Configuring Static User Mapping; Configuring Groups And Users On The Active Directory Server - HP StoreAll Series Installation Manual

Configuring static user mapping

This section describes how to configure static user mapping.

Configuring groups and users on the Active Directory server

You must configure an administrative user and group, a proxy user, the unknown Windows user,
and any other Windows client users. All are required.
Creating an administrative user and group
An administrative user in Active Directory must be mapped to the Linux root (UID 0) to extend root
permissions on the file system to the Windows side. You can create a new user or modify an
existing user, but the user must be assigned the UID of 0 on its Properties→UNIX Attributes.
Alternatively, you can create or modify an administrative group in Active Directory, with all members
having root privileges on HP StoreAll OS Software files and folders. This group must be assigned
the GID of 0 on the group's Properties→UNIX Attributes, and must be mapped to the root group
on Linux with GID 0. Note, however, that the Linux root group might have a lower level of
permissions than root itself (for example, it might not have write permission). If you use this method,
ensure that the permissions on the Linux root group are rwx before mapping.
Mapping a single user to UID 0 might be more secure than granting the same level of control over
all HP StoreAll OS Software files to multiple users.
Creating a proxy user and delegate control folder
The proxy user queries the Active Directory server on behalf of the client to find mappings from
Linux UIDs/GIDs to Windows SSIDs. It must be defined in the management console with the
ibrix_activedirectory command, and it must be created in Active Directory.
1. Log into the Active Directory Main Catalog server, and open the Active Directory Users and
Computer screen.
2. Under the domain where the user is to be created, right-click Users, select New, and then click
User.
3. On the Create New Object - User screen, add the user. Two fields are required: Full name
and User logon name. You can use a name, such as StoreAll_proxy for both fields, and
it can be a name of your choice. The domain is automatically assigned.
4. Click Next, and then assign a password and password policy.
5. Click Next, and then click Finish.
6. Right-click the Users folder, click Delegate Control to open the delegation wizard, and then
click Next to open the Users or Groups screen.
7. Click Add to open the Select Users, Computers, or Groups screen.
8. In the Enter Object Names field, add your new user (IBRIX_proxy).
9. Click Next to open the Tasks to Delegate screen.
10. Select Create a Custom Task to Delegate.
1 1. Click Next to open the Active Directory Object Type screen, select Only the Following Objects,
and then scroll to and select User Objects.
12. Click Next to open the Permissions screen.
13. Select Property-Specific. The property names vary by server version:
(Windows Server 2008) Scroll to and select Read msSFU30GidNumber and Read
msSFU30UidNumber.
(Windows Server 2008 and later) Scroll to and select Read gidNumber and Read
uidNumber.
14. Click Next, and then click Finish.
If you create other OUs in Active Directory and users in those units are to access the file system,
you must also delegate control for these OUs to the proxy user.
Installing and configuring the HP StoreAll Windows client 163