Network and Storage Protocols

Can a filer be a member of two different Active Directory domains?

sequeirad
6,590 Views

Have run into an issue...

I need to be able to create CIFS shares and share them out with NTFS permissions for a totally separate and different Active Directory domain from the current one to which the filer is registered.

Is this possible?

If so, how would I go about doing it?

Thanks for any and all help.

7 REPLIES

jbogardus3

Look at the documentation related to vFilers/MultiStore. A vFiler can have a different 'cifs setup' run on it and be added to a different domain.

The following will set up a root volume to contain the /etc config of the vFiler, and another volume to put CIFS shares in:

vol create cgy2v_root -s none cgy3b_agrst01_64 10g
vol create cgy2v_st00c_sh01 -s none cgy3b_agrst01_64 1t
vfiler create cgy2v -i 172.31.10.10 /vol/cgy2v_root /vol/cgy2v_st00c_sh01

Then run 'cifs setup' on the vFiler to put it in a different domain:

vfiler context cgy2v
cifs setup

A domain administrator can then connect to 172.31.10.10 with Windows Computer Manager, seeing it as a logically separate NetApp filer to create shares on.

sequeirad

Thanks, but I don't have a MultiStore license and I'm not going to get funds for it.

Is there any other way?

shaunjurr

Hi,

Unless the domains are trusted, you are pretty much out of luck. One authentication domain per filer (or per vFiler with MultiStore).

Good luck.

sequeirad

No, the domains need to be separate and therefore cannot have trusts set up between them...

Sigh... thanks.

shaunjurr

The only other compromise would be to set up a Windows server in the other domain and use some of the storage via iSCSI... Not quite the same thing with all of the NetApp advantages, but if you have extra disk capacity and no budget to build a fat Windows server, you could at least use the disk...

If you had a cluster, you could put one partner in each domain as well, but for a single system... I don't see any other options...

aborzenkov

If you can do it with a “normal” Windows server, you most probably can do it with a filer. Is it possible with Windows?

I think it could be possible from a technical point of view, but access rights management becomes a nightmare, as you will have to use raw SIDs for one domain (no backward SID-to-name resolution).

shaunjurr

Hi,

I can't really imagine how you would "do it" with a normal server either when it is already part of a domain, except for maybe adding all of the users as local users...

You have to understand how authentication works. The file rights are going to be "looked up" by going to the domain controller, because that is how authentication is set up.

You can make shares that map to IP addresses, but pretty much anyone will be able to do what they want there. It would be a bad hack of usermap.cfg and setting share rights with SIDs, but generally, this would basically be, as you say, a nightmare to administer... but, it's your life, hehe...

The iSCSI suggestion would take 20 minutes to set up if you have a server with enough resources to be a file server and a bit of a network. Trying to force it any other way is going to give you lots of gray hair, I would guess...
