Installation manual

Configuring Front-End Services
Configuring CIFS
CLI Storage-Management Guide 11-27
To enable Kerberos authentication by the CIFS service, you must join the CIFS
service to the Active-Directory (AD) domain. The process is similar to adding a client
computer to the AD domain: the DC creates a computer account for the CIFS service and
marks it Trusted for Delegation. The CIFS service uses this delegation authority to
access back-end filers on behalf of its clients.
Use the gbl-cifs domain-join command as follows:
    domain-join domain-name [ou “organizational-unit”]
where
    domain-name (1-256 characters) identifies the DC domain. This domain
    must be defined in the AD forest; see “Adding an Active-Directory Forest
    (Kerberos)” on page 3-10.
    organizational-unit (optional, 1-512 characters) is the organizational unit
    (OU) to join. An OU is a group of similar accounts or machines that is
    managed by a particular administrator. The default is “Computers” at the
    root of the domain. If the OU does not exist, the domain-join operation fails.
The CLI prompts for the username and password. Enter a username with the
following permissions in the domain:
    “Add workstations to domain” and
    “Enable computer and user accounts to be trusted for delegation.”
The user account must also have the following permissions in the OU:
    “Create computer objects” and
    “Delete computer objects.”
For example, the following command sequence enables the CIFS service at
“ac1.medarch.org,” then joins the domain under username “acoadmin:”
Trusting an Acopia server for delegation poses no security threat to your network.
Kerberos authentication was designed with delegation in mind, to provide a clean way
of carrying identity through n-tiered application systems. For more information, refer
to IETF RFC 1510 (since superseded by RFC 4120) or the Microsoft white paper on
Kerberos authentication
(http://www.microsoft.com/windows2000/techinfo/howitworks/security/kerberos.asp).
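Because the domain-join operation marks the CIFS service's computer account as Trusted for Delegation, an administrator will want a way to confirm afterwards that only the intended account carries that flag. The following Python script is an added example, not part of this manual or of the Acopia CLI: it parses a constructed LDIF-style export of computer accounts (the object names are invented, loosely mirroring the “ac1.medarch.org” example above), decodes the userAccountControl attribute, and reports any account with the TRUSTED_FOR_DELEGATION bit (0x80000, Microsoft's documented value) that is not on an allow-list. The sample export is embedded so the script runs offline; in practice you would feed it the output of your own directory export.

```python
import re

# userAccountControl bits, as documented by Microsoft for Active Directory.
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000          # ordinary computer account
UF_TRUSTED_FOR_DELEGATION = 0x80000            # "Trusted for Delegation" (unconstrained)
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (constrained)

# Constructed sample export in LDIF form. The objects are invented for this
# example; 528384 == 0x1000 | 0x80000, i.e. a computer account trusted for delegation.
SAMPLE_LDIF = """\
dn: CN=AC1,CN=Computers,DC=medarch,DC=org
sAMAccountName: AC1$
userAccountControl: 528384
servicePrincipalName: cifs/ac1.medarch.org
servicePrincipalName: cifs/AC1

dn: CN=WS-42,CN=Computers,DC=medarch,DC=org
sAMAccountName: WS-42$
userAccountControl: 4096

dn: CN=FILER7,OU=Filers,DC=medarch,DC=org
sAMAccountName: FILER7$
userAccountControl: 528384
"""


def parse_ldif(text):
    """Parse a minimal LDIF export into a list of {attribute: [values]} dicts.

    Supports multi-valued attributes and folded continuation lines (leading
    space). Base64 ("::") values are not decoded; this is enough for the
    attributes the audit needs.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr:      # LDIF line folding
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():                        # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip(), value.strip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def uac(entry):
    """Return the numeric userAccountControl of an entry (0 if absent)."""
    return int(entry.get("userAccountControl", ["0"])[0])


def describe_uac(value):
    """Name the delegation-relevant bits set in a userAccountControl value."""
    names = []
    if value & UF_WORKSTATION_TRUST_ACCOUNT:
        names.append("WORKSTATION_TRUST_ACCOUNT")
    if value & UF_TRUSTED_FOR_DELEGATION:
        names.append("TRUSTED_FOR_DELEGATION")
    if value & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
        names.append("TRUSTED_TO_AUTH_FOR_DELEGATION")
    return names


def trusted_for_delegation(entries):
    """sAMAccountNames of every account carrying the unconstrained-delegation bit."""
    return [e["sAMAccountName"][0] for e in entries
            if uac(e) & UF_TRUSTED_FOR_DELEGATION]


def unexpected_delegation(entries, allowed):
    """Accounts trusted for delegation that are not on the allow-list."""
    return [name for name in trusted_for_delegation(entries) if name not in allowed]


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for e in entries:
        print(f"{e['sAMAccountName'][0]:10} uac={uac(e):<8} {describe_uac(uac(e))}")
    # Only the CIFS service account (AC1$ here) is expected to be trusted for delegation.
    print("unexpected:", unexpected_delegation(entries, allowed={"AC1$"}))
```

Run the script after the join completes and again on a schedule: the allow-list should contain just the CIFS service's computer account (plus any other hosts you have deliberately trusted), so anything else the report prints deserves investigation.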