6.0 Managing NSS AD

Table 6-1 outlines tools and tips for the different management areas associated with NSS AD Support.

Table 6-1 Managing NSS AD Support

Subject

Tools and Tips

AD Administrator Supervision of AD-enabled Volumes:

  • Members of the Domain Admins group in the domain that an OES server joins have supervisory rights for all the AD-enabled volumes associated with that server.

  • To change the supervisor group for a server, enter the following command at the server’s terminal prompt:

    nitconfig set ad-supervisor-group=AD-group-name

Consolidate Storage to NSS

  • If your eDirectory users access NSS, your Active Directory users access NTFS, and you want to consolidate your storage on NSS, you can retain both identity sources and use NFARM to manage the trustee rights and quotas of AD users.

  • You can also use the NSS rights and quota utilities to manage the rights and quotas of AD users and groups.

  • You can continue to use both eDirectory and Active Directory as is, or you can consolidate all identities to Active Directory and continue to use the NSS file system.

Mass ACL Assignment

  • OES User Rights Management (NURM)

Move and Split AD-enabled Volumes

NSS

  • iManager

    Media-upgrade an NSS32 pool at the time of pool creation.

    AD-enable a volume during or after volume creation.

  • NRM

    Manage DST Policies, primary and secondary volumes, and so on.

  • NSSMU

    Media-upgrade existing NSS32 pools.

    AD-enable existing volumes.

  • NLVM

    Specify the pool type as NSS64 or NSS32 (default).

    Force the creation of a 64-bit pool in a cluster with pre-OES 2015 servers.

    Display all size outputs in a specified human-readable format.

Quotas

For AD Users and Groups

For eDirectory Users and Groups

Restrict General AD User Access

To restrict NSS resource access for Active Directory users and groups:

  1. Create a universal group anywhere in the AD forest.

  2. Specify its sAMAccountName as

    OESAccessGrp

Only the members of this group will have NSS resource access based on their trustee assignments.

If this group does not exist, all Active Directory users and groups in the forest can access the NSS resources based on their trustee assignments.

Only one OESAccessGrp universal group can be created for an AD forest.

Allow AD User Access in Multi-Forest Environment

To allow NSS resource access for Active Directory users and groups in a multi-forest environment:

  1. Create a Domain Local Group (DLG) in the AD domain to which the OES server is joined.

  2. Specify its sAMAccountName as

    DLOESAccessGrp

Only the members of this group (from the OES forest and across forests) have access to NSS resources based on their trustee assignments.

In the absence of this group, the AD users across the forest cannot access the NSS resources.
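
The following is an added example, not part of the OES documentation or tooling: a small Python audit that applies the OESAccessGrp rules (Restrict General AD User Access) and the DLOESAccessGrp rules (Allow AD User Access in Multi-Forest Environment) to a list of exported group records. The record field names, the finding codes, and the sample domains are assumptions made for illustration; group scope is decoded from the standard AD groupType bit flags.

```python
# Added example: audit the OESAccessGrp / DLOESAccessGrp gating groups.
# Scope is decoded from the AD groupType attribute (bit flags).
SCOPE_BITS = {0x2: "global", 0x4: "domain-local", 0x8: "universal"}

def scope(group_type):
    """Decode group scope; works on the signed values ldapsearch prints."""
    return next((n for b, n in SCOPE_BITS.items() if group_type & b), "unknown")

def audit(groups, joined_domain):
    """Return (code, detail) findings for a list of exported group records.

    groups: dicts with sAMAccountName, domain, groupType (assumed field names).
    joined_domain: AD domain the OES server is joined to.
    """
    def named(name):
        return [g for g in groups if g["sAMAccountName"].lower() == name.lower()]

    findings = []
    forest = named("OESAccessGrp")
    if not forest:
        findings.append(("OPEN", "no OESAccessGrp: all AD users and groups in the "
                         "forest can reach NSS per their trustee assignments"))
    if len(forest) > 1:
        findings.append(("DUPLICATE", "OESAccessGrp found in: " +
                         ", ".join(sorted(g["domain"] for g in forest))))
    for g in forest:
        if scope(g["groupType"]) != "universal":
            findings.append(("SCOPE", f"OESAccessGrp in {g['domain']} is "
                             f"{scope(g['groupType'])}, expected universal"))

    cross = named("DLOESAccessGrp")
    if not cross:
        findings.append(("NO-CROSS-FOREST", "no DLOESAccessGrp: users from other "
                         "forests cannot access NSS resources"))
    for g in cross:
        if g["domain"].lower() != joined_domain.lower():
            findings.append(("DOMAIN", f"DLOESAccessGrp is in {g['domain']}, "
                             f"not the joined domain {joined_domain}"))
        if scope(g["groupType"]) != "domain-local":
            findings.append(("SCOPE", f"DLOESAccessGrp in {g['domain']} is "
                             f"{scope(g['groupType'])}, expected domain-local"))
    return findings

# Constructed sample export (not from a real directory).
SAMPLE = [
    {"sAMAccountName": "OESAccessGrp", "domain": "corp.example", "groupType": -2147483646},
    {"sAMAccountName": "OESAccessGrp", "domain": "emea.corp.example", "groupType": -2147483640},
    {"sAMAccountName": "DLOESAccessGrp", "domain": "emea.corp.example", "groupType": -2147483644},
]
```

An `OPEN` finding is the one to watch for after a directory cleanup: deleting OESAccessGrp silently widens access from group members to every AD principal in the forest that holds a trustee assignment.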

Trustee Rights on AD-enabled NSS Volumes

For AD Users and Groups

  • OES File Access and Rights Management (NFARM)

  • rights utility

For eDirectory Users and Groups

  • iManager

  • rights utility

  • Client for Open Enterprise Server

For information, see

UIDs for Linux Access

Users and Groups

AD Users and Groups

  • Use native AD tools, such as the Microsoft Management Console (MMC)

eDirectory Users and Groups

  • Use iManager