Map home directory based on AD group membership to different NFS shares
01-21-2015 06:35 PM
I want to be able to map users' home directories based on an AD group that their Centrified machine is a member of. For example, a user logs into a finance machine, and their home directory should map to fserver:/shared/home/username. The same user logs into an HR machine, and their home directory should map to hserver:/shared/home/username. What's the most efficient way of going about this?
01-21-2015 07:23 PM
With Centrify you get all the identity and authentication building blocks to accomplish this (notice the bold font). Your challenge may be with your specific approach; this is not a simple "plug and play", this is a project. I suspect that you're applying Windows logic to the problem, but typically when using UNIX/Linux systems, what you want to do is mount a single filesystem (served maybe by a filer or server) as the /home filesystem at system initialization, and based on the user's UNIX identity home directory, their home directory will be allocated.
The benefit of this approach is that you're not mounting a filesystem each time a user logs in interactively or via SSH; mounts are memory intensive and in addition, only root can perform mounts. Contrast this to the Windows approach in which you would define something like <drive letter> \\my-fileserver\home\%username% in the profile page of the AD user's identity and you're all set. This is all good for workstations, but not very good for servers. Ubuntu has implemented some clever stuff with CIFS.
Let's outline what you have with Standard Edition:
- Identity Manipulation - needed to consolidate home directories (check) - it's all in the Centrify Zones.
This benefit is not there for Express users.
- Authentication - needed for the nfs client and nfs server to validate users (check) - check it's AD
- Identity for an appliance - needed if the file server is an appliance that can't have Centrify (check) - the LDAP Proxy
- Kerberized environment and tools - needed to support authentication (check)
- Authorization via the listed RBAC role. (check) This eliminates the need to allow login access to end users in the case you're using an actual server as the NFS server.
With this in mind, now you're ready to start your planning; here are the questions to ask yourself:
- Is this going to be used for servers or workstations?
- What are the platforms to be supported?
- Is this part of a scheme that has a multiprotocol share (e.g. \\fileserver\home\%username% over CIFS is the same as /exports/home/%username% over NFS) - this way, regardless of the platform (UNIX, Linux, MacOSX) the end user has the same experience.
- What are the variabilities of the mount command between platforms (mount on Solaris is not the same as mount on Ubuntu)?
- How is my permission set? Does my back-end support mixed permissions (NTFS/NFS) on mixed scenarios?
- What version of NFS is the best for me? Is it supported in the platforms outlined above?
- How can I eliminate the usage of any cleartext credentials to perform the mount?
The good thing is that the Centrify KnowledgeBase and even this board and the Express board have a treasure trove of information. As a matter of fact, the very problem that you outline has triggered prospects to look at Centrify.
Good places to start:
Automount: KB-3036: How to automount an NFSv4 share in Centrify
If using a filer: KB-3382: Using DirectControl with Network Appliance (NetApp) Filers
My advice: take it by building blocks. Break down your project and get the small wins. The pitfalls are in the variability of platforms, and unfortunately we provide you only with the identity and authentication piece; the details on how mounts work vary per platform or appliance.
01-21-2015 10:51 PM
One of the requirements is to have multiple home directories for a single user (whether single or multiple filers), which I know goes against the strong preference to consolidate and centralize in most use cases. The suggestions in KB-3036 sound promising. Do you by any chance know of a document that explains some example uses of the Variables tab when configuring a UNIX Profile? Thanks again!
01-22-2015 05:30 AM
Your requirement seems unorthodox, but I believe you have a good toolset to work with.
Page 128 of the UNIX Admin Guide explains the runtime variables in depth.
Here's an excerpt:
They will come in handy in this particular use case. In addition, having multiple zones or computer-level profile overrides can help too.
You can also use this link from my blog to view a set of videos on how to implement what's stated in KB-3036.
PS - I just got a tip from my coworker Fel as well. The Copy-Files GPO may come in handy as well.
It's just very cool to have
01-22-2015 09:19 PM
An option available to you is to use Centrify's zoning technology to configure different automount maps for different classes of systems. This way, when a user logs in to a system in the finance zone, they get the finance automount entry, and when they log on to an HR machine, they get the HR automount entry.
Another option is to use Group Policy along with the FileCopy GPO Centrify provides to copy different automount maps to different sets of systems. Depending on the OU the system is a member of, the appropriate automount map would be copied to the system.
Hope this helps,
VP of Enterprise Solutions
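To make the zone-based automount suggestion concrete, here is an added example (not code from the thread or from Centrify) that builds the /home autofs map from the zone the machine is joined to, using the fserver/hserver names from the original question. It assumes zones named "finance" and "hr", and that `adinfo --zone` prints the joined zone name (check the option on your agent version); the `sec=krb5` mount option keeps the NFSv4 mount Kerberos-authenticated so no cleartext credentials are needed, as KB-3036 describes.

```shell
#!/bin/sh
# Added example: derive the /home automount map from the Centrify zone of this host.
# Assumed zone names: "finance" and "hr". Server names come from the original question.

# Map a zone name to the NFS server holding that zone's home directories.
home_server_for_zone() {
    case "$1" in
        finance) echo "fserver" ;;
        hr)      echo "hserver" ;;
        *)       return 1 ;;   # unknown zone: refuse rather than guess a server
    esac
}

# Render the autofs map body for one server. The wildcard key "*" serves every
# user, and "&" is replaced by the looked-up key (the username) at mount time.
# sec=krb5 requires a Kerberos ticket, so no password is stored or sent in clear.
render_auto_home() {
    printf '* -fstype=nfs4,sec=krb5 %s:/shared/home/&\n' "$1"
}

# Write the map for zone $1 to $2 (defaults to /etc/auto.home, which needs root).
write_auto_home() {
    zone="$1"; out="${2:-/etc/auto.home}"
    server="$(home_server_for_zone "$zone")" \
        || { echo "no home server configured for zone '$zone'" >&2; return 1; }
    render_auto_home "$server" > "$out"
}

# Stand-alone use: ask the Centrify agent for the zone and refresh the map.
# (Assumption: adinfo --zone prints the zone name; adjust for your agent.)
if [ "${1:-}" = "--apply" ]; then
    zone="$(adinfo --zone)" || exit 1
    write_auto_home "$zone" && echo "wrote map for zone '$zone'; reload autofs to pick it up"
fi
```

Pair the generated map with an `/etc/auto.master` line such as `/home /etc/auto.home` on every host; the per-zone difference then lives only in which server the map points at.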