Disclaimer - I'm not Windows savvy so feel free to set me straight if/when/where needed..
I've searched around in the communities site and have read loads of posts about auth'ing admin users against AD. I've also searched the web for hours looking for similar content. I don't feel that all of what I've read fully addressed what I seem to be looking for though. Before I ramble on and on (my apologies in advance), here are some key things that need to be factored in:
1. There is no cDOT - everything is 7G/7-Mode
2. The use of vFilers is **not** an option
3. A 2-way trust **cannot** be established
Reading through documentation all the way back to 7.2.5.1 (I didn't go any further), the docs say the following requirements exist to use AD:
========================
A valid CIFS license
Your storage system joined to an Active Directory domain
A two-way trust relationship established between your storage system’s domain and your LDAP server’s domain, if they are different
========================
From what I've read, all one needs to do is run through the initial CIFS setup and that should suffice - but the above seems to contradict that. So do you actually /have to have/ a CIFS license AND be "..joined to an Active Directory domain" ?? IIRC you can auth against AD via the LDAP options without making the storage controllers actually be part of any AD. What if they *are* part of an existing AD; can you point them at a different set of AD servers altogether for **just** admin auth? That whole trust req above seems to point to no..
Thanks!
All you need is to run CIFS setup to allow for the Kerberos/SASL bind to take place against the AD server. You don't need a CIFS license, as 7-Mode allows for a limited use CIFS server (no data access).
If they are part of an existing AD, you would need to have a trust between the two to allow it to work. You can't join the same filer to two domains unless you use vfilers, which are essentially separated filers anyway and you said it wasn’t an option anyway.
You don't have to have a 2-way trust in this scenario. You could probably get away with a one way trust.
-----Original Message-----
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Mike B.
Sent: Monday, July 15, 2013 12:40 PM
To: toasters@teaparty.net
Subject: AD/LDAP Auth