Enable RFC2307 for OneFS and Active Directory

Windows Active Directory (AD) supports authenticating Unix/Linux clients using the RFC2307 attributes (e.g. UID/GID). Isilon OneFS is also RFC2307 compatible, so it is recommended to use Active Directory as the OneFS authentication provider and get centralized identity management and authentication. This post covers the configuration needed to integrate AD and OneFS in an RFC2307-compatible way. Windows 2012R2 AD and OneFS 8.1.0 are used to show the process.

Prepare Windows 2012R2 AD for Unix/Linux

Unlike Windows 2008, Windows 2012 comes with the UNIX attributes already loaded in the schema. As of this release the Identity Services for UNIX feature has been deprecated (it remains available until Windows 2016), and the NIS and Psync services are not required.

The UI elements for configuring RFC2307 attributes are not as convenient as they were in 2008, since the IDMU MMC snap-in has also been deprecated. So we install the IDMU component first to make it easier to configure the UID/GID attributes. The following commands install the IDMU components on Windows 2012R2:

  • To install the administration tools for Identity Management for UNIX.
    • dism.exe /online /enable-feature /featurename:adminui /all
  • To install Server for NIS.
    • dism.exe /online /enable-feature /featurename:nis /all
  • To install Password Synchronization.
    • dism.exe /online /enable-feature /featurename:psync /all

After restarting the AD server, the UNIX Attributes tab appears, the same as in Windows 2008R2, as shown below. Now you can configure your AD users/groups to be compatible with the Unix/Linux environment. It is recommended to configure UIDs/GIDs of 10000 and above, and not to overlap with the OneFS default auto-assign UID/GID range (1000000 – 2000000).

[Image: UNIX Attributes.png]

Configure the OneFS Active Directory authentication provider to enable RFC2307

For mixed-mode (Unix/Linux/Windows) authentication, several advanced options of the Active Directory authentication provider need to be set:

  • Services for UNIX: rfc2307 – This uses the Identity Management for UNIX attributes in the Active Directory schema.
  • Auto-Assign UIDs: No – By default OneFS generates pseudo UIDs for users it cannot match to SIDs, which can cause user-mapping issues.
  • Auto-Assign GIDs: No – By default OneFS generates pseudo GIDs for groups it cannot match to SIDs; as with users, a group-mapping mismatch could occur.

You can apply this configuration from either the CLI or the WebUI. The CLI command is isi auth ads modify EXAMPLE.LOCAL --sfu-support=rfc2307 --allocate-uids=false --allocate-gids=false. Alternatively, change the settings from the WebUI, as shown below:

[Image: RFC2307 OneFS.png]

After the configuration above, OneFS can use Active Directory as the identity source for Unix/Linux clients. This also simplifies identity management, since a single central identity source (AD) serves both Unix/Linux clients and Windows clients.


7005060: NFS4 mount shows all ownership as “nobody” or 4294967294


Environment

SUSE Linux Enterprise Desktop 12
SUSE Linux Enterprise Desktop 11
SUSE Linux Enterprise Desktop 10
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10

Situation

An NFS client is successfully mounting an NFS v4 file system. However, upon executing “ls -al,” all the file user and group ownership is showing as “nobody” or as “4294967294”, instead of the values that are shown when viewed directly on the remote NFS server.

Resolution

This issue is due to the NFS v4 identity mapping daemon (idmapd) not running, being misconfigured, or holding old information in its cache. The identity mapping daemon is not used in NFS v3. See the “Cause” section for more details on the purpose of idmapd and on NFS v3 versus v4 in this regard.
1. idmapd not running.
Both the NFS client and the NFS server machines must be running idmapd. On linux, check for an idmapd process with “ps aux | grep idmapd”. A process for “/usr/sbin/rpc.idmapd” should be found.
On SLES 10, you could restart idmapd with the command “rcidmapd restart”.
On SLES 11 and 12, idmapd is not started separately; it is part of the initialization of the NFS server or NFS client services. It should start whenever either the “nfsserver” service or the “nfs” service (which initializes the NFS client dependencies) is started. So “rcnfs restart” or “rcnfsserver restart” can be attempted if idmapd is not running.
However, in some cases idmapd might not be started. For example, if the /etc/fstab does not contain any NFS v4 mount, it is possible that idmapd will not be started when “nfs” starts.
2. idmapd misconfigured
Both the NFS server and the NFS client must have good /etc/idmapd.conf settings. Even when the same user accounts are known to both the servers and clients, idmapd configuration problems can prevent proper ownership from being displayed.
Check the /etc/idmapd.conf file. The [General] section should have a Domain setting. The domain is an arbitrary string but it must be set identically on NFS clients and their NFS servers. This setting often reports “localdomain” by default, and that is usually adequate. Often, it will be set to match the company’s DNS domain name, but that is not required (and would merely be coincidence, rather than meaningful). It can also be helpful for there to be a [Translation] section which specifies the method of translating between names and IDs. Typically, it is best to point to nsswitch methodology.
So, for example, a typical idmapd.conf file might look like the following. If this file is changed, idmapd must be restarted.
[General]
Verbosity=7
Pipefs-Directory=/var/lib/nfs/rpc_pipefs
Domain=localdomain
[Mapping]
Nobody-User=nobody
Nobody-Group=nobody
[Translation]
Method=nsswitch
3. idmapd is caching old information.
Old information can be held by idmapd, which may temporarily prevent it from learning new information. Even the fact that a user has no mapping can be cached beyond the point where one is later created or becomes available. The cache keeps entries for 10 minutes by default. This is usually fine, because user identities do not change or get created very often. However, idmapd may learn early in system boot that certain users are not found, because the identity information is not yet reachable: for example, idmapd might be started before sssd or the other methods used to obtain user identities. In such a case a negative cache entry can persist for the first 10 minutes after boot. To clear the cache more quickly:
Stopping and starting idmapd will correct this, but that is not always desired.
On SLES 12, the command “nfsidmap -c” is available and should clear the cache and allow new information to be learned.
Another option is to lower the cache timer. This is set in /etc/sysctl.conf with:
fs.nfs.idmap_cache_timer = 60

(This value is in seconds; the default is 600.)

Cause

For user names to be displayed correctly, the NFS v4 server must have knowledge of the same user and group accounts as the NFS client is using, and must be in the same idmapd domain.
NFS v4 is designed to pass identities between servers and clients in the form ‘username@domainname’.
This is a major change from NFS v3’s method of passing the UID number. With NFS v3, an NFS server would store and report these UID values in the file system, even if it had no knowledge of the user accounts they belonged to. So essentially, a UID that was not known to one side or the other could still be handled in a valid way.
If users and groups are centrally managed, and all systems have access to the same identity store, idmapd’s method works fairly easily. But it is crucial that the NFS server and NFS client have access to identical account information and the same idmapd domain name setting; otherwise idmapd cannot do its job properly, and ownership may be displayed as “nobody” or an equivalent high value.
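To make the Cause and Resolution sections concrete, here is an added Python model of what idmapd does with an NFSv4 owner string. It is not SUSE's code: it parses idmapd.conf-style text with the standard-library configparser, resolves ‘user@domain’ against a constructed passwd table that stands in for the nsswitch lookup, and keeps a TTL cache that also stores negative results, so it reproduces the three failure modes above (domain mismatch, unknown user, stale negative cache entry). The constant names, the clock injection and the clear_cache method are assumptions of this example.

```python
"""Toy model of NFSv4 owner-string mapping as idmapd performs it (added example)."""
import configparser
import time

# Constructed idmapd.conf contents for an NFS server and for a misconfigured client.
SERVER_CONF = """
[General]
Domain=localdomain
[Mapping]
Nobody-User=nobody
Nobody-Group=nobody
[Translation]
Method=nsswitch
"""
CLIENT_CONF_MISMATCH = SERVER_CONF.replace("Domain=localdomain", "Domain=corp.example")

# Constructed passwd-style table (name -> uid); stands in for the nsswitch lookup.
PASSWD = {"alice": 10001, "bob": 10002, "nobody": 65534}

# Raw value a client shows when no mapping exists at all (2^32 - 2), as in the symptom.
UNMAPPED_ID = 4294967294


def load_idmapd_conf(text):
    """Read the [General] Domain and [Mapping] Nobody-User settings."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {
        "domain": cp.get("General", "Domain", fallback="localdomain"),
        "nobody_user": cp.get("Mapping", "Nobody-User", fallback="nobody"),
    }


class IdMapper:
    """Map 'name@domain' to a UID, with a cache like fs.nfs.idmap_cache_timer."""

    def __init__(self, conf_text, passwd, cache_timer=600, clock=time.monotonic):
        self.conf = load_idmapd_conf(conf_text)
        self.passwd = passwd            # nsswitch stand-in (hypothetical)
        self.cache_timer = cache_timer  # seconds; 600 is the kernel default
        self.clock = clock              # injectable for testing
        self._cache = {}                # owner string -> (uid or None, expiry)

    def name_to_uid(self, owner):
        """Return the local UID for an NFSv4 owner string, or the nobody UID."""
        now = self.clock()
        hit = self._cache.get(owner)
        if hit and hit[1] > now:
            uid = hit[0]
        else:
            uid = self._lookup(owner)
            # A failed lookup is cached too: this is the "negative cache" problem.
            self._cache[owner] = (uid, now + self.cache_timer)
        if uid is None:
            return self.passwd.get(self.conf["nobody_user"], UNMAPPED_ID)
        return uid

    def _lookup(self, owner):
        name, sep, domain = owner.partition("@")
        if not sep or domain != self.conf["domain"]:
            return None                 # foreign or missing domain: no mapping
        return self.passwd.get(name)    # unknown user: no mapping

    def clear_cache(self):
        """What 'nfsidmap -c' does on SLES 12."""
        self._cache.clear()


if __name__ == "__main__":
    ok = IdMapper(SERVER_CONF, PASSWD)
    bad = IdMapper(CLIENT_CONF_MISMATCH, PASSWD)
    print("matching domain :", ok.name_to_uid("alice@localdomain"))
    print("domain mismatch :", bad.name_to_uid("alice@localdomain"))
```

Run it and the same owner string resolves to 10001 on the node whose Domain matches and to the nobody UID on the node whose Domain differs, which is exactly why the Domain value must be identical on server and client.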

Event ID 4012 — NFS LDAP Connection

Updated: January 27, 2011

Applies To: Windows Server 2008 R2

Server for NFS enables you to control access by users and groups to Services for Network File System (NFS) resources. A connection to a Lightweight Directory Access Protocol (LDAP) server allows Server for NFS to query Windows-UNIX user account mappings and grant file access to a user.

Event Details

Product: Windows Operating System
ID: 4012
Source: NfsService
Version: 6.1
Symbolic Name: ERR_NFS_LDAP_NOT_UNIQUE_GID
Message: Active Directory Domain Services(R) contains multiple groups which match attribute <%1>. Only one Windows(R) group should be associated with each UNIX GID.

With multiple Windows groups associated with one UNIX GID, Server for NFS cannot determine which Windows group to use to grant access to files.

Try removing the duplicate UNIX GID entries.

Resolve
Remove duplicate UNIX GID entries

Remove duplicate UNIX group identifier (GID) entries.

Note: For more information about removing GID entries, see your LDAP vendor’s documentation.

Verify

To verify that Services for Network File System (NFS) is properly configured for retrieving Windows-UNIX identity mappings from the LDAP service:

  1. Open a command prompt with elevated privileges and type nfsadmin mapping config.
  2. Verify that the Mapping Server field in the list displays your installed LDAP service.
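The two directory hygiene rules on this page, UID/GID values of 10000 and above that stay out of the OneFS auto-assign range 1000000–2000000 (from the OneFS post) and one Windows group per UNIX GID (the condition behind event 4012), can be checked from an LDIF export before the mapping is put into service. The following Python script is an added example, not code from the OneFS post or the Microsoft event page: it parses a constructed LDIF-style export of the shape an AD export tool produces (base64 values and line continuations are deliberately out of scope) and reports every entry that breaks one of the rules. The attribute names uidNumber, gidNumber, sAMAccountName and objectClass are the standard AD/RFC2307 ones; the sample entries and thresholds are the example's own.

```python
"""Audit RFC2307 uidNumber/gidNumber values in an LDIF export (added example)."""

MIN_ID = 10000                          # recommended floor from the OneFS post
ONEFS_AUTO_RANGE = (1_000_000, 2_000_000)  # OneFS default auto-assign range

# Constructed export; values chosen so each check fires exactly once.
LDIF_EXPORT = """\
dn: CN=alice,OU=Users,DC=example,DC=local
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10001

dn: CN=bob,OU=Users,DC=example,DC=local
objectClass: user
sAMAccountName: bob
uidNumber: 1500000
gidNumber: 10001

dn: CN=carol,OU=Users,DC=example,DC=local
objectClass: user
sAMAccountName: carol
uidNumber: 501
gidNumber: 10001

dn: CN=nfsusers,OU=Groups,DC=example,DC=local
objectClass: group
sAMAccountName: nfsusers
gidNumber: 10001

dn: CN=storage,OU=Groups,DC=example,DC=local
objectClass: group
sAMAccountName: storage
gidNumber: 10001
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per blank-line separated LDIF entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit_rfc2307(entries):
    """Return (account name(s), problem) tuples for every rule violation."""
    problems = []
    gid_owners = {}  # gidNumber -> names of groups carrying it

    def check_range(name, attr, value):
        n = int(value)
        if n < MIN_ID:
            problems.append((name, f"{attr}={n} is below {MIN_ID}"))
        if ONEFS_AUTO_RANGE[0] <= n <= ONEFS_AUTO_RANGE[1]:
            problems.append((name, f"{attr}={n} overlaps the OneFS auto-assign range"))

    for entry in entries:
        name = entry.get("sAMAccountName", ["?"])[0]
        for attr in ("uidNumber", "gidNumber"):
            for value in entry.get(attr, []):
                check_range(name, attr, value)
        # Only group objects count toward the one-group-per-GID rule (event 4012).
        if "group" in entry.get("objectClass", []):
            for gid in entry.get("gidNumber", []):
                gid_owners.setdefault(gid, []).append(name)

    for gid, groups in sorted(gid_owners.items()):
        if len(groups) > 1:
            problems.append((",".join(groups), f"gidNumber={gid} assigned to {len(groups)} groups"))
    return problems


if __name__ == "__main__":
    for who, what in audit_rfc2307(parse_ldif(LDIF_EXPORT)):
        print(f"{who}: {what}")
```

On the sample export the script flags bob (UID inside the auto-assign range), carol (UID below 10000) and the pair nfsusers,storage (shared GID); alice passes. Point parse_ldif at a real export of your users and groups containers to run the same checks on live data.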

Related Management Information

NFS LDAP Connection

File Services


Event ID 1074 — NFS File Sharing

Updated: January 27, 2011

Applies To: Windows Server 2008 R2

A computer running Windows and Server for NFS can act as a file server and share files between Windows-based and UNIX-based computers.

Event Details

Product: Windows Operating System
ID: 1074
Source: NfsServer
Version: 6.1
Symbolic Name: EVENT_NFS_ICB_INIT_UNSUPPORTED_VOLUME
Message: Server for NFS cannot initialize the non-NTFS volume with drive letter <%2> for sharing.

Server for NFS only supports NTFS file system volumes and not FAT, CDFS, or any other volume formatting.

Move the Network File System (NFS) shared resource to an NTFS volume.

Resolve
Move the Services for NFS shared resource to an NTFS volume

Move the Services for Network File System (NFS) shared resource to an NTFS volume.

Verify

To verify Server for NFS is sharing files:

  1. Open a command prompt with elevated privileges and type nfsshare.
  2. Verify that the list of shared resources is correct.

For more information about file sharing and Services for Network File System (NFS), see the Services for NFS configuration guide at http://go.microsoft.com/fwlink/?LinkId=100954.

Related Management Information

NFS File Sharing

File Services


Event ID 1027 — Subsystem for UNIX-based Applications Availability

Updated: December 16, 2008

Applies To: Windows Server 2008 R2

Subsystem for UNIX-based Applications (SUA) Availability is a measure of SUA’s readiness to support POSIX applications and scripts.

Event Details

Product: Windows Subsystem for UNIX-based Applications
ID: 1027
Source: Microsoft-Windows-SUA-Psxss
Version: 6.0
Symbolic Name: PSX_SUA_LICENSE_ERROR
Message: Subsystem for UNIX-based Applications is not available in this edition of Windows.

Resolve
Make sure the feature has been installed correctly on this version of Windows

Subsystem for UNIX-based Applications (SUA) is not supported on this version or edition of the Windows operating system.

Errors or failures might have occurred during the SUA installation and setup process. Look for error messages that were logged after SUA was installed. Try reinstalling SUA to clear errors. Note that when you reinstall SUA, you must also reinstall the Utilities and SDK package before you can use SUA shells, tools, and libraries.

To reinstall SUA on a computer running Windows Server 2008 by using the Windows interface:

  1. Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.
  2. In the Features Summary area of the Server Manager home page, click Remove Features. The Remove Features wizard opens.
  3. On the Select Features page of the Remove Features Wizard, clear the check box next to Subsystem for UNIX-based Applications. Click Next.
  4. On the Confirm Removal Options page, click Remove. Removal completes after a short period.
  5. In the Features Summary area of the Server Manager home page, click Add Features. The Add Features Wizard opens.
  6. On the Select Features page of the Add Features Wizard, select Subsystem for UNIX-based Applications, and then click Next.
  7. Click Install. Allow a few minutes for installation to complete.

To reinstall Utilities and Software Development Kit (SDK) for Subsystem for UNIX-based Applications:

  1. Download the Utilities and SDK for Subsystem for UNIX-based Applications from the Microsoft Web site (http://go.microsoft.com/fwlink/?linkid=67558).
  2. In the Utilities and SDK for Subsystem for UNIX-based Applications Wizard, click Next.
  3. In the User name box, type your name. If the name of your organization does not show in the Organization field, enter the name of your organization.
  4. Read the Microsoft Software License Terms carefully. If you accept the terms of the agreement, click I accept the terms in the License Agreement, and then click Next to continue installation. If you click I do not accept the License Agreement (Exit Setup), the installation procedure terminates.
  5. To install default Utilities and SDK for Subsystem for UNIX-based Applications components in the default directory, click Standard Installation, and then click Next. Allow a few minutes for installation to complete.

Verify

Verify that the Subsystem for UNIX-based Applications (SUA) Psxss.exe utility is available by viewing Psxss.exe in the Windows Task Manager.

To verify that Psxss.exe is running:

  1. Open Windows Task Manager by pressing CTRL+ALT+DEL, and then clicking Task Manager.
  2. On the Processes tab, select the Show processes from all users check box.
  3. Verify that PSXSS.exe is running.

If PSXSS.exe is not running, Subsystem for UNIX-based Applications (SUA) is not available.

Related Management Information

Subsystem for UNIX-based Applications Availability

Subsystem for UNIX-based Applications


Event ID 1026 — Subsystem for UNIX-based Applications Availability

Updated: December 16, 2008

Applies To: Windows Server 2008 R2

Subsystem for UNIX-based Applications (SUA) Availability is a measure of SUA’s readiness to support POSIX applications and scripts.

Event Details

Product: Windows Subsystem for UNIX-based Applications
ID: 1026
Source: Microsoft-Windows-SUA-Psxss
Version: 6.0
Symbolic Name: PSX_SUA_RUN_IN_SAFE_MODE
Message: Subsystem for UNIX-based Applications was started in Safe Mode. This functionality is not available in Safe Mode.

Resolve
Restart the computer normally (not in Safe Mode)

Subsystem for UNIX-based Applications (SUA) cannot operate when your Windows operating system is running in Safe Mode. Restart Windows in normal operating mode to run SUA.

To restart the computer:

  • Click Start, click the arrow next to the Lock button, and then click Restart.

Verify

Verify that the Subsystem for UNIX-based Applications (SUA) Psxss.exe utility is available by viewing Psxss.exe in the Windows Task Manager.

To verify that Psxss.exe is running:

  1. Open Windows Task Manager by pressing CTRL+ALT+DEL, and then clicking Task Manager.
  2. On the Processes tab, select the Show processes from all users check box.
  3. Verify that PSXSS.exe is running.

If PSXSS.exe is not running, Subsystem for UNIX-based Applications (SUA) is not available.

Related Management Information

Subsystem for UNIX-based Applications Availability

Subsystem for UNIX-based Applications


Event ID 1025 — Subsystem for UNIX-based Applications Functionality

Updated: December 16, 2008

Applies To: Windows Server 2008 R2

Subsystem for UNIX-based Applications (SUA) Functionality is a measure of how the SUA send-and-receive utility, Psxss.exe, is functioning. When Psxss.exe is operating normally, SUA is able to accept user commands, and port applications over to Windows-based operating systems from UNIX-based operating systems.

Event Details

Product: Windows Subsystem for UNIX-based Applications
ID: 1025
Source: Microsoft-Windows-SUA-Psxss
Version: 6.0
Symbolic Name: PSX_BAD_SECURITY_FILE
Message: The security file was damaged, and has been recreated. This will cause existing device special files to be rejected; these files must be recreated. See the makedev -f command to restore default special files.

Resolve
Recreate device file

Subsystem for UNIX-based Applications has experienced a loss of functionality, and device files must be recreated.

Run the command /usr/sbin/makedev -f in a shell session to restore the default device files.

Verify

Verify that the Subsystem for UNIX-based Applications (SUA) Psxss.exe utility is functioning, first by viewing Psxss.exe in the Windows Task Manager, and then by using an SUA application that you have developed or are porting to Windows to transmit data over the network.

To verify that Psxss.exe is running:

  1. Open Windows Task Manager by pressing CTRL+ALT+DEL, and then clicking Task Manager.
  2. On the Processes tab, select the Show processes from all users check box.
  3. Verify that PSXSS.exe is running.

Next, use an application on which you are working in SUA, or that you are porting to Windows by using SUA, to send some data over the network. For example, attempt to use your application to modify files or documents in another location on the network. If PSXSS.exe is functioning properly, and is active in the list of processes in Task Manager, sending SUA application data over the network should succeed.

Related Management Information

Subsystem for UNIX-based Applications Functionality

Subsystem for UNIX-based Applications


Event ID 1021 — Subsystem for UNIX-based Applications Availability

Updated: November 14, 2007

Applies To: Windows Server 2008

Subsystem for UNIX-based Applications (SUA) Availability is a measure of SUA’s readiness to support POSIX applications and scripts.

Event Details

Product: Windows Subsystem for UNIX-based Applications
ID: 1021
Source: Microsoft-Windows-SUA-Psxss
Version: 6.0
Symbolic Name: PSX_BAD_PORT
Message: Connection to port %1 failed; Subsystem for UNIX-based Applications terminated during startup.

Resolve
Restart the computer: Subsystem for UNIX-based Applications failed due to an uncorrectable problem

The text of the error message in Event Viewer should show the exact source of the failure. Try restarting the computer to clear the error and resume work in Subsystem for UNIX-based Applications.

To restart the computer:

  • Click Start, click the arrow next to the Lock button, and then click Restart.

Verify

Verify that the Subsystem for UNIX-based Applications (SUA) Psxss.exe utility is available by viewing Psxss.exe in the Windows Task Manager.

To verify that Psxss.exe is running:

  1. Open Windows Task Manager by pressing CTRL+ALT+DEL, and then clicking Task Manager.
  2. On the Processes tab, select the Show processes from all users check box.
  3. Verify that PSXSS.exe is running.

If PSXSS.exe is not running, Subsystem for UNIX-based Applications (SUA) is not available.

Related Management Information

Subsystem for UNIX-based Applications Availability

Subsystem for UNIX-based Applications


Event ID 1016 — Subsystem for UNIX-based Applications Functionality

Updated: December 16, 2008

Applies To: Windows Server 2008 R2

Subsystem for UNIX-based Applications (SUA) Functionality is a measure of how the SUA send-and-receive utility, Psxss.exe, is functioning. When Psxss.exe is operating normally, SUA is able to accept user commands, and port applications over to Windows-based operating systems from UNIX-based operating systems.

Event Details

Product: Windows Subsystem for UNIX-based Applications
ID: 1016
Source: Microsoft-Windows-SUA-Psxss
Version: 6.0
Symbolic Name: PSX_EXCEPTION
Message: Unexpected Exception pid=%1 cid=%2.%3 code=%4 fc=%5

Resolve
Add a signal handler for the SIGEXCEPT signal in the POSIX application

If an exception occurs in a POSIX application, the exact nature of the exception is detailed in the event log.

If an application on which you are working in Subsystem for UNIX-based Applications has generated this error, add a signal handler to your application to handle the SIGEXCEPT signal.

Detailed information about working with signals and adding a signal handler to applications is available in the Help included with the Utilities and Software Development Kit (SDK) for Subsystem for UNIX-based Applications download package, available from the Microsoft Web site (http://go.microsoft.com/fwlink/?linkid=67558). Specifically, you can find information about signal handling in Help for Porting Applications to Subsystem for UNIX-based Applications (PortApps.chm).

Verify

Verify that the Subsystem for UNIX-based Applications (SUA) Psxss.exe utility is functioning, first by viewing Psxss.exe in the Windows Task Manager, and then by using an SUA application that you have developed or are porting to Windows to transmit data over the network.

To verify that Psxss.exe is running:

  1. Open Windows Task Manager by pressing CTRL+ALT+DEL, and then clicking Task Manager.
  2. On the Processes tab, select the Show processes from all users check box.
  3. Verify that PSXSS.exe is running.

Next, use an application on which you are working in SUA, or that you are porting to Windows by using SUA, to send some data over the network. For example, attempt to use your application to modify files or documents in another location on the network. If PSXSS.exe is functioning properly, and is active in the list of processes in Task Manager, sending SUA application data over the network should succeed.

Related Management Information

Subsystem for UNIX-based Applications Functionality

Subsystem for UNIX-based Applications
