distributed Hierarchical Storage Management (DHSM) and to change the DHSM password.
      • Select the Events Publishing sub-tab to enable or disable Events Publishing, create or modify an event pool, and create or modify events policy settings.
    8. On the Security tab, select the Kerberos sub-tab to configure a custom Kerberos realm and to retrieve or upload the Kerberos keytab file.
    9. On the Replication tab, optionally select a replication mode and Recovery Point Objective (RPO) for the NAS server.

    Change NAS server Unix credential settings

    Procedure
    1. Under Storage, select File > NAS Servers.
    2. Select the relevant NAS server from the list, and then select the Edit icon.
    3. On the Sharing Protocols tab, select Show advanced.
    4. Make the desired changes, as described in the following table.
      Table 2. NAS server Unix credential settings

      Task: Extend the Unix credential to enable the storage system to obtain more than 16 group GIDs. With secure NFS, the Unix credential is always built by the NAS server, so this option does not apply.
      Description: Select or clear Enable extended Unix credentials.
      • If this field is selected, the NAS server uses the User ID (UID) to obtain the primary Group ID (GID) and all group GIDs to which it belongs. The NAS server obtains the GIDs from the local password file or UDS.
      • If this field is cleared, the Unix credential of the NFS request is directly extracted from the network information contained in the frame. This method has better performance, but it is limited to including up to only 16 group GIDs.

      Task: Specify a Unix credential cache retention period. This option can lead to better performance, because it reuses the Unix credential from the cache instead of building it for each request.
      Description: In the Credential cache retention field, enter a time period (in minutes) for which access credentials are retained in the cache. The default value is 15 minutes, the minimum value is 1 minute, and the maximum value is 1439 minutes.
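    The 16-group limit in Table 2 is a property of the AUTH_SYS credential that an NFS client places in every RPC call, which is all the NAS server has to go on when extended credentials are cleared. The following added example (not Dell code) encodes and decodes that credential in its RFC 5531 XDR layout, then rebuilds the same user's credential from the server's own passwd and group files the way the extended option does; the RPC bytes and the passwd/group lines are constructed.

```python
# Why the "extended Unix credentials" option exists. Added example, not Dell
# code. decode_auth_sys() unpacks the AUTH_SYS credential an NFS client puts
# in each RPC call (RFC 5531 XDR layout, at most 16 supplementary GIDs), which
# is all the NAS server sees when the option is cleared.
# build_extended_credential() instead looks the user up in the server's own
# passwd/group files, so no group membership is lost. The RPC bytes and the
# passwd/group lines used here are constructed.
import struct

AUTH_SYS_MAX_GIDS = 16   # fixed by the AUTH_SYS wire format


def encode_auth_sys(machine, uid, gid, gids, stamp=0):
    """Encode the credential as a client would; GIDs past the 16th are dropped."""
    gids = list(gids)[:AUTH_SYS_MAX_GIDS]
    name = machine.encode()
    pad = b"\x00" * (-len(name) % 4)             # XDR pads strings to 4 bytes
    return (struct.pack(">II", stamp, len(name)) + name + pad
            + struct.pack(">III", uid, gid, len(gids))
            + struct.pack(">%dI" % len(gids), *gids))


def decode_auth_sys(body):
    """Decode an AUTH_SYS credential body -> (machine, uid, gid, [gids])."""
    _stamp, name_len = struct.unpack_from(">II", body, 0)
    pos = 8
    machine = body[pos:pos + name_len].decode()
    pos += (name_len + 3) & ~3                   # skip name plus XDR padding
    uid, gid, ngids = struct.unpack_from(">III", body, pos)
    pos += 12
    if ngids > AUTH_SYS_MAX_GIDS:
        raise ValueError("malformed AUTH_SYS credential: %d gids" % ngids)
    gids = list(struct.unpack_from(">%dI" % ngids, body, pos))
    return machine, uid, gid, gids


def build_extended_credential(uid, passwd_text, group_text):
    """Server-side credential: primary GID from passwd, all groups from the group file."""
    name = primary = None
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[2].isdigit() and int(f[2]) == uid:
            name, primary = f[0], int(f[3])
            break
    if name is None:
        raise LookupError("UID %d not found in passwd file" % uid)
    gids = [primary]
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) == 4 and f[2].isdigit() and name in f[3].split(","):
            if int(f[2]) not in gids:
                gids.append(int(f[2]))
    return uid, primary, gids


# Constructed sample: alice belongs to 20 supplementary groups (2000..2019).
PASSWD = "alice:x:1001:1001:Alice:/home/alice:/bin/sh\n"
GROUP = "\n".join("proj%02d:x:%d:alice,bob" % (i, 2000 + i) for i in range(20))
ALICE_GROUPS = list(range(2000, 2020))

if __name__ == "__main__":
    wire = encode_auth_sys("client1.linux.dellemc.com", 1001, 1001, ALICE_GROUPS)
    print("from the frame:", decode_auth_sys(wire)[3])      # 16 GIDs, 2016..2019 lost
    print("extended      :", build_extended_credential(1001, PASSWD, GROUP)[2])
```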

    View the active LDAPS CA certificate for a NAS server

    This option is available for anonymous and simple LDAP authentication that uses SSL and enforces certification.

    Procedure
    1. Under Storage, select File > NAS Servers.
    2. Select the relevant NAS server from the list, and then select the Edit icon.
    3. Select the Naming Services tab, and then select the LDAP/NIS sub-tab.
    4. Click Retrieve CA Certificate.

    Upload an LDAPS CA certificate for a NAS server

    Procedure
    1. Under Storage, select File > NAS Servers.
    2. Select the relevant NAS server, and click the Edit icon.
    3. On the Naming Services tab, select the LDAP/NIS sub-tab.
    4. Select LDAP Secure (Use SSL) and Enforce Certification Authority (CA) Certificate, if these options are not already selected. These options are available for Anonymous and Simple authentication.
    5. Select Upload CA Certificate, locate the certificate to upload, and click Start Upload.

    NDMP settings

    The Network Data Management Protocol (NDMP) provides a standard for backing up file servers on a network. NDMP allows centralized applications to back up file servers running on various platforms and platform versions. NDMP reduces network congestion by isolating control path traffic from data path traffic, which permits centrally managed and monitored local backup operations. Enabling NDMP for file system storage resources makes it possible to use third party NDMP products to back up and restore file system data.

    You can enable NDMP by configuring NAS server settings.