Using QuantaStor in a Centrify Environment
Centrify Privileged Access Service allows client-to-server authentication for Linux, Mac, and Windows clients.
OSNEXUS QuantaStor supports CIFS Network Share authentication using Centrify SFU Zone users in a Windows Active Directory environment.
With QuantaStor and Centrify, user permissions and access to CIFS Network Shares can be managed through both Centrify Access Manager and Microsoft Active Directory for clients using Linux, Mac, and Windows computers.
User ID and Group ID (UID/GID) mapping is required to map Active Directory SIDs (Security Identifiers) to QuantaStor UIDs/GIDs. There are several methods for this mapping; RFC2307 is the one compatible with both QuantaStor and Centrify SFU zones. When joining a QuantaStor system to Active Directory, select AD Managed Unix UID/GIDs (RFC2307) in the ID Mapper drop-down. Using a Centrify SFU Zone automatically populates the RFC2307 UID/GID attributes in Active Directory (uidNumber and gidNumber), so Active Directory, Centrify, and QuantaStor all use the same UID/GID for a given user. This matters for NFS clients in particular, because NFS identifies users by number: the UID/GID of the user on the client machine must match the UID/GID QuantaStor uses for that user.
When set up correctly, QuantaStor queries Active Directory directly for users and their UID and GID. Access to QuantaStor Network Shares is granted by validating user passwords against Active Directory, and file permissions are set and checked using the UID/GID values stored in Active Directory. Because Active Directory is the single source of these values, users created through Centrify and users created directly in Active Directory both carry a unique RFC2307 UID/GID, provided their Unix attributes are populated, and both types of users work with QuantaStor network shares.
The following steps show how a Centrify Zone was built in Active Directory and how a QuantaStor network share was configured to allow users to access it.
Centrify Zone and User Creation
Starting from a deployed Centrify environment with Centrify Access Manager installed, an SFU zone can be added that allows Centrify-managed users to be added to QuantaStor network shares.
- Open the Centrify Access Manager Application
- Click Create Zone and populate dialog
- Choose Hierarchical Zone
- Select SFU Zone Type
- Select the Windows Active Directory domain for the Centrify Zone.
- Click Finish to complete building of the Centrify Zone
Results of creating the Centrify Zone
- Zone as seen from Active Directory Users and Computers
- Zone as seen from Centrify Access Manager
Set up a QuantaStor Network Share that authenticates against Active Directory
- Join the QuantaStor system to Windows Active Directory.
- This can be done by right-clicking Network Shares and choosing Configure Active Directory.
- Ensure that AD Managed Unix UID/GIDs (RFC2307) is selected.
- Changing this value after a network share has been created and used can cause permission problems: the users' UID/GID will be calculated differently after the change and will no longer match the UID/GID stored on the files in QuantaStor, so ownership and permissions will have to be corrected for each user across the entire share(s).
- Create and configure a QuantaStor Network Share. In Advanced Settings, check the appropriate extended attributes. Enabling Windows ACLs allows predictable management of share and folder permissions through a Windows server.
- Add Centrify and Active Directory users to the QuantaStor share.
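The procedure above depends on two things being true before the join: every account that will touch the share has a unique, populated uidNumber/gidNumber in Active Directory, and NFS clients use the same numbers locally. The script below is an added example for this page, not QuantaStor, Centrify or OSNEXUS code. It checks constructed AD user records for RFC2307 readiness, compares them against a constructed NFS client passwd file, and shows why switching the ID mapper after files exist (here from the stored uidNumber to an assumed SID-based "base + RID" scheme) changes the owner UID of existing files. The SIDs, UIDs, file paths and the RID base value are all assumptions made for the illustration.

```python
"""Sanity checks for RFC2307 (uidNumber/gidNumber) ID mapping before and after
joining a system to Active Directory. Added example for this page; it is not
QuantaStor, Centrify or OSNEXUS code. All AD records, SIDs, passwd lines and
file paths below are constructed for illustration."""

# Constructed AD user objects with the attributes a joined system reads from AD.
# carol was created directly in AD without Unix attributes; dave has a duplicate
# uidNumber (an admin typo). RIDs and UID values are made up.
AD_USERS = [
    {"sAMAccountName": "alice", "objectSid": "S-1-5-21-1-2-3-1105", "uidNumber": 10001, "gidNumber": 10000},
    {"sAMAccountName": "bob",   "objectSid": "S-1-5-21-1-2-3-1106", "uidNumber": 10002, "gidNumber": 10000},
    {"sAMAccountName": "carol", "objectSid": "S-1-5-21-1-2-3-1107", "uidNumber": None,  "gidNumber": None},
    {"sAMAccountName": "dave",  "objectSid": "S-1-5-21-1-2-3-1108", "uidNumber": 10002, "gidNumber": 10000},
]


def check_rfc2307(users, low=1000, high=2**31 - 1):
    """Return (user, problem) pairs for accounts that will not map cleanly under
    the RFC2307 ID mapper: missing Unix attributes, out-of-range or duplicate UIDs."""
    problems, seen = [], {}
    for u in users:
        name, uid, gid = u["sAMAccountName"], u["uidNumber"], u["gidNumber"]
        if uid is None or gid is None:
            problems.append((name, "missing uidNumber/gidNumber"))
            continue
        if not low <= uid <= high:
            problems.append((name, f"uidNumber {uid} outside {low}-{high}"))
        if uid in seen:
            problems.append((name, f"uidNumber {uid} duplicates {seen[uid]}"))
        seen.setdefault(uid, name)
    return problems


def rid_of(sid):
    """Relative identifier: the last component of an objectSid."""
    return int(sid.rsplit("-", 1)[1])


def map_rfc2307(u):
    """UID under 'AD Managed Unix UID/GIDs (RFC2307)': the uidNumber stored in AD."""
    return u["uidNumber"]


def map_rid(u, base=100000):
    """UID under an algorithmic SID-based mapper (base + RID). The base value is an
    assumed example parameter; it exists only to show that a different mapper
    yields different numbers for the same account."""
    return base + rid_of(u["objectSid"])


def orphaned_after_remap(files, users, old_mapper, new_mapper):
    """Given (path, owner_uid) pairs written under old_mapper, list files whose
    owner UID changes under new_mapper and therefore needs a chown."""
    by_old_uid = {}
    for u in users:
        uid = old_mapper(u)
        if uid is not None:
            by_old_uid.setdefault(uid, u)  # first account wins on duplicates
    changed = []
    for path, uid in files:
        u = by_old_uid.get(uid)
        if u is None:
            continue  # owned by an account not in this user set
        new_uid = new_mapper(u)
        if new_uid != uid:
            changed.append((path, uid, new_uid))
    return changed


def nfs_uid_mismatches(users, passwd_text):
    """Compare an NFS client's local accounts (passwd(5) format) with AD uidNumber.
    NFSv3 and sec=sys NFSv4 carry numeric UIDs on the wire, so a mismatch means
    the client's files land under the wrong owner on the server."""
    local = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_ = line.split(":")
        local[name] = (int(uid), int(gid))
    mismatches = []
    for u in users:
        name, uid = u["sAMAccountName"], u["uidNumber"]
        if uid is not None and name in local and local[name][0] != uid:
            mismatches.append((name, uid, local[name][0]))
    return mismatches


# Constructed data: files written while the RFC2307 mapper was active, and the
# /etc/passwd of an NFS client where bob was created with a locally chosen UID.
FILES = [
    ("/export/share1/alice/report.docx", 10001),
    ("/export/share1/bob/notes.txt", 10002),
]
CLIENT_PASSWD = """alice:x:10001:10000::/home/alice:/bin/bash
bob:x:20002:10000::/home/bob:/bin/bash
"""

if __name__ == "__main__":
    for name, why in check_rfc2307(AD_USERS):
        print(f"AD: {name}: {why}")
    for path, old, new in orphaned_after_remap(FILES, AD_USERS, map_rfc2307, map_rid):
        print(f"remap: {path} owner {old} -> {new} (chown needed)")
    for name, ad_uid, client_uid in nfs_uid_mismatches(AD_USERS, CLIENT_PASSWD):
        print(f"NFS: {name}: AD uidNumber {ad_uid} != client uid {client_uid}")
```

Run the checks against an export of the real user objects before joining; anything reported by check_rfc2307 should be fixed in Active Directory (or through the Centrify zone) first, and anything reported by nfs_uid_mismatches means the client account, not the share, needs to be corrected. The remap output is what an ownership-repair pass would have to walk across every share if the ID mapper were changed later.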
Testing User Share Access from Windows 10 host
For this setup, no other changes were made to QuantaStor. It was simply joined to the Active Directory domain (where Centrify was installed), and both Centrify and non-Centrify Active Directory users were added to shares.
With this setup, share and file permissions can be configured from a Windows host by a user with the appropriate Active Directory permissions.