Active Directory Unix Extensions


Overview

The first thing to consider is whether you really need Posix, Unix, and NTFS permissions on the same volume. It is always preferable to put objects needing NFS access on separate volumes from those needing CIFS access. If that is not possible, and if the same user or group needs access from both NFS and CIFS clients, then Active Directory Unix Extensions can be implemented.

When you choose to enable support for multiple protocols on a volume through NFS and CIFS (SMB), the user and group identities created through the different protocols do not necessarily match each other. This is because SMB typically maps a user by associating an Active Directory security identifier (SID) with a user identity (UID) or group identity (GID) through a local mapping policy, which is typically a simple algorithm that directly incorporates the relative ID (RID) component of the SID. NFS, on the other hand, uses the local UID or GID on the UNIX/Linux system without much conversion. This can lead to a situation where an Active Directory user "bob" may write files that UNIX user "bob" cannot access.

However, a Nasuni Edge Appliance can be configured in such a way that the Active Directory-mapped UIDs and GIDs match the NFS UIDs and GIDs. Currently, this support relies on the customer using a feature of Active Directory that extends the Active Directory schema to provide UNIX-style UIDs and GIDs. This feature is known by multiple names, including “Identity Management for UNIX”, “UNIX Extensions”, “Server for Network Information Services”, “Services for UNIX”, or “RFC 2307”. On a domain that supports these extensions, a UNIX/Linux-based client can obtain the UID and GID values from the canonical records in the domain.

If your organization requires this functionality:

  • During the initial engagement, inform Nasuni Professional Services of your needs.

  • Configure Active Directory in consultation with Nasuni Professional Services or Nasuni Support.

  • Request Nasuni Support to configure the Edge Appliance for Active Directory Unix Extensions (RFC 2307).

Note: Limits on domains, groups, users, objects, and other items are the same as the limits of Active Directory. See Active Directory Maximum Limits - Scalability for details.

Tip: For Nasuni recommendations for volume configuration, see "Nasuni recommendations for configuring volumes" below.

Important: Before joining Edge Appliance to Active Directory, contact Nasuni Support.

Considerations

Here are some considerations to keep in mind:

  • In order to use Active Directory’s UNIX extensions, it is necessary to first configure domains and clients.

  • Verification involves writing files and directories to ensure that the user identities match.

  • There are different procedures for configuring the first Nasuni Edge Appliance on the account and for subsequent Nasuni Edge Appliances on the account.

  • If possible, have this configuration done before a Nasuni Edge Appliance joins Active Directory.

  • For Nasuni Edge Appliance release 8.8 and above, the Health Monitor feature requires that the Edge Appliance accounts also be assigned UID and GID. This configuration must be performed before upgrading the Edge Appliance to release 8.8 or later.

Active Directory Unix Extensions Considerations

Alternatives

Consider whether you need Posix permissions, Unix permissions, and NTFS permissions on the same volume. It is always preferable to locate objects needing NFS access and those needing CIFS access on separate volumes. If that is not possible, and the same user or group needs access from NFS and CIFS clients, then Active Directory Unix Extensions can be implemented.

Note: If possible, avoid multiprotocol volumes, because it is difficult to implement the ID mapping and permissions properly.

Volume and permission type

The volume must be created in the following manner. No other method is supported.

  1. Create the volume as an NFS volume.

  2. Add the CIFS protocol with POSIX/Mixed Mode permissions.

Important: Be aware that Windows clients have degraded capabilities with POSIX/Mixed Mode permissions. For example, because of those degraded capabilities, Modify permissions are mapped to Full Control permissions.

Migrated Data

The nature of the data to migrate must be analyzed:

  • If the data is coming from a Unix system, does the data have Posix permissions as well?

  • If the data is coming from Windows, it must be determined how permissions could be degraded.

Handling UID/GID ranges

Thorough planning is required when setting up domain ranges for your UIDs and GIDs.

  • If you have already configured UID and GID ranges, then inform Nasuni Support about your ranges.

  • If you have not already configured UID and GID ranges, then you should plan and create your UID and GID ranges with the following considerations:

    • All GIDs and UIDs must be greater than 1000.

    • GID/UID ranges for different domains should not overlap.

    • Allow headroom in the ranges to allow for future growth.

    • GID and UID ranges should not conflict with the Nasuni native user range: 5000 through 55999 by default. This range is controlled by the NOC.

      Local groups are assigned by the NOC based on the Edge Appliance serial number. These local groups are stored in the license file.

Adjusting the range

If this assigned local range overlaps your domain range, then the local range must be adjusted. This is done by Nasuni Support using the following procedure:

Note: This shift procedure does not change the values in the license file.

  1. Find the minimum and maximum ID numbers for Users by using this command:
    Get-ADUser -Filter "uidNumber -like '*'" -Properties uidNumber | Measure-Object -Minimum -Maximum -Property uidNumber

    Record the values for Users.

  2. Find the minimum and maximum ID numbers for Groups by using this command:
    Get-ADGroup -Filter "gidNumber -like '*'" -Properties gidNumber | Measure-Object -Minimum -Maximum -Property gidNumber

    Record the values for Groups.

  3. Use the lowest ID returned by users or groups for the low end of the range.

  4. Use the highest ID listed for users or groups to define the upper end of the range.

  5. Consider any planned ID growth in order to set headroom at the top of the range for future allocation.

Finding Users and Group IDs lower than 1000

If the minimum ID returned by either query is lower than 1000, ID mapping does not work.
Nasuni Support uses the following commands to identify the UIDs/GIDs lower than 1000 and determine whether those objects can be removed from Active Directory (or assigned IDs above 1000):

  1. Find Users under ID 1000 by using this command:
    Get-ADUser -Filter "uidNumber -lt 1000" -Properties uidNumber

  2. Find Groups under ID 1000 by using this command:
    Get-ADGroup -Filter "gidNumber -lt 1000" -Properties gidNumber
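The range-planning rules above (all IDs above 1000, no overlap with the Nasuni native range of 5000 through 55999, headroom for growth) and the two "lower than 1000" queries can be combined into a single audit that is run before Nasuni Support is asked to set an IDmap. The script below is an added example and is not Nasuni's own tooling; it assumes the RSAT ActiveDirectory module on a domain-joined Windows host, and the function names (Get-Rfc2307Ids, Test-Rfc2307Range), the default headroom of 10000 IDs, and the sample objects at the bottom are all constructed for this illustration. It also adds one check the page does not list but which matters for the same reason the page gives (AD "bob" versus UNIX "bob"): two principals sharing one uidNumber or gidNumber are indistinguishable to NFS clients.

```powershell
# Added example (not Nasuni's tooling): audit RFC 2307 uidNumber/gidNumber values
# in Active Directory against the range rules before an Edge Appliance IDmap is set.
# Assumes the ActiveDirectory (RSAT) module and a domain-joined session.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

# Nasuni native (local) user range stated on the page: 5000 through 55999 by default.
$NativeRangeLow   = 5000
$NativeRangeHigh  = 55999
$MinimumAllowedId = 1000   # page rule: UIDs/GIDs must be above 1000 (queries use -lt 1000)

function Get-Rfc2307Ids {
    # Collects every user with a uidNumber and every group with a gidNumber
    # into one uniform list of Name / Kind / Id records.
    $users  = Get-ADUser  -Filter "uidNumber -like '*'" -Properties uidNumber |
              Select-Object @{n='Name';e={$_.SamAccountName}},
                            @{n='Kind';e={'User'}},
                            @{n='Id';  e={[int]$_.uidNumber}}
    $groups = Get-ADGroup -Filter "gidNumber -like '*'" -Properties gidNumber |
              Select-Object @{n='Name';e={$_.SamAccountName}},
                            @{n='Kind';e={'Group'}},
                            @{n='Id';  e={[int]$_.gidNumber}}
    return @($users) + @($groups)
}

function Test-Rfc2307Range {
    param(
        [Parameter(Mandatory)] [object[]] $Ids,  # output of Get-Rfc2307Ids, or a constructed list
        [int] $Headroom = 10000                    # IDs to reserve above the current maximum (assumed default)
    )
    $result = [ordered]@{}
    $stats = $Ids | Measure-Object -Property Id -Minimum -Maximum

    # Steps 3-5 of the page's procedure: lowest and highest ID over users AND groups,
    # plus headroom at the top of the range for future allocation.
    $result.Low             = $stats.Minimum
    $result.High            = $stats.Maximum
    $result.RecommendedHigh = $stats.Maximum + $Headroom

    # Rule: every UID/GID must be above 1000; these objects break ID mapping.
    $result.BelowMinimum = @($Ids | Where-Object { $_.Id -lt $MinimumAllowedId })

    # Rule: the domain range must not collide with the Nasuni native range.
    # Two closed intervals overlap when each one starts before the other ends.
    $result.OverlapsNativeRange = ($result.Low -le $NativeRangeHigh) -and
                                  ($result.RecommendedHigh -ge $NativeRangeLow)

    # Added check: duplicate IDs within a kind mean two principals share one NFS identity.
    $result.DuplicateUids = @($Ids | Where-Object Kind -eq 'User'  |
                              Group-Object Id | Where-Object Count -gt 1 | ForEach-Object Name)
    $result.DuplicateGids = @($Ids | Where-Object Kind -eq 'Group' |
                              Group-Object Id | Where-Object Count -gt 1 | ForEach-Object Name)

    return [pscustomobject]$result
}

# Constructed sample (not real domain data) so the checks can be exercised offline.
# Expected findings: svc-legacy is below 1000, the range overlaps 5000-55999,
# and the 'eng' and 'ops' groups share gidNumber 20001.
$sample = @(
    [pscustomobject]@{ Name = 'bob';        Kind = 'User';  Id = 20001 },
    [pscustomobject]@{ Name = 'alice';      Kind = 'User';  Id = 20002 },
    [pscustomobject]@{ Name = 'svc-legacy'; Kind = 'User';  Id = 999   },
    [pscustomobject]@{ Name = 'eng';        Kind = 'Group'; Id = 20001 },
    [pscustomobject]@{ Name = 'ops';        Kind = 'Group'; Id = 20001 }
)
Test-Rfc2307Range -Ids $sample | Format-List

# Against the live domain, replace the sample with the real query:
# $report = Test-Rfc2307Range -Ids (Get-Rfc2307Ids)
# $report | Format-List
# $report.BelowMinimum | Format-Table Kind, Name, Id
```

The Low and RecommendedHigh values are what Nasuni Support needs when adjusting the local range; a non-empty BelowMinimum list or a True OverlapsNativeRange means the domain ranges must be fixed first, since the shift procedure does not change the license file and an IDmap change affects every existing volume on the appliance.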

Setting up an Edge Appliance IDmap

Important: Setting a new IDmap will affect the entire Edge Appliance and existing volumes.

Nasuni Support performs this procedure.

Checking Posix ACLs

You must check that any files or folders you create have Posix ACLs on them.

This normally happens when created through Windows, but must be done explicitly through NFS.

Nasuni recommendations for configuring volumes

The following table contains Nasuni recommendations for configuring volumes, based on the objectives for the volume. Configuration includes consideration of the following:

  • Original volume protocol

  • Additional volume protocol, if any

  • Authentication

  • Volume Permissions Policy

  • Case Sensitivity

Objective of volume: SMB clients only (Microsoft Windows clients, macOS clients) (no NFS, no FTP)

  • Original volume protocol: SMB (CIFS)

  • Additional volume protocol: None

  • Set Authentication to: Active Directory

  • Set Permissions Policy to: NTFS Exclusive

  • Set Case Sensitivity to: No

  • Options available include: Durable handles (with SMB 2.0+ and GFL disabled). Web Access. Global File Lock: Advanced and Optimized mode.

  • Unsupported features include: NFS. FTP. LDAP. Multiple volume protocols. Switching from NTFS Exclusive to NTFS Compatible.

Objective of volume: SMB clients + FTP (Microsoft Windows clients, macOS clients)

  • Original volume protocol: SMB (CIFS)

  • Additional volume protocol: FTP

  • Set Authentication to: Active Directory

  • Set Permissions Policy to: NTFS Compatible or POSIX

  • Set Case Sensitivity to: Yes (case sensitivity required to add FTP)

  • Options available include: FTP. Web Access. Global File Lock: Advanced and Optimized mode. Switch from NTFS Compatible to NTFS Exclusive.

  • Unsupported features include: NFS. LDAP.

Objective of volume: NFS clients (UNIX or Linux clients)

  • Original volume protocol: NFS

  • Additional volume protocol: None

  • Set Authentication to: Active Directory

  • Set Permissions Policy to: POSIX

  • Set Case Sensitivity to: Yes (cannot be changed)

  • Options available include: FTP. Global File Lock: Optimized mode.

  • Unsupported features include: CIFS (SMB) volumes. Web Access.

Objective of volume: NFS + SMB clients, IDs mapped between SMB/NFS using AD Unix Extensions (Microsoft Windows clients, macOS clients, UNIX or Linux clients)

  • Original volume protocol: NFS

  • Additional volume protocol: SMB (CIFS)

  • Set Authentication to: Active Directory

  • Set Permissions Policy to: POSIX (translated to NTFS)

  • Set Case Sensitivity to: Yes (cannot be changed)

  • Options available include: FTP. Web Access. Global File Lock: Optimized mode.

  • Unsupported features include: LDAP.

Objective of volume: NFS + SMB Basic InterOp, no ID mapping (Microsoft Windows clients, macOS clients, UNIX or Linux clients)

  • Original volume protocol: NFS

  • Additional volume protocol: SMB (CIFS)

  • Set Authentication to: Active Directory

  • Set Permissions Policy to: NTFS Compatible + POSIX

  • Set Case Sensitivity to: Yes (case sensitivity required to add NFS and FTP protocols)

  • Options available include: FTP. Web Access. Global File Lock: Optimized mode. Can switch from NTFS Compatible to NTFS Exclusive.

  • Unsupported features include: NFS-only volumes. LDAP authentication.

Important: The Nasuni Mobile Access app is scheduled for End-of-Life on May 1, 2024. After this date, the Nasuni Mobile Access app will no longer be supported or available from app stores.

Technical Support

Online self-help resources and Technical Support are available at www.nasuni.com/support.