VTrak G-Class (NAS Gateway) Articles

External LDAP Server Configuration

2017-10-27T10:36:12.4930000

Table of Contents
A. macOS Open Directory (GUI)
B. Windows Active Directory (GUI)
Appendix I - Setup Windows Active Directory with IDMU (Identity Management for UNIX)
Appendix II - Add the IDMU role to Windows Server (Example illustrated with Windows Server 2008)
Appendix III - Add UNIX Attributes to AD | User and Group
C. Linux Open LDAP with PDC
D. Samba Login Tool Instructions (Only applicable to macOS Open Directory)
E. Adding Permissions to the NAS Gateway SMB Share

Scope

The purpose of this article is to provide an A-Class SAN administrator the appropriate instructions on binding their
A-Class and NASGW to an External LDAP server.

Internal and External LDAP servers cannot be enabled at same time. There are three LDAP statuses:

Internal LDAP enabled while External LDAP is disabled
Internal LDAP disabled while External LDAP is enabled
Internal and External LDAP servers are both disabled

There are (3) types of External LDAP servers that are supported:

Windows Active Directory
macOS Open Directory or Linux LDAP without PDC
Linux LDAP with PDC

Select “Enable External LDAP Server” to enable the external LDAP module. If the Internal LDAP module is enabled, it will be disabled when the External LDAP is selected.

Setting Description

The table below demonstrates the external LDAP settings in the A-Class GUI.
Note: Some of the settings are common for all the supported LDAP servers; however, certain settings may not be supported on some of the LDAP servers. For more information, please contact Technical Support.

Setting Item	Description
SSL	Possible value: True or False. It should be set to False if LDAP server doesn’t support SSL.
Timeout	Timeout value in second. Value is from 1 to 30 seconds. Default is 10 seconds
BaseDN	The BaseDN of LDAP server. If the server is ptu.promise.com, the value shall be “dc=ptu,dc=promise,dc=com”. Note that there shouldn’t have space character in the value.
Server	The IP address of LDAP server.
Port	The port of LDAP server. Default value is 389
SAMBANetBIOSName	NetBIOS name for Samba server running in NAS Gateway. Optional value if there isn’t NAS gateway configured.
ServerType	LDAP server type. Three types are supported: Windows AD, Mac OD and Linux OpenLDAP.
Samba NetBIOS	This setting is enabled for “Linux LDAP with PDC” only.
AnonymousBind	Possible values: True or False. True: Bind LDAP server by using anonymous. LDAP server must support it. False: Don’t use anonymous user to bind LDAP server. BindDN (username) and BindPassword must be provided.
BindDN	Bind username When Windows AD is set up, four types of BindDN can be used: 1. <Domain_Name>\<Username> Such as: example.com\Administrator 2. <Username>@<Domain_Name> Such as: Administrator@example.com 3. CN=<Username>,CN=users,DC=<Domain_name> For example: CN=Administrator,CN=users,DC=example,DC=com Note: “users” must be lower case. “Users” doesn’t work for NAS gateway If Windows AD is on Windows 2000 or earlier version, type #1 is suggested. For other versions, all 3 types can be used. Note: <Username> only doesn’t work for NAS gateway. NAS gateway will report “LDAP connection failed” if type in username only.
BindPassword	Bind password. The password of the username which is used in BindDN
UIDAttribute	Attribute containing the LDAP username. Default values for different LDAP servers: - Mac OD: uid - Windows AD: uid (Identity Management for UNIX must be installed and UNIX Attributes must be configured) - Linux OpenLDAP: uid Other possible values can be checked on different LDAP server setup: - Windows AD: sAMAccountName, cn
ObjectClass	The object class to get user entries from LDAP server. The below hierarchy of object classes, the value can be user, organizationalPerson or person. Value cannot be top, because top is the root class and cannot be used to filter user. objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user Default values for different LDAP servers: - macOS OD: posixAccount - Windows AD: user - Linux OpenLDAP: posixAccount
GroupIDAttribute	Attribute containing the LDAP group name. Default values for different LDAP servers: - Mac OD: cn - Windows AD: cn - Linux OpenLDAP: cn Other possible values can be checked on different LDAP server setup: - Windows AD: sAMAccountName
ObjectClass ofGroup	The object class to get group entries from the LDAP server. The below hierarchy of object classes, the value can be group. Value cannot be top, because top is the root of the class hierarchy and cannot be used to filter group. objectClass: top objectClass: group Default values for different LDAP servers: - macOS OD: posixGroup - Windows AD: group - Linux OpenLDAP: posixGroup
EmailNotification forEvent	True: enable email notification for event. New event will be sent to the email address provided by EmailAddrAttribute. False: disable
FullNameAttribute	The LDAP attribute to get the full name of email recipient.
EmailAddrAttribute	The LDAP attribute to get the email address for email notification. With this setting, new events will be sent to the email address automatically.
Privilege for LDAP Users	Default: Use default privilege selected from next item. Role Mapping: Map LDAP role to subsystem privilege
DefaultPrivilege	The default privilege for all LDAP users. Used only when previous setting is select to Default.

A. macOS Open Directory (GUI)

Note: The Samba Login Tool is required. If you don't authenticate your users, the OD users will not be able to login to the SMB shares on the NAS Gateway.

CLI Output

administrator@cli> ldap -v
-------------------------------------------------------------------------------
ExternalLDAP: Enabled 
SSL: Disabled Timeout: 10 seconds
BaseDN: dc=macserver,dc=promise,dc=com
Server: 192.168.252.159 Port: 389
SAMBANetBIOSName: promise
ServerType: MAC Open Directory or Linux LDAP without PDC 
AnonymousBind: Disabled
BindDN: uid=test,cn=users,dc=macserver,dc=promise,dc=com
BindPassword: ******
UIDAttribute: uid
ObjectClass: posixAccount
GroupIDAttribute: cn
ObjectClassOfGroup: posixGroup
EmailNotificationForEvent: Enabled
FullNameAttribute: displayName
EmailAddrAttribute: mail
RolePolicy: default DefaultPrivilege: View
-------------------------------------------------------------------------------

B. Windows Active Directory (GUI)
Please make sure that the AD bind account is part of the Domain Admins group or has sufficient privileges to join the Domain. If you use a standard user (with no Domain Admin Privileges), the LDAP connection will fail.

CLI Output

administrator@cli> ldap -v
-------------------------------------------------------------------------------
ExternalLDAP: Enabled
SSL: Disabled Timeout: 10 seconds
BaseDN:dc=ptb,dc=local
Server:192.168.252.111 Port: 389
ServerType: Windows Active Directory
DNS: 192.168.252.111
AnonymousBind: Disabled
BindDN: ptb\test
BindPassword: ******
UIDAttribute: uid 
ObjectClass: user
GroupIDAttribute: cn
ObjectClassOfGroup: group
EmailNotificationForEvent: Enabled
FullNameAttribute: displayName
EmailAddrAttribute: mail
RolePolicy: default DefaultPrivilege: View
-------------------------------------------------------------------------------

Appendix I - Setup Windows Active Directory with IDMU (Identity Management for UNIX)

Windows Active Directory is heavily dependent upon DNS. If a DNS IP address has been established in the A-Class, it is recommended that an administrator configures the DNS server to support AD.

If the A-Class is configured with a Linux DNS server, the administrator should create a DNS zone on the DNS server for the AD domain.

If the A-Class is configured with a Windows DNS server, the administrator can configure AD in following (3) ways:

Install AD on the DNS server; AD and DNS are on the same server.
Install AD without DNS settings on another server, and use the primary DNS.
Install AD with DNS settings on another machine, create a DNS zone on the DNS server for the AD domain.

In order to store UNIX attributes in Active Directory, you must install Active Directory and then add the “Identity Management for UNIX” role service (this can be downloaded in Server Manager). Once the role service has been installed, the AD schema now includes a partially RFC 2307-compliant set of UNIX attributes. A new tab labeled “UNIX Attributes” will appear in the properties dialog box for users and groups in Active Directory. Each Active Directory account that will authenticate via Linux must be configured in the new “UNIX Attributes” tab.

Appendix II - Add the IDMU role to Windows Server (Example illustrated with Windows Server 2008)

Appendix III - Add UNIX Attributes to AD | User and Group
If you don't execute this step, the AD users and groups won't populate in the Folder Share setting when applying permissions for the NAS Gateway SMB share(s).

Note: The Samba Login Tool is not required when using Active Directory for authentication.

> Install IDMU for Windows Server 2008/2012

C. Linux Open LDAP with PDC

CLI Output

administrator@cli> ldap -v
-------------------------------------------------------------------------------
ExternalLDAP: Enabled 
SSL: Disabled Timeout: 10 seconds
BaseDN: dc=test,dc=com
Server: 192.168.252.143 Port: 389
SAMBANetBIOSName: test
ServerType: Linux LDAP with PDC 
AnonymousBind: Disabled
BindDN: cn=lily,dc=test,dc=com
BindPassword: ******
UIDAttribute: uid 
ObjectClass: posixAccount
GroupIDAttribute: cn 
ObjectClassOfGroup: posixGroup
EmailNotificationForEvent: Enabled
FullNameAttribute: displayName
EmailAddrAttribute: mail
RolePolicy: default DefaultPrivilege: View
-------------------------------------------------------------------------------

D. Samba Login Tool Instructions (Only applicable to macOS Open Directory)

Using your web browser, enter the Virtual IP Address of the NAS Gateway Cluster to access the Promise NAS Gateway Samba Login Tool.
You can retrieve the Virtual IP Address of the cluster by going to NAS Gateway > Detail.
Enter the user's credentials that you will be authenticating and Login:
If you don’t execute this step, your Open Directory users will not be able to access the SMB share.
You will receive a message stating that the user has been successfully authenticated.

E. Adding Permissions to the NAS Gateway SMB Share

Go to NAS Gateway > Mount Point.
Click the gear and select Folder Share:
You can set permissions by User or Group.
A. User = Read-Write Example:

B. Group = Read-Write Permission Example
Click Submit to save the changes and you will receive the following notification message:

Contact Promise Technology Support
Need more help? Save time by starting your support request online and a technical support agent will be assigned to your case.

Promise Technology Technical Support >

Internal LDAP Server Configuration

2017-10-27T08:17:01.2370000

Table of Contents
A. Enable Internal LDAP
B. Create Internal LDAP Users and Groups
C. Add the Internal LDAP User to the Samba User List
D. Default Folder Anonymous Permissions
E. Adding Permissions to the NAS Gateway SMB Share

Scope

The purpose of this article is to provide an A-Class SAN administrator the appropriate instructions on using the Promise Internal LDAP server module.

Internal and External LDAP servers cannot be enabled at same time. There are three LDAP statuses:

Internal LDAP enabled while External LDAP is disabled
Internal LDAP disabled while External LDAP is enabled
Internal and External LDAP servers are both disabled

A. Enable Internal LDAP

Go to the Administration tab and go to LDAP Settings.
Select Enable Internal LDAP Server

B. Create Internal LDAP Users and Groups
In the A-Class GUI, if the internal LDAP is enabled, the administrator can create LDAP users and groups under tab "User Management" and "Group Management" respectively.

Create Internal LDAP Group

Click "Add LDAP Group" under the gear icon in tab "Group Management"
Input the Group Name in popup window.
Click the Save button.

Create Internal LDAP User

Click "Add New User" under the gear icon in tab "User Management"
Select Internal LDAP
Input the user’s name
(This will automatically update the Display Name and Surname)
Enter the user’s password.
Click the Save button.

C. Add the Internal LDAP User to the Samba User List

Using your web browser, enter the Virtual IP Address of the NAS Gateway Cluster to access the Promise NAS Gateway Samba Login Tool.
You can retrieve the Virtual IP Address of the cluster by going to NAS Gateway > Detail.
Enter the user's credentials that you will be authenticating and Login:
If you don’t execute this step, your Internal LDAP users will not be able to access the SMB share.
You will receive a message stating that the user has been successfully authenticated.

D. Default Folder Anonymous Permissions

Go to the NAS Gateway tab and go the Detail
Ensure that the Default Folder Anonymous Permissions is set to: No Anonymous User
Click the pencil edit icon set the No Anonymous User permission and click Save:

E. Adding Permissions to the NAS Gateway SMB Share

Go to NAS Gateway > Mount Point.
Click the gear and select Folder Share:
You can set permissions by User or Group.
A. User = Read-Write Example:

B. Group = Read-Write Permission Example
Click Submit to save the changes and you will receive the following notification message:

Unable to Save File on the NASGW from a File Created by a FC Client - Internal/External LDAP Configurations

2016-10-18T17:15:14.4030000

By default in OS X, you will see that that each folder you create on the FC client will result with permissions in correlation with the umask 022 when you create a directory [777 – 22 = 755].

[Creating folder on the A-Class with Squash_All]:

iPhilBendeck:iPhilClass philbendeck$ mkdir Test_Phil iPhilBendeck:iPhilClass philbendeck$ ls -la | grep Test_Phil drwxr-xr-x 2 philbendeck staff 4096 Apr 28 17:02 Test_Phil

In the first column, you will see the file permissions. A “d” in front denotes that the name on that line is a directory (folder) and a dash (-) in front denotes that it’s a file. There are 9 other characters after that. Break up those 9 characters into 3 groups, and you'll get the permissions for each user group (user, group, and world).

A “r” denotes read permissions, a “w” denotes write permissions, and a “x” denotes execute permissions. If there is a dash where a character should be, then that denotes that a particular file permission doesn’t exist.

Let’s take this for example:

1. Created a folder on the A-Class = Test_Phil and re-shared the folder via SMB (NASGW)

- Permissions from FC Directory Creation

drwxr-xr-x 2 philbendeck staff 4096 Apr 28 17:02 Test_Phil

2. Since the NASGW doesn’t support extendedACLs, the NASGW can only inherit and respect POSIX Permissions. When you execute permissions via Folder Share on the NASGW, it’s parsing and writing the allowed users to access the SMB share via the smb.conf file stored on the NASGW. These permissions in the smb.conf only grant access to the SMB share(s). Once you have established a connection to the SMB share, there is no permission or ACL that defines the LDAP user you used to authenticate; hence, establishes its permissions rights with the World user group permissions [R/W] to allow the user to read and write data.

Therefore, when you create a folder on the SAN via FC, it's automatically going to write folders/files with the umask that the machine is configured with.

I created two folders one on FC client and one from the SMB client.

[FC = FC_DIR]
[SMB = SMB_DIR]

drwxr-xr-x 2 philbendeck 1000 4096 Apr 28 18:36 FC_DIR drwxrwxrwx 2 2002 3000 4096 Apr 28 18:35 SMB_DIR

If you notice that when I created the folder on the SAN Volume, it gave the folder drwxr-xr-x meaning that when the SMB user wants to write to that folder, they will not be able to since the POSIX UID/GID are completely different and the NAS user will rely on the the R/W properties of the World user group. If you notice, that only the character x for the World user group is enabled for the FC_DIR directory.

When I created the folder on the SMB share, it created the folder [SMB_DIR] with drwxrwxrwx allowing everyone to R/W when they access the SAN volume via FC. NASGW is designed to always write files to the FS with 777 permissions. Keep in mind that the NASGW is also a FC Linux client.

What’s the solution?

- Changing the umask of the OS X FC clients with 000 umask

Apple published a well written document that should illustrate on how to change this with each specific OS X build.

https://support.apple.com/en-us/HT201684
https://en.wikipedia.org/wiki/Umask

There are several customers that have found this as a feasible workaround. Once you change the umask on the OS X client, you will be able to R/W simultaneously across SMB and FC.

If you have any questions or concerns, please open a support request via https://support.promise.com

Disable SMB Signing on OS X (10.11.5 > 10.12.x)

2016-10-07T23:46:42.9400000

SMB Signing has been enabled by default by Apple dating back since the release of OS X 10.11.5 (15F34).

SMB Signing digitally signs at the packet level of the SMB communication. This enables the receiver of the packets to confirm the point of origination and it’s authenticity. This security mechanism helps avoid issues like tampering and “man in the middle” attacks. As long as you're on a secure network, this should not be an issue. In addition, this causes slow performance and will not allow you to connect via SMB to the NAS Gateway. We also recommend you to disable SMB signing on clients that access a Vess R2600 to gain better performance on your macOS 10.11.5 - 10.13.4 clients.

Issues:

Unable to mount volume using the SMB protocol with the NAS Gateway G1100.
Authentication rejected with Internal and External LDAP users and only cifs:// allows mount and authentication.
Slow performance via SMB with the Vess R2000 series.

To disable SMB signing which is enabled by default on macOS versions 10.11.5 -10.13.4, execute the instructions below by creating a nsmb.conf file:

sudo -s
echo "[default]" >> /etc/nsmb.conf
echo signing_required=no >> /etc/nsmb.conf
exit

To check that it properly wrote the nsmb.conf file:

cat /etc/nsmb.conf
[default]
signing_required=no

Check if SMB signing is disabled on your share after you remount the SMB volume:

#Display stats for a specific SMB share
smbutil statshares -m /Volumes/SMB_Volume_Name

#Display stats on all mounted SMB shares
smbutil statshares -a

=====================================================================================
SHARE                         ATTRIBUTE TYPE                VALUE
=====================================================================================
SD01 
                              SERVER_NAME                   10.0.0.140
                              USER_ID                       501
                              SMB_NEGOTIATE                 AUTO_NEGOTIATE
                              SMB_VERSION                   SMB_3.0
                              SMB_SHARE_TYPE                DISK
                              SIGNING_SUPPORTED             TRUE
                              EXTENDED_SECURITY_SUPPORTED   TRUE
                              LARGE_FILE_SUPPORTED          TRUE
                              CLIENT_REQUIRES_SIGNING       TRUE
                              FILE_IDS_SUPPORTED            TRUE
                              DFS_SUPPORTED                 TRUE
                              MULTI_CREDIT_SUPPORTED        TRUE
                              ENCRYPTION_SUPPORTED          TRUE

If the SIGNING_ON variable is still outputted via smbutil statshares -a, 
that means it's still enabled.

This variable should not show up after you have disabled SMB signing.
             SIGNING_ON                    TRUE

Related Article:

Article from Apple (HT205926)
Turn off packet signing for SMB 2 and SMB 3 connections

Contact Promise Technology Support

Need more help? Save time by starting your support request online and a technical support agent will be assigned to your case.

Promise Technology Technical Support >

If there are multiple G1100 NAS Gateways (NAS Gateway Cluster) connected to the AClass SAN, the ﬁrmware update process will only update the ﬁrst G1100

2015-11-10T14:54:45.0000000

Workaround:

Upgrading additional NAS Gateways must be done manually. - Note - The upcoming SR1.1 firmware release will address this issue. For additional information or assistance, please visit kb.promise.com or contact PROMISE technical support at support.promise.com

Manual NAS Gateway firmware update:

First, download NAS Gateway firmware from the PROMISE Download center

Point a browser to http://www.promise.com/us/Support/downloadcenter Click the VTrak logo Then click G1100 NAS Gateway. It is below the VTrak A-Class logo

Locate and download the VTrak G-Class NAS Gateway SR1(v01.11.0000.00) firmware:

To ﬁlter the available categories, Uncheck All Categories and only select the Firmware check-box.

Click on English to start the file download

Get the NAS Gateway IP address:

After downloading the firmware file (it will have a .upg extension) log into the VTrak A-Class management interface.

This will be the virtual IP address assigned to the VTrak A-Class.
Next, click on the NAS Gateway tab.

Expand the NASGW Cluster tree and select the ﬁrst G1100 node and locate the Metadata IP address.
Record the Metadata IP address of the first node. You will need it later in the firmware update process.

Next, select the second G1100 node and locate the Metadata IP address.
Once again, record the Metadata IP address for the second node.

Open up a web browser session (Firefox, Chrome, or Safari)

Update the firmware:

Next, browse to https://XXX.XXX.XXX/upload_fw.php
(where XXX.XXX.XXX is the NAS Gateway Metadata Node IP address recorded earlier)
After this web page loads, accept the SSL certificate. This will open the FAE Firmware Upgrade page.

Click on Choose File and select the SR1 firmware (it will have the .upg extension) downloaded earlier. Once the file is selected, it will be listed beside Filename. Click Submit to start the firmware update.
Repeat the same steps for the second NAS Gateway node.
You will see a successful firmware update message once the update is complete.
After success, each NAS Gateway node will restart on its own. - Please allow 5 minutes per node to rejoin the NASGW cluster If the firmware update is successful, and after each node reboots, you will see both NASGW G1100 with a green operational status icon. If you need further assistance, please contact PROMISE technical support at support.promise.com

In the NAS G1100 when clicking the “Folder Share” refresh settings, AD Group and Users do not get populated.

2015-10-14T14:47:12.0000000

Configure LDAP settings correctly via the A-Class GUI using the following Active Directory parameters:

Response TimeOut: 10 sec
LDAD Server <IP Address>
LDAP Port 389
Server Type: Windows Active Directory
DNS: 10.0.0.76
Base DN: dc=aclass,dc=test,dc=com

Anonymous bind: unchecked

Bind DN: aclass\administrator

Bind Password: (password)

UID Attribute: cn

Object Class: user
Group ID Attribute: cn
Object Class of Group

Be sure your AD server has "Identity Management for UNIX" service installed.

In order to store UNIX attributes in Active Directory, you must add the "Identity Management for UNIX" Role Service; this will provide a partial RFC 2307-compliant set of UNIX attributes. A new tab labeled "UNIX Attributes" will appear in the properties dialog box for Users and Groups in Active Directory, and each Active Directory account that will authenticate via Linux must be configured in this tab.

Once "Identity Management for UNIX" service is installed, reboot your AD server.

After the reboot the UID/GID will be assigned to Users and Groups.

The NAS G1100 will now display the Users and Groups correctly.

If still unable to see Users and Groups, be sure to refresh settings in the page.

What is the the maximum power consumption for the VTrak G1100 NAS Gateway?

2015-04-16T14:47:59.0000000

Maximum usage during power up:

113.5 Watts

Maximum usage while powered on with no load:

85.8 Watts

Typical power use during normal operations:

70 Watts to 80 Watts

NAS Gateway Node FC HBA Replacement

2015-02-13T11:38:03.0000000

This document explains how to replace a NAS Gateway Fibre Channel HBA. This procedure must be conducted with the consultation and approval of Promise Technical Support or Promise Field Applications Personal.

Please follow link below:

NAS Gateway Node FC HBA Replacement

NAS Gateway Node Replacement

2015-02-13T11:28:08.0000000

This document explains how to replace a NAS Gateway.

See PDF in the link below:

NAS Gateway Node FC HBA Replacement.pdf