Active Directory Compatibility with ExtremeZ-IP

A Technical Best Practices White Paper. Group Logic White Paper, October 2010.

About This Document
The purpose of this technical paper is to discuss how ExtremeZ-IP supports Microsoft Active Directory. It is intended for systems administrators, technical evaluators and decision-makers who are considering upgrading or purchasing ExtremeZ-IP for the first time.

Active Directory Compatibility in ExtremeZ-IP

ExtremeZ-IP: An Overview
ExtremeZ-IP is a robust Windows-based file and print server supporting all releases of the Mac operating system from Mac OS 9 to Mac OS X 10.6 (Snow Leopard). ExtremeZ-IP allows your organization to preserve the innovative Mac experience for your end users while integrating them fully into your Windows Server infrastructure. Whether it's security policies, Active Directory integration, performance, scalability, or manageability and monitoring options, ExtremeZ-IP lets you deliver the enterprise-class services your Mac users require. Because ExtremeZ-IP runs as a Windows service, a Windows server that is joined to the domain is all it needs to integrate your Macs into Active Directory. ExtremeZ-IP is the only fully-supported, server-side solution for delivering seamless Mac to Windows connectivity. It allows your Windows administrators to treat Macs on the network like PCs, while your Mac users continue to work in their native environment and participate fully in your existing file server and storage infrastructure. The result is better scalability, service delivery, performance and compliance, and fewer calls to your help desk. As the proven standard for file sharing between Mac desktops and Windows servers, ExtremeZ-IP is the most trusted solution for ensuring compatibility without compromise, and a must-have for mixed Mac and Windows computing environments.
User Authentication and ExtremeZ-IP
ExtremeZ-IP leverages the Active Directory plug-in built into every Mac OS X client to provide Single Sign-on (SSO) authentication using Kerberos, in the same way that Windows clients authenticate.

Connecting to ExtremeZ-IP
ExtremeZ-IP fully supports Active Directory and provides two authentication options: Diffie-Hellman Key Exchange (DHX) for Mac OS 9 and Mac OS X, and Kerberos single sign-on for Mac OS X. Kerberos is the standard authentication protocol for Active Directory. With Active Directory and ExtremeZ-IP, a Mac user logs into the Mac, obtains a Kerberos ticket, and that ticket then grants secure, controlled access to all resources in the domain without the password being entered again. DHX is the AFP user authentication module that uses a Diffie-Hellman exchange to protect the user's password on the wire; it authenticates the user to that one server only, so it grants access to the resources on that server and produces no ticket that other servers will accept. Which option is used for a login depends on how the Mac is configured and how the user logged into the Mac.

Option 1: If the Mac is bound to the domain via the Active Directory plug-in, how Kerberos operates depends on the type of account used to log into the Mac:
(Figure: Connecting a Mac to Active Directory)
a. If the user logs into the Mac with an Active Directory account, a ticket is retrieved from Active Directory at login time and is accepted seamlessly by all ExtremeZ-IP servers.
b. If the user logs into the Mac with a local account, the user is prompted for domain credentials the first time they access an ExtremeZ-IP share; the ticket retrieved at that point is then used to access all other ExtremeZ-IP servers without further prompts.
(Figure: File server login)

Option 2: If the Mac is not bound to the domain, the Mac logs in using the encrypted DHX protocol built into AFP. Because DHX authenticates to a single server, each ExtremeZ-IP server the user connects to asks for credentials separately.

Password Policies
ExtremeZ-IP honors all Active Directory password policies: expiration, complexity rules when the client changes a password, and the rules for changing passwords. Password policy is therefore consistent across all client platforms. In addition, ExtremeZ-IP can warn the user a configurable number of days before his or her password expires.

Disk Quotas
ExtremeZ-IP enforces a user's disk quota by controlling the amount of free space reported to the Mac client and by enforcing the limit on file I/O operations.

Permissions and ExtremeZ-IP
Mac and UNIX permissions are traditionally narrower than Windows permissions: the common permissions are owner, group and everyone, each with read, write and execute. The Windows (NTFS) permissions model, applied to Active Directory users and groups, provides many more possibilities. Using ExtremeZ-IP, users can take advantage of these possibilities. ExtremeZ-IP strictly honors the Windows file permissions for a user and maps them to the effective permissions the Mac understands. This is accomplished without any client software or special tools to manipulate permissions on the server.

Support for Mac ACLs
For Mac computers that are bound to the Active Directory domain, ExtremeZ-IP maps the Windows permissions to the Mac OS X Access Control List (ACL) model. This allows Macs to see the permissions on specific files or folders and to change them if they have the rights to do so. Starting with Mac OS X 10.5, the Finder provides a user interface for editing these permissions directly.
(Figure: Adjusting permissions in the Finder)
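The three login paths described under "Connecting to ExtremeZ-IP" above (Option 1a, Option 1b and Option 2) differ mainly in how often the user is asked for a password and whether a reusable ticket exists. The following model, added here as an example and not code from Group Logic or the white paper, walks a user through several server connections in each case. The server names, the afpserver/<host> SPN form and the ten-hour ticket lifetime are assumptions for illustration.

```python
"""Model of the three Mac login paths (Option 1a, 1b and Option 2): which
authentication method each AFP connection uses and how often the user is
asked for a password. Added example, not Group Logic code. Server names,
the afpserver/<host> SPN form and the ticket lifetime are assumptions."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TGT_LIFETIME = 10 * 3600   # seconds; assumed Active Directory default


@dataclass
class Ticket:
    principal: str
    service: str            # "krbtgt" for the TGT, otherwise the AFP server's SPN
    issued: int
    lifetime: int

    def valid(self, now: int) -> bool:
        return now < self.issued + self.lifetime


@dataclass
class MacSession:
    user: str
    bound: bool             # Mac bound to the domain via the AD plug-in
    ad_login: bool          # user logged into the Mac with an AD account
    prompts: int = 0        # how many times the user typed a password
    tgt: Optional[Ticket] = None
    service_tickets: Dict[str, Ticket] = field(default_factory=dict)

    def login(self, now: int) -> None:
        # Option 1a: an AD login on a bound Mac obtains the TGT at login time.
        if self.bound and self.ad_login:
            self.tgt = Ticket(self.user, "krbtgt", now, TGT_LIFETIME)

    def _ensure_tgt(self, now: int) -> None:
        # Option 1b: a local-account user is prompted once, on first share
        # access; the same happens when an earlier TGT has expired.
        if self.tgt is None or not self.tgt.valid(now):
            self.prompts += 1
            self.tgt = Ticket(self.user, "krbtgt", now, TGT_LIFETIME)

    def connect(self, server: str, now: int) -> str:
        """Authenticate one AFP connection; returns the method used."""
        if not self.bound:
            # Option 2: DHX protects the password in transit but is per
            # server, so every connection asks for credentials again.
            self.prompts += 1
            return "DHX"
        self._ensure_tgt(now)
        spn = f"afpserver/{server}"          # assumed SPN form for AFP servers
        ticket = self.service_tickets.get(spn)
        if ticket is None or not ticket.valid(now):
            # The service ticket is obtained from the KDC with the TGT: no prompt.
            self.service_tickets[spn] = Ticket(self.user, spn, now, TGT_LIFETIME)
        return "Kerberos"


def prompts_for(bound: bool, ad_login: bool, servers: List[str],
                now: int = 0) -> Tuple[int, List[str]]:
    """Run one session across several servers; return (password prompts, methods)."""
    session = MacSession("jsmith", bound, ad_login)
    session.login(now)
    methods = [session.connect(server, now) for server in servers]
    return session.prompts, methods


if __name__ == "__main__":
    servers = ["ezip1.corp.example", "ezip2.corp.example", "ezip1.corp.example"]
    for label, bound, ad_login in (("bound, AD login", True, True),
                                   ("bound, local login", True, False),
                                   ("not bound", False, False)):
        print(label, prompts_for(bound, ad_login, servers))
```

The practical check on a bound Mac is the klist command after login: a TGT in the cache is what makes the Kerberos path prompt-free, while an empty cache on a bound Mac means the one-time Option 1b prompt is expected rather than a fault.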

Support for UNIX Permissions
ExtremeZ-IP can be configured to report UNIX permissions to the Mac client and to allow the client to change them. This is important for Mac applications that expect a proper representation of UNIX permissions, especially lower-level utilities and general UNIX software. ExtremeZ-IP supports UNIX permissions for the owner, the group and everyone. It represents them on the Windows file system as a combination of the effective Windows ACL and additional, more explicit Access Control Entries (ACEs) added to the ACL to carry the UNIX permission bits. In every case the Windows ACL takes precedence over the UNIX permissions: the underlying Windows permission model is always honored, and the UNIX view exists to give Mac applications a more compatible environment. A permission granted through the UNIX mode therefore never exceeds what the Windows ACL allows. More information on how ACLs and UNIX permissions are handled in ExtremeZ-IP can be found in this knowledge base article: http://www.grouplogic.com/knowledge/index.cfm/fuseaction/view/docid/10

Flexible Permissions
ExtremeZ-IP provides a per-volume option to enable flexible permissions. Flexible permissions are useful for collaboration workflows in which a user who creates files in a folder with restrictive permissions needs to share those files with other users. Normally, when files are moved from a more restrictive folder to a less restrictive one, the permissions remain restrictive. This creates user frustration and help desk calls, because other users cannot access the files even though they were moved to a more public part of the file server. When flexible permissions are enabled on a volume, ExtremeZ-IP resets the permissions when files are moved, so that the permissions of the destination folder are applied to every file moved into it. This eliminates the need for end users or administrators to change permissions manually. Note the trade-off: a move into a less restrictive folder widens access to the moved files to whatever the destination allows. That is the intended behavior for collaboration folders, so enable the option only on volumes where the destination folder's permissions are meant to be the authority. The configuration setting that enables flexible permissions, shown in the image below, is called Reset permissions on move.
(Figure: Shared volume settings showing flexible permissions)
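The permission sections above make three claims that are easy to check in code: a user's effective rights come from the Windows ACL with denies winning over allows, the Mac is shown an owner/group/everyone reduction of those rights, and a moved file either keeps its own ACL or takes the destination's when Reset permissions on move is enabled. The following model is an added example, not ExtremeZ-IP's own code or algorithm: the ACE layout, the group names CORP\design and CORP\finance, and the simplified evaluation order (any matching deny beats any allow) are assumptions for illustration.

```python
"""Model of Windows ACL evaluation reduced to the owner / group / everyone
rwx view a Mac sees, of a Mac chmod that cannot override a Windows deny,
and of the "Reset permissions on move" option. Added example, not
ExtremeZ-IP code; ACE layout, names and evaluation order are assumptions."""

from dataclasses import dataclass, replace
from typing import FrozenSet, Iterable, List, Set

READ, WRITE, EXECUTE = "read", "write", "execute"   # the bits a UNIX mode can carry
ALL = frozenset({READ, WRITE, EXECUTE})


@dataclass(frozen=True)
class ACE:
    trustee: str               # user, group, or the well-known "Everyone"
    allow: bool                # False makes this a deny ACE
    rights: FrozenSet[str]
    inherited: bool = False


@dataclass
class Principal:
    name: str
    groups: Set[str]

    def matches(self, trustee: str) -> bool:
        return trustee == "Everyone" or trustee == self.name or trustee in self.groups


def effective_rights(acl: Iterable[ACE], who: Principal) -> FrozenSet[str]:
    """Collect allows and denies from every ACE naming the user or one of
    its groups; a denied right is removed even if another ACE allows it."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in acl:
        if who.matches(ace.trustee):
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)


def mode_string(rights: FrozenSet[str]) -> str:
    return "".join(ch if r in rights else "-"
                   for r, ch in ((READ, "r"), (WRITE, "w"), (EXECUTE, "x")))


def unix_view(acl: List[ACE], owner: Principal, group: str) -> str:
    """The nine-character mode shown to the Mac: the owner, then a probe
    principal whose only membership is the file's group, then a probe with
    no memberships at all (it matches only "Everyone")."""
    group_probe = Principal("_group_probe", {group})
    everyone_probe = Principal("_everyone_probe", set())
    return "".join(mode_string(effective_rights(acl, p))
                   for p in (owner, group_probe, everyone_probe))


def chmod(acl: List[ACE], owner: Principal, group: str, mode: str) -> List[ACE]:
    """Model of a Mac chmod: explicit allow ACEs are appended for the bits
    requested, but nothing already in the Windows ACL is removed, so an
    existing deny still wins (the Windows ACL takes precedence)."""
    new_acl = list(acl)
    for i, trustee in enumerate((owner.name, group, "Everyone")):
        triad = mode[3 * i:3 * i + 3]
        granted = frozenset(r for r, ch in zip((READ, WRITE, EXECUTE), triad) if ch != "-")
        if granted:
            new_acl.append(ACE(trustee, True, granted))
    return new_acl


def move(file_acl: List[ACE], dest_folder_acl: List[ACE], reset_on_move: bool) -> List[ACE]:
    """Without the option the file keeps its own ACL; with it, the
    destination folder's ACL is inherited instead."""
    if reset_on_move:
        return [replace(ace, inherited=True) for ace in dest_folder_acl]
    return list(file_acl)
```

Real NTFS evaluation is ordered (explicit ACEs before inherited, denies before allows within each level), and ExtremeZ-IP's stored representation is its own; the point the model preserves is that the Mac-visible mode is derived from the Windows ACL, never the other way round, so a chmod from the Mac cannot open what a Windows deny closes.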

Home Directories and ExtremeZ-IP
Special challenges exist when Macs are configured to use network-based home directories. When a user's home directory is on a server hosting a large number of users, the Mac lists every folder on the share and looks inside each one for preview metadata. This can take a considerable amount of time, and the user has to go through the entire list to find his or her folder. ExtremeZ-IP includes two optimizations, referred to as Access Based Enumeration (ABE), that mitigate this problem. The first uses the user's Active Directory profile and lists only the folder named in that profile. The second, for deployments that do not keep the home directory path in Active Directory, equates the user name with the folder name and, when the user logs on, displays only the folder that matches his or her user name.
Mac users with a home directory profile in Active Directory can connect seamlessly to ExtremeZ-IP for both network and portable home directories. ExtremeZ-IP has features that optimize performance and minimize server load when acting as a home directory server, and its caching algorithms are designed around how the Mac operates, which provides further performance and load benefits. Mac clients can be configured through the built-in Active Directory plug-in to bind to the domain and retrieve the home directory location from the user's Active Directory profile at login time. ExtremeZ-IP can optionally be configured so that individual volumes hosting home directories have special filtering applied, so that only the user's own home directory is visible during file system operations:
(Figure: File server settings showing home directory options)
This minimizes client access time at logon and reduces server load when many home directories are hosted on one server.

(Figure: View of home directories when using Access Based Enumeration)
This home directory filter can be based on either the user's name or the user's Active Directory profile.
(Figure: Active Directory plug-in home directory configuration)
For more sophisticated control over client authentication and group policy, ExtremeZ-IP is also compatible with the DirectControl product from Centrify. The two products complement each other: ExtremeZ-IP provides Mac file sharing, and DirectControl provides Mac authentication and group policy. For instructions on configuring ExtremeZ-IP to work with home directories, see the following knowledge base article: http://www.grouplogic.com/knowledge/index.cfm/fuseaction/view/docid/167. For instructions on integrating ExtremeZ-IP with Centrify DirectControl, see this knowledge base article: http://www.grouplogic.com/knowledge/index.cfm/fuseaction/view/docid/288
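The two home directory filters just described, by user name and by Active Directory profile, differ in what they match against and in how they behave when the profile points somewhere other than the volume being browsed. The following model is an added example, not ExtremeZ-IP's code: the folder listing, the server and share names, and the rule that a profile naming a different server or share shows nothing on this volume are constructed assumptions.

```python
"""Model of the two home-directory filters: by user name, or by the
homeDirectory UNC path in the user's Active Directory profile. Added
example, not ExtremeZ-IP code; listing, server and share names and the
handling of a profile that points elsewhere are constructed assumptions."""

from typing import List, Optional, Tuple


def parse_unc(unc: str) -> Optional[Tuple[str, str, str]]:
    """Split \\\\server\\share\\sub\\dir into (server, share, "sub/dir").
    Server and share are lower-cased because Windows names are
    case-insensitive. Returns None for a non-UNC value such as a drive
    letter path, which some profiles carry instead."""
    if not unc.startswith("\\\\"):
        return None
    parts = [p for p in unc[2:].split("\\") if p]
    if len(parts) < 2:
        return None
    return parts[0].lower(), parts[1].lower(), "/".join(parts[2:])


def visible_by_name(listing: List[str], user: str) -> List[str]:
    """Name-based filter: show only the folder whose name is the user name
    (compared case-insensitively, as both Windows and HFS+ do by default)."""
    return [folder for folder in listing if folder.lower() == user.lower()]


def visible_by_profile(listing: List[str], home_unc: str,
                       this_server: str, this_share: str) -> List[str]:
    """Profile-based filter: show only the top-level folder on the path the
    user's AD profile names, and nothing if the profile points at another
    server or share (that home directory is not on this volume)."""
    parsed = parse_unc(home_unc)
    if parsed is None:
        return []
    server, share, relative = parsed
    if (server, share) != (this_server.lower(), this_share.lower()):
        return []
    top = relative.split("/")[0] if relative else ""
    return [folder for folder in listing if folder.lower() == top.lower()]


def home_listing(listing: List[str], user: str, home_unc: str,
                 this_server: str, this_share: str, mode: str = "profile") -> List[str]:
    """Dispatch on the per-volume filter setting: "name" or "profile"."""
    if mode == "name":
        return visible_by_name(listing, user)
    if mode == "profile":
        return visible_by_profile(listing, home_unc, this_server, this_share)
    raise ValueError(f"unknown filter mode {mode!r}")
```

Either filter is an enumeration optimization, not access control: it hides the other folders from the listing, while the Windows ACL on each home folder, which ExtremeZ-IP honors strictly, is what actually keeps one user out of another's home directory. Check those ACLs independently of the filter setting.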

DFS and ExtremeZ-IP
Microsoft Distributed File System (DFS) is a set of technologies used to present a single virtual view of a collection of Windows file servers and to manage replication of data between those servers. Microsoft DFS consists of two technologies:
- DFS Replication, which provides facilities for replicating file server data between locations and servers.
- DFS Namespaces, which allows administrators to group file server shares on disparate machines into a single virtual namespace, so end users can access files without needing to know exactly where the files are located.
Benefits of using DFS include:
- Replication and failover in the case of server failure
- Geographic distribution of data, so users get better performance by working with local copies
- Flexibility for administrators to reconfigure the file server infrastructure without retraining users
- A single view of the file sharing space for end users
ExtremeZ-IP seamlessly supports DFS Replication. Mac-specific file information is stored in NTFS alternate data streams, and DFS Replication carries those streams, so the Mac information is preserved on every replica. To support DFS Namespaces, ExtremeZ-IP can be configured to present one or more namespaces to Mac users by sharing the namespace as a DFS Root volume hosted on the ExtremeZ-IP server. Macs can then browse the namespace and are redirected to the appropriate target server as needed. Used together with Active Directory single sign-on, the user can reach every server in the namespace seamlessly, since each target accepts the same Kerberos ticket. ExtremeZ-IP supports DFS referrals to both AFP (ExtremeZ-IP) and SMB servers, and supports DFS-based network and portable home directories.

Conclusion
ExtremeZ-IP is the most effective and reliable method for sharing files between Macs and Windows servers. ExtremeZ-IP supports the network protocol designed specifically for the Mac and maintains the performance and security levels that Windows administrators expect. It also resolves the sharing problems of file structure, naming conventions and server performance, and provides added benefits that include sophisticated authentication, file name policies and caching. ExtremeZ-IP works easily with clusters and facilitates the use of network home directories. Most importantly, Group Logic maintains, updates and supports ExtremeZ-IP so that Mac users can take advantage of all the Macintosh features and enjoy the enterprise-level convenience and benefits of sharing files on Windows servers.

About Group Logic
Group Logic, Inc. (GLI) is a leading provider of digital content-driven collaboration solutions for the enterprise and the cloud. With over 20 years of unmatched experience, Group Logic's emphasis on customer success is the very core of its business. More than 4,500 customers trust Group Logic every day to access, share and extend their digital content investments around the world. For more information, visit Group Logic on the Web at www.grouplogic.com or call 800.476.8781 / +1.703.528.1555.

Group Logic, 1100 N Glebe Rd, Suite 800, Arlington, VA 22201, USA. 1.800.476.8781, +1.703.528.1555, info@grouplogic.com, www.grouplogic.com
Copyright 2010 Group Logic, Inc. All rights reserved. Group Logic and MassTransit are registered trademarks of Group Logic, Inc. ExtremeZ-IP, Zidget, and ShadowConnect are trademarks of Group Logic, Inc. All other trademarks are properties of their respective owners.