|
|
## Table of contents
|
|
|
[[_TOC_]]
|
|
|
|
|
|
## Introduction
|
|
|
|
|
|
### About the Institutional File Storage service
|
|
|
|
|
|
The Institutional File Storage (IFS) service allows institutions to store and share everyday documents with colleagues. This is aimed at desktop and laptop users who will have access to the storage via a mapped drive on their computer. The data is safely stored on an industry-standard hardware platform in the University's central data centres to protect against data loss. For more information, see [https://help.uis.cam.ac.uk/institutional-file-storage](https://help.uis.cam.ac.uk/institutional-file-storage).
|
|
|
|
|
|
### About this user guide
|
|
|
|
|
|
This document contains step-by-step instructions for the following:
|
|
|
|
|
|
* Provisioning your storage space, using a voucher or a purchase order
|
|
|
* Configuring Storage services.
|
|
|
* Creating Storage Projects (i.e. SMB or NFS shares)
|
|
|
* Modifying storage project, i.e. enable/disable SMB encryption and increase the size
|
|
|
* Deleting a project
|
|
|
* Managing Data Owner, Data Managers, and Data Project Managers
|
|
|
* Extending storage capacity
|
|
|
* Extending the storage duration.
|
|
|
|
|
|
### User support
|
|
|
|
|
|
All support requests and feedback should be directed to the dedicated support email address [IFS-support@uis.cam.ac.uk](mailto:ifs-support@uis.cam.ac.uk).
|
|
|
|
|
|
## Role definitions and responsibilities
|
|
|
|
|
|
Institutional IFS administrators may have one of three roles:
|
|
|
|
|
|
* Data Owner: Assigns space to institutions and oversees institutional use of the IFS. Can delegate most responsibilities to Data Managers.
|
|
|
* Data Manager: Manages IFS space on behalf of a Data Owner.
|
|
|
* Data Project Manager: Responsible for the day-to-day management of the data at the project level. This role is not applicable to NFS shares, as full control permissions cannot be set at the NFS share level. The DO or DM, who hold full control permissions, can grant access and set permissions for DPMs manually.
|
|
|
|
|
|
| | DO | DM | DPM |
|---|:---:|:---:|:---:|
| **Responsibilities** | | | |
| Can enable and disable user access | :heavy_check_mark: | :heavy_check_mark: | |
| Appoints Data Owner, Data Managers and Data Project Managers | :heavy_check_mark: | :heavy_check_mark: | |
| Sets up initial free spaces for institutions | :heavy_check_mark: | | |
| Validates purchase orders to purchase more space | :heavy_check_mark: | :heavy_check_mark: | |
| Can extend storage capacity and duration | :heavy_check_mark: | :heavy_check_mark: | |
| Can increase storage project space | :heavy_check_mark: | :heavy_check_mark: | |
| Day-to-day management of the data | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Acquire funding and raise a purchase order to purchase more space | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Maintains compliance with the information management guidelines and requirements that apply to the data | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Remove the project data after the storage licence expires | :heavy_check_mark: | :heavy_check_mark: | |
| Antivirus scanning of the data stored on IFS | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| **Permissions** | | | |
| Full control permissions on all the storage projects (i.e. SMB/NFS shares) | :heavy_check_mark: | :heavy_check_mark: | |
| Can be given full control permissions at the project level | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: (only for SMB shares) |
|
|
|
|
|
|
## Managing DO, DM, and DPM
|
|
|
|
|
|
The DO can add and delete DMs and DPMs and assign a new DO. DMs can add and delete DPMs and change the DO.
|
|
|
|
|
|
As a DO, to delete a DM, go to **Configure the licence** page, then delete the DM by clicking the red cross icon beside their name.
|
|
|
|
|
|
Example: delete the DM wh997.
|
|
|
|
|
|
![](screenshots/image031.png)
|
|
|
|
|
|
As a DO, to change the DO (i.e. yourself), go to the **Configure the licence** page, delete the DO wh330 and assign a new one, e.g. wh998. Then click **Save**.
|
|
|
|
|
|
![](screenshots/image032.png)
|
|
|
![](screenshots/image033.png)
|
|
|
|
|
|
A DM can also add Data Project Managers (DPMs) to existing projects.
|
|
|
|
|
|
## Payment vouchers for non-chargeable storage quotas
|
|
|
|
|
|
UIS have issued vouchers to the Institutions' Data Owners to use for the set-up of the initial quota of non-chargeable storage space. If you have a voucher, you will be able to redeem it in the [Self-Service Gateway / Buy IFS Storage](https://selfservice.uis.cam.ac.uk/storage/IFS/) instead of specifying a purchase order.
|
|
|
|
|
|
* Vouchers can only be used once and will expire by default six months from their issue date. The validity of the voucher (i.e., the period between the issue date and expiry date) can be customised according to user's requirements. Once the voucher has been redeemed, space can be allocated.
|
|
|
* A purchase order will need to be raised to pay for any additional space for a duration of 1, 3, or 5 years beyond the initial free allocation covered by the voucher.
|
|
|
* The free space granted to University institutions will be extended in duration automatically every year. Free space is provided to the colleges for the first year only and would need to be renewed with a purchase order after one year.
|
|
|
* UIS will generate and provide the institutions with vouchers of the initial free space.
|
|
|
|
|
|
Example of an IFS voucher:
|
|
|
|
|
|
```
|
|
|
eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImlzcyI6Imlmcy1mcmVlbWl1bSIsImF1ZCI6InNzZ3cifQ.eyJqdGkiOiJuam5zRWRqa3F1RldpcWZGRVdqcTgiLCJpc3MiOiJpZnMtZnJlZW1pdW0iLCJ2YWwiOiIxNTAwLjAwIiwiYXVkIjoic3NndyIsImNyc2lkIjoiY3hzMjAiLCJleHAiOjE1ODIxMjc4OTUsIm5iZiI6MTU1MDU5MTkzOCwiaWF0IjoxNTUwNTkxOTM4fQ.Hn3Spe70IrqWv-snlH2srulG5WUZRbusaCiloMBA7hLfmbYaQzx6w9u9AaAgi0CAwQOLcT3xhxCkQYDqEa2Gag
|
|
|
```
|
|
|
|
|
|
Voucher value and validity can be verified using [Voucher tool](https://rjw57.github.io/voucher-tool/).
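The voucher above is a compact JWS (JWT) signed with ES256. As an added example that is not part of this guide, the Voucher tool or the Self-Service Gateway, the following standard-library Python decodes the voucher shown above and reads its claims (value, CRSid, validity window) so you can see what a voucher is worth and when it expires before redeeming it. It deliberately does not verify the signature: that requires the issuer's ES256 public key, which this guide does not publish, and only the redeeming service can do it. The expected issuer, audience and algorithm are taken from the example token itself and are pinned so that a token claiming a different algorithm (for instance `none`) is rejected rather than trusted.

```python
"""Decode and sanity-check an IFS voucher (a JWT) without verifying its signature.
Added example: not code from the IFS guide or the Self-Service Gateway."""
import base64
import json
import time

# The example voucher printed in the guide, split at its two dots.
VOUCHER = ".".join([
    "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImlzcyI6Imlmcy1mcmVlbWl1bSIsImF1ZCI6InNzZ3cifQ",
    "eyJqdGkiOiJuam5zRWRqa3F1RldpcWZGRVdqcTgiLCJpc3MiOiJpZnMtZnJlZW1pdW0iLCJ2YWwiOiIxNTAwLjAwIiwiYXVkIjoic3NndyIsImNyc2lkIjoiY3hzMjAiLCJleHAiOjE1ODIxMjc4OTUsIm5iZiI6MTU1MDU5MTkzOCwiaWF0IjoxNTUwNTkxOTM4fQ",
    "Hn3Spe70IrqWv-snlH2srulG5WUZRbusaCiloMBA7hLfmbYaQzx6w9u9AaAgi0CAwQOLcT3xhxCkQYDqEa2Gag",
])

# Pinned expectations (taken from the example token; assumed to hold for all IFS vouchers).
EXPECTED_ALG = "ES256"
EXPECTED_ISSUER = "ifs-freemium"
EXPECTED_AUDIENCE = "ssgw"


def b64url_decode(segment):
    """JWS uses unpadded base64url; restore the padding before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def decode_voucher(token):
    """Return (header, claims, raw_signature). The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, b64url_decode(parts[2])


def check_structure(header, claims):
    """Structural checks a redeeming service must make before even looking at
    the signature: pinned algorithm (never trust 'alg' from the token), pinned
    issuer and audience, and a numeric value. Returns a list of problems."""
    problems = []
    if header.get("alg") != EXPECTED_ALG:
        problems.append(f"alg is {header.get('alg')!r}, expected {EXPECTED_ALG!r}")
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("unexpected issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        problems.append("unexpected audience")
    try:
        float(claims.get("val", ""))
    except ValueError:
        problems.append("val is not a number")
    return problems


def validity(claims, now=None):
    """'valid', 'not-yet-valid' or 'expired' relative to `now` (epoch seconds)."""
    now = time.time() if now is None else now
    if now < claims["nbf"]:
        return "not-yet-valid"
    if now >= claims["exp"]:
        return "expired"
    return "valid"


def summarise(token, now=None):
    """Human-readable summary of a voucher's claims and their consistency."""
    header, claims, signature = decode_voucher(token)
    return {
        "alg": header["alg"],
        "value": claims["val"],            # value in pounds, as a string
        "crsid": claims["crsid"],          # who the voucher was issued to
        "jti": claims["jti"],              # unique id: vouchers can be used once
        "validity_days": round((claims["exp"] - claims["nbf"]) / 86400),
        "state": validity(claims, now),
        "signature_bytes": len(signature),  # ES256 signatures are 64 bytes (r||s)
        "problems": check_structure(header, claims),
    }


if __name__ == "__main__":
    for key, val in summarise(VOUCHER).items():
        print(f"{key:16} {val}")
```

Run it on a voucher you have been sent to see the value, the CRSid it was issued to and the expiry date. A voucher with a non-empty `problems` list, or whose signature the service cannot verify, should not be accepted; the `jti` claim is what lets the service enforce single use.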
|
|
|
|
|
|
## Before you start setting up a storage account
|
|
|
|
|
|
Setting up a storage account requires work by the DO/DM as well as the UIS Networks team. The steps are as follows:
|
|
|
|
|
|
| Action | Responsible party |
|
|
|
|----------------------------------------------------|--------------------------------------|
|
|
|
| Obtain the space via the IFS portal (see [Obtain the space via the IFS portal](#get-space)) | Institution |
|
|
|
| Configure local institution firewall (see [Firewall rules configuration](#firewall-config)) | Institution |
|
|
|
| Port block removal (see [Firewall rules configuration](#firewall-config)) | UIS Networks team and/or Institution |
|
|
|
| Configure storage services (see [Services configuration](#svc-config)) | Institution |
|
|
|
|
|
|
## Provisioning your IFS storage space
|
|
|
|
|
|
### <a name="firewall-config"></a> Firewall rules configuration
|
|
|
|
|
|
Before you can provision storage projects, you will need to configure DNS, SMB/CIFS, NFS and Kerberos services that are needed to access and use your storage space. The Self-Service Gateway portal provides you with features to do so, but as a prerequisite, you will need to make sure that the IFS service can communicate with your local DNS Name Servers, Active Directory and Kerberos services by applying the firewall rules on your institutional firewall.
|
|
|
|
|
|
| Service | Firewall rules |
|
|
|
|-------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|
|
|
|
| [DNS](https://library.netapp.com/ecmdocs/ECMP1155586/html/GUID-D052D155-EF55-4D19-A70F-B9A8FA86A6D3.html) | Required by SMB/NFS shares.<br>Connections from IFS LIF subnet 10.128.2.0/23 on ports: 53 (TCP/UDP) |
|
|
|
| [Kerberos and LDAP](https://library.netapp.com/ecmdocs/ECMP1155586/html/GUID-9165F61F-5B4E-4955-ACFF-6D919F238255.html) | Required by NFS and SMB shares.<br>Connections from IFS LIF subnet 10.128.2.0/23 on ports: 88 (TCP/UDP), 750 (TCP/UDP), and 389 and 636 (TCP) |
|
|
|
| [SMB/CIFS](https://library.netapp.com/ecmdocs/ECMP1368834/html/GUID-4645E16A-6CB1-4A71-8420-05749894E857.html) | Required by SMB/CIFS shares.<br>Connections to IFS LIF subnet 10.128.2.0/23 on ports: 137 and 138 (UDP), and 139 and 445 (TCP) |
|
|
|
| [NFS](https://library.netapp.com/ecmdocs/ECMP1155586/html/GUID-C764CE34-6F5B-42BC-B04B-7001744A44A3.html) | Required by NFS shares.<br>Connections to IFS LIF subnet 10.128.2.0/23 on ports: 111 (TCP/UDP) and 2049 (TCP/UDP) |
|
|
|
|
|
|
There are ACL blocks on switches into some institutions that block traffic on port 445. To have this block removed between your institution and the IFS, please raise a ticket with the UIS Service Desk ([service-desk@uis.cam.ac.uk](mailto:service-desk@uis.cam.ac.uk)).
|
|
|
|
|
|
If you use the UIS Managed Firewall Service, please contact the UIS Service Desk ([service-desk@uis.cam.ac.uk](mailto:service-desk@uis.cam.ac.uk)) to ensure the appropriate firewall rules are put in place. This must be done by the DO.
|
|
|
|
|
|
### <a name="get-space"></a> Obtain the space via the IFS portal
|
|
|
|
|
|
1. Go to the Self-Service Gateway portal: [https://selfservice.uis.cam.ac.uk/](https://selfservice.uis.cam.ac.uk/)
|
|
|
|
|
|
2. In the **Institutional File Store** section (bottom left) click the **Choose** button:
|
|
|
|
|
|
![](screenshots/image004.png)
|
|
|
|
|
|
3. Enter how many terabytes you want and click the **Get Quote** button. You will be redirected to the payment page.
|
|
|
|
|
|
![](screenshots/image005.png)
|
|
|
|
|
|
4. [_Example demonstrates payment by UIS-provided voucher – you can also pay by Purchase Order_] Click the **Voucher** tab:
|
|
|
|
|
|
![](screenshots/image006.png)
|
|
|
|
|
|
5. Paste in your voucher code and click the **Submit** button:
|
|
|
|
|
|
![](screenshots/image007.png)
|
|
|
|
|
|
6. The voucher is validated and you will be redirected to the confirmation page. Click the **Continue** button:
|
|
|
|
|
|
![](screenshots/image008.png)
|
|
|
|
|
|
You will be redirected to _Configure the licence_ page to set the DO and DM(s). The DO will receive a confirmation email containing a link to accept the Terms & Conditions:
|
|
|
|
|
|
![](screenshots/image009.png)
|
|
|
|
|
|
Click the **I agree** button to accept the Terms & Conditions:
|
|
|
|
|
|
![](screenshots/image010.png)
|
|
|
|
|
|
You can also add a **Data Manager** by visiting the **Licence page** by clicking **View Licence**.
|
|
|
|
|
|
![](screenshots/image011.png)
|
|
|
|
|
|
Click **Save**. Then the DM should accept the T&Cs so that their state moves to **Ready**.
|
|
|
|
|
|
![](screenshots/image012.png)
|
|
|
|
|
|
Meanwhile, the DO and DM(s) will receive a confirmation email containing a link to accept the Terms & Conditions. See the email below as an example.
|
|
|
|
|
|
![](screenshots/image013.png)
|
|
|
|
|
|
## <a name="svc-config"></a> Services configuration
|
|
|
|
|
|
The IFS needs to be aware of a number of services in order to provide shares to your institution. In order to create storage projects, the DO or DM should start with the Vserver Configuration. The [Vserver](https://library.netapp.com/ecmdocs/ECMP1136871/html/GUID-E643017F-041B-4ECC-BEA1-E4D80E26A47E.html) is a virtual storage server that resides in our storage backend and is associated with your storage account.
|
|
|
|
|
|
On the **My Account** page click **Vserver Configuration** to choose which service you wish to configure.
|
|
|
|
|
|
![](screenshots/image014.png)
|
|
|
|
|
|
Each tab in the screenshot below presents a form for one service configuration. You can also click **Configure All Services** to configure all the services with the BLUE Active Directory settings (see the section "Use BLUE settings for service configuration" below).
|
|
|
|
|
|
![](screenshots/image015.png)
|
|
|
|
|
|
The services to be configured are listed in the following table; each has its own section below.

| Service | Remarks |
|---|---|
| DNS Service | Required for NFS and SMB shares. |
| CIFS Server | Required for NFS and SMB shares. Note that the CIFS server must be configured if you want to bind the LDAP Client using the CIFS server credentials. |
| NFS Service | Configures the NFS server running on the Vserver. Required for NFS and SMB shares (the NFS service is required to create the export policy on CIFS shares). |
| Kerberos Realm | Enables Kerberos authentication for NFS clients. Only required for NFS shares. For Kerberos authentication against SMB shares, update the Service Principal Name (SPN) attribute of the CIFS machine account in your AD (e.g. using [ADSI Edit](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773354(v=ws.10)?redirectedfrom=MSDN)) to contain the CIFS SPN, whose format is cifs/_CIFS interface DNS name_. If your account is bound to BLUE AD, please let us know. |
| LDAP Client | Enables access to external LDAP servers. Only required for NFS shares. |
| Kerberos NFS Interface | Enables Kerberos authentication for NFS. Only required for NFS shares. |
|
|
|
|
|
|
### DNS Service
|
|
|
|
|
|
This form allows you to create or modify the DNS configuration of the Vserver associated with your storage account.
|
|
|
|
|
|
Configuration parameters:
|
|
|
|
|
|
* DNS search domains: A list of DNS domains such as 'sales.bar.com'.
|
|
|
* DNS name servers: IPv4 addresses of name servers such as '131.111.8.37'.
|
|
|
* SMB interface DNS name: **populated automatically**.
|
|
|
* SMB interface IP address and netmask: **populated automatically**.
|
|
|
* NFS interface DNS name: **populated automatically.**
|
|
|
* NFS interface IP address and netmask: **populated automatically.**
|
|
|
|
|
|
For instance, to configure the DNS service, click the **DNS Service** tab, choose between using the BLUE settings or your own settings, and click **Configure DNS Service**. The following screenshot shows what you see if you use the BLUE settings.
|
|
|
|
|
|
![](screenshots/image016.png)
|
|
|
|
|
|
After a few seconds, a message should be displayed to indicate that the configuration has succeeded. Otherwise, you will need to check your input or contact us.
|
|
|
|
|
|
![](screenshots/image017.png)
|
|
|
|
|
|
### CIFS Server
|
|
|
|
|
|
This form allows you to configure and setup CIFS services on the Vserver associated with your storage account.
|
|
|
|
|
|
Configuration parameters:
|
|
|
|
|
|
* Active Directory Domain: The fully qualified domain name of the Windows Active Directory the CIFS server belongs to. Example: cifs.domain.com.
|
|
|
* Active Directory Organisational Unit: The organisational unit within the Active Directory domain to associate with the CIFS server.
|
|
|
* Active Directory Account Username: The username of the account used to add the CIFS server to the Directory. This part of the credential only needs to be supplied if the domain is being modified.
|
|
|
* Active Directory Account Password: The password for the account used to add the CIFS server to the Active Directory. This part of the credential only needs to be supplied if the domain is being modified.
|
|
|
|
|
|
### NFS Service
|
|
|
|
|
|
This form allows you to create and modify an NFS configuration on the Vserver associated with your storage account.
|
|
|
|
|
|
Configuration parameters:
|
|
|
|
|
|
* NFSv4 ID domain: NFSv4 ID mapping domain.
|
|
|
* Permitted Encryption Types: List of permitted encryption types for Kerberos over NFS.
|
|
|
|
|
|
### Kerberos Realm
|
|
|
|
|
|
This form allows modifying a Kerberos Realm configuration on a Vserver.
|
|
|
|
|
|
Configuration parameters:
|
|
|
|
|
|
* Kerberos Realm: Kerberos Realm name.
|
|
|
* KDC IP Address: IP address of the Key Distribution Centre (KDC) server for this Kerberos realm.
|
|
|
* KDC Port: TCP port on the KDC to be used for Kerberos communication. The default for this parameter is 88.
|
|
|
* KDC Vendor: The vendor of the Key Distribution Centre (KDC) server. If the configuration uses a Microsoft Active Directory (AD) domain for authentication, this field should be "Microsoft".
|
|
|
* Admin Server IP: IP address of the host where the Kerberos administration daemon is running. This is usually the master KDC. If specified, this should be the same as the KDC IP Address if the KDC Vendor is "Microsoft".

* Password Server IP: IP address of the host where the Kerberos password-changing server is running. Typically, this is the same as the host indicated in the Admin Server IP.

* AD Server Name: Hostname of the Active Directory Domain Controller (DC). This is a mandatory parameter if the KDC Vendor is "Microsoft".

* AD Server IP: IP address of the Active Directory Domain Controller (DC). This is a mandatory parameter if the KDC Vendor is "Microsoft".
|
|
|
|
|
|
### LDAP Client
|
|
|
|
|
|
This form allows you to create or modify a Lightweight Directory Access Protocol (LDAP) client configuration on the Vserver associated with your storage account.
|
|
|
|
|
|
Configuration parameters:
|
|
|
|
|
|
* Active Directory Domain: The Active Directory Domain Name for this LDAP configuration. The option is ONLY applicable for configurations using Active Directory LDAP servers.
|
|
|
* LDAP Servers: List of LDAP Servers to use for this configuration. The option is NOT applicable for configurations using Active Directory Domain parameter.
|
|
|
* Session Security: This indicates the level of security for LDAP communications. Possible values:
    * "none" - No signing or sealing
    * "sign" - Sign LDAP traffic
    * "seal" - Seal and sign LDAP traffic

* Bind as CIFS server: If True, the Vserver will use the CIFS server's credentials to bind to the LDAP server.

* Minimum authentication level: The minimum authentication level that can be used to authenticate with the LDAP server. Possible values:
    * "anonymous" - Anonymous bind
    * "simple" - Simple bind
    * "sasl" - Simple Authentication and Security Layer (SASL) bind
|
|
|
* Bind Distinguished Name: The Bind Distinguished Name (DN) is the LDAP identity used during the authentication process by the clients. This is required if the LDAP server does not support anonymous binds. This field is not used if "Bind as CIFS server" is set to "True".
|
|
|
* Bind Password: The password to be used with the Bind Distinguished Name.
|
|
|
* LDAP schema: LDAP schema to use for this configuration.
|
|
|
* Base DN: Indicates the starting point for searches within the LDAP directory tree.
|
|
|
|
|
|
### Kerberos NFS Interface
|
|
|
|
|
|
This form allows you to create and modify Kerberos configuration information for the NFS Logical Network Interface on the Vserver associated with your storage account.
|
|
|
|
|
|
Configuration parameters:
|
|
|
|
|
|
* Organisational Unit.
|
|
|
* Service Principal Name: Kerberos service principal name.
|
|
|
* Administrator Username.
|
|
|
* Administrator Password.
|
|
|
|
|
|
### Use BLUE settings for service configuration
|
|
|
|
|
|
To configure all services at once with the Default Settings of BLUE Active Directory, click **Configure All Services** and **Confirm** in the **Vserver Configuration** page.
|
|
|
|
|
|
![](screenshots/image018.png)
|
|
|
|
|
|
All services have been configured successfully as shown below.
|
|
|
|
|
|
![](screenshots/image019.png)
|
|
|
|
|
|
## Creating a Storage Project
|
|
|
|
|
|
Storage projects may either be SMB or NFS. This can be performed by the DO or DM.
|
|
|
|
|
|
**Important note:** After creating a Storage Project, you must ensure that you **lock down the permissions on the SMB share** – by default they are open to everyone using the same Active Directory. Do this by accessing the share from a Windows machine that has access to it and changing the permissions there. Only the DO, DMs or DPMs have the correct level of access to change the permissions in this way. You also need to **lock down the permissions on the NFS shares** by updating the preconfigured NFSv4 ACLs on the shares.
|
|
|
|
|
|
To create a project, on **My Account** page, click **Unallocated**.
|
|
|
|
|
|
![](screenshots/image020.png)
|
|
|
|
|
|
### SMB shares
|
|
|
|
|
|
Define the following attributes on that page and click the **Save** button:
|
|
|
|
|
|
* Project name (e.g. _Inst1-Project1_)
|
|
|
* Project size
|
|
|
* Project type: SMB (CIFS) or NFS

* Whether or not to use SMB encryption for SMB shares.

* Optionally, a DPM for the SMB share. DPMs are not applicable to NFS shares.
|
|
|
|
|
|
**Note:** Windows versions 7 and older do not support SMB encryption, so you may need to disable it. It will be possible to disable SMB encryption using the portal at least until the end of support of Windows 7 in January 2020.
|
|
|
|
|
|
Once the Storage Project has been created you will see a confirmation message on screen…
|
|
|
|
|
|
![](screenshots/image022.png)
|
|
|
|
|
|
The DO and DM will receive a confirmation email containing a link to access the storage.
|
|
|
|
|
|
![](screenshots/image023.png)
|
|
|
|
|
|
The **Configure the storage** page is updated with the Storage Project details.
|
|
|
|
|
|
You can also add a Data Project Manager as shown below.
|
|
|
|
|
|
![](screenshots/image025.png)
|
|
|
|
|
|
### NFS share
|
|
|
|
|
|
You can also create an NFS project by setting the **Project type** to **NFS**.
|
|
|
|
|
|
![](screenshots/image026.png)
|
|
|
|
|
|
The project has been created. Note that Data Project Manager does not exist in NFS projects.
|
|
|
|
|
|
![](screenshots/image027.png)
|
|
|
|
|
|
To access the NFS share from your client, please follow the instructions in the section "NFSv4 / Kerberos Client configuration" below.
|
|
|
|
|
|
On the **My account** page, DOs and DMs are able to see all the projects.
|
|
|
|
|
|
![](screenshots/image028.png)
|
|
|
|
|
|
However, DPMs can only view the projects that belong to them.
|
|
|
|
|
|
![](screenshots/image029.png)
|
|
|
|
|
|
Please remember to lock down the permissions on the projects you have created.
|
|
|
|
|
|
## Deleting Storage Projects
|
|
|
|
|
|
This can be done by DOs and DMs.
|
|
|
|
|
|
On the **My Account** page, click the link to the Storage Project you want to delete. This will open the **Configure the storage** page.
|
|
|
|
|
|
Click the **red cross icon** next to the Project name. Then type the **Project name** into the text field in the confirmation form to confirm and finally click the **Delete Project** button.
|
|
|
|
|
|
![](screenshots/image030.png)
|
|
|
|
|
|
## Managing storage capacity and duration
|
|
|
|
|
|
### Arranging payment
|
|
|
|
|
|
Before a DPM can increase the size of their Storage Project, they need to provide either the DO or DM with a purchase order or voucher to use to buy the additional capacity/duration. Once that payment is made, the DPM will be able to increase the size/duration of their Storage Project.
|
|
|
|
|
|
### Increasing storage capacity
|
|
|
|
|
|
This is done by the DO or DM(s).
|
|
|
|
|
|
Go to **Configure the licence** page and click the **Increase My Storage Size** button.
|
|
|
|
|
|
![](screenshots/image037.png)
|
|
|
|
|
|
In the pop-up dialogue box, enter how many additional TB you want, select an activation date from the date drop-down menu, and click the **Get Quote** button:
|
|
|
|
|
|
![](screenshots/image040.png)
|
|
|
|
|
|
You will be redirected to the payment page. Enter your purchase order number (or click the **Voucher** link to enter a voucher code), tick the checkbox to accept the Terms & Conditions, and click the **Pay** button:
|
|
|
|
|
|
![](screenshots/image042.png)
|
|
|
|
|
|
When the payment is processed, you will see the payment confirmation page.
|
|
|
|
|
|
You will be redirected to the **Configure the licence** page where you will see the original **Full licence** and the newly purchased **Size Extension** licence:
|
|
|
|
|
|
![](screenshots/image044.png)
|
|
|
|
|
|
### Extending storage duration
|
|
|
|
|
|
This is done by the DO or DM.
|
|
|
|
|
|
Go to the **Configure the licence** page and click the **Extend My Storage Duration** button:
|
|
|
|
|
|
![](screenshots/image045.png)
|
|
|
|
|
|
In the pop-up dialogue box, you will see your storage capacity shown. Use the drop-down menu to select how long you wish to extend it for, and click the **Get Quote** button:
|
|
|
|
|
|
![](screenshots/image046.png)
|
|
|
|
|
|
You will be redirected to the payment page. Enter your purchase order number (or click the **Voucher** link to enter a voucher code; see the section "Payment vouchers for non-chargeable storage quotas" above), tick the checkbox to accept the Terms & Conditions, and click the **Pay** button:
|
|
|
|
|
|
![](screenshots/image047.png)
|
|
|
|
|
|
Once the payment has been processed you will be redirected to the **Configure the licence** page, where you will see the **Duration Extension** licence listed:
|
|
|
|
|
|
![](screenshots/image048.png)
|
|
|
|
|
|
### Increasing the size of a Storage Project
|
|
|
|
|
|
Once the DO or DM has bought an extended licence (see "Increasing storage capacity" above), the DPM can increase the size of their Storage Project.
|
|
|
|
|
|
From the **My Account** page, click the name of the Storage Project you want to modify. This will open the **Configure the storage** page.
|
|
|
|
|
|
Adjust the **Project size** slider to show the number of TB you want to increase to:
|
|
|
|
|
|
![](screenshots/image050.png)
|
|
|
|
|
|
Click the **Save** button. You will see a confirmation message on the screen:
|
|
|
|
|
|
![](screenshots/image051.png)
|
|
|
|
|
|
A few seconds later, the DO receives an email confirming that the project size has been increased:
|
|
|
|
|
|
![](screenshots/image052.png)
|
|
|
|
|
|
The DO, DM or DPM can now enable or disable the SMB encryption for accessing the Storage Project by ticking the **SMB encryption** checkbox and clicking the **Save** button:
|
|
|
|
|
|
![](screenshots/image053.png)
|
|
|
|
|
|
SMB encryption will be enabled/disabled and a confirmation message will appear on the screen, e.g.:
|
|
|
|
|
|
![](screenshots/image054.png)
|
|
|
|
|
|
## NFSv4 / Kerberos Client configuration
|
|
|
|
|
|
Once you set up an NFS share through the SSGW portal, you need to configure your client to be able to mount and access the share using Kerberos authentication.
|
|
|
|
|
|
### Ownership and permissions of the IFS NFS share
|
|
|
|
|
|
Any NFSv4 share created by the IFS service has Owner and Group initially set to the user root and the group root respectively and it is configured with the following permissions:
|
|
|
|
|
|
```bash
|
|
|
A::OWNER@:rwaDxtTnNcCy
|
|
|
A:g:GROUP@:rwaDxtTnNcy
|
|
|
A::EVERYONE@:rwaDxtTnNcy
|
|
|
```
|
|
|
|
|
|
To learn about the NFSv4 permissions, please see the [NFSv4 ACLs documentation](https://linux.die.net/man/5/nfs4_acl).
|
|
|
|
|
|
In an IFS storage account, Data Owner (DO) and Data Managers' (DMs) Kerberos identities are mapped to the UNIX user root. So, they are the Owner of all the NFS shares created in the same account. Obviously, if a DO or DM is deleted, their krb-unix name mapping will be dropped. And if a new DO is assigned or a new DM is added, they will automatically get the krb-unix name mapping to root. In addition, machine accounts trying to mount or access the share are mapped to the predefined UNIX user pcuser (User ID: 65535, Primary Group ID: 65535). Otherwise, implicit krb-unix name mapping takes place. Note that the UNIX users root and pcuser are defined locally in the Vserver namespace. [Vserver](https://library.netapp.com/ecmdocs/ECMP1136871/html/GUID-E643017F-041B-4ECC-BEA1-E4D80E26A47E.html) is the NetApp (our backend storage system) object that is associated to a given storage account.
|
|
|
|
|
|
Example: wh999@DOMAIN is a DO, wh998@DOMAIN is a DM. machine$@DOMAIN is a machine account (Computer) and foo@DOMAIN is a User. Here is how they will be mapped:
|
|
|
|
|
|
```bash
|
|
|
wh999@DOMAIN → root
|
|
|
wh998@DOMAIN → root
|
|
|
machine$@DOMAIN → pcuser
|
|
|
foo@DOMAIN → foo (foo user should exist in the LDAP server).
|
|
|
```
|
|
|
|
|
|
Only Kerberos 5, Kerberos 5i, and Kerberos 5p are allowed as authentication methods to access the NFS share. Otherwise, access will be denied.
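The two blocks above (the default ACL on a new share and the Kerberos-to-UNIX mapping) together decide who can write to a freshly created NFS share, which is why the guide insists on locking the ACL down. As an added example that is not part of this guide or the IFS service, the Python below parses ACEs in the `nfs4_acl(5)` text form shown above, applies the mapping rules the guide describes, and evaluates whether a principal can read or write under the default ACL and under a locked-down one. The locked-down ACL, the DO/DM list, the `foo` LDAP entry and the uids are assumptions constructed for illustration; the evaluation is a simplified first-match-per-bit model of RFC 7530 ACLs (no inheritance flags, no named-group ACEs), which is enough for the three special principals `OWNER@`, `GROUP@` and `EVERYONE@` that the defaults use.

```python
"""Evaluate NFSv4 ACLs against the IFS Kerberos-to-UNIX mapping.
Added example: not code from the IFS guide or the IFS service."""
from dataclasses import dataclass

# Default ACL on a new IFS NFS share, copied from the guide.
DEFAULT_ACL = ["A::OWNER@:rwaDxtTnNcCy", "A:g:GROUP@:rwaDxtTnNcy", "A::EVERYONE@:rwaDxtTnNcy"]
# One possible locked-down ACL (assumption): OWNER@ keeps full control, GROUP@ keeps
# read/write, EVERYONE@ becomes read-only (r read, x traverse, t/n/c read attrs/ACL, y sync).
LOCKED_ACL = ["A::OWNER@:rwaDxtTnNcCy", "A:g:GROUP@:rwaDxtTnNcy", "A::EVERYONE@:rxtncy"]


@dataclass(frozen=True)
class Ace:
    kind: str    # "A" allow or "D" deny
    flags: str   # e.g. "g" = principal is a group
    who: str     # OWNER@, GROUP@, EVERYONE@ or user@domain
    perms: str   # nfs4_acl(5) permission letters


def parse_ace(text):
    """'type:flags:principal:permissions' -> Ace."""
    kind, flags, who, perms = text.split(":", 3)
    if kind not in ("A", "D"):
        raise ValueError(f"unsupported ACE type {kind!r}")
    return Ace(kind, flags, who, perms)


@dataclass(frozen=True)
class UnixIdentity:
    name: str
    uid: int
    gid: int


# Constructed stand-ins for the guide's example account: its DO/DM principals,
# the Vserver-local users root and pcuser, and an LDAP directory holding 'foo'.
DO_DM_PRINCIPALS = {"wh999@DOMAIN", "wh998@DOMAIN"}
ROOT = UnixIdentity("root", 0, 0)
PCUSER = UnixIdentity("pcuser", 65535, 65535)
LDAP_USERS = {"foo": UnixIdentity("foo", 1001, 1001)}   # assumed uid/gid


def map_principal(principal):
    """Kerberos principal -> UNIX identity, following the rules in the guide:
    DO/DM -> root, machine accounts -> pcuser, anyone else must exist in LDAP."""
    if principal in DO_DM_PRINCIPALS:
        return ROOT
    user, _, _realm = principal.partition("@")
    if user.endswith("$"):
        return PCUSER
    if user in LDAP_USERS:
        return LDAP_USERS[user]
    raise PermissionError(f"no UNIX identity for {principal}")


def ace_matches(ace, ident, owner_uid, owner_gid):
    if ace.who == "EVERYONE@":
        return True
    if ace.who == "OWNER@":
        return ident.uid == owner_uid
    if ace.who == "GROUP@":
        return ident.gid == owner_gid
    # Named user ACE (user@domain); named-group ACEs are out of scope here.
    return "g" not in ace.flags and ace.who.split("@")[0] == ident.name


def allowed(acl, ident, wanted, owner_uid=0, owner_gid=0):
    """True only if every letter in `wanted` is granted. ACEs are scanned in
    order and the first ACE mentioning a bit decides it (allow or deny)."""
    decided = {}
    for ace in (parse_ace(a) for a in acl):
        if not ace_matches(ace, ident, owner_uid, owner_gid):
            continue
        for p in wanted:
            if p in ace.perms and p not in decided:
                decided[p] = ace.kind == "A"
    return all(decided.get(p, False) for p in wanted)


def can_write(acl, principal):
    return allowed(acl, map_principal(principal), "wa")   # write data + create


def can_read(acl, principal):
    return allowed(acl, map_principal(principal), "rx")   # read/list + traverse


def setfacl_command(acl, path):
    """nfs4-acl-tools command that installs `acl` on the mounted share."""
    return f"nfs4_setfacl -s '{','.join(acl)}' {path}"


if __name__ == "__main__":
    for who in ("wh999@DOMAIN", "machine$@DOMAIN", "foo@DOMAIN"):
        print(f"{who:18} default write={can_write(DEFAULT_ACL, who)} "
              f"locked write={can_write(LOCKED_ACL, who)} locked read={can_read(LOCKED_ACL, who)}")
    print(setfacl_command(LOCKED_ACL, "/mnt/nfs4"))
```

Running it shows the point the guide makes: under the default ACL every mapped principal, machine accounts included, can create and modify files, whereas after the lock-down only the share owner (the DO/DM identities mapped to root) retains write access and everyone else is read-only. The `nfs4_setfacl -s` line it prints is the form you would run as root on the mounted share; inspect the result afterwards with `nfs4_getfacl`.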
|
|
|
|
|
|
### Mounting the NFS share
|
|
|
|
|
|
We've set up an NFS share in a test Vserver called **ifs_dev_4**. The share path is **/ifs_dev_4_vol/ifs_dev_4_vol_44** and it is accessible through the NFS interface **[ifs-dev-4-nfs.ifs.uis.private.cam.ac.uk](http://ifs-dev-4-nfs.ifs.uis.private.cam.ac.uk)**.
|
|
|
|
|
|
The following configuration has been tested on Ubuntu 18.04 LTS and RHEL 7.7 (Maipo). Note that it could be slightly different on other OS versions.
|
|
|
|
|
|
#### Mounting the share using Kerberos user credentials
|
|
|
|
|
|
Start the rpc.gssd daemon with the option -n (see the rpc.gssd man page):
|
|
|
|
|
|
```bash
|
|
|
rpc.gssd -n
|
|
|
```
|
|
|
|
|
|
Get a Kerberos ticket:
|
|
|
|
|
|
```bash
|
|
|
kinit ifsuser1
|
|
|
Password for ifsuser1@BLUE.CAM.AC.UK:
|
|
|
```
|
|
|
|
|
|
Before mounting the share, please set the attribute **msDS-SupportedEncryptionTypes** of the NFS Service SPN to **0x18**, or contact us to do so.
|
|
|
|
|
|
```bash
|
|
|
mount -o sec=krb5 ifs-dev-4-nfs.ifs.uis.private.cam.ac.uk:/ifs_dev_4_vol/ifs_dev_4_vol_44 /mnt/nfs4/
|
|
|
```
|
|
|
|
|
|
The share is now mounted:
|
|
|
|
|
|
```bash
|
|
|
df -h /mnt/nfs4/
|
|
|
Filesystem Size Used Avail Use% Mounted on
|
|
|
ifs-dev-4-nfs.ifs.uis.private.cam.ac.uk:/ifs_dev_4_vol/ifs_dev_4_vol_44 1.0T 893G 132G 88% /mnt/nfs4
|
|
|
```
|
|
|
|
|
|
Check the share owner and permissions:
|
|
|
|
|
|
```bash
|
|
|
ll /mnt/nfs4/
|
|
|
total 8
|
|
|
drwxrwxrwx 2 root root 4096 Feb 18 12:43 ./
|
|
|
drwxr-xr-x 7 root root 4096 Feb 17 12:16 ../
|
|
|
```
|
|
|
|
|
|
#### Mounting the share using Kerberos machine's credentials
|
|
|
|
|
|
You need to join your machine to the Kerberos Realm. Run the realm join command and specify the Organisational Unit (OU) in which the machine account will be created and the user account that has privileges to do that.
|
|
|
|
|
|
```bash
realm join --computer-ou OU=IFS-Test,OU=Servers,OU=uis,OU=Inst,DC=blue,DC=cam,DC=ac,DC=uk -U uis-ifs-service-test blue.cam.ac.uk --membership-software=adcli -v
 * Resolving: _ldap._tcp.blue.cam.ac.uk
 * Performing LDAP DSE lookup on: 128.232.130.164
 * Performing LDAP DSE lookup on: 128.232.130.163
 * Successfully discovered: blue.cam.ac.uk
Password for uis-ifs-service-test:
 * Unconditionally checking packages
 * Resolving required packages
...
 * /usr/sbin/update-rc.d sssd enable
 * /usr/sbin/service sssd restart
 * Successfully enrolled machine in realm
```

After joining the Realm, /etc/krb5.keytab will be created on your machine.

Make sure sssd is up and running:

```bash
systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2020-02-21 10:10:16 UTC; 1min 42s ago
 Main PID: 5252 (sssd)
    Tasks: 4 (limit: 2317)
   Memory: 44.3M
   CGroup: /system.slice/sssd.service
           ├─5252 /usr/sbin/sssd -i --logger=files
           ├─5276 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain blue.cam.ac.uk --uid 0 --gid 0 --logger=files
           ├─5281 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid 0 --logger=files
           └─5282 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid 0 --logger=files
```
|
|
|
|
|
|
The mount command now uses the credentials in krb5.keytab file.
|
|
|
|
|
|
```bash
|
|
|
mount -o sec=krb5 ifs-dev-4-nfs.ifs.uis.private.cam.ac.uk:/ifs_dev_4_vol/ifs_dev_4_vol_44 /mnt/nfs4/
|
|
|
```
|
|
|
|
|
|
### Configure LDAP Client

Here are two ways to set up an LDAP client on your local machine (the NFS client).

**Using nscd and nslcd**

Install nscd:

```bash
sudo apt install nscd # Ubuntu
yum install nscd # RHEL
```

Install nslcd:

```bash
sudo apt install nslcd # Ubuntu
yum install nslcd # RHEL
```

You will be prompted for the LDAP server connection details during the nslcd installation. Alternatively, set them directly in /etc/nslcd.conf as described below.

In /etc/nslcd.conf, set the LDAP server URI:

```bash
uri ldap://dc3.blue.cam.ac.uk/
```

and the LDAP search base:

```bash
# The search base that will be used for all queries.
base OU=IFS-Test,OU=Servers,ou=UIS,ou=Inst,dc=blue,dc=cam,dc=ac,dc=uk
```

Update /etc/nsswitch.conf to use ldap:

```bash
passwd: compat systemd ldap
group: compat systemd ldap
shadow: compat ldap
```

Set binddn and bindpw in /etc/nslcd.conf. Restrict access to the file (readable by root only), as it contains the bind password in clear text:

```bash
# The DN to bind with for normal lookups.
binddn cn=ifsuser1,OU=IFS-Test,OU=Servers,ou=UIS,ou=Inst,dc=blue,dc=cam,dc=ac,dc=uk
bindpw password
```

Add LDAP search filters for the object classes User and Group in /etc/nslcd.conf:

```bash
filter passwd (objectClass=User)
filter group (objectClass=Group)
```

Start (or restart) nscd and enable it at boot:

```bash
systemctl start nscd
systemctl enable nscd
```

Start (or restart) nslcd and enable it at boot:

```bash
systemctl start nslcd
systemctl enable nslcd
```

Check that the UID and GID of user ifsuser1 and group ifsgroup1 resolve:

```bash
getent passwd ifsuser1
ifsuser1:*:50001:10001:ifsuser1:/home/ifsuser1:
getent group ifsgroup1
ifsgroup1:*:10001:
```

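As an added example (not part of this guide or of the IFS service's own tooling), the following POSIX shell functions check the two client-side files that hold credentials after the steps above: the machine keytab /etc/krb5.keytab created by `realm join`, and /etc/nslcd.conf with its binddn/bindpw. They also verify that /etc/nsswitch.conf lists the expected source. The function names, the constructed sample files and the expectation that the LDAP bind is protected by TLS (an `ldaps://` URI, or `ssl start_tls`/`ssl on` in nslcd.conf) are the example's own assumptions; nslcd authenticates with a simple bind, so over plain `ldap://` the bind password crosses the network in clear.

```sh
#!/bin/sh
# Added example, not from the IFS guide: sanity checks for the credential files
# on an NFS client (/etc/krb5.keytab after `realm join`, /etc/nslcd.conf with
# binddn/bindpw) and for the nsswitch.conf sources. Paths are arguments so the
# checks run against constructed sample files as well as the real ones.

# A file holding a secret must not be readable by group or other.
# Returns 0 when the mode is owner-only (e.g. 0600 or 0400), 1 otherwise.
check_secret_file() {
    f=$1
    [ -f "$f" ] || { echo "MISSING: $f"; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)      # e.g. -rw------- ; ACL/SELinux marks are cut off
    case "$mode" in
        ????------) return 0 ;;
        *) echo "INSECURE MODE $mode: $f (expected 0600 or stricter)"; return 1 ;;
    esac
}

# nslcd.conf: the password is sent with a simple bind, so the connection must be
# protected by TLS (ldaps:// URI, or `ssl start_tls` / `ssl on`).
# Returns 0 when binddn, bindpw and TLS are all configured, 1 otherwise.
check_nslcd_conf() {
    f=$1; rc=0
    grep -Eq '^[[:space:]]*binddn[[:space:]]' "$f" || { echo "$f: no binddn"; rc=1; }
    grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$f" || { echo "$f: no bindpw"; rc=1; }
    if ! grep -Eq '^[[:space:]]*uri[[:space:]]+ldaps://' "$f" \
       && ! grep -Eq '^[[:space:]]*ssl[[:space:]]+(on|start_tls)' "$f"; then
        echo "$f: plain ldap:// without ssl start_tls; bindpw would cross the network in clear"
        rc=1
    fi
    return $rc
}

# nsswitch.conf: the passwd and group databases must list the given source
# ("ldap" for nslcd, "sss" for sssd). Returns 0 when both do, 1 otherwise.
check_nsswitch() {
    f=$1; src=$2; rc=0
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]$src([[:space:]]|$)" "$f" \
            || { echo "$f: $db does not use $src"; rc=1; }
    done
    return $rc
}

# Constructed sample files (not taken from a real system) to show the checks.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nslcd.conf" <<'EOF'
uri ldap://dc3.blue.cam.ac.uk/
base OU=IFS-Test,OU=Servers,ou=UIS,ou=Inst,dc=blue,dc=cam,dc=ac,dc=uk
binddn cn=ifsuser1,OU=IFS-Test,OU=Servers,ou=UIS,ou=Inst,dc=blue,dc=cam,dc=ac,dc=uk
bindpw password
EOF
chmod 644 "$demo_dir/nslcd.conf"
printf 'passwd: compat systemd ldap\ngroup: compat systemd ldap\nshadow: compat ldap\n' \
    > "$demo_dir/nsswitch.conf"

check_secret_file "$demo_dir/nslcd.conf" || true    # reported: world-readable
check_nslcd_conf "$demo_dir/nslcd.conf" || true     # reported: no TLS on the bind
check_nsswitch "$demo_dir/nsswitch.conf" ldap && echo "nsswitch.conf uses ldap: OK"
chmod 600 "$demo_dir/nslcd.conf"
check_secret_file "$demo_dir/nslcd.conf" && echo "nslcd.conf mode: OK"
rm -rf "$demo_dir"
```

On a real client, run the functions as root against the live files, for example `check_secret_file /etc/krb5.keytab`, `check_secret_file /etc/nslcd.conf`, `check_nslcd_conf /etc/nslcd.conf` and `check_nsswitch /etc/nsswitch.conf ldap` (or `sss` when sssd is used). The mode check only reads the permission string from `ls -ld`, so it works on Ubuntu and RHEL alike.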
**Using sssd**

Start the sssd daemon; this requires that your local machine has been joined to the AD domain (see the `realm join` step above).

```bash
systemctl start sssd
```

Update /etc/nsswitch.conf with the sss source:

```bash
passwd: compat systemd ldap sss
group: compat systemd ldap sss
shadow: compat ldap sss
```

Set the attribute use_fully_qualified_names to False in /etc/sssd/sssd.conf.

```bash
use_fully_qualified_names = True
```

Restart sssd:

```bash
systemctl restart sssd
```

Test:

```bash
getent passwd ifsuser1
ifsuser1@blue.cam.ac.uk:*:307004846:1445400513:ifsuser1:/home/ifsuser1@blue.cam.ac.uk:/bin/bash
getent group ifsgroup1
ifsgroup1@blue.cam.ac.uk:*:307004899
```

### Troubleshooting

#### Problem: Listing the content of the NFS share shows wrong UID/GID

```bash
ll /mnt/nfs4/
total 8
drwxrwxrwx 2 root root 4096 Feb 25 15:48 ./
drwxr-xr-x 3 root root 4096 Feb 21 13:53 ../
-rw-r--r-- 1 nobody 4294967294 0 Feb 25 15:48 file1.txt
```

#### Resolution

The `nobody` owner and the group id 4294967294 are what an NFSv4 client shows when it cannot map the owner and group names sent by the server to local accounts. Check that the LDAP client is configured properly (as described in the Configure LDAP Client section above).

If nscd and nslcd are used, clear the nscd cache and restart the two services:

```bash
nscd -i passwd
nscd -i group
systemctl restart nscd
systemctl restart nslcd
```

You may also need to clear the sssd cache:

```bash
sss_cache -E
```

List the /mnt/nfs4 directory again:

```bash
ll /mnt/nfs4/
total 8
drwxrwxrwx 2 root root 4096 Feb 25 15:48 ./
drwxr-xr-x 3 root root 4096 Feb 21 13:53 ../
-rw-r--r-- 1 ifsuser1 ifsgroup1 0 Feb 25 15:48 file1.txt
```

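As an added example (not from this guide), the shell function below automates the check above: it reads an `ll`/`ls -l` listing of the mount and reports entries whose owner or group came back as `nobody`, `4294967294` or a bare number, which is what the client shows when it cannot map the server's owner and group names to local accounts. The sample listing is constructed for the example, and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the IFS guide: find entries in an `ls -l` listing of
# an NFSv4 mount whose owner or group was not mapped to a local account.

# Reads a listing on stdin and prints one line per unmapped entry:
#   "<owner> <group> <name>"
# Exit status 0 when every entry is mapped, 1 when at least one is not.
find_unmapped_ids() {
    awk '
        # skip the "total N" header and the . / .. entries
        $1 == "total" || $NF == "./" || $NF == "../" || $NF == "." || $NF == ".." { next }
        NF < 9 { next }
        {
            owner = $3; group = $4; bad = 0
            # nobody/nogroup is the NFSv4 fallback for an id the client cannot map;
            # 4294967294 is the same fallback (-2) shown as an unsigned 32-bit number
            if (owner == "nobody" || owner == "nogroup" || owner == "4294967294") bad = 1
            if (group == "nobody" || group == "nogroup" || group == "4294967294") bad = 1
            # a purely numeric owner or group in an ls -l listing means no name was found
            if (owner ~ /^[0-9]+$/ || group ~ /^[0-9]+$/) bad = 1
            if (bad) {
                n++
                name = $9
                for (i = 10; i <= NF; i++) name = name " " $i   # names containing spaces
                print owner, group, name
            }
        }
        END { exit (n > 0 ? 1 : 0) }
    '
}

# Number of unmapped entries in a listing passed as a single string.
count_unmapped() {
    printf '%s\n' "$1" | find_unmapped_ids | wc -l | tr -d ' '
}

# Constructed sample listing (not captured from a real mount) reproducing the
# symptom from the troubleshooting section beside a correctly mapped entry.
sample_listing='total 8
drwxrwxrwx 2 root root 4096 Feb 25 15:48 ./
drwxr-xr-x 3 root root 4096 Feb 21 13:53 ../
-rw-r--r-- 1 nobody 4294967294 0 Feb 25 15:48 file1.txt
-rw-r--r-- 1 ifsuser1 ifsgroup1 0 Feb 25 15:48 file2.txt'

printf '%s\n' "$sample_listing" | find_unmapped_ids \
    || echo "id mapping problem: check the LDAP client (nsswitch, nslcd or sssd) and clear the caches"
```

On a live mount, run `ls -la /mnt/nfs4/ | find_unmapped_ids`; a non-zero exit status is a convenient hook for a monitoring check that the LDAP client, nscd/nslcd or sssd on the NFS client has stopped resolving names.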
If `nfs4_setfacl` cannot be found when configuring the ACLs on the share, install the nfs4-acl-tools package on Ubuntu (or its equivalent on RHEL).