[ NOTE: machine translation with the help of DeepL translator without additional proofreading and spell checking ]
A system whose performance grows linearly with the amount of data? FlashBlade is the solution. The elastic scale-out architecture enables an incredible throughput of up to 320 Gb/s (8x 40 Gb/s), entirely software defined, with the ability to create virtual networks to isolate different kinds of traffic.
FlashBlade is not purely object storage. Besides S3, NFS shares and SMB shares can be provisioned easily. The SMB functionality can be fully integrated with an Active Directory infrastructure, and access permissions can be organized and managed with existing AD user accounts. How to set this up and manage it is described in this blog post.
ATTENTION: communication between the flash system (its VIP, the virtual IP address) and the domain controllers must be possible; check the networks involved and add routes if necessary. Communication on port 389 or, if necessary, 636 (LDAP, LDAPS), 445 (SMB), 111 (SUNRPC) and 2049 (MSVCMON) must also be possible!
This blog and its screenshots were created on a Windows Server 2016 German and a FlashBlade with Purity 2.2.10.
Step 1: Preparing the ActiveDirectory
To keep the administrative effort for later system changes low and to rule out possible problems in advance, it is worth investing a little time up front. Using general-purpose global administrator/user accounts for this is not recommended!
Create LDAP function user
For the LDAP integration, a domain user with read permission on the Active Directory is required.
For this purpose we create a dedicated LDAP user with the user name "ldap.lookup FunctionUser". By default, every new user is automatically a member of the "Domain Users" group, which is sufficient. To be on the safe side, tick "User cannot change password" and "Password never expires" on the "Account" tab.
I went one step further and for blog series reasons decided to create another separate organizational unit "FunctionUsers". The LDAP function user is a member of this group.
Make a note of the user data you created; you will need it later.
NOTE: step 2 below can be skipped if the flash system has already been configured with the correct DNS settings. Verify that name resolution actually works!
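The Step 1 preparation as a script, added here as an example and not part of the original post: it creates the "FunctionUsers" OU and the "ldap.lookup FunctionUser" account with the ActiveDirectory module, then prints the values you need to note down. The domain DN "DC=PUREFLASH,DC=blog" and the UPN suffix are taken from the post; the password is prompted for rather than stored.

```powershell
# Added example (not from the original post): creates the dedicated LDAP lookup
# user from Step 1 with the ActiveDirectory RSAT module and reports the settings
# Purity will rely on later. Domain DN and UPN suffix are assumptions from the post.
Import-Module ActiveDirectory

$domainDn = 'DC=PUREFLASH,DC=blog'
$ouName   = 'FunctionUsers'
$ouDn     = "OU=$ouName,$domainDn"

# Separate OU for function users, created only if it does not exist yet
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# Prompt for the password instead of hard-coding it in the script
$password = Read-Host -AsSecureString -Prompt 'Password for ldap.lookup'

# Plain domain user (Domain Users is enough for read access), with the two
# "Account" tab checkboxes from the post set
New-ADUser -Name 'ldap.lookup FunctionUser' `
    -SamAccountName 'ldap.lookup' `
    -UserPrincipalName 'ldap.lookup@pureflash.blog' `
    -Path $ouDn `
    -AccountPassword $password `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Description 'Read-only LDAP lookup account for FlashBlade SMB/AD integration'

# Verify the result and print the DN: this is the "Bind User" value in Step 3
$u = Get-ADUser -Identity 'ldap.lookup' -Properties PasswordNeverExpires, CannotChangePassword
[pscustomobject]@{
    BindUserDN           = $u.DistinguishedName
    PasswordNeverExpires = $u.PasswordNeverExpires
    CannotChangePassword = $u.CannotChangePassword
    Groups               = (Get-ADPrincipalGroupMembership -Identity 'ldap.lookup').Name -join ', '
}
```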
Step 2: Setup DNS settings
For the domain integration to work, the DNS settings must be correct.
In Purity, go to Settings > Network and adjust the settings if necessary.
ATTENTION: consider the effects of system changes in productive operation! If necessary, contact Pure Storage Support!
(As the test system is not the property of PUREFLASH.blog and contains confidential data, the screenshot above had to be pixelated.)
Step 3: Configure LDAP integration
In Purity, switch to Settings > Users > tab "SMB" and select "Configuration".
"Service Name" is an immutable, predefined field.
"Enabled" slider: this slider simply pauses (disconnects) the LDAP connection. Of course, the associated functions are no longer available afterwards, at least temporarily!
TIP: if you are unsure about the next entries, the ADSI editor can help. It is available on every domain controller or wherever the Windows RSAT tools are installed. The third-party "ADExplorer" from Sysinternals is also a good alternative.
"URIs": the LDAP path is required for the connection. If it is not known, it can be found via the ADSI editor: open the ADSI editor > select "Connect ..." > copy the path.
In our example "ldap://pfblog-dc01.pureflash.blog".
"Base DN": the "Base DN" is the organizational unit in which the AD groups and users for the NTFS permissions reside.
In our example "OU=BlogUsers,DC=PUREFLASH,DC=blog".
"Bind User": the "Bind User" is the "ldap.lookup FunctionUser" configured in Step 1, which performs the AD lookups.
In our example "CN=ldap.lookup FunctionUser,OU=FunctionUsers,DC=PUREFLASH,DC=blog".
"Bind Password": enter the password assigned earlier, as in our example.
Clicking the "Save" button automatically creates an Active Directory computer object. By default it is placed in the "Computers" container (CN).
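A pre-flight check of the Step 3 values before you click "Save", added as an example and not part of the original post: it verifies the ports named in the ATTENTION note, performs a simple bind with the Bind User DN over LDAPS, and searches the Base DN for groups, i.e. the same operations the FlashBlade will perform. The URI, Base DN and Bind User are the example values from this post; running it from an admin host is an assumption, so network reachability from the FlashBlade VIP itself still has to be checked separately.

```powershell
# Added example (not from the original post): validates URIs, Base DN, Bind User
# and Bind Password from an admin host before saving them in Purity.
# Assumes this host trusts the DC's LDAPS certificate; set port 389 and
# SecureSocketLayer = $false if you are deliberately using plain LDAP.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dcHost = 'pfblog-dc01.pureflash.blog'                                    # from "URIs"
$baseDn = 'OU=BlogUsers,DC=PUREFLASH,DC=blog'                              # from "Base DN"
$bindDn = 'CN=ldap.lookup FunctionUser,OU=FunctionUsers,DC=PUREFLASH,DC=blog'  # "Bind User"
$bindPw = Read-Host -Prompt "Bind Password for ${bindDn}"                 # never stored in the script

# 1. The ports listed in the post must be reachable on the domain controller
foreach ($port in 389, 636, 445) {
    $ok = (Test-NetConnection -ComputerName $dcHost -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("TCP {0,-4} {1}" -f $port, $(if ($ok) { 'open' } else { 'BLOCKED' }))
}

# 2. Simple bind with the DN and password exactly as they will be entered in Purity.
#    LDAPS (636) keeps the password off the wire in clear text.
$ldap = New-Object System.DirectoryServices.Protocols.LdapConnection("${dcHost}:636")
$ldap.SessionOptions.SecureSocketLayer = $true
$ldap.SessionOptions.ProtocolVersion   = 3
$ldap.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$ldap.Credential = New-Object System.Net.NetworkCredential($bindDn, $bindPw)
try {
    $ldap.Bind()
    Write-Host "Bind as ${bindDn}: OK"
} catch {
    Write-Host "Bind FAILED: $($_.Exception.Message) -> check Bind User DN / password"
    return
}

# 3. The Base DN must exist and must expose the groups you intend to use for the
#    share permissions; zero results usually means a wrong OU or missing read rights.
$req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $baseDn, '(objectClass=group)',
            [System.DirectoryServices.Protocols.SearchScope]::Subtree, @('cn'))
$resp = $ldap.SendRequest($req)
Write-Host ("Base DN {0}: {1} group(s) visible to the Bind User" -f $baseDn, $resp.Entries.Count)
$resp.Entries | ForEach-Object { '  ' + $_.Attributes['cn'][0] }
```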
Step 4: Create File System
Now we get down to the nitty-gritty: we obviously need an SMB file system. Theoretically you could create one file system with several protocols (SMB, NFS, S3 ...) at the same time, but I advise against this for various reasons. Dedicated file systems per protocol have no negative influence on the data reduction results of deduplication and compression, so there is no direct disadvantage to this configuration.
In Purity, click on Storage > File Systems > "+".
INFO: to create a file system, the logged-in user must be at least a member of the "storage_admin" role.
"Name": the file system name becomes the share name.
In our example I call it "PUREFLASHblog-CIFS".
"Provisioned Size": the share is provisioned "thin" by default and only occupies the storage actually used. When 90% of the capacity is reached, Purity automatically generates an alert.
If you leave this field empty or enter 0, the provisioned size is unlimited and only the storage actually used counts.
"Hard Limit": this setting can only be enabled for a defined capacity value. When the system detects that the file system has exceeded its provisioned size, all further writes are stopped until usage drops below the provisioned size. This happens within minutes of reaching the provisioned size. Note that the provisioned size can be exceeded during this detection time even if a hard limit is enabled.
"Snapshot": active by default. If you do not want this file system to be snapshotted, deactivate it here.
"Fast Remove": the fast-remove feature allows large directories to be removed quickly by handing the work over to the server. When fast remove is enabled, a special pseudo-directory named .fast-remove is created in the root directory of the NFS mount.
Protocols > "SMB": the target file system should be an SMB share.
"SMB Adapter Enabled": activates the SMB adapter.
"Access Control" > Shared: shared ACL mode is the default and shares UNIX-like ACL permissions with the NFS protocol. In shared mode the ACL permissions of both protocols must match: when one protocol creates files or changes permissions, they must match the other protocol's permission settings. For example, if an administrator attempts to change a file's SMB ACL permissions to read and write, the attempt triggers a match against the file's NFS ACL permissions; if the NFS ACL permissions for that file are read-only, the attempt fails.
Native: native ACL mode supports both UNIX-like ACLs and Windows ACLs. In native mode, because SMB natively supports both ACL types while NFS supports only UNIX ACLs, sharing ACLs between SMB and NFS is restricted. The limitations for sharing ACLs in native mode are:
Permissions created or modified in SMB are not applied to NFS permissions. For example, if user X's access permissions for file Y are removed using SMB, user X still has access to file Y using NFS.
Permissions changed in NFS do not affect the ACLs used by SMB.
NFS permissions do not apply to directories and files created by SMB or to permissions set by SMB.
If an SMB directory or file is not assigned an ACL, an ACL from NFS permissions is applied to it.
If an NFS directory or file does not have an ACL applied to it, SMB ACLs are not applied to that NFS directory or file.
UNIX and Windows ACLs grant full permissions by default.
This completes the creation of the file system and the share.
INFO: the file system name may only contain alphanumeric characters, underscores and hyphens, with a maximum of 63 characters.
Step 5: Accessing the Share
The share is created immediately after the file system is created.
All shares can be displayed via the UNC path. The shares are always accessible via \\<data-interface IP>\.
In our example the data-interface IP is 10.100.112.123. The share is directly accessible via "\\10.100.112.123\PUREFLASHblog-CIFS".
ATTENTION: to access the shares, the IP address of the defined data interface must always be used!
Step 6: Edit share permissions
UPDATED (06/03/2020) - RESTRICTING THE MAIN SHARE IN THE SMB TREE IS NO LONGER SUPPORTED. THE SHARE PERMISSIONS MUST BE SET WITHIN THE SUBFOLDERS OF THE SHARE.
To edit the share permissions, open Computer Management (CMD > compmgmt.msc) and connect to the data-interface IP address. Ideally a DNS entry has been created for it as well.
The respective share can be edited via System > Shared Folders > Shares.
After the SMB share has been created, it grants full access to Everyone. This is not optimal and should be adapted to the authorization concept you worked out beforehand.
INFO: to edit the share settings, the AD user must be at least a member of the "storage_admin" role.
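The hardening described above done in PowerShell instead of Computer Management, added as an example and not part of the original post: since the share root itself can no longer be restricted, it creates a subfolder below "\\10.100.112.123\PUREFLASHblog-CIFS", cuts the inherited "Everyone: Full Control", and grants a dedicated AD group only what it needs. The subfolder name "Projects" and the group "PUREFLASH\BlogUsers-RW" are assumptions; the script must run as an account that still has full access to the share.

```powershell
# Added example (not from the original post): replaces the default "Everyone: Full
# Control" on a subfolder of the share with a least-privilege AD group, because the
# main share in the SMB tree can no longer be restricted (Step 6 update).
# Folder name and group name are assumptions for this demo.
$share  = '\\10.100.112.123\PUREFLASHblog-CIFS'
$folder = Join-Path $share 'Projects'          # assumed subfolder
$group  = 'PUREFLASH\BlogUsers-RW'             # assumed AD group from OU=BlogUsers

if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

$acl = Get-Acl -Path $folder
# Stop inheriting from the share root and keep nothing of the inherited entries
$acl.SetAccessRuleProtection($true, $false)
# Also drop any explicit "Everyone" entry that exists directly on the subfolder
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and -not $_.IsInherited } |
    ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Least privilege: the user group gets Modify (read/write/delete), admins keep Full Control
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'Modify', $inherit, $prop, $allow)))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'PUREFLASH\Domain Admins', 'FullControl', $inherit, $prop, $allow)))

Set-Acl -Path $folder -AclObject $acl

# Check: "Everyone" must be gone and only the intended identities may remain
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Repeat the block per subfolder and group according to your authorization concept; the final table is the evidence that the default Everyone access has actually been removed.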