Map home directory based on AD group membership to different NFS shares

Participant III
Posts: 10
Registered: ‎01-21-2015
#1 of 5

Map home directory based on AD group membership to different NFS shares

I want to be able to map users' home directories based on an AD group that their centrified machine is a member of.  For example, user logs into finance machine, their home directory should map fserver:/shared/home/username.  Same user logs into hr machine, their home directory should map to hserver:/shared/home/username.  What's the most efficient way of going about this? 

Centrify Guru I
Posts: 2,430
Registered: ‎07-26-2012
#2 of 5

Re: Map home directory based on AD group membership to different NFS shares

[ Edited ]

Mike,


With Centrify you get all the identity and authentication building blocks to accomplish this (notice the bold font).  Your challenge may be with your specific approach; this is not a simple "plug and play", this is a project.  I suspect that you're applying Windows logic to the problem, but typically when using UNIX/Linux systems, what you want to do is mount a single filesystem (served maybe by a filer or server) as the /home filesystem at system initialization, and based on the user's UNIX identity home directory, their home directory will be allocated.


The benefit of this approach is that you're not mounting a filesystem each time a user logs in interactively or via SSH;  mounts are memory intensive and in addition, only root can perform mounts.  Contrast this to the Windows approach in which you would define something like <drive letter> \\my-fileserver\home\%username% in the profile page of the AD user's identity and you're all set.  This is all good for workstations, but not very good for servers.  Ubuntu has implemented some clever stuff with CIFS.


Let's outline what you have with Standard Edition:


- Identity Manipulation - needed to consolidate home directories (check) - it's all in the Centrify Zones.
This benefit is not there for Express users.

- Authentication - needed for the NFS client and NFS server to validate users (check) - check, it's AD

- Identity for an appliance - needed if the file server is an appliance that can't have Centrify (check) - the LDAP Proxy

- Kerberized environment and tools - needed to support authentication (check)

- Authorization via the listed RBAC role.  (check) This eliminates the need to allow login access to end users in the case you're using an actual server as the NFS server.


[Attached image: Access Manager - UNIX Profile arrow home dir.jpg]


With this in mind, now you're ready to start your planning;  here are the questions to ask yourself:


  • Is this going to be used for servers or workstations?
  • What are the platforms to be supported?
  • Is this part of a scheme that has a multiprotocol share (e.g. \\fileserver\home\%username% over CIFS is the same as /exports/home/%username% over NFS) - this way, regardless of the platform (UNIX, Linux, MacOSX) the end user has the same experience.
  • What are the variabilities of the mount command between platforms  (mount on Solaris is not the same as mount on Ubuntu)
  • How is my permission set?  Does my back-end support mixed permissions (NTFS/NFS) on mixed scenarios?
  • What version of NFS is the best for me?  Is it supported in the platforms outlined above?
  • How can I eliminate the usage of any cleartext credentials to perform the mount?


The good thing is that the Centrify KnowledgeBase and even this board and the Express board have a treasure trove of information.  As a matter of fact, the very problem that you outline has triggered prospects to look at Centrify.


Good places to start:

Automount:  KB-3036: How to automount an NFSv4 share in Centrify

If using a filer:  KB-3382: Using DirectControl with Network Appliance (NetApp) Filers


My blog:

Basics on NFS: http://centrifying.blogspot.com/2014/01/basics-unix-shared-network-folders-and.html

Mixed Scenario:  http://centrifying.blogspot.com/2014/07/business-problems-how-to-solve-issue-of.html


My advice, take it by building blocks.  Break down your project and get the small wins.  The pitfalls are on the variability of platforms and unfortunately we provide you only with the identity and authentication piece;  the details on how mounts work vary per platform or appliance.


R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Participant III
Posts: 10
Registered: ‎01-21-2015
#3 of 5

Re: Map home directory based on AD group membership to different NFS shares

Thank you for the thorough response. I couldn't mask it, you spotted my Gates-ian Microsoft logic.

One of the requirements is to have multiple home directories for a single user (whether on a single filer or multiple filers), which I know goes against the strong preference to consolidate and centralize in most use cases. The suggestions in KB-3036 sound promising. Do you by any chance know of a document that explains some example uses of the Variables tab when configuring the UNIX Profile? Thanks again!
Centrify Guru I
Posts: 2,430
Registered: ‎07-26-2012
#4 of 5

Re: Map home directory based on AD group membership to different NFS shares

[ Edited ]

Your requirement seems unorthodox, but I believe you have a good toolset to work with.


Page 128 of the UNIX Admin Guide explains the runtime variables in depth:
http://www.centrify.com/downloads/products/documentation/suite2014/centrify-unix-adminguide.pdf

Here's an excerpt:

[Attached image: Admin Guide - Runtime Variables.JPG]

They will come in handy in this particular use case.  In addition, having multiple zones or computer-level profile overrides can help too. 


You can also use this link from my blog to view a set of videos on how to implement what's stated in KB-3036.


https://www.youtube.com/playlist?list=PL6FKnqrWmi-x0wGAVb_zGzgdS13Yv53JQ


PS - I just got a tip from my coworker Fel as well.  The Copy-Files GPO may come in handy as well.


It's just very cool to have


R.P


Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Registered: ‎07-06-2010
#5 of 5

Re: Map home directory based on AD group membership to different NFS shares

Hi,


An option available to you is to use Centrify's zoning technology to configure different automount maps for different classes of systems.  This way, when a user logs in to a system in the finance zone, they get the finance automount entry, and when they log on to an HR machine, they get the HR automount entry.


Another option is to use Group Policy along with the FileCopy GPO Centrify provides to copy different automount maps to different sets of systems.  Depending on the OU the system is a member of, the appropriate automount map would be copied to the system.


Hope this helps,

Felderi Santiago
VP of Enterprise Solutions
Centrify Corporation
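Added example, not from the thread or from Centrify: what a per-class autofs home map for the finance and HR systems looks like once a zone or the FileCopy GPO has delivered it (the approach in the last post), plus a check that a map uses Kerberos security rather than sec=sys, which addresses the cleartext-credential question in the second post. Assumed: autofs on Linux, NFSv4 exports fserver:/shared/home and hserver:/shared/home (server names from the thread); the class names, map file names and the audit function are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or Centrify). Assumes autofs on Linux and
# NFSv4 exports fserver:/shared/home and hserver:/shared/home.

# Print the auto.home map for a class of system ("finance" or "hr").
# The wildcard key "*" matches any username and "&" substitutes it, so one
# line serves every user; sec=krb5 makes the mount authenticate with the
# user's Kerberos ticket instead of trusting a client-supplied UID.
home_map_for() {
    case "$1" in
        finance) server=fserver ;;
        hr)      server=hserver ;;
        *) echo "unknown system class: $1" >&2; return 1 ;;
    esac
    printf '* -fstype=nfs4,sec=krb5,nosuid,nodev %s:/shared/home/&\n' "$server"
}

# auto.master entry that attaches the map at /home with a short idle timeout,
# so home directories are mounted on demand, not at every login by root.
master_entry() {
    printf '/home /etc/auto.home --timeout=300\n'
}

# Audit a map file: succeed only if every mount line carries a Kerberos
# security flavor (krb5, krb5i or krb5p). sec=sys, or no sec= option at all,
# means the server trusts whatever UID the client claims.
map_uses_kerberos() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        $2 !~ /sec=krb5[ip]?(,|$)/ { bad = 1 }   # options field must have sec=krb5*
        END { exit bad }
    ' "$1"
}

# Demo: render both class maps plus a deliberately weak one, then audit them.
tmp=$(mktemp -d)
home_map_for finance > "$tmp/auto.home.finance"
home_map_for hr      > "$tmp/auto.home.hr"
printf '* -fstype=nfs4,sec=sys fserver:/shared/home/&\n' > "$tmp/auto.home.weak"
for f in "$tmp"/auto.home.*; do
    if map_uses_kerberos "$f"; then echo "OK   $f"; else echo "WEAK $f"; fi
done
```

Run it on a test host before wiring the map into /etc/auto.master; the audit function can also be pointed at maps already deployed by the GPO to find any that still use sec=sys.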