4.3 Upgrading to OES 2018 SP2 and Deploying NSS AD (Clustered Environment)

NOTE:Beginning with OES 24.4, OES User Rights Map (NURM) is deprecated and removed from OES.

Figure 4-3 Upgrading to OES 2018 SP2 and Deploying NSS AD in a Clustered Environment

IMPORTANT:Before proceeding, ensure that you have met all the prerequisites specified in Section 3.2, Meeting NSS AD Infrastructure Requirements.

Table 4-3 Upgrading to OES 2018 SP2 and Deploying NSS AD

Process

Information and Links

  1. Using the instructions in the installation guide, upgrade only one cluster node in your tree at a time.

    IMPORTANT:When upgrading the OES server, if NSS AD pattern is selected, then any misconfiguration in joining the domain can result in upgrade failure. Hence, it is recommended not to install NSS AD Support as part of the upgrade process.

For more information about upgrading OES Clusters, see Upgrading OES Clusters in the OES 23.4: OES Cluster Services for Linux Administration Guide.

  1. On the cluster node (OES server), run YaST and when you reach the Software Selections screen, select the OES Storage Service AD Support pattern.

  2. Specify the following details:

    • AD Domain Name: The AD domain that the OES server is joining.

    • AD Supervisor Group: Is the AD supervisor group name. The AD users belonging to this group will have supervisory rights for all the volumes associated with that OES server.

    • AD User Name: Specify an AD administrator or user with the following privileges required to join the domain:

      • Reset password

      • Create computer objects

      • Delete computer objects

      • Read and write the msDs-supportedEncryptionTypes attribute.

    • Password: Is the password of the AD user who is used for the domain join operation.

    • Container to Create Computer Object: The container where the OES 2018 computer object either has been or will be created.

      If you have already created a computer object in Active Directory for the OES server, select Use pre-created computer object.

    • Novell Identity Translator (NIT) Configuration: NIT generates UIDs as required for anyone accessing data on a Linux server. For more information on NIT, see Section 7.2, NIT (Novell Identity Translator).

      If you want NIT to generate UIDs for AD users, select Generate UID for AD users, then specify the UID range. If you want NIT to retrieve UIDs from Active Directory, do not select the Generate UID for AD users option.

      For more information about this option, see Table 7-2.

  3. When you click Next, the server/node is joined to the AD domain.

    For more information about joining cluster nodes to the AD domain, see Joining the Cluster Node to an Active Directory Domain in the OES 23.4: OES Cluster Services for Linux Administration Guide.

Verify the AD domain and Kerberos is configured and working in all the cluster nodes.

  1. Ensure that the OES computer object is created in the AD domain you specified.

  2. Verify that the default keytab entries for the OES server are created by entering the following command at the server’s terminal prompt:

    klist -k

    For example:

    tstsrv:~/Desktop #klist -k
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- ----------------------------------
       2 tstsrv$@ACME.COM
       2 tstsrv$@ACME.COM
       2 tstsrv$@ACME.COM
       2 cifs/tstsrv.acme.com@ACME.COM
       2 cifs/tstsrv.acme.com@ACME.COM
       2 cifs/tstsrv.acme.com@ACME.COM
       2 cifs/tstsrv@ACME.COM
       2 cifs/tstsrv@ACME.COM
       2 cifs/tstsrv@ACME.COM
       2 host/tstsrv.acme.com@ACME.COM
       2 host/tstsrv.acme.com@ACME.COM
       2 host/tstsrv.acme.com@ACME.COM
    tstsrv:~/Desktop #

    The 12 keytab entries represents the Service Principals of the OES server.

  3. You can also execute kinit -k <name of the OES server>$ to ensure that the OES server is joined to the AD domain successfully.

    For example, kinit -k tstsrv$

    On successful execution of the above command, it does not display any output message and returns to terminal.

  1. Ensure that CIFS is chosen as the advertizing protocol for the cluster resource. NSS resource access for AD users happens only through the CIFS protocol.

    For more information, see Adding Advertising Protocols for NSS Pool Cluster Resources in the OES 23.4: OES Cluster Services for Linux Administration Guide.

  2. Join the cluster pool to the AD domain by following the instructions in Joining Cluster Pools to the AD Domain in the Storage Services File System (NSS) Administration Guide for Linux or Joining the Cluster Resource to an Active Directory Domain in the OES 23.4: OES Cluster Services for Linux Administration Guide.

    You can also use the following tools:

  3. Verify the Service Principal Names and computer objects by completing the steps in Verifying the Service Principals and Computer Objects in the OES 23.4: OES Cluster Services for Linux Administration Guide.

  1. Media-upgrade your NSS32 cluster pools that your AD users need access to.

    The following is a simple, GUI-driven method.

    1. At a terminal prompt, enter nssmu.

    2. Select Pools

    3. Select a pool.

    4. Type g, then type Y(es) > O(kay).

    5. Select another pool and continue until all of the NSS32 cluster pools that AD users need access to are media-upgraded

For more information on the NSS Media upgrade options and processes, see NSS Media Upgrade Commands and Upgrading the NSS Media Format in the Storage Services File System (NSS) Administration Guide for Linux.

  1. AD-enable the NSS volumes that your AD users need access to.

    The following is a simple, GUI-driven method.

    1. At a terminal prompt, enter nssmu.

    2. Select Volumes

    3. Select a volume.

    4. Type G, then type Y(es) > O(kay).

    5. Select another volume and continue until all of the volumes that AD users need access to are AD-enabled.

For more information on the NSS Media upgrade options and processes, see NSS Media Upgrade Commands in the Storage Services File System (NSS) Administration Guide for Linux.

See also, AD-enable the Volume and Volume AD-enablingin the Storage Services File System (NSS) Administration Guide for Linux.

  1. Review the information in Section 5.0, Assigning NSS Trustee Rights for AD Users and Groups to ensure that you understand the trustee-assignment processes and the associated caveats, then continue with Step 2.

  2. Assess whether the OES User Rights Map utility (NURM) applies to your organization by considering the following questions:

    1. Do any of your AD users and groups have matching eDirectory accounts?

      If so, you can use the OES User Rights Map utility (NURM) to map the rights between eDirectory and Active Directory users and groups and then apply NSS trustee assignments based on the mapping.

      If not, skip to process 8.

    2. Do you use NetIQ Identify Manager 4.5 or later to coordinate identities and passwords between Active Directory and eDirectory, and do you have a user map that was created using IDM Designer?

      If so, NURM can leverage that map.

      If not, you can create a map using NURM.

    3. Do you want to consolidate your overlapping eDirectory and Active Directory accounts to only Active Directory?

      If so, you can have NURM delete the eDirectory trustee assignments.

  3. If applicable, run NURM to assign NSS trustee rights to your AD users.

For more information, see Section 7.4, NURM (OES User Rights Map).

  1. For AD users and groups who need NSS access and do not have matching eDirectory accounts, you can grant trustee assignments using either the NFARM Windows shell extension or the rights utility.

  2. Use other NSS tools to manage file and directory ownership, usage quotas and the other things that you manage for eDirectory users and groups.

    For more information, see OES File Access Rights Management (NFARM), rights, nsschown, and nssquota in the Storage Services File System (NSS) Administration Guide for Linux.

To access the AD enabled NSS cluster volumes, do the following:

  • Ensure to create a forward lookup DNS entry for netbios name of the cluster resource.

  • Map the NSS cluster volumes with the complete DNS name created for the cluster resource or with the short name of the netbios name of cluster resource (not with the IP address).