OES server with NSS AD configured can join to any DSfW (Domain Services for Windows) domain, which allows DSfW users to access AD enabled NSS volumes over SMB protocol. DSfW users are considered same as AD users which enables them to perform authentication over kerberos. Management tools such as NURM and NFARM can be used by a DSfW user to manage the trustees, rights, quotas, salvage and purge. DSfW users can also access files from DST enabled and DFS enabled NSS volumes. Users of Active Directory domain which has bi-directional trust to DSfW domain can access the NSS volume.
Overall, OES server with NSS AD configured can join to AD or DSfW domain and users of cross forest AD or DSfW domain can seamlessly access the NSS volumes over SMB.
Name-mapped or non-name-mapped DSFW environment + eDirectory tree: OES is installed in the same eDirectory tree. The users from the eDirectory partition of DSFW domain access NSS over CIFS by using eDirectory credentials.
With NSS-AD support for DSfW, customers would like their users to access NSS over CIFS as DSFW domain users, thereby taking advantage of Single Sign-On through Kerberos.
As filesystem rights are already assigned to eDirectory users that there is no need to change the filesystem rights as the user set is same for both eDirectory and DSFW.
All the servers joined to the DSFW domain should be OES 2018 SP2 or later.
The user should access NSS by using either eDirectory or DSfW credentials. The same user should not access NSS by using both eDirectory and DSFW credentials.
The eDirectory users accessing NSS will all be changed to access NSS as DSFW users over Kerberos.
Ensure to meet the NSS AD requirements. For more information, see Section 3.0, Preparing to Deploy NSS AD.
The OES server should resolve the DNS queries for the DSFW domain.
Join OES server to the DSFW domain.
By using novcifs command set --map-adsessions-to-edir=YES on the OES server.
By setting this option,
The DSFW/AD domain users can access NSS over CIFS by using DSFW or AD credentials seamlessly.
The filesystem operations are executed with the rights granted to their eDirectory identities.
On successful authentication the OES filesystem treats the connections as eDirectory connections.
All the details related to connections in novcifs and NRM is listed as eDirectory connections.
Name-mapped or non-name-mapped DSFW environment + DSfW Domain Trust with AD Forests/ Domains + eDirectory tree: AD and eDirectory have different user sets.
The DSFW and AD users authenticate by using their respective DSFW and AD credentials. However, file permissions for AD users shall be granted for their AD identities.
Ensure to meet all the prerequisites listed in Planning the Environment.
Users in the DSFW and AD environments should be unique.
Join OES to DSFW domain.
Enable file access for both DSFW and AD users.
For AD users file permissions should be grated for their respective AD identities.
Use novcifs command and set --map-adsessions-to-edir=fallback on the OES server.
With this setting, file permissions on NSS for DSFW users are enforced using their eDirectory identities.
All the connections from the DSfW users are listed as eDirectory connections.
All the connections from the AD users are listed as AD connections.