This section describes the prerequisites for joining a Qumulo Cluster to Active Directory for using NFSv4.1 with Kerberos.
For more information, see Join Your Qumulo Cluster to Active Directory on Qumulo Care.
Using Active Directory (AD) for POSIX Attributes (RFC 2307)
Enabling RFC 2307 might simplify access for AUTH_SYS-based Linux clients that reach the cluster by using known UIDs and GIDs. In this way, the cluster can map the UIDs and GIDs to the user or group objects on the AD server and enforce the appropriate permissions.
If you configure sssd on Kerberos-mounted Linux clients for mapping by SID, disabling RFC 2307 can help avoid ascribing special meaning to randomly assigned Linux UIDs and GIDs.
Specifying the Base Distinguished Name (Base DN)
Qumulo uses LDAP to query the AD domain for users and groups. For this functionality to work, the Base DN must cover every identity intended for use with Kerberos. For example, if multiple organizational units (OUs) contain users, you must include them all in the Base DN (separated with semicolons).
Alternatively, a parent container can hold all nested containers of interest. It is possible to set a top-level domain (TLD) as the Base DN (however, this can cause queries to perform poorly in certain scenarios). We recommend using as specific a Base DN as possible. If you don’t configure the Base DN correctly, Linux clients might present permissions such as
In the following example, there is an OU with the AD domain my.example.com. The TLD Base DN for this domain is as follows.
If a Users container holds users and a Computers container holds machine accounts, you can set the Base DN as follows.
This example is a very common configuration for user and computer objects in AD.
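As an added example (not part of the Qumulo documentation or product), the following Python script builds the Base DN for my.example.com and checks which identities a given semicolon-separated Base DN field covers, which is the mistake the section warns about. It assumes AD's default layout (the domain maps to DC= components, and Users and Computers are CN= containers beneath it); the identity DNs are constructed samples.

```python
"""Check that a semicolon-separated Base DN field covers a set of AD identities.

Added example, not Qumulo code. Assumes the standard AD layout in which the
domain my.example.com maps to DC=my,DC=example,DC=com and the default
Users/Computers containers are CN= entries beneath it.
"""

def domain_to_dn(domain: str) -> str:
    """Turn a DNS domain name into the matching AD domain (TLD) Base DN."""
    return ",".join(f"DC={label}" for label in domain.split("."))

def _rdns(dn: str) -> list[str]:
    """Split a DN into normalized RDNs (lower-cased, whitespace stripped).
    Simple comma split: escaped commas inside RDN values are not handled."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]

def parse_base_dn(base_dn: str) -> list[str]:
    """Split a Qumulo-style semicolon-separated Base DN field into DNs."""
    return [dn.strip() for dn in base_dn.split(";") if dn.strip()]

def is_under(identity_dn: str, base: str) -> bool:
    """True if base is a suffix of identity_dn, i.e. the identity lives under base."""
    ident, b = _rdns(identity_dn), _rdns(base)
    return len(ident) >= len(b) and ident[-len(b):] == b

def uncovered(base_dn: str, identity_dns: list[str]) -> list[str]:
    """Return the identities that no entry in the Base DN field covers.
    Any DN returned here is one the cluster will not be able to look up."""
    bases = parse_base_dn(base_dn)
    return [dn for dn in identity_dns if not any(is_under(dn, b) for b in bases)]

# Constructed sample identities: a user in the default Users container, a
# workstation in Computers, and a service account in a custom OU.
IDENTITIES = [
    "CN=alice,CN=Users,DC=my,DC=example,DC=com",
    "CN=nfsclient01,CN=Computers,DC=my,DC=example,DC=com",
    "CN=svc-nfs,OU=ServiceAccounts,DC=my,DC=example,DC=com",
]

# The specific Base DN from the text: Users and Computers containers only.
SPECIFIC_BASE_DN = ("CN=Users,DC=my,DC=example,DC=com;"
                    "CN=Computers,DC=my,DC=example,DC=com")

if __name__ == "__main__":
    tld = domain_to_dn("my.example.com")
    print("TLD Base DN:", tld, "-> uncovered:", uncovered(tld, IDENTITIES))
    print("Specific Base DN -> uncovered:", uncovered(SPECIFIC_BASE_DN, IDENTITIES))
```

The TLD Base DN covers all three sample identities, while the more specific Users/Computers Base DN leaves the service account in OU=ServiceAccounts uncovered, so that OU would have to be added to the field.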
Using the Active Directory Domain Controller as the NTP Server
Kerberos is very sensitive to clock skew. It is important for all systems involved in a Kerberos relationship—the KDC, your Qumulo cluster, and any Linux clients—to have as little clock skew as possible. We recommend using the same NTP server for all three components.
You can use your AD domain controller as an NTP server. In the Web UI, on the Active Directory page, for Use Active Directory as your primary time server, click Yes.
To configure any other NTP server in the Web UI, click Cluster > Date & Time.