preparing Windows 2012 R2 Active Directory for Linux


This is the second post in a series of loosely coupled posts on installing and testing an NFSv4 environment with EMC Isilon. In the first post I covered the steps to install a Windows 2012 R2 Active Directory server; this post presents the steps to prepare the Active Directory for Linux clients. The next post covers the steps required to configure a RHEL host to join the domain and use Kerberized NFS.

Windows uses SIDs (security identifiers) to uniquely identify Windows users and groups. They look something like this: “S-1-5-32-544” (the well-known domain-relative SID of the local Administrators group).
Linux, in contrast, uses a UID (user identifier) and a GID (group identifier) to uniquely identify a user or group. UIDs and GIDs are integers, for example 32767 (the default for nobody).

As we want to use our Active Directory not only to authenticate a Linux host or user but also to resolve user and group names to UIDs and GIDs, we have to store these IDs in the Active Directory database.
Luckily Windows supports RFC 2307 (An Approach for Using LDAP as a Network Information Service), so no changes to the Active Directory schema itself are necessary.

The LDAP attributes for groups are:
msSFU30NisDomain
gidNumber

and for users:
uidNumber
gidNumber
unixHomeDirectory
loginShell
msSFU30NisDomain

Please note: as we are going to use AD/LDAP to resolve UIDs/GIDs from our Linux/Isilon systems, you don’t need to install the Microsoft Identity Management for Unix services. This is especially welcome because Windows Server Core does not support these services! You only need them if you want to manage the UID/GID with the Active Directory Users and Computers MMC. They can be installed on a Windows Server 2012 R2 with the following command:

Dism.exe /online /enable-feature /featurename:adminui /featurename:nis /all

To add the required attributes to an existing or new user/group you can use the following PowerShell cmdlets:
New-ADGroup
Set-ADGroup
New-ADUser
Set-ADUser

Here is an example that creates an AD group “linux_user” with a GID of 20000 and the NisDomain “emc”:

New-ADGroup -name linux_user -GroupScope 1 -OtherAttributes @{msSFU30NisDomain='emc';gidNumber=20000}

If you have an existing group you can use the following cmdlet to add the attributes:

Set-ADGroup -Identity linux_user -Add @{msSFU30NisDomain='emc';gidNumber=20000}

Next we create a user “user1” with a UID of 10000, a member of group 20000 and NisDomain “emc”. Furthermore the user will use “/bin/bash” as login shell and a home directory located at “/home/EMC/user1”.

New-ADUser -name user1 -OtherAttributes @{uidNumber=10000;gidNumber=20000;unixHomeDirectory='/home/EMC/user1';loginShell='/bin/bash';msSFU30NisDomain='emc'}

And again for adding attributes to an existing user:

Set-ADUser -Identity user1 -Add @{uidNumber=10000;gidNumber=20000;unixHomeDirectory='/home/EMC/user1';loginShell='/bin/bash';msSFU30NisDomain='emc'}

Now you are able to query the Active Directory via LDAP from your Linux client or Isilon system to resolve user and group attributes. Furthermore you have a mapping between Windows and Linux users, which is necessary for multiprotocol access to Isilon!

For testing in my lab I used the following PowerShell command to quickly create 5 users with the appropriate Linux attributes and the password “Passw0rd”, and to add each user to the AD group “linux_user”:

for ($i=1; $i -le 5; $i++) {
    New-ADUser -name ('user' + $i) -PasswordNeverExpires:$true `
        -AccountPassword (ConvertTo-SecureString "Passw0rd" -AsPlainText -Force) -Enabled:$true `
        -OtherAttributes @{uidNumber=(10000+$i);gidNumber=20000;unixHomeDirectory=('/home/EMC/user'+$i);loginShell='/bin/bash';msSFU30NisDomain='emc'}
    Add-ADGroupMember -Identity linux_user -Members ('user'+$i)
}
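As an added example (my own script, not the post's), here is a PowerShell version of the steps above that also refuses to assign a gidNumber or uidNumber already in use, because duplicate IDs collapse distinct principals into one identity on the NFS side. It reuses the post's group name, NisDomain, GID and UID base; the user names and the interactive password prompt are my assumptions.

```powershell
# Added example, not part of the original post: idempotent RFC 2307 provisioning
# with collision checks on gidNumber/uidNumber and a duplicate report at the end.
Import-Module ActiveDirectory

$NisDomain = 'emc'
$GroupName = 'linux_user'
$Gid       = 20000
$UidBase   = 10000

# Refuse to reuse a gidNumber that some other group already carries.
$clash = Get-ADGroup -LDAPFilter "(&(gidNumber=$Gid)(!(sAMAccountName=$GroupName)))"
if ($clash) { throw "gidNumber $Gid is already used by group $($clash.Name)" }

$grp = Get-ADGroup -Filter "Name -eq '$GroupName'" -Properties gidNumber,msSFU30NisDomain
if (-not $grp) {
    New-ADGroup -Name $GroupName -GroupScope Global `
        -OtherAttributes @{ msSFU30NisDomain = $NisDomain; gidNumber = $Gid }
} elseif ($grp.gidNumber -ne $Gid) {
    # Existing group without (or with a different) GID: set the POSIX attributes.
    Set-ADGroup -Identity $GroupName -Replace @{ msSFU30NisDomain = $NisDomain; gidNumber = $Gid }
}

# Lowest uidNumber >= $Base that no user in the directory holds yet.
function Get-NextFreeUid([int]$Base) {
    $used = Get-ADUser -LDAPFilter '(uidNumber=*)' -Properties uidNumber |
            ForEach-Object { [int]$_.uidNumber }
    $uid = $Base
    while ($used -contains $uid) { $uid++ }
    return $uid
}

foreach ($name in 'user1', 'user2', 'user3') {            # assumed sample names
    if (Get-ADUser -Filter "sAMAccountName -eq '$name'") { continue }   # already exists
    $uid = Get-NextFreeUid $UidBase
    New-ADUser -Name $name -Enabled $true `
        -AccountPassword (Read-Host "Password for $name" -AsSecureString) `
        -OtherAttributes @{ uidNumber = $uid; gidNumber = $Gid
                            unixHomeDirectory = "/home/EMC/$name"
                            loginShell = '/bin/bash'; msSFU30NisDomain = $NisDomain }
    Add-ADGroupMember -Identity $GroupName -Members $name
}

# Verification: any uidNumber shared by more than one account is a mapping problem.
Get-ADUser -LDAPFilter '(uidNumber=*)' -Properties uidNumber |
    Group-Object uidNumber | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "uidNumber $($_.Name) is shared by: $($_.Group.Name -join ', ')" }
```

Run it on the domain controller (or a host with RSAT) as an account allowed to create users and groups; the final report is also useful on its own as a periodic check.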

The last steps are configuring and joining the Isilon and linux host to our active directory. This will be covered in one of the next posts.



6 thoughts on “preparing Windows 2012 R2 Active Directory for Linux”

  • dot

    Thank you.

    (2011) I was able to join Redhat 4.7 under Windows Server 2003 R2 like Database Member Server [Oracle 10g].

    Because IDMU is deprecated in Win 2012 R2, I’ll go with your solution.

    (2014) I was able to join CentOS 6.5 under Windows 2012.

  • Bruce

    Do you know how feasible it would be to set the UIDnumber of a user or the GIDnumber of a Security Group in AD based on the formula $baseUID + $RID where $baseUID is set to something like 10,000 or 100,000 (and essentially stands in for the based of the SID) and $RID is the relative identifier of the User or Security Group extracted from the SID?

  • Matt

    Hello Christopher,

    Thank you very much for a great post.

    You wrote “… you don’t need to install the Microsoft Identity Management for Unix services. … Only if you want to manage the UID/GID with the active directory users and computers MMC you need these services. ”
    I’m not sure if I missed something, but on my Server 2012 R2 I didn’t install Microsoft Identity Management for Unix Services, but if in Active Directory Users and Computers under the View menu I select Advanced Features, then in the user or group Properties a new tab “Attribute Editor” appears, which allows you to manually enter all the Unix attributes you listed in your post. Of course, the PowerShell approach is better. I use Windows Server 2012 R2 AD for user and group authentication and management on my Linux systems running Samba 4.1 as members of the AD domain (I don’t use NIS and therefore don’t use the msSFU30NISDomain attribute). Could you please clarify? Also, do you know if Microsoft will continue to support RFC2307, or will it drop it as it did with Identity Management for Unix Services?

    Thanks again,
    Matt

    • Matt

      Christopher,

      I think I got it, you’re using Windows Server 2012 R2 core installation, without GUI, but as I understand Server 2012 R2 still supports RFC2307 out of the box without Identity Management for Unix Services installed, because I never installed it.

      Matt