CHAPTER 6

Active Directory Service and Authentication

This chapter describes Active Directory Service (ADS) in detail, Lightweight Directory Access Protocol (LDAP) setup, and how to change the name service lookup order. For setup instructions for other name services, refer to Managing Name Services.

This chapter includes the following sections:


About Supported Name Services

The NAS software supports a variety of name services for both Windows networks and Unix networks. These name services include:


Using Active Directory Service

This section provides information about the Active Directory Service (ADS) namespace and how to use it through the Web Administrator graphical user interface. The following subsections are included:


About Active Directory Service

Active Directory Service (ADS) is a Windows 2000 namespace that is integrated with the Domain Name Service (DNS). ADS runs only on domain controllers. In addition to storing and making data available, ADS protects network objects from unauthorized access and replicates objects across a network so that data is not lost if one domain controller fails.

For the NAS software to integrate seamlessly into a Windows 2000 Active Directory Service environment, the following items must exist on the network:

Note: An Active Directory-integrated DNS server that allows dynamic updates is recommended but not required for using ADS.

Through the graphical user interface, you enable and configure ADS on the Configure Domains and Workgroups Panel. This enables the NAS software to perform ADS updates.

After enabling and configuring ADS on the Configure Domains and Workgroups panel, you can enable ADS to publish Sun StorageTek shares in the ADS directory. To do so, create or update SMB shares on the Configure Shares Panel and specify the share container for each share that you want to publish.

Setting up ADS involves the following steps:

1. Enabling ADS, as described in Enabling ADS.

2. Verifying name-service order, as described in Verifying Name Service Lookup Order.

3. Verifying that DNS is enabled and configured to support ADS, as described in Verifying DNS Configuration.

4. Publishing shares in ADS, as described in Publishing Shares in ADS.


Enabling ADS

To enable Active Directory Service (ADS):

1. From the navigation panel, choose System Operations > Set Time and Date.

2. Verify that the system time is within five minutes of any ADS Windows 2000 domain controller.

3. Click Apply to save any changes you make.

Note: Resetting the date and time will change the system clock used for most time-related operations. It will not change the secure clock used by the license management software and the Compliance Archiving Software.

4. From the navigation panel, choose Windows Configuration > Configure Domains and Workgroups.

5. Select the Enable ADS checkbox.

6. In Domain, type the Windows 2000 Domain where ADS is running.

The system must belong to this domain.

7. In the User Name field, type the user name of a Windows 2000 user with administrative rights.

This user must be the domain administrator or a user who is a member of the domain administrators group. The ADS client verifies secure ADS updates with this user.

Note: If you specify the domain administrator name here and the ADS update fails, the domain administrator password must be changed on the domain controller. This is only required for the administrative user, and the same password can be reused. For more information, refer to the Microsoft Support Services web site, Article Q248808.

8. In the Password field, type the Windows 2000 administrative user's password.

9. In the Container field, type the ADS path location of the Windows 2000 administrative user in Lightweight Directory Access Protocol (LDAP) distinguished name (DN) notation.

Objects, including users, are located within Active Directory domains according to a hierarchical path, which includes each level of "container" object. Type the path in terms of the user's cn (common name) folder or ou (organizational unit).

For example, if the user resides in a users folder within a parent folder called "accounting," you would type the following:

ou=users,ou=accounting

Do not include the domain name in the path.

10. If the ADS domain uses sites and the ADS domain controller is in a different subnet than the client, type the appropriate site name in the Site field. Otherwise, leave the Site field blank. If specified, the Site is included when selecting a domain controller.

11. In the Kerberos Realm Info section, type the Realm name used to identify ADS.

This is normally the ADS domain or the Domain Name Service (DNS) domain. When you click Apply, this entry is converted to all uppercase letters. If you leave this field blank, the ADS domain name (in uppercase characters) is used as the Kerberos Realm.

12. Leave the Server field blank, if the system can locate the KDC server through DNS. Otherwise, enter the name of the Kerberos KDC server.

13. Type the host name of the Kerberos KDC server.

You can leave this field blank.

14. Click Apply to save and invoke your changes.
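The Container value in step 9 is an LDAP distinguished-name fragment. The following Python is an added example, not the appliance's own code: it parses and validates such a path (cn= and ou= components only, rejecting dc= because the domain name must not be typed here) and shows what the user's full DN would be if the domain's dc= components are appended to the container. That the appliance composes the DN in exactly this way is an assumption; the page only says the domain is omitted from the field.

```python
import re
from typing import List, Tuple

# Only cn= and ou= RDNs are expected in the Container field. Values containing
# escaped commas or equals signs are out of scope for this simple parser.
_RDN_RE = re.compile(r"^(cn|ou)=([^,=]+)$", re.IGNORECASE)


def parse_container(container: str) -> List[Tuple[str, str]]:
    """Split 'ou=users,ou=accounting' into [('ou','users'), ('ou','accounting')].

    Raises ValueError for a dc= component (the domain must not be included)
    or for any RDN that is not cn=... or ou=...
    """
    container = container.strip()
    if not container:
        return []
    rdns = []
    for part in container.split(","):
        part = part.strip()
        match = _RDN_RE.match(part)
        if not match:
            if part.lower().startswith("dc="):
                raise ValueError(f"domain component not allowed in Container: {part!r}")
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((match.group(1).lower(), match.group(2).strip()))
    return rdns


def domain_to_dc(domain: str) -> str:
    """'accounting.example.com' -> 'dc=accounting,dc=example,dc=com'."""
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"dc={label}" for label in labels)


def full_dn(container: str, domain: str, user_cn: str) -> str:
    """Assumed composition (not stated on the page): cn=<user>,<container>,<dc parts>."""
    rdns = parse_container(container)
    parts = [f"cn={user_cn}"] + [f"{attr}={val}" for attr, val in rdns]
    parts.append(domain_to_dc(domain))
    return ",".join(parts)
```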


Verifying Name Service Lookup Order

To verify the name service lookup order:

1. From the navigation panel, choose Unix Configuration > Configure Name Services.

2. Verify that the name service lookup order for Domain Name Service (DNS) is enabled by clicking the Hosts Order tab and ensuring that the DNS service is listed in the Services Selected box.

If it is not, select the DNS service and click the > button.

3. (Optional) Set the name service lookup order to the correct priority by using the Up and Down buttons in the Services Selected box. This determines the order in which the selected services are scanned.

4. Click Apply to save any changes.


Verifying DNS Configuration

To verify Domain Name Service (DNS) configuration:

1. From the navigation panel, choose Network Configuration > Configure TCP/IP > Set Up DNS.

2. If DNS is not enabled, select the Enable DNS checkbox.

3. If you have not entered a domain name, type the DNS Domain Name.

This name must be the same as the Active Directory Service (ADS) domain.

4. In the Server field, type the Internet Protocol (IP) address of the DNS server you want the system to use, and then click the Add button to place the server address in the DNS Server List.

You can add up to two servers to the list.

5. Select the Enable Dynamic DNS checkbox.

If you do not enable Dynamic DNS, you must add the host name and IP address manually.

6. In the DynDNS User Name field, type the user name of a Windows 2000 user with the administrative rights to perform secure dynamic DNS updates.

You can leave this field blank for non-secure updates if they are allowed by the DNS server.

7. In the DynDNS Password field, type the password of the Dynamic DNS user.

8. Click Apply to save your changes.

If Dynamic DNS is enabled, the system immediately updates DNS with its host name and IP address.


Publishing Shares in ADS

To publish shares in Active Directory Service (ADS):

1. From the navigation panel, click System Manager to view existing volumes.

2. Right-click the file volume or directory you wish to share, then select Sharing > New Share (or Add Share, if no sharing is in effect yet) from the pop-up menu. Select at the volume level to create a root-level share.

Note: Alternatively, choose Windows Configuration > Configure Shares, then specify the file volume and directory names.

3. Type a share name, then fill in the other screen fields, including the location in the ADS directory where the share will be published (known as the container).

For more detailed field information, see New Share Window.

4. Click Apply to add the share to the specified container.

Note: The container must already exist for the share to be published in that container. The system does not create container objects in the ADS tree.


Updating ADS Share Containers

To update Active Directory Service (ADS) share containers:

1. From the navigation panel, click System Manager to view existing volumes.

2. Right-click the file volume or directory for which you wish to update the share container.

3. Select Sharing > Edit Share from the pop-up menu to open the Edit Share window.

Note: Alternatively, choose Windows Configuration > Configure Shares, then select the target share and choose Edit.

4. Modify the container to specify the new location in the ADS directory where the share will be published.

5. Click Apply to update the share container.


Removing Shares From ADS

To remove shares from Active Directory Service (ADS):

1. From the navigation panel, click System Manager to view existing volumes.

2. Right-click the file volume or directory for which you wish to remove a share.

3. Select Sharing > Remove Share from the pop-up menu.

Note: Alternatively, choose Windows Configuration > Configure Shares, then select the target share and choose Remove.

4. From the Remove Share window, select the share to remove, then click Apply.


Setting Up LDAP

Before you can use Lightweight Directory Access Protocol (LDAP), the LDAP server must be running.

Note: In a cluster configuration, LDAP changes made on one server are propagated immediately to the other server.

To enable the LDAP service:

1. From the navigation panel, choose Unix Configuration > Set Up NSSLDAP.

2. To enable LDAP, check the Enable NSSLDAP checkbox.

3. In the Domain field, type the domain name of the LDAP server (for example, foo.com).

4. In the Password field, specify the password set on the LDAP server.

5. In the Server field, specify the Internet Protocol (IP) address of the LDAP server.

6. In the Proxy field, specify the proxy domain, depending on the server settings.

7. Click Apply to save the settings.


Changing the Name Service Lookup Order

The name service (NS) lookup order controls the sequence in which the system searches the name services to resolve a query. These name services can include LDAP, NIS, NIS+, DNS, and Local. You must enable the services to use them for name resolution.

Note: In a cluster configuration, NS lookup-order changes made on one server are propagated immediately to the other server.

To set the order for user, group, Netgroup, and host lookup:

1. From the navigation panel, choose Unix Configuration > Configure Name Services.

2. Click the Users Order tab to select the order of user lookup.

3. Select a service from the Services Not Selected box.

4. Click > to move it to the Services Selected box.

To remove a service from user lookup, select it and click <.

5. Arrange the order of lookup services in the Services Selected box by selecting each service and clicking the Up or Down button to move it up or down.

The service at the top of the list will be used first.

6. Click the Groups Order tab to select the services to be used for group lookup, then follow the same steps described above to arrange the order of lookup services for groups.

7. Click the Netgroup Order tab to select the services to be used for netgroup lookup, then follow the same steps described above to arrange the order of lookup services for netgroups.

8. Click the Hosts Order tab to select the services to be used for hosts lookup, then follow the same steps described above to arrange the order of lookup services for hosts.

9. Click Apply to save your changes.
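The lookup order matters because the first enabled service that answers wins. The following Python is an added example, not the appliance's code: it models a Services Selected list for the hosts database, skips services that are not enabled, and models the Up/Down buttons, using constructed sample data in which Local and DNS disagree about the same host name so the effect of the order is visible.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data (not from any real system): what each name service
# answers for the "hosts" database. Local and DNS deliberately disagree about
# "kdc", as a pinned local entry and a stale or untrusted DNS record would.
SERVICES: Dict[str, Dict[str, Dict[str, str]]] = {
    "Local": {"hosts": {"kdc": "10.0.0.5"}},
    "DNS":   {"hosts": {"kdc": "10.0.0.99", "fileserver": "10.0.0.20"}},
    "NIS":   {"hosts": {"fileserver": "10.0.0.21"}},
}
# Services the administrator has enabled. A disabled service is never consulted,
# even when it still appears in a Services Selected list.
ENABLED: Set[str] = {"Local", "DNS"}


def lookup(database: str, name: str, order: List[str],
           services=SERVICES, enabled=ENABLED) -> Optional[Tuple[str, str]]:
    """Walk the Services Selected list top to bottom (the top entry is used
    first) and return (service, answer) from the first service that knows
    the name, or None if no enabled service has it."""
    for svc in order:
        if svc not in enabled:
            continue
        answer = services.get(svc, {}).get(database, {}).get(name)
        if answer is not None:
            return svc, answer
    return None


def move(order: List[str], svc: str, up: bool) -> List[str]:
    """Model the Up/Down buttons: shift svc one position toward the top or
    the bottom of the list. Returns a new list; no-op at either end."""
    new = list(order)
    i = new.index(svc)
    j = i - 1 if up else i + 1
    if 0 <= j < len(new):
        new[i], new[j] = new[j], new[i]
    return new


if __name__ == "__main__":
    order = ["DNS", "Local", "NIS"]
    print(lookup("hosts", "kdc", order))           # ('DNS', '10.0.0.99')
    order = move(order, "Local", up=True)          # ['Local', 'DNS', 'NIS']
    print(lookup("hosts", "kdc", order))           # ('Local', '10.0.0.5')
    print(lookup("hosts", "fileserver", ["NIS", "DNS"]))  # NIS disabled, so DNS answers
```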