This section explains how to use Active Directory (AD) for POSIX attributes in Qumulo Core for clusters with multi-protocol access (with NFS and SMB) that manage POSIX and Windows identities from within Active Directory.
For changes to take effect, any Qumulo clusters that are already joined to an Active Directory domain must leave the domain and then rejoin it.
How Full Credential Expansion Works in Qumulo Core
Because the SMB and NFS protocols have unique identifiers and exist in different identity domains, it becomes difficult to link the two protocols when they represent the same identity. In addition, storage devices can’t determine the entity that attempts to access a file; as a result, a file that a Linux system writes can be inaccessible on a Windows machine.
One solution to this issue is full credential expansion, which involves mapping the two identities—Windows identities for SMB clients and POSIX identities for NFS clients—by using Active Directory as a central reference. For more information, see RFC 2307 . This approach ensures that, when you use Active Directory to maintain identity mappings from POSIX to Windows, Qumulo Core abides by the mappings.
After you enable Active Directory for POSIX attributes in Qumulo Core, you must enable user identity mapping from your Windows SID to your NFS UID. To do this, assign a user object (SID or objectSid
) to every object in Windows and enter the NFS UID of the user as an object attribute. This configuration allows Qumulo Core to correlate an NFS UID (for example, 2053
) to a SID on Windows (for example, S-1-5-21-...
).
Whenever this user identity is required (for example, to check permissions), Qumulo Core uses the established mapping to retrieve the entire identity for the user by referencing the NFS UIDs and GIDs, and all SIDs, including the group IDs of any relevant parent groups.
The full credential expansion method lets your Qumulo Core cluster support more than 16 group memberships for your NFS users, as long as Active Directory manages the group memberships.
Enabling Active Directory for POSIX Attributes in Qumulo Core
This section explains how to enable Active Directory for POSIX attributes in Qumulo Core by using the Qumulo Core Web UI and Qumulo REST API.
To Enable Active Directory for POSIX Attributes by Using the Qumulo Core Web UI
-
Log in to the Qumulo Core Web UI.
-
Click Cluster > Active Directory.
-
On the Active Directory page:
-
Enter the details for your Active Directory server.
-
For Use Active Directory for POSIX Attributes, click Yes.
-
(Optional) To limit part of the Active Directory tree that Qumulo Core can query, enter a Base DN (Distinguished Name) for User and Group Accounts.
-
Click Join.
-
When your cluster joins Active Directory, all SMB sessions and NFS operations result in full credential expansion for every user. For example, when NFS UID 2053 attempts to access a file, the cluster first queries the AD server to:
- Determine the groups to which the user belongs
- Map the user and groups to all Windows SIDs
- Apply permissions based on the fully expanded credential set
This configuration allows Qumulo Core to correlate an NFS UID (for example, 2053
) to a SID on Windows (for example, S-1-5-21-...
).
To Manage Active Directory for POSIX Attributes by Using the Qumulo REST API
To toggle Qumulo Core’s ability to use Active Directory for POSIX attributes, use the fields use_ad_posix_attributes
and base_dn
for the following REST API endpoints.
- Get Configuration and Status:
/v1/ad/status
- Get Operation Status:
/v1/ad/monitor
- Join Active Directory:
/v1/ad/join
To map identities from one domain to another, use the following REST API endpoints.
- GID to SIDs:
/v1/ad/uids/:gid:/sids
- Local Username to All Related Identities:
/v1/auth/local-username/:username:/related-identities
- POSIX GID to All Related Identities:
/v1/auth/posix-gids/:id:/related-identities
- POSIX UID to All Related Identities:
/v1/auth/posix-uids/:id:/related-identities
- SID to Expanded Group SIDs:
/v1/ad/uids/:gid:/sids
- SID to GID:
/v1/ad/uids/:uid:/gid
- SID to UID:
/v1/ad/uids/:sid:/uid
- UID to SIDs:
/v1/ad/uids/:uid:/sids
- Windows NT SID to All Related Identities:
/v1/auth/sids/:id:/related-identities
It is possible for one UID to be mapped to multiple SIDs.
To retrieve related identities, use the /v1/auth/auth-ids/:id:/related-identities
REST API endpoint.