Monday, October 7, 2019

To homedir or not to homedir.....

... that is the question.   Here's the answer:  WHY NOT!

What the heck am I talking about?  Well, its the lesser-used NetApp ONTAP homedir feature.  What the heck does it do?   Make home directory provisioning, configuration and management so much simpler!

So, that's a pretty bold blanket statement, but the benefits of using the homedir feature in ONTAP is just so overwhelming, there's really no downside (besides the initial configuration and user provisioning process modification) to enabling and using it.  In essence, it's really a best practice when using ONTAP for home directory serving.

What is this homedir function you talk about?   Well it's a feature in ONTAP that created shares and exports on the fly based on the client's usernames that are presented to ONTAP during the mount or drive map process.  This makes it so much easier to provision users, home directories, permissions, quotas, and everything in between. Take the guess work out of it all!

Does it help?
Yes!  There is actually a recent Microsoft Windows bug rolling around in build 1803 that can cause some performance issues.  When you use that pesky little search bar in Windows Explorer and search a mapped drive, and that mapped drive is actually a folder within an actual share, then Windows does some real deep searching all the way back to the root of the share.   WHAAA???  There are other stupid things happening with the Windows clients too that can cause some weird performance issues when there is a lot of file enumeration going on.  Most of this client behavior is happening on the home drive, or even worse, a roaming profile drive.  This is because when you create a home directory share, you create a single folder, share that folder, create everyone's home directory off that folder, then have the users map the folder level.  (something like mapping H: to  \\server\homedirfolder\username).  No I'm not going to get into the minutia of the behavior since MS has done some work to fix it, but it's there nonetheless. Let's all use this awesome ONTAP feature to mitigate these issues.

Do I really need to know how it works?
Maybe.   It's actually not that complicated.  When a user connects to the "homedir", ONTAP just looks into a few volumes specified for that user's name on a directory and then creates a hidden share on the fly and lets the user attach to it.  That's it.  It's that simple.  Nothing more, nothing less.

Why do I want it?
There's a few things that make this so much more simple than the traditional way of creating a "homedir" share and mapping sub-directories to it.

First of all, it's simpler to expand.  What if the volume serving your homedir is full?  What if it needs more performance?  What if we need to create more volumes?  Split it up?  You can see the problems there.  Let me give you a quick demo.

ONTAP System Manager is showing me that I only have 4 homedir volumes in the searchpath.  I want to add another.  Let's say we're bringing on more staff.

Let's just add the volume to the search path....
And voila!!!  It's there!









That was easy!   As long as all the homedir volumes are in the same SVM, then you can add as many volumes as you want to the search path.

Why else do I want this?  Well, the only thing you have to do when provisioning a new user is to create the user's homedir folder in one of the volumes of the search path.  No need to create a new share... no need to create a new volume.... no need to do anything else except create the folder and apply the permissions!  You can even automate this with PowerShell!  You can even balance the amount of homedirs in each volume with the PowerShell script!!!!

I'm Sold!  How do I implement this?
It's easy.  Just create the homedir share and add volumes to the search path.  With System manager... its an all-in-one process!!!
Create the home directory share.

Here's where you can get creative.
For the name, this is what you will be putting into AD for the home dir path.  There is a caveat though.   If you create a non-unique name and have more than 1 user log into a machine at the same time, then there can be issues.  Why?  MUP cache.  What???   Yes. I said MUP cache.  What in the blazes is that?  Well, when the client mounts the home directory (let's just call it \\svm\cifshomedir), what is going on under the covers is some DFS magic to actually point it in the right direction.  The clients cache this DFS magic.  Unfortunately, that caching happens at the machine level.  So when user jimbobbillyjo logs into the Windows machine and has their homedrive connected, then the client machine's DFS cache says that \\svm\cifshomedir is actually \\svm\jimbobbillyjo$.   Now when user georgemcf logs into the same machine (like with a user switch) then when it tries to map \\svm\cifshomedir, then it's actually trying to mount \\svm\jimbobbillyjo$.  That won't work for poor georgemcf.
In order to just bypass all that nonsense, use the appropriate abbreviation in the name.  %w will be the most common, then you can use %username% in the drive mapping in AD.

So what do I need for AD?
Just set up the homedir.  There are several schools of thought.  
* Home Folder:  This is the most obvious.  ADUC gives you a drive letter and path.  This will also give you some variables once logged in like %HOMEDRIVE%, %HOMEPATH% and %HOMESHARE% that you can use to do more with.
   For automation, you can use variables.  I would use \\svm-name\%username%.   Then ADUC will translate that to username.


* Roaming Profile:  Its the exact same as the Home Folder above, but its called the Profile path in ADUC. 

* GPO for mapped drives:  This is more of a fan favorite. No need to set something for every computer account.  If this is a domain-wide GPO, then everyone gets the drive mapped.  This is where you need to use the variables though.
  The downside?  You don't get any of the cute variables.


Tuesday, August 13, 2019

FlexCache now FREE!

Recently NetApp reintroduced FlexCache into ONTAP where both the origin and the cache can run on ONTAP 9.5 or higher.  That did come with a license; term & capacity based.  Well, the great folks at NetApp have decided that it should be part of the ONTAP package.  That means that its now freeeeeeeeeeee. 

Hold your horses.  That doesn't mean that you can now go creating FlexCache volumes all over the place in ONTAP.  There's no magic that can do that.  That just means you still need to get a license, but it costs $0.00!  Go bug your NetApp account team to go get you one.  I
n a future ONTAP version, you will be able to create FlexCache volumes without a license.  This may even be a P release!  (All the more reason to upgrade to P releases)

You want to kick the tires?  Go on over to https://www.netapp.com/us/info/what-is-flex-cache.aspx and see what you can do.

Thursday, April 11, 2019

LDAPS is dead! Long live LDAPS!

So, as a TME for NFS, Name Services and SMB, I always get the question...

Does ONTAP support LDAPs??

StartTLS is insecure compared to LDAPS, right?

Well, let me tell you something........


LDAPS is sooo 90's.  There!  I said it!  90's?  really?   Yep!   RFC1777 was published in 1995!  And guess what?  There was no standard written for LDAP over SSL!  This was just assumed and taken from HTTPS at the time. The LDAP vendors took it, and rolled with it.

Enter LDAPv3.

RFC2251 was started and completed in 1997.  That didn't have any additional verbiage for on-the-wire encryption, but when RFC2830 was written in 2000, it made an extension for LDAPv3 specifically for StartTLS.  RFC4511 combined them into one LDAP v3 standard in 2006.  Once LDAP v3 was ratified and made it into mainstream in the early 2000's, LDAP vendors started to deprecate the LDAPS encryption method for StartTLS.

Deprecate.   That's a big word.   But what that means is that to "be usable but regarded as obsolete and best avoided, typically due to having been superseded."  Don't believe me?   Check it out:
https://www.openldap.org/faq/data/cache/605.html
https://directory.apache.org/api/user-guide/5.1-ldaps.html
https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol#Protocol_overview
I can go on....  Just do a Google search for LDAPS deprecated and see.

Clustered Data ONTAP started without any LDAPS support in favor of StartTLS because of the above reasons.  All LDAP vendors had to support the StartTLS extension because it was part of the standard.  Also, because LDAPS was deprecated, it could be yanked at any time.

But....  StartTLS is not as secure as LDAPS!!  It runs over a plaintext port!

Well, if you leave your LDAP install wide open, sure.  Your LDAP is still insecure.  But there are countermeasures that you can deploy to make sure StartTLS is secure.
  1.  Make sure that StartTLS is enabled.  DUH.
    This requires certificates.   Certificates are hard, but learn them.  They make things secure.  For internal, self-signed certs are OK as long as the domains and permutations of them are accounted for.
  2. Prevent queries without StartTLS.
    Now that StartTLS is enabled, you can set up LDAP servers to prevent LDAP commands unless the connection is StartTLS upgraded.  This can be done on a DIT (directory information tree) basis. 
  3. Prevent LDAP binds without StartTLS
    There is also a way to prevent BINDs from happening in plaintext.  Consult your LDAP vendor's documentation on how to do this.
  4. Prevent LDAP clients to send plaintext creds
    You still want to prevent your clients from sending their credentials in plaintext.  This means setting the minimum bind level at SASL.  The credentials passed will also be encrypted.
Doing all this will ensure that the LDAP communication is always secure.

How do you configure LDAP to work with StartTLS in ONTAP?  Easy.  Install the root certificate for the LDAP server's enterprise and then change the LDAP client config for -use-start-tls true and you are set to go.
Here's how your traffic looks: 
I don't see any holes in there.  Application data means its encrypted and is all buttoned up!  

What about ONTAP and LDAPS?   Well...  low and behold......   9.5 introduced the ability to do LDAPS.   Even though its deprecated and there are alternatives, the ability to do LDAPS was granted.
How do we do it?
Change the port in the ldap config to port 636.  Make sure -use-start-tls is turned to false and the same enterprise root cert is installed into ONTAP.  Is this more secure? Less secure?  Who knows.  Not my debate.
Here's what your traffic looks like:

You decide.  They look almost identical to me except for the LDAP START_TLS packets at the beginning.