How To Configure the Oracle ZFS Storage Appliance for Quest Authentication for Oracle Solaris



Similar documents
How to Configure IDMU on the Oracle ZFS Storage Appliance

How to Use Microsoft Active Directory as an LDAP Source with the Oracle ZFS Storage Appliance

Sun ZFS Storage Appliance Rule-Based Identity Mapping Between Active Directory and Network Information Services Implementation Guide

CLEO NED Active Directory Integration. Version 1.2.0

Windows Security and Directory Services for UNIX using Centrify DirectControl

How To Install Ctera Agent On A Pc Or Macbook With Acedo (Windows) On A Macbook Or Macintosh (Windows Xp) On An Ubuntu (Windows 7) On Pc Or Ipad

Installation and Configuration Guide

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

Installation and Configuration Guide. Version

RHEL Clients to AD Integrating RHEL clients to Active Directory

SETTING UP ACTIVE DIRECTORY (AD) ON WINDOWS 2008 FOR EROOM

NexentaConnect for VMware Virtual SAN

F-Secure Messaging Security Gateway. Deployment Guide

How To Use Directcontrol With Netapp Filers And Directcontrol Together

VINTELA AUTHENTICATION SERVICES

F-SECURE MESSAGING SECURITY GATEWAY

Integrating Microsoft Servers and the Oracle ZFS Storage Appliance

Migrating Your Windows File Server to a CTERA Cloud Gateway. Cloud Attached Storage. February 2015 Version 4.1

Using Internet or Windows Explorer to Upload Your Site

ONEFS MULTIPROTOCOL SECURITY UNTANGLED

Secure Messaging Server Console... 2

Department of Veterans Affairs VistA Integration Adapter Release Enhancement Manual

Livezilla How to Install on Shared Hosting By: Jon Manning

1.6 HOW-TO GUIDELINES

Setting Up Scan to SMB on TaskALFA series MFP s.

Configuring the Active Directory Plug-in

Active Directory and Linux Identity Management

Centralized Mac Home Directories On Windows Servers: Using Windows To Serve The Mac

RoomWizard Synchronization Software Manual Installation Instructions

Configuring a Windows 2003 Server for IAS

Spectrum Technology Platform. Version 9.0. Administration Guide

Savvius Insight Initial Configuration

Creating a DUO MFA Service in AWS

SITRANS RD500 Configuring the RD500 with PSTN or GSM modems and Windows-based servers and clients for communication Objective:

MATLAB on EC2 Instructions Guide

Informatica Corporation Proactive Monitoring for PowerCenter Operations Version 3.0 Release Notes May 2014

Installing, Uninstalling, and Upgrading Service Monitor

Searching for accepting?

InfoRouter LDAP Authentication Web Service documentation for inforouter Versions 7.5.x & 8.x

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

Integrating WebSphere Portal V8.0 with Business Process Manager V8.0

VERALAB LDAP Configuration Guide

Installation of MicroSoft Active Directory

Using and Contributing Virtual Machines to VM Depot

Desktop Web Access Single Sign-On Configuration Guide

How To - Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment

Performing Database and File System Backups and Restores Using Oracle Secure Backup

How to Join QNAP NAS to Microsoft Active Directory (AD)

Parallels Panel. Parallels Small Business Panel 10.2: User's Guide. Revision 1.0

EMC Celerra Version 5.6 Technical Primer: Control Station Password Complexity Policy Technology Concepts and Business Considerations

Volume SYSLOG JUNCTION. User s Guide. User s Guide

OpenCart. SugarCRM CE (Community Edition Only) Integration. Guide

CIFS Permissions Best Practices Nasuni Corporation Natick, MA

Two Factor Authentication in SonicOS

Application. 1.1 About This Tutorial Tutorial Requirements Provided Files

Getting Started with ESXi Embedded

Flexible Identity. LDAP Synchronization Agent guide. Bronze. version 1.2

Parallels Plesk Panel

Specops Command. Installation Guide

ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example

IBM WebSphere Application Server Version 7.0

SQL Server Setup for Assistant/Pro applications Compliance Information Systems

How To Connect A Gemalto To A Germanto Server To A Joniper Ssl Vpn On A Pb.Net 2.Net (Net 2) On A Gmaalto.Com Web Server

Configuring Global Protect SSL VPN with a user-defined port

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Getting Started Guide

VMTurbo Operations Manager 4.5 Installing and Updating Operations Manager

Vintela Authentication from SCO Release 2.2. Installation Guide

How To Set Up Egnyte For Netapp Sync For Netapp

Implementing a SAS Metadata Server Configuration for Use with SAS Enterprise Guide

HIPAA Compliance Use Case

Device Log Export ENGLISH

Configure thin client settings locally

Guide to the Configuration and Use of SFTP Clients for Uploading Digital Treatment Planning Data to IROC RI

NSi Mobile Installation Guide. Version 6.2

Security Provider Integration Kerberos Server

Creating a Domain Tree

Managing Access Control in PresSTORE

IDENTITIES, ACCESS TOKENS, AND THE ISILON ONEFS USER MAPPING SERVICE

Wavecrest Certificate

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Parallels Panel. Parallels Small Business Panel 10.2: Administrator's Guide. Revision 1.0

How To Configure Syslog over VPN

LDAP Implementation AP561x KVM Switches. All content in this presentation is protected 2008 American Power Conversion Corporation

Reflection DBR USER GUIDE. Reflection DBR User Guide. 995 Old Eagle School Road Suite 315 Wayne, PA USA

Using Active Directory as your Solaris Authentication Source

How to integrate RSA ACE Server SecurID Authentication with Juniper Networks Secure Access SSL VPN (SA) with Single Node or Cluster (A/A or A/P)

Test Case 3 Active Directory Integration

How To Install An Org Vm Server On A Virtual Box On An Ubuntu (Orchestra) On A Windows Box On A Microsoft Zephyrus (Orroster) 2.5 (Orner)

How To Configure Vnx (Vnx) On A Windows-Only Computer (Windows) With A Windows 2.5 (Windows 2.2) (Windows 3.5) (Vnet) (Win

Installing and Configuring DB2 10, WebSphere Application Server v8 & Maximo Asset Management

Using Microsoft Windows Authentication for Microsoft SQL Server Connections in Data Archive

HP Enterprise Integration module for SAP applications

Single Sign On. Configuration Checklist for Single Sign On CHAPTER

IBM Endpoint Manager Version 9.2. Patch Management for SUSE Linux Enterprise User's Guide

Installing and Configuring vcloud Connector

CommandCenter Secure Gateway

Prerequisites and Configuration Guide

Installing and Using the vnios Trial

An Oracle White Paper September Oracle WebLogic Server 12c on Microsoft Windows Azure

Transcription:

How To Configure the Oracle ZFS Storage Appliance for Quest Authentication for Oracle Solaris January 2014; v1.3 By Andrew Ness This article describes how to configure Quest Authentication Services in the Oracle ZFS Storage Appliance to integrate Oracle Solaris 10 or Oracle Solaris 11 environments with Active Directory. Quest Authentication Services (QAS) by Quest Software provide a cross-platform bridge between Windows-based Active Directory and authentication functions for other platforms, including UNIX (Oracle Solaris 10 and Oracle Solaris 11) and Linux. When installed and configured, QAS allows nominated Active Directory users and groups to be represented on Oracle Solaris systems, providing a consistent Active Directory user or group to a Solaris User ID (UID) or group ID (GID). Oracle Solaris hosts can also verify passwords for the Active Directory. Because Quest Authentication Services provide a single point of administration for UNIX and Windows users through Active Directory, permissions can be consistent for both platforms that share storage from an Oracle ZFS Storage Appliance. Contents Overview Installing the Quest Authentication Services Agents on Oracle Solaris Configuring the Oracle ZFS Storage Appliance for Active Directory and QAS Verifying Correct Operation Conclusion References Overview When Active Directory (AD) is used to provide the directory services for users and groups, authentication must be performed on the AD framework. Due to the configuration of attributes under AD, the password field is not exported for external verification. Since only AD domain servers can provide authentication, Quest Authentication Services provide a necessary bridge to allow non- Windows platforms to authenticate against Active Directory. QAS also provides a mapping between the Windows internal user and group identifiers and Oracle Solaris user and group IDs. This mapping is used by the Oracle ZFS Storage Appliance to ensure that consistent permissions and ownership of files is maintained among the differing platforms. QAS is installed on the AD domain controller to provide the necessary changes to AD to be used by the agents installed on the Oracle Solaris clients. No additional software packages need to be installed on the Oracle ZFS Storage Appliance, but it may require some configuration changes in order to facilitate the mapping process. 1 Version 1

Activating QAS for the Oracle ZFS Storage Appliance is a two-step process. First, you must configure the Oracle ZFS Storage Appliance to use AD services in the normal way. Next, you configure the mapping service to allow sharing of ownership and permission attributes to all the cooperating platforms. The following figure shows the architecture of an example QAS deployment with the Oracle ZFS Storage Appliance. Oracle Solaris Host QAS Solaris Agent installed QAS AD Authentication Windows Active Directory Domain Controller with QAS File Access Oracle ZFS Storage Appliance IDMU + AD Client Active Directory Lookup File Access Active Directory Lookup Windows Active Directory Domain Controller with QAS Windows Active Directory Domain Controller with QAS Windows Active Directory Domain Controller with QAS Windows Clients Figure 1. QAS deployment with the Oracle ZFS Storage Appliance Installing the Quest Authentication Services Agents on Oracle Solaris This section provides a quick-start view of the procedure to install QAS agents on the Oracle Solaris host system. Consult the Quest Authentication Services Installation Guide (www.quest.com/authentication-services/) for the full procedure and for further details. 1. Connect to a command-line interface (CLI) session on the Oracle Solaris host (using telnet, ssh, or the console). 2. Log in as root or a valid user and assume the root user role using the command su on the Oracle Solaris server. 3. Locate the installation media and license key files. admin@quest:~$ su Password: root@quest# unzip -d QAS-Agents \ Quest_AuthenticationServicesSolarisAgents_403.zip Archive: Quest_AuthenticationServicesSolarisAgents_403.zip creating: QAS-Agents/add-ons/ creating: QAS-Agents/add-ons/smartcard/ creating: QAS-Agents/add-ons/smartcard/solaris8-sparc/ inflating: QAS-Agents/add-ons/smartcard/solaris8- sparc/vassc_sunos_5.8_sparc-4.0.3.24.pkg creating: QAS-Agents/add-ons/siebel/ creating: QAS-Agents/add-ons/siebel/solaris10-x64/ inflating: QAS-Agents/add-ons/siebel/solaris10-x64/quest-mav_SunOS-ap20-3.6.7.i386.pkg inflating: QAS-Agents/add-ons/siebel/solaris10- x64/vassiebelad_sunos_5.10_i386-4.0.3.24.pkg creating: QAS-Agents/add-ons/siebel/solaris8-x86/ [ ] 2 Version 1

root@quest# cd QAS-Agents root@quest#./install.sh Quest Authentication Services Installation Script Script Build Version: 4.0.3.24 Copyright 2011 Quest Software, Inc. ALL RIGHTS RESERVED. Protected by U.S. Patent Nos. 7,617,501, 7,895,332, 7,904,949. Patents pending. Host Name: quest Operating System: SunOS 11 (x86_64) Checking for recommended patches...done Checking for available software... Done Checking for installed software... Done Executing the following commands: Install VAS Client (vasclnt) Install VGP Client (vasgp) License VAS (license) Join the Active Directory Domain (join) Do you wish to continue? (yes no)? [yes]: yes Executing command: vasclnt [ ] Do you accept the Quest Software, Inc. agreement (yes no) [no]: yes [ ] /opt/quest/share/oat/oat.msg /opt/quest/share/oat/oat_adlookup.msg /opt/quest/share/oat/oat_match.msg /opt/quest/usr/lib/security/64/pam_vas3.so /opt/quest/usr/lib/security/pam_vas3.so [ verifying class <run> ] ## Executing postinstall script. Registering vasd with SMF WARNING: This system does not support a system wide global manpath. You will need to set your MANPATH environment variable to /opt/quest/man, or use "man -M /opt/quest/man <manpage>" to view the man pages. Installation of <vasclnt> was successful. vasclnt (4.0.3.24) installed. Executing command: 'vasgp'... echo 'y' pkgadd -a '/tmp/vas-admin' -G -d '/home/admin/qas- Agents/client/solaris10-x64/vasgp_SunOS_5.10_i386-4.0.3.24.pkg' all Processing package instance <vasgp> from </home/admin/qas- Agents/client/solaris10-x64/vasgp_SunOS_5.10_i386-4.0.3.24.pkg> vasgp 4.0.3.24(amd64) 4.0.3.24 Copyright 2011 Quest Software, Inc. ALL RIGHTS RESERVED. Protected by U.S. Patent Nos. 7,617,501, 7,895,332, 7,904,949. Patents pending. [ ] Installation of <vasgp> was successful. vasgp (4.0.3.24) installed. Executing command: 'license'... Found existing licenses Number of Unix Enabled users in use: 0 ---QAS--- No licenses are installed. ---QAS Siebel--- No licenses are installed. Would you like to install further licenses (yes no)? [no]: yes 3 Version 1

Please specify the full local path for each license file, e.g. /tmp/licenses/license1.txt. Standard wildcards are also valid, e.g. /tmp/licenses/*.txt. When all licenses have been installed press <enter> to quit. Please specify full local path of license to install (<enter> to quit): > /var/tmp/qas-197-39181.txt Installed '/var/tmp/qas-197-39181.txt' -> '/etc/opt/quest/vas/.licenses/qas-197-39181.txt Please specify full local path of license to install (<enter> to quit): > Resulting license state: Number of Unix Enabled users in use: 0 ---QAS--- Number of Licensed Unix Enabled Users: Valid licenses: Number of days until license expires: XXXXX X XXXXX ---QAS Siebel--- No licenses are installed. Executing command: 'join'... Do you wish to join the host to an Active Directory domain at this time (yes no)? [yes]: yes Checking whether computer is already joined to a domain... no Password for Administrator@EXAMPLE.COM: ADPASSWORD Stopping daemon: vasd... OK Configuring forest root... example.com... OK Configuring site... Default-First-Site-Name... OK Joining computer to the domain as host/quest.example.com... OK Joined using computer object "CN=quest,CN=Computers,DC=example,DC=com"... OK Writing vas.conf... OK Populating misc cache... OK Preparing to apply Group Policy... OK Applying Group Policy Settings... OK Starting daemon: vasd... OK Caching Schema... OK Caching Users... OK Mapping mapped users... OK Processing user overrides... OK Caching Groups... OK WARNING: No Unix-enabled groups found in domain! Processing group overrides... OK Caching Srvinfo... OK Caching Netgroups... OK Configuring Name Service Switch... OK Configuring PAM Authentication... OK In the preceding example, QAS agents were installed and a valid license was applied to the installation. Any users who require access to both Oracle Solaris and Windows servers should have their UNIX account enabled on the Active Directory Server. Figure 2 shows creation of a Windows user named A N Test. You can access this properties panel by selecting a user in the "Active Directory Users & Computers" application under the Administrator tools on the Active Directory domain controller. 4 Version 1

Figure 2. Creating a test user called AN Test Once you have created the user, you must enable the user for UNIX access, as shown in Figure 3. Figure 3. Enabling UNIX access In the preceding example, the Windows user A N Test is assigned the UNIX username antest, a UID of 80592, and the GID 1000. (The group unixusers has been created with a GID of 1000, so this user by default joins the group unixusers.) For further details on the processes for initial configuration, consult the Quest Authentication Services Installation Guide. Configuring the Oracle ZFS Storage Appliance for Active Directory and QAS 1. Using the browser user interface (BUI) of the Oracle ZFS Storage Appliance, ensure that the DNS configuration refers to the same DNS server as the Active Directory servers. As shown in 5 Version 1

the following figure, access the DNS Configuration screen by selecting Configuration > Services > DNS. Figure 4. Verifying DNS configuration 2. Ensure that the clocks on the Oracle ZFS Storage Appliance and the Windows AD Servers are in sync. On the BUI, select Configuration and Services and then click on NTP. Figure 5 shows the screen display that results. As the browser is running on the Windows Active Directory server (shown as Client Time in the following display), you can see that the clocks are in sync. Figure 5. Verifying clock synchronization 3. Next, request to join the AD by selecting Configuration > Services > Active Directory, as seen in Figure 6. 6 Version 1

Figure 6. Selecting Active Directory 4. Select JOIN DOMAIN as shown in Figure 7. Figure 7. Select Join Domain 5. Enter the details of a Domain Administrator user to enable the Oracle ZFS Storage Appliance to join the AD. Figure 8. Enter AD administrator details 6. If you have successfully joined, you will see a display similar to Figure 9. 7 Version 1

Figure 9. Successful AD join If a message indicating access is denied or the operating system cannot log on the user displays and the username and password are correct, you may need to change the LAN Manager compatibility level to level 2. Do this by selecting Configuration > Services > SMB as shown in Figure 10. Figure 10. Configuring the LAN Manager compatibility level 1 Change the LAN Manager compatibility level to 2 and click APPLY, as shown in Figure 11. 8 Version 1

Figure 11. Configuring the LAN Manager compatibility level - 2 Once this has been completed, retry from step 3. 7. Configure the Mapping rules to be applied by selecting Configuration > Services > Identity Mapping as shown in Figure 12. Figure 12. Selecting Identity Mapping 8. Ensure that the mapping mode is set to IDMU as shown in Figure 13. Click APPLY if it was changed. 9 Version 1

Figure 13. Selecting IDMU as the mapping mode Verifying Correct Operation In order to test correct operation, a share called QUEST-test was configured on the Oracle ZFS Storage Appliance owned by user antest. Within this share is a folder called Secret which has all permissions removed except for the owner antest (the UNIX version name for A N Test), as can be seen in the following screenshot of the Windows properties display for the folder Secret. These folders were created on the Windows AD client on the share presented by the Oracle ZFS Storage Appliance also accessible by the Oracle Solaris server. Figure 14. Restrictive permissions on QUEST-test\Secret A text file was created in the directory Secret by user antest and a further non-restricted text file called Test Document.txt was created in the root directory of the QUEST-test share. 10 Version 1

The following Oracle Solaris CLI session shows that the appropriate permissions applied on the Windows environment have successfully translated to the Solaris environment through the Identity Mapping and services provided by QAS. login: antest Password: <Windows AD Password> Oracle Corporation SunOS 5.11 11.0 December 2011 antest@quest$ cd /net/zfssa/export/quest-test antest@quest$ ls alr total 16 drwxr-xr-x+ 3 antest other 4 Feb 6 14:24. drwxr-xr-x+ 4 root root 255 Feb 6 14:21.. drwx------+ 2 antest nobody 3 Feb 6 14:25 Secret -rwxr--r-- 1 antest antest 26 Feb 6 14:10 Test Document.txt.txt antest@quest$ ls -alr.: total 16 drwxr-xr-x+ 3 antest other 4 Feb 6 14:24. drwxr-xr-x+ 4 root root 255 Feb 6 14:21.. drwx------+ 2 antest nobody 3 Feb 6 14:25 Secret -rwxr--r-- 1 antest antest 26 Feb 6 14:10 Test Document.txt.txt./Secret: total 8 drwx------+ 2 antest nobody 3 Feb 6 14:25. drwxr-xr-x+ 3 antest other 4 Feb 6 14:24.. -rwx------+ 1 antest nobody 82 Feb 6 14:26 My PIN Collection.txt antest@quest$ logout Next, another AD UNIX-enabled user logs in to the Solaris server to view the share: login: lookyloo Password: <Windows AD Password> Oracle Corporation SunOS 5.11 11.0 December 2011 lookyloo@quest$ cd /net/zfssa/export/quest-test lookyloo@quest$ ls -alr.:./secret: Permission denied total 13 drwxr-xr-x+ 3 antest other 4 Feb 6 14:24. drwxr-xr-x+ 4 root root 255 Feb 6 14:21.. -rwxr--r-- 1 antest antest 26 Feb 6 14:10 Test Document.txt.txt lookyloo@quest$ cd Secret -bash: cd: Secret: Permission denied lookyloo@quest$ logout The correct permissions have therefore been applied in both environments. Conclusion The Oracle ZFS Storage Appliance Identity Mapping and Active Directory support provides an effective platform to share data between Oracle Solaris and Windows environments, with Quest Authentication Services being the single point of user account administration. Through QAS, restrictive permissions can be applied correctly in both environments to ensure data security. 11 Version 1

References For more information, visit the following Web resources. Web Resource Description Oracle Solaris Quest Software Quest Authentication Services Oracle ZFS Storage Appliances Web Resource URL www.oracle.com/solaris www.quest.com www.quest.com/authentication-services/ www.oracle.com/us/products/servers-storage/storage/nas/overview/index.html 12 Version 1

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information