7.4 Installing OES 24.4 with NSS AD Support

This section describes how to install and configure NSS AD, either on a fresh installation or after an OES upgrade.

The procedure for installing or upgrading to OES 24.4 is unchanged, except for the Storage Services AD Support Configuration screens.

7.4.1 Resolving the AD DNS Name from OES 24.4

To make OES work properly with NSS AD, ensure that the AD server and the OES servers can resolve each other's DNS names. If name resolution fails, do not proceed with the NSS AD installation; your Domain Search name and Name Server entries might be incorrect.

7.4.2 Installing and Configuring NSS AD Support

After resolving the AD DNS name from the OES server, select the OES Storage Service AD Support pattern on the OES Patterns screen and specify the following details:

  • AD Domain Name: Specify the appropriate AD domain name.

  • AD Supervisor Group: Specify the AD supervisor group name. The AD users belonging to this group will have supervisory rights for all the volumes associated with that OES server.

  • AD User Name: Specify the user name that can be used for the domain join operation. This user should have the following privileges: rights to reset password, create computer objects, delete computer objects, and read and write the msDS-SupportedEncryptionTypes attribute.

  • Password: Specify the appropriate password of the user who is used for the domain join operation.

  • Container to Create Computer Object: You can specify the container under which the OES computer object will be created. The default container is cn=computers. If you have already created an OES computer object in the AD server, select Use pre-created computer object, then specify the container name where the pre-created OES computer object exists.

  • NIT - Novell Identity Translator Configuration: If you want NIT to generate UIDs for AD users, select Generate UID for AD users, then specify the UID range. The default range is from 100000 to 200000. If you want NIT to fetch UIDs, do not select the Generate UID for AD users option.

7.4.3 Validating the NSS AD Configuration

After successfully installing and configuring NSS AD, you should find an entry for the cluster node object created in the Active Directory Users and Computers screen of the AD server as shown in the following image.

You can also run the klist -k command and verify that the default keytab entries are created, as shown below.

tstsrv:~/Desktop #klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 tstsrv$@ACME.COM
   2 tstsrv$@ACME.COM
   2 tstsrv$@ACME.COM
   2 cifs/tstsrv.acme.com@ACME.COM
   2 cifs/tstsrv.acme.com@ACME.COM
   2 cifs/tstsrv.acme.com@ACME.COM
   2 cifs/tstsrv@ACME.COM
   2 cifs/tstsrv@ACME.COM
   2 cifs/tstsrv@ACME.COM
   2 host/tstsrv.acme.com@ACME.COM
   2 host/tstsrv.acme.com@ACME.COM
   2 host/tstsrv.acme.com@ACME.COM
tstsrv:~/Desktop #

This command updates the default keytab file, /etc/krb5.keytab, and the /etc/krb5.conf file. OES 2018 or later supports the three strongest encryption types: AES128, AES256, and RC4HMAC. For each encryption type, an entry is made in the default keytab.
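
The keytab validation above can be scripted. The following is an added example, not part of the OES documentation: the function names check_keytab and sample_listing are hypothetical, the sample listing is constructed to mirror the output shown in this section, and it assumes a freshly configured server where each principal has exactly three entries (one per encryption type).

```shell
#!/bin/sh
# Added example: hypothetical helper names; the sample listing is constructed.
# check_keytab HOST FQDN REALM   (reads `klist -k` output on stdin)
# Returns 0 only if each expected principal has exactly 3 keytab entries,
# one per supported encryption type.
check_keytab() {
    awk -v host="$1" -v fqdn="$2" -v realm="$3" '
    BEGIN { n = split(host "$ cifs/" fqdn " cifs/" host " host/" fqdn, want, " ") }
    # Data rows look like "   2 cifs/tstsrv.acme.com@ACME.COM"; headers are skipped.
    NF == 2 && $1 ~ /^[0-9]+$/ { count[$2]++; kvno[$2] = $1 }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            p = want[i] "@" realm
            if (count[p] == 3) printf "OK   %s (kvno %s)\n", p, kvno[p]
            else { printf "FAIL %s: %d entries, expected 3\n", p, count[p]; bad = 1 }
        }
        exit bad
    }'
}

# Constructed sample mirroring the klist -k listing in this section.
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 tstsrv$@ACME.COM
   2 tstsrv$@ACME.COM
   2 tstsrv$@ACME.COM
   2 cifs/tstsrv.acme.com@ACME.COM
   2 cifs/tstsrv.acme.com@ACME.COM
   2 cifs/tstsrv.acme.com@ACME.COM
   2 cifs/tstsrv@ACME.COM
   2 cifs/tstsrv@ACME.COM
   2 cifs/tstsrv@ACME.COM
   2 host/tstsrv.acme.com@ACME.COM
   2 host/tstsrv.acme.com@ACME.COM
   2 host/tstsrv.acme.com@ACME.COM
EOF
}

# Demonstration on the constructed sample; prints four OK lines.
sample_listing | check_keytab tstsrv tstsrv.acme.com ACME.COM
```

On a live server, pipe the real listing into the function instead, for example klist -k | check_keytab tstsrv tstsrv.acme.com ACME.COM with your own host name, FQDN, and realm.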