7.3 Prerequisites for Installing and Configuring NSS AD

  • Active Directory: Ensure that you have a working AD server, and that the OES 2018 or later server can resolve the DNS name of the AD domain controller in the domain to which the server will be joined.

    • Single Forest Environment: Create a Universal Group with the sAMAccountName "OESAccessGrp" anywhere in the AD forest. Only the members of this group have access to the NSS resources, based on their trustee assignments. In the absence of this group, all AD users in the forest can access the NSS resources based on their trustee assignments.

    • Multi Forest Environment: Create a Domain Local Group (DLG) with the sAMAccountName "DLOESAccessGrp" in the AD domain to which this OES server is joined. Only the members of this group (from the OES server's forest and from other forests) have access to the NSS resources, based on their trustee assignments. In the absence of this group, AD users across forests cannot access the NSS resources.

  • Reverse Lookup Entry for the AD Server: The AD server's reverse lookup entries (IPv4 and IPv6) must exist in the DNS server before the domain join operation is performed.

  • Firewall: Ensure that ports 389, 636, 88, 749, and 464 are open so that NSS AD can communicate.

  • Time Synchronization: The clocks of the OES 2018 or later server and the Active Directory server must be synchronized.

  • DNS A Record: To access the shared resources on OES, add a DNS A record for the NetBIOS name of the host or cluster resource.

  • DNS Nslookup Entry for the AD Server: Ensure that the AD server can be resolved by name using nslookup.

  • Rights Required for the Domain Join: The AD domain administrator, or any AD user who has the rights to change passwords, reset passwords, and create container objects on the AD server, can be used for the domain join process.

  • Novell Identity Translator (NIT): NIT can operate in two modes: Fetch and Generate. If you decide to generate UIDs, plan and select a UID range that does not conflict with the LUM and Linux UID ranges. If you opt for the fetch mode, the UIDs must exist in AD and the UID number attribute must be replicated to the global catalog; only then can NIT fetch the users' UIDs for authorization. For more information on replicating UIDs to the global catalog, see the Microsoft documentation.

    NOTE: If NIT is configured in generate mode, it generates UIDs even for users who already have a UID stored in AD. For more information on NIT, see Section 7.5, About Novell Identity Translator (NIT).

  • NSS AD Coexistence with Other OES Services: Do not install DSfW on the same server on which NSS AD will be installed and configured.

  • NSS AD's Dependency on the CIFS Service: Before installing and configuring NSS AD, ensure that the CIFS service is installed and running.

  • Cluster Recommendation: In a cluster environment, if you plan to upgrade to OES 23.4 with NSS AD support, it is recommended that you upgrade all cluster nodes to OES 23.4. NSS cluster resources whose pools have not been NSS AD media-upgraded, whose volumes have not been AD-enabled, and which have not been joined to the AD domain will not be accessible to AD users. For more information on joining cluster resources to the AD domain, see Joining Cluster Pools to the AD Domain in the OES 23.4: NSS File System Administration Guide for Linux. You can also use the novell-ad-util CLI tool for the domain join. For more information, see novell-ad-util Command Line Utility in the OES 23.4: NSS AD Administration Guide.
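The DNS resolution, reverse lookup, firewall port, time synchronization and NIT UID-range items in this list can be verified on the OES server before the domain join. The following preflight script is an added example, not code from the OES documentation or from the novell-ad-util tool. The service labels attached to the ports, the 300-second skew tolerance, querying the domain controller's own time service over SNTP, the placeholder name dc1.example.test and the sample UID range are assumptions made here.

```python
"""Preflight checks for the NSS AD prerequisites in this section.

Added example; not part of the OES documentation or its tooling. It checks
forward DNS, reverse lookup, the listed firewall ports, clock skew (via a
single SNTP query to the domain controller) and NIT UID-range overlap.
Service labels, the 300 s skew tolerance and the sample data are assumptions.
"""
import socket
import struct
import time

# Ports this section lists as required; the labels are the well-known assignments.
REQUIRED_PORTS = {389: "ldap", 636: "ldaps", 88: "kerberos", 749: "kerberos-adm", 464: "kpasswd"}
NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def resolve_forward(name):
    """Sorted IPv4/IPv6 addresses for name; empty list if it does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def resolve_reverse(ip):
    """PTR name for ip, or None when the reverse lookup entry is missing."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def check_port(host, port, timeout=3.0):
    """True if a TCP connect to host:port succeeds (a proxy for 'port is open')."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_sntp_transmit(packet):
    """Transmit timestamp of a 48-byte SNTP reply, converted to Unix time (float)."""
    if len(packet) < 48:
        raise ValueError("SNTP reply shorter than 48 bytes")
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_UNIX_DELTA + frac / 2**32


def sntp_offset(server, timeout=3.0):
    """Remote-minus-local clock offset in seconds from one SNTP exchange (RFC 4330)."""
    request = b"\x23" + b"\x00" * 47  # LI=0, VN=4, Mode=3 (client); rest zero
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sent = time.time()
        sock.sendto(request, (server, 123))
        reply, _ = sock.recvfrom(48)
        received = time.time()
    # Assume the reply was stamped midway through the round trip.
    return parse_sntp_transmit(reply) - (sent + received) / 2


def skew_within(offset, max_skew=300):
    """True if |offset| is inside the tolerance (300 s mirrors the common Kerberos default; assumption)."""
    return abs(offset) <= max_skew


def uid_range_conflicts(uid_start, uid_end, passwd_lines):
    """UIDs from passwd-format lines that already fall inside the proposed NIT generate range."""
    taken = []
    for line in passwd_lines:
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit() and uid_start <= int(fields[2]) <= uid_end:
            taken.append(int(fields[2]))
    return sorted(taken)


def run_checks(dc_name, uid_start, uid_end, passwd_path="/etc/passwd"):
    """Run every check against dc_name; returns {check_name: passed}."""
    addrs = resolve_forward(dc_name)
    target = addrs[0] if addrs else dc_name
    results = {"forward_dns": bool(addrs),
               "reverse_dns": bool(addrs) and all(resolve_reverse(a) for a in addrs)}
    for port, label in REQUIRED_PORTS.items():
        results[f"port_{port}_{label}"] = check_port(target, port)
    try:
        results["clock_skew"] = skew_within(sntp_offset(target))
    except (OSError, ValueError):
        results["clock_skew"] = False
    with open(passwd_path) as fh:
        results["uid_range_free"] = not uid_range_conflicts(uid_start, uid_end, fh)
    return results


if __name__ == "__main__":
    import sys
    # Placeholder DC name and a sample UID range (assumptions); pass your own values.
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.test"
    for name, ok in run_checks(dc, 100000, 200000).items():
        print("PASS" if ok else "FAIL", name)
```

Run it on the OES server with the domain controller's DNS name as the argument and the UID range you intend to give NIT. A successful TCP connect only shows that the port is reachable from this host; it does not prove every firewall in the path is configured, and the single-sample SNTP offset is an estimate that assumes the domain controller answers on UDP 123. Treat a FAIL line as a prompt to fix that prerequisite before attempting the domain join.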