
Configuring audit clients for Active Directory

Contributors netapp-lhalbert

Perform this procedure for each Admin Node in a StorageGRID deployment from which you want to retrieve audit messages.

What you'll need
  • You must have the Passwords.txt file with the root/admin account password (available in the SAID package).

  • You must have the CIFS Active Directory username and password.

  • You must have the Configuration.txt file (available in the SAID package).

Note: Audit export through CIFS/Samba has been deprecated and will be removed in a future StorageGRID release.
Steps
  1. Log in to the primary Admin Node:

    1. Enter the following command: ssh admin@primary_Admin_Node_IP

    2. Enter the password listed in the Passwords.txt file.

    3. Enter the following command to switch to root: su -

    4. Enter the password listed in the Passwords.txt file.

      When you are logged in as root, the prompt changes from $ to #.

  2. Confirm that all services have a state of Running or Verified: storagegrid-status

    If all services are not Running or Verified, resolve issues before continuing.

  3. To return to the command line, press Ctrl+C.

  4. Start the CIFS configuration utility: config_cifs.rb

    ---------------------------------------------------------------------
    | Shares                 | Authentication         | Config          |
    ---------------------------------------------------------------------
    | add-audit-share        | set-authentication     | validate-config |
    | enable-disable-share   | set-netbios-name       | help            |
    | add-user-to-share      | join-domain            | exit            |
    | remove-user-from-share | add-password-server    |                 |
    | modify-group           | remove-password-server |                 |
    |                        | add-wins-server        |                 |
    |                        | remove-wins-server     |                 |
    ---------------------------------------------------------------------
  5. Set the authentication for Active Directory: set-authentication

    In most deployments, you must set the authentication before adding the audit client. If authentication has already been set, an advisory message appears; in that case, go to the next step.

    1. When prompted for Workgroup or Active Directory installation: ad

    2. When prompted, enter the name of the AD domain (short domain name).

    3. When prompted, enter the domain controller's IP address or DNS hostname.

    4. When prompted, enter the full domain realm name.

      Use uppercase letters.

    5. When prompted to enable winbind support, type y.

      Winbind is used to resolve user and group information from AD servers.

    6. When prompted, enter the NetBIOS name.

    7. When prompted, press Enter.

      The CIFS configuration utility is displayed.

  6. Join the domain:

    1. If not already started, start the CIFS configuration utility: config_cifs.rb

    2. Join the domain: join-domain

    3. You are prompted to test if the Admin Node is currently a valid member of the domain. If this Admin Node has not previously joined the domain, enter: no

    4. When prompted, provide the Administrator's username: administrator_username

      where administrator_username is the CIFS Active Directory username, not the StorageGRID username.

    5. When prompted, provide the Administrator's password: administrator_password

      where administrator_password is the CIFS Active Directory password, not the StorageGRID password.

    6. When prompted, press Enter.

      The CIFS configuration utility is displayed.

  7. Verify that you have correctly joined the domain:

    1. Join the domain: join-domain

    2. When prompted to test if the server is currently a valid member of the domain, enter: y

      If you receive the message “Join is OK,” you have successfully joined the domain. If you do not get this response, try setting authentication and joining the domain again.

    3. When prompted, press Enter.

      The CIFS configuration utility is displayed.

  8. Add an audit client: add-audit-share

    1. When prompted to add a user or group, enter: user

    2. When prompted to enter the audit user name, enter the audit user name.

    3. When prompted, press Enter.

      The CIFS configuration utility is displayed.

  9. If more than one user or group is permitted to access the audit share, add additional users: add-user-to-share

    A numbered list of enabled shares is displayed.

    1. Enter the number of the audit-export share.

    2. When prompted to add a user or group, enter: group

      You are prompted for the audit group name.

    3. When prompted for the audit group name, enter the name of the audit user group.

    4. When prompted, press Enter.

      The CIFS configuration utility is displayed.

    5. Repeat this step for each additional user or group that has access to the audit share.

  10. Optionally, verify your configuration: validate-config

    The services are checked and displayed. You can safely ignore the following messages:

    • Can't find include file /etc/samba/includes/cifs-interfaces.inc

    • Can't find include file /etc/samba/includes/cifs-filesystem.inc

    • Can't find include file /etc/samba/includes/cifs-interfaces.inc

    • Can't find include file /etc/samba/includes/cifs-custom-config.inc

    • Can't find include file /etc/samba/includes/cifs-shares.inc

    • rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)

      Important: Do not combine the setting 'security=ads' with the 'password server' parameter. (by default Samba will discover the correct DC to contact automatically).
      1. When prompted, press Enter to display the audit client configuration.

      2. When prompted, press Enter.

        The CIFS configuration utility is displayed.

  11. Close the CIFS configuration utility: exit

  12. If the StorageGRID deployment is a single site, go to the next step.

    or

    Optionally, if the StorageGRID deployment includes Admin Nodes at other sites, enable these audit shares as required:

    1. Remotely log in to a site's Admin Node:

      1. Enter the following command: ssh admin@grid_node_IP

      2. Enter the password listed in the Passwords.txt file.

      3. Enter the following command to switch to root: su -

      4. Enter the password listed in the Passwords.txt file.

    2. Repeat these steps to configure the audit shares for each Admin Node.

    3. Close the remote secure shell login to the Admin Node: exit

  13. Log out of the command shell: exit
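For step 10, the following added example (not part of the StorageGRID documentation) filters saved validate-config output against the messages listed above as safe to ignore and prints anything that remains for review. It assumes the output was copied from the terminal session as text; the function names and the sample lines, including the unexpected one, are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage saved validate-config output.
# The fixed strings below are the messages the procedure says can be ignored.

# Print every non-empty line of stdin that is NOT a known-ignorable message.
unexpected_lines() {
    # First grep drops blank lines; second drops lines containing any
    # ignorable message (-F: fixed strings, -v: invert the match).
    grep -v '^[[:space:]]*$' |
    grep -F -v \
        -e "Can't find include file /etc/samba/includes/cifs-interfaces.inc" \
        -e "Can't find include file /etc/samba/includes/cifs-filesystem.inc" \
        -e "Can't find include file /etc/samba/includes/cifs-custom-config.inc" \
        -e "Can't find include file /etc/samba/includes/cifs-shares.inc" \
        -e "rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)" \
        || true   # grep exits 1 when nothing remains; that is the clean case
}

# Constructed sample: three ignorable messages plus one line that is not
# on the ignore list and therefore needs a closer look.
sample_output() {
cat <<'EOF'
Can't find include file /etc/samba/includes/cifs-interfaces.inc
Can't find include file /etc/samba/includes/cifs-shares.inc

rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Unknown parameter encountered: "example option"
EOF
}

# Stand-alone run: show what is left after the ignorable messages are removed.
sample_output | unexpected_lines
```

An empty result means every message in the saved output was on the ignore list.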

Related information

Upgrade software