[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Integrating Windows into Xsan

Subject: Re: Integrating Windows into Xsan
From: techtalk <email@hidden>
Date: Tue, 7 Feb 2006 15:15:11 -0800
Delivered-to: email@hidden
Delivered-to: email@hidden

Brian,

Thank you for your very informative response.

I spoke with the ADIC reps at MacWorld and they too said that their upcoming version of StorNext would work better at supporting LDAP.

I work with VFX companies and the "open" permission thing is not as big a deal (as long as you have backups). As everyone is working with everyone else (3D with 2D compositors, Editors with 3D, etc). So as long as there is a way to maintain open perms between PC/Win users and Mac users, then I will be happy.

Currently, I am using Finder and Terminal umask settings (002) to keep things as open as possible (read/writable by all in same group). I occasionally force a permissions sweep for new or foreign files (sudo chmod -R a+rwx *) and this does the trick for us. We do not maintain any restrictive and complicated ACLs or permission structures (as Xsan does not heed them anyway).

The whole reason for this foray into StorNext is that a client wants their windows (3d) users to access the files in a better fashion that the current set up. Their Xsan is for the Shake production and render farm, while all the 3d users are windows AD users hooked up to a win2003 server. When they've shared files in the past, apparently the mac users would use SMB to share files from a Mac to the win server. With local accounts on the mac the perms were never really right. But I didn't set this up, I just walked into their workflow. They think putting the win server on the Xsan they share files better. And they might be right. But without AD accounts on the mac then the file perm may never jive. We'll see.

:)

Mat X
System Administrator

Anthem Visual Effects, Inc.
200 - 110 Cambie Street
Vancouver, BC V6B 2M8
Phone: 604-669-9936
Fax: 604-669-9926


On 7-Feb-06, at 2:28 PM, Brian Leverson wrote:

Mat,
Do you anticipate having any cross-platform users, i.e. users who want to operate on the same Xsan volume files in both OS X Xsan and Windows SNFS environments? If so, you will have to address the problem of mapping your OS X user (Unix) info to your Windows ADIC SNFS SAN server. Without this mapping, file ownership/privileges for files created in a Windows session on an Xsan volume will NOT be accessible by the same users from the OS X environment. You will find that these files are assigned nobody/nobody (60001/60001) OS X (Unix) ownership. One solution is to assign world read/write access to any Xsan volume files, but most sites will be uncomfortable with this option.

Query your ADIC sales rep closely about SNFS/SNFX capabilities in your Xsan environment. The current ADIC SNFS release (2.6.1) supports only PCNFS or NIS protocols for user info mapping between Windows and non-Windows environments, including OS X (See StorNext File System Client Properties). While both protocols can be implemented under OS X, they are outdated and most security- conscious administrators will be reluctant use them. I have verified that the NIS option works, I've found that each Windows username must be manually mapped to an OS X (Unix) username. With several hundred users in my group, mapping each manually is ridiculous.

It is rumored that the next SNFS release (2.7) will support LDAP (Kerberos?) lookups. LDAP access is preferable to PCNFS/NIS, but there is still the issue of where the OS X UID/GID is stored. You may still find that your Windows AD schema must be extended to include OS X (Unix) user attributes.
Thanks,
--
Brian Leverson, Systems Manager
University of Washington		e-mail: email@hidden
Dept of Aeronautics and Astronautics	phone:  (206)543-6736
Box 352400				FAX:    (206)543-0217
Seattle, WA  98195-2400			Office: Gugg 309D
"Man is the best computer we can put aboard a spacecraft...and the only one that can be mass produced with unskilled labor." -- Wernher von Braun
On Tue, 7 Feb 2006, Mathieu Mauser wrote:
Thomas,
Maybe one of those cute golden triangles of authentication...
mac -> OD  and OD ->AD
And yes, apple training is good, and yes, maybe I should hire a contractor to do this for me. I met a bunch of smart kids at Macworld.
:)
-x
On Tue, Feb
07, 2006 at 10:43:18AM -0800, Thomas Weyer wrote:
Xsan does NOT support ACLs.
In terms of Dir Integration you have a number of options.  Get all
servers to Auth to a single dir server (OD/Mac or AD/Win) or use a
hybrid solution with a Master Dir Server and then Local Dir server
for the other platform (again this can be standard LDAP (aka OD) or
AD/Windows).
This is covers a bit in the Mac OS X Server Doc as well as thru training offered by Apple, or installation/Professional services if you just want to contract it out to someone and not have to deal with it yourself.
--Tom
____________________________________________________________________ ______ Thomas Weyer email: email@hidden Sr Consulting Engineer- Servers & Storage voice: (408) 974-5017 Field Engineering, U.S. Education fax:
Apple
1 Infinite Loop
http://www.apple.com/education
Cupertino, CA, 95014, USA                      http://www.apple.com
At 10:16 AM -0800 2/7/06, techtalk wrote:
Jason,
Yes, it seems somewhat necessary that I will have to get the Macs to authenticate against AD to share the privileges scheme and authority, the same as the win users understand.

But I hope that's all that needs to be done. I'm not looking forward to "extending schemas" or getting some kind of extra Unix LDAP functionality to work on Windows, besides what AD supports out of the box.
If Xsan does not support Mac OS X ACLs, then I don't see if
supporting Windows ACLs, right?
:)
Mat X
System Administrator
Anthem Visual Effects, Inc.
200 - 110 Cambie Street
Vancouver, BC V6B 2M8
Phone: 604-669-9936
Fax: 604-669-9926
On 7-Feb-06, at 9:17 AM, Jason Thorpe wrote:
On Feb 7, 2006, at 8:20 AM, mat x mauser wrote:
Hi Everyone.
I am looking at my first Windows (2003 server) integration into Xsan using StorNext. This specific Xsan setup is currently running Panther 10.3.9 (client an server) and Xsan 1.1. Besides RTFM (the Xsan Admin 1.1 manual) and checking which version of StorNext is compatible with Xsan, I am curious how the whole users and privileges thing will play out. The windows users are using AD accounts, but the Mac ppl are using local accounts (bad, i know!). I might switch the Mac users to OD or AD accounts and see what happens (fun!). Any gotchas? Or real world advice from anyone doing this now?
1- The Mac and Windows systems will need to be bound to a common
directory system.
2- You will need to verify with ADIC StorNext's Windows<->Unix
integration support for your environment.
-- thorpej
_______________________________________________ Do not post admin requests to the list. They will be ignored. Xsan-Users mailing list (email@hidden) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/xsan-users/techtalk% 40anthemfx.com
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Xsan-Users mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/xsan-users/email@hidden
This email sent to email@hidden
--
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Xsan-Users mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/xsan-users/email@hidden
This email sent to email@hidden
--
Mat X
http://matx.ca/ _______________________________________________ Do not post admin requests to the list. They will be ignored. Xsan-Users mailing list (email@hidden) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/xsan-users/brian% 40aa.washington.edu
This email sent to email@hidden
_______________________________________________ Do not post admin requests to the list. They will be ignored. Xsan-Users mailing list (email@hidden) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/xsan-users/techtalk% 40anthemfx.com
This email sent to email@hidden


_______________________________________________
Do not post admin requests to the list. They will be ignored.
Xsan-Users mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/xsan-users/email@hidden

This email sent to email@hidden

References:
	>Integrating Windows into Xsan (From: mat x mauser <email@hidden>)
	>Re: Integrating Windows into Xsan (From: Jason Thorpe <email@hidden>)
	>Re: Integrating Windows into Xsan (From: techtalk <email@hidden>)
	>Re: Integrating Windows into Xsan (From: Thomas Weyer <email@hidden>)
	>Re: Integrating Windows into Xsan (From: Mathieu Mauser <email@hidden>)
	>Re: Integrating Windows into Xsan (From: Brian Leverson <email@hidden>)

Prev by Date: Re: Integrating Windows into Xsan
Next by Date: Re: Integrating Windows into Xsan
Previous by thread: Re: Integrating Windows into Xsan
Next by thread: Re: Integrating Windows into Xsan
Index(es):
- Date
- Thread

Home