OpenFiler 2.3 Integration with Active Directory

From Wiki

Revision as of 23:47, 16 March 2009 by EduTech (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to:navigation, search
Michael's guide to setting up OpenFiler 2.3 with Active Directory as a NAS box.

I have to admit I've spent a lot of time trying to figure out how to set up OpenFiler as a NAS after our Terastation unit died for the fourth time. Unfortunately there's not a lot a lot of resources out there that give you a step-by-step guide to getting Active Directory set up, and also to make a share actually work. The techie people out there are probably reading this now thinking "what's he on about? It's simple!" but for those of us who aren't the least bit familiar with Linux and its foibles, I've put together this guide.

This is by no means the definitive method of setting up OpenFiler, but it works for me andI hope it helps you! If you've any suggestions for adding to it, or corrections, please email me at dwimorberg [at] hotmail [dotcom].

A few assumptions have been made about the configuration of your machine at this point.

  • Firstly, you're accessing the web interface of OpenFiler, so the network must be working.
  • Secondly, that your storage medium is set up and formatted as per your requirements.
  • Thirdly, that, at this stage, you just want to use your OpenFiler box on the network as a NAS

The settings I've used here are:

OpenFiler IP address = Name = NAS-FDomain name = domain.localDomain controller name = dc1Domain admin username = adminDomain admin password = password

So here goes... (click the screenshot thumbnails to enlarge them)

1) Firstly, check your services page. They should be set up as shown:SMB / CIFS server Enabled NFSv3 server Disabled HTTP / WebDAV server DisabledFTP server DisablediSCSI target server Disabled Rsync server Enabled UPS server Disabled LDAP server Disabled ACPI daemon Enabled iSCSI initiator EnabledIf not, enable or disable them to match this list.
2) Next, click on the SMB/CIFS Setup link on the "Services Section" Menu on the right. Enter the following data:

Server string: NASboxName (the name your OpenFiler will use to join the domain. In this case, NAS-F)NetBIOS name: NASboxName (again, the name your OpenFiler will use to join the domain. In this case, NAS-F)

Leave the rest of the settings as the default values.

3) Click the Rsync Setup link on the "Services Section" Menu on the right.

All you need to do here is use the IP address drop-down box to choose your network port. In this case it's eth0 <==> , the only choice.

4a) Here's the slightly more complicated bit! Click the Accounts tab at the top and then choose Expert View below.

• Firstly, do NOT put a tick in the Use LDAP server box!

• For the LDAP settings,Root bind DN: (this is an admin password for your domain, in this case, admin@domain.local)Root bind password: password (the corresponding password for the account you entered above)

The rest of the LDAP settings should be as their defaults. Some of them are automatically added, such as server, and base DN

4b) Still in the Accounts Expert View, scroll down the page to the second part.

• Put a tick in the box labelled Use Windows domain controller and authentication.

• Select the appropriate Security model (Active Directory in this example)

Domain/workgroup: domainname (for this example, simply "domain" without the ".local")

Domain controllers: domaincontrollername.domain.local (for this example, dc1.domain.local)

ADS realm: domainname.something (for this example, domain.local)

• Leave the UID and GID ranges at their default values

Join domain: selected

Administrator username: adminusername (for this example, "admin" as used for LDAP but without the @domain.)

Administrator password: password (the corresponding password for the above admin account)

4c) Still on the same page scroll past the next few boxes to the Authentication Configuration section. All settings should remain at default except:

• Select Use Kerberos 5

Realm: domain.something (in this example, domain.local)

KDC: yourdomaincontroller.domain.something (in this example, dc1.domain.local)

Admin Server: yourdomaincontroller.domain.something (in this example, dc1.domain.local)

  5) Click the big ol' Submit button! Wait for a while, you should be able to see your users and groups populating after a few minutes. I took the opportunity of restarting the OpenFiler at this point too.

The next bit: Setting up a share

  First of all the important bit is identifying your network to OpenFiler. This is the range of computers that you want to be able to access your OpenFiler box. This could be just the whole network (as is the case in this example), or, when you've got the hang of it, you can be a bit more exclusive, say just choosing admin-office computers. It all helps if your network is set up logically. Which mine isn't.
1) On the System tab, under the Network Access Configuration heading, you need to make a new configuration line.

Name: Give it a name to identify it ("MyLAN" in this example)

Network/Host: This is the base address of your network, it could be or for basic networks. In my case it's

Netmask: Select your netmask to define your network. ought to do it for a simple network. If your network isn't simple you can use this to be more specific, I assume you know what you're doing.

Type: Easy. Select Share!

Click the Update button and your config data will appear as saved in the list.

2) Assuming your volumes are set up, partitioned and formatted as you want them, go to the Shares tab at the top. Your mounted volume(s) will appear in the list on that page. First of all here you need to create a folder to share.

• Click the name of your volume ("data" in this example), name your subfolder and click the Create Sub-folder button.

3) This will have created a new shared folder in the volume hierarchy. Click this new name ("Shared" in this example) and click the Make Share button. Your folder now gets the shared-folder icon.

This applies to any other folders you create too, but concentrate on just one for now.

4a) Click on the now-shared folder to take you to the Edit share window. This is where you apply permissons.

You don't need to change the Share name, Share description or Override SMB/Rsync share name boxes.

• In the Share Access Control Mode you want to select Controlled Access (I assume you do anyway, this is why we've set it up Active directory!).

However, if you don't want to control a particular folder, so that everyone has access to it, just choose Public guest access.

4b) Scroll down to the Group access configuration section. Here's where the magic happens!

First of all here, you'll find your list of Security Groups from Active Directory. Each group has four options to its right, as follows:

PG: the Primary Group. Every share needs to have one. This is comparable to the Folder Owner and should be set as the main security group that uses the share, or more commonly, the Domain Admins group.

NO: No Access. Exactly what it says on the tin, if your user group is selected in this group (as they all are by default) then every user in that group will be denied access to your group.

RO: Applies in the same way as NO but gives users in the appropriate group Read Only access.

RW: Gives users in the appropriate security group Read/Write access to all the files in this share.

• Set your shares according to how and who you want to access your files, and click the Update button beneath the Security groups list.

Ignore the Host access config for now, that's in the next step.

  4c) Once you've updated the Group Access Config above, scroll back down the Edit Share page to the Host access configuration section. This is what had me confused for a while, and why we set up the network at the beginning of this half of the guide!

You'll notice in the screenshot that the MyLAN network is now listed with a bunch of options. It has the same selection of access rights as you set in the Security Groups above. The setting you need to change is for SMB/CIFS one.

• Under SMB/CIFS select the RW button. You'll notice restart services automatically gets selected too. This is fine.

• If you want to set the other Service options while you're here, feel free, but the above is all you need to do to get your share visible/usable in Windows.

• Click the Update button and wait while the settings are applied.

If all has gone well at this point, in Windows you can go to the Start > Run box and type \\NASboxName . This should list the OpenFiler's shares for you to start using & mapping.

I hope this is helpful to someone! I've compiled it using all the settings above and all was tested along the way so it works as I've described.

© 2009