FAQ / How to Integrate NexentaStor shares with Active Directory

This guide assumes the user already has Windows Server 2003 set up to run an Active Directory server and DNS server.

From the ‘Active Directory Users and Computers’ console, add computer objects for both nodes in the cluster.

[Screenshot: Add computer objects to domain]

Then, do the following on both nodes. This example uses NMV, but it can also be done with NMC:

  • Settings -> Appliance -> Domainname: Change this value to the AD domain

[Screenshot: Changing domainname to AD domain]

  • Settings -> Network -> Name servers: Change this to the IP address of the DNS server on the Windows Server machine

[Screenshot: Name Server]

  • Data Management -> Shares -> Create: Create the required shares

[Screenshot: Create a share]

  • Data Management -> Shares: Under ‘CIFS Server’
    • Click ‘Join AD/DNS server’
    • Fill in the DNS IP address and the fully qualified domain name. Fill in the username and password of a domain user that has authority to join a computer to the domain. This example uses Administrator; in practice an account that has only been delegated the right to join computers to the domain (or to manage the pre-created computer objects) is preferable, so that a full domain administrator password is never typed into the appliance.
    • Click ‘Save’ and the computer will be added to the domain.
    • Note: this step must happen AFTER the computer object has been created in the Users and Computers console.

[Screenshot: Join domain]

  • Data Management -> Shares (only on the node that the service is imported on):
    • Tick CIFS checkbox for each share
    • Click Edit next to the check box and set the name of the share

[Screenshot: Setting share name]

  • In an NMC console, type:
nmc@c1:/$ idmap dump -n|grep 'Domain Users'
nmc@c1:/$ idmap dump -n|grep 'Domain Admins'

This will give the GIDs for each of these domain groups (the domain name active.local and the numeric values below are from the example system; they will differ on yours):

nmc@c1:/$ idmap dump -n|grep 'Domain Admins'
wingroup:Domain Admins@active.local     ==      gid:2147483651

nmc@c1:/$ idmap dump -n|grep 'Domain Users'
wingroup:Domain Users@active.local      ==      gid:2147483650
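As an added example that is not part of the NexentaStor documentation, the following POSIX shell function extracts the GID for a named domain group from `idmap dump -n` output, so the value can be picked up by a script instead of being read off a grep match. It parses on the `==` separator, so group names containing spaces such as ‘Domain Users’ work, it ignores `winuser`/`uid` lines, and it returns a non-zero status when no mapping exists rather than handing back an empty ID. The sample dump, the domain `active.local` and the numeric IDs are constructed for the example.

```shell
#!/bin/sh
# Added example, not NexentaStor's own code. Finds the numeric GID of a
# Windows domain group in `idmap dump -n` output.

# Constructed sample of `idmap dump -n` output (assumed domain active.local,
# assumed ID values), so the function can be exercised without an appliance.
SAMPLE_IDMAP_DUMP='winuser:Administrator@active.local      ==      uid:2147483649
wingroup:Domain Users@active.local      ==      gid:2147483650
wingroup:Domain Admins@active.local     ==      gid:2147483651'

# domain_group_gid NAME [DUMP]
#   NAME  Windows group name, with or without the @domain suffix
#         (e.g. 'Domain Admins' or 'Domain Admins@active.local')
#   DUMP  idmap dump text; when omitted, `idmap dump -n` is run on the node
# Prints the GID and returns 0. Prints nothing and returns 1 when there is
# no wingroup -> gid mapping for NAME, so a caller stops instead of adding
# a share permission for an empty or wrong ID.
domain_group_gid() {
    name=$1
    dump=${2:-$(idmap dump -n)}
    printf '%s\n' "$dump" | awk -v n="$name" '
        BEGIN { FS = "==" }
        {
            lhs = $1; rhs = $2
            # trim the whitespace padding around the "==" separator
            gsub(/^[ \t]+|[ \t]+$/, "", lhs)
            gsub(/^[ \t]+|[ \t]+$/, "", rhs)
            # only group-to-gid lines count; winuser/uid entries are skipped
            if (lhs !~ /^wingroup:/ || rhs !~ /^gid:/) next
            sub(/^wingroup:/, "", lhs)
            short = lhs; sub(/@.*$/, "", short)
            if (lhs == n || short == n) {
                sub(/^gid:/, "", rhs)
                print rhs
                found = 1
                exit
            }
        }
        END { exit found ? 0 : 1 }'
}

# Example run against the constructed sample
domain_group_gid 'Domain Admins' "$SAMPLE_IDMAP_DUMP"   # prints 2147483651
domain_group_gid 'Domain Users'  "$SAMPLE_IDMAP_DUMP"   # prints 2147483650
```

On the appliance itself, call the function with only the group name so that it runs `idmap dump -n` for you; check the return status before using the printed GID in the share permissions step.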
  • In NMV, navigate to Data Management -> Shares, and for each share:
    • Click on the share name
    • Click ‘(+) Add Permissions for Group’
    • Fill in the UNIX/LDAP group with the GID for ‘Domain Admins@. . .’
    • Fill in the various permissions for that group as appropriate
    • Click ‘Add new group’
    • Repeat for ‘Domain Users@. . .’

[Screenshot: Setting group permissions]

It is now possible to access both nodes from the domain, and the shares are visible on whichever node the service is currently imported on.

The service can also be accessed via the VIP for that service.

[Screenshot: Access using VIP]

