4.1 Installing a New OES Server and Deploying NSS AD

Figure 4-1 Installing OES as a New Server and Deploying NSS AD

IMPORTANT: Before proceeding, ensure that you have met all the prerequisites specified in Section 3.2, Meeting NSS AD Infrastructure Requirements.

If you want to install NSS AD after your OES server is installed and running, follow the instructions in Section 4.2, Upgrading to OES 2018 SP2 and Deploying NSS AD (Non-Clustered Environment), starting with Step 2.

Table 4-1 Installing OES and Deploying NSS AD

Process

Information and Links

Process 1

  1. Using the instructions in the installation guide, install only one OES server at a time in your eDirectory tree.

    For detailed instructions, see Installing OES as a New Installation in the OES 23.4: Installation Guide.

  2. When you reach the Software Selections screen, select the OES Storage Service AD Support pattern along with the other services that you are installing.

  3. Specify the required details:

    • AD Domain Name: The domain that the OES server is joining.

    • AD Supervisor Group: The name of the AD supervisor group. AD users who belong to this group have supervisory rights to all the volumes associated with that OES server.

    • AD User Name: Specify an AD administrator or user with the following privileges required to join the domain:

      • Reset password

      • Create computer objects

      • Delete computer objects

      • Read and write the msDs-supportedEncryptionTypes attribute.

    • Password: The password of the AD user that is used for the domain join operation.

    • Container to Create Computer Object: The container where the OES 2018 computer object will live.

      If you have already created a computer object in Active Directory for the OES server, select Use pre-created computer object and include the object name in the specification.

    • Novell Identity Translator (NIT) Configuration: NIT manages UIDs as required for data access on a Linux server. For more information, see Section 7.2, NIT (Novell Identity Translator).

  4. When you click Next, you should see the message "The domain join is in progress."

Process 2

  1. Ensure that the OES computer object is created in the AD domain you specified.

  2. Verify that the default keytab entries for the OES server are created by entering the following command at the server’s terminal prompt:

    klist -k

    For example:

    tstsrv:~/Desktop #klist -k
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- ----------------------------------
       2 tstsrv$@ACME.COM
       2 tstsrv$@ACME.COM
       2 tstsrv$@ACME.COM
       2 cifs/tstsrv.acme.com@ACME.COM
       2 cifs/tstsrv.acme.com@ACME.COM
       2 cifs/tstsrv.acme.com@ACME.COM
       2 cifs/tstsrv@ACME.COM
       2 cifs/tstsrv@ACME.COM
       2 cifs/tstsrv@ACME.COM
       2 host/tstsrv.acme.com@ACME.COM
       2 host/tstsrv.acme.com@ACME.COM
       2 host/tstsrv.acme.com@ACME.COM
    tstsrv:~/Desktop #

    The 12 keytab entries represent the service principals of the OES server.

  3. You can also run kinit -k <name of the OES server>$ to confirm that the OES server has joined the AD domain successfully.

    For example: kinit -k tstsrv$

    When the command succeeds, it prints no output and simply returns to the terminal prompt.
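As an added example (not from the OES documentation), the following POSIX shell check parses klist -k output and confirms that the machine account plus the cifs/ and host/ principals for both the fully qualified and short host name are all present. The host tstsrv and realm ACME.COM are taken from the sample output above; the function names are my own.

```shell
#!/bin/sh
# Added verification helper (not part of the OES documentation). It checks
# that the keytab written by the domain join holds every service principal
# that clients will request. Host name and realm are constructed sample
# values taken from the klist output shown above.

# Principals a joined OES server is expected to hold: the machine account
# plus cifs/ and host/ SPNs for the FQDN and the short host name.
expected_principals() {
    host=$1   # short host name, e.g. tstsrv
    fqdn=$2   # fully qualified name that clients map to
    realm=$3  # Kerberos realm (the AD domain name in upper case)
    printf '%s$@%s\n' "$host" "$realm"
    printf 'cifs/%s@%s\n' "$fqdn" "$realm"
    printf 'cifs/%s@%s\n' "$host" "$realm"
    printf 'host/%s@%s\n' "$fqdn" "$realm"
}

# Read `klist -k` output on stdin; print each missing principal.
# Returns 0 when every expected principal is present, 1 otherwise.
check_keytab() {
    # Entry lines look like "   2 cifs/tstsrv@ACME.COM": a numeric KVNO
    # followed by the principal. Duplicates (one per enctype) collapse.
    found=$(awk '$1 ~ /^[0-9]+$/ && NF == 2 { print $2 }' | sort -u)
    rc=0
    for p in $(expected_principals "$1" "$2" "$3"); do
        if ! printf '%s\n' "$found" | grep -Fxq -- "$p"; then
            echo "missing keytab entry: $p"
            rc=1
        fi
    done
    return $rc
}

# Constructed klist -k output for a correctly joined server.
SAMPLE_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------
   2 tstsrv$@ACME.COM
   2 cifs/tstsrv.acme.com@ACME.COM
   2 cifs/tstsrv@ACME.COM
   2 host/tstsrv.acme.com@ACME.COM'

# Constructed output of a join that produced no host/ principal.
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_OK" | grep -v 'host/')

check_sample_ok()  { printf '%s\n' "$SAMPLE_OK"  | check_keytab tstsrv tstsrv.acme.com ACME.COM; }
check_sample_bad() { printf '%s\n' "$SAMPLE_BAD" | check_keytab tstsrv tstsrv.acme.com ACME.COM; }
```

On a joined server, pipe the live output instead: klist -k | check_keytab <host> <fqdn> <REALM>, then follow up with kinit -k <host>$ to confirm that the keys themselves are valid.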

Process 3

  1. Media-upgrade the NSS32 pools that your AD users need access to.

    The following is a simple, GUI-driven method.

    1. At a terminal prompt, enter nssmu.

    2. Select Pools.

    3. Select a pool.

    4. Type g, then type Y(es) > O(kay).

    5. Select another pool and continue until all of the NSS32 pools that AD users need access to are media-upgraded.

For more information on the NSS Media upgrade options and processes, see NSS Media Upgrade Commands in the OES 23.4: NSS File System Administration Guide for Linux.

Process 4

  1. AD-enable the NSS volumes that your AD users need access to.

    The following is a simple, GUI-driven method.

    1. At a terminal prompt, enter nssmu.

    2. Select Volumes.

    3. Select a volume.

    4. Type G, then type Y(es) > O(kay).

    5. Select another volume and continue until all of the volumes that AD users need access to are AD-enabled.

For more information on the NSS Media upgrade options and processes, see NSS Media Upgrade Commands in the OES 23.4: NSS File System Administration Guide for Linux.

See also, AD-enable the Volume in the OES 23.4: NSS File System Administration Guide for Linux.

Process 5

  1. Review the information in Section 5.0, Assigning NSS Trustee Rights for AD Users and Groups to ensure that you understand the trustee-assignment processes and the associated caveats, then continue with Step 2.

  2. Assess whether the OES User Rights Map utility (NURM) applies to your organization by considering the following questions:

    1. Do any of your AD users and groups have matching eDirectory accounts?

      If so, you can use the OES User Rights Map utility (NURM) to map the rights between eDirectory and Active Directory users and groups and then apply NSS trustee assignments based on the mapping.

      If not, skip to process 6.

    2. Do you use NetIQ Identity Manager 4.5 or later to coordinate identities and passwords between Active Directory and eDirectory, and do you have a user map that was created using IDM Designer?

      If so, NURM can leverage that map.

      If not, you can create a map using NURM.

    3. Do you want to consolidate your overlapping eDirectory and Active Directory accounts to only Active Directory?

      If so, you can have NURM delete the eDirectory trustee assignments.

  3. If applicable, run NURM to assign NSS trustee rights to your AD users.

For more information, see Section 7.4, NURM (OES User Rights Map).

Process 6

  1. For AD users and groups who need NSS access and do not have matching eDirectory accounts, you can grant trustee assignments using either the NFARM Windows shell extension or the rights utility.

  2. Use other NSS tools to manage file and directory ownership, usage quotas and the other things that you manage for eDirectory users and groups.

    For more information, see OES File Access Rights Management (NFARM), rights, nsschown, and nssquota in the OES 23.4: NSS File System Administration Guide for Linux.

To access the AD enabled NSS volumes, do the following:

  • Create a forward-lookup DNS entry for the OES server that hosts the AD-enabled NSS volumes.

  • Map the NSS volume using the full DNS name or the host name of the OES server, not its IP address. Kerberos authentication requires the name the client connects to to match a service principal in the server's keytab (for example, cifs/tstsrv.acme.com@ACME.COM), and an IP address matches none of them.