Access zones provide a method to logically partition cluster access and allocate resources to self-contained units, thereby providing a shared tenant, or multi-tenant, environment. Access zones support configuration settings for authentication and identity management services on a cluster, so you can configure authentication providers and provision protocol directories such as SMB shares on a zone-by-zone basis. As a common practice, reserve the System zone for configuration access, and create additional zones for data access. The following sections focus on considerations for directory services, access zone separation, and Kerberos authentication.
An access zone can authenticate users with only one Active Directory domain. Although you can add more than one of the other directory services to a zone, a common practice is to limit each zone to no more than one of each of the directory services. For example, your access zone could contain one Active Directory, one LDAP and one File provider.
OneFS supports overlapping data between access zones for cases where your workflows require shared data, such as consolidation; however, this adds complexity to the access zone configuration that might lead to future issues with client access. As a general guideline, access zones should overlap only if data must be shared between zones. If you share data, it is recommended that the access zones share the same authentication providers. Shared providers ensure that users have consistent identity information when accessing the same data through different access zones.
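The one-Active-Directory-per-zone limit and the shared-provider guidance for overlapping zones can both be checked against a zone inventory. The following is an added example, not code from Dell or OneFS: the inventory, the zone names, and the `type:name` provider notation are constructed for illustration, and the System zone is assumed to be rooted at `/ifs`, so it is skipped in the overlap check.

```python
from collections import Counter
from itertools import combinations
from pathlib import PurePosixPath

# Constructed inventory for illustration; not output from a real cluster.
# Providers use this example's own "type:name" notation (ads, ldap, file).
ZONES = [
    {"name": "System", "path": "/ifs", "providers": ["ads:CORP.EXAMPLE"]},
    {"name": "eng", "path": "/ifs/data/eng",
     "providers": ["ads:CORP.EXAMPLE", "ldap:eng-ldap"]},
    {"name": "eng-archive", "path": "/ifs/data/eng/archive",
     "providers": ["ads:CORP.EXAMPLE", "ldap:eng-ldap"]},
    {"name": "engineering", "path": "/ifs/data/engineering",
     "providers": ["ads:LAB.EXAMPLE"]},
    {"name": "partner", "path": "/ifs/data/eng/shared",
     "providers": ["ldap:partner-a", "ldap:partner-b"]},
]

def overlaps(a, b):
    """True if one base path equals or contains the other, compared per
    path component so /ifs/data/eng does not match /ifs/data/engineering."""
    pa, pb = PurePosixPath(a), PurePosixPath(b)
    return pa == pb or pa in pb.parents or pb in pa.parents

def audit(zones, skip=("System",)):
    """Return sorted (severity, where, message) findings.
    Zones named in `skip` are left out of the overlap check only."""
    findings = []
    for z in zones:
        counts = Counter(p.split(":", 1)[0] for p in z["providers"])
        for ptype, n in counts.items():
            if n > 1:
                # More than one AD domain per zone is a hard limit; more than
                # one of another provider type goes against common practice.
                sev = "error" if ptype == "ads" else "warn"
                findings.append((sev, z["name"], f"{n} {ptype} providers in one zone"))
    data_zones = [z for z in zones if z["name"] not in skip]
    for a, b in combinations(data_zones, 2):
        if overlaps(a["path"], b["path"]):
            same = set(a["providers"]) == set(b["providers"])
            sev = "info" if same else "warn"
            msg = "overlapping paths, " + ("shared providers" if same else "different providers")
            findings.append((sev, f'{a["name"]}+{b["name"]}', msg))
    return sorted(findings)

if __name__ == "__main__":
    for sev, where, msg in audit(ZONES):
        print(f"{sev:5} {where:16} {msg}")
```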
If you cannot configure the same authentication providers for access zones with shared data, Dell Technologies recommends the following common practices:
Kerberos is a network authentication provider that works on the basis of tickets, allowing parties that communicate over a non-secure network to prove their identity to one another in a secure manner. OneFS supports two kinds of Kerberos implementation on PowerScale clusters.
If you configure an Active Directory provider, support for Microsoft Kerberos authentication is provided automatically. If your workflow requires using the SMB protocol, use Microsoft Kerberos.
When using Microsoft KDC/Kerberos with AD users and PowerScale, several considerations and recommendations are listed below:
See Kerberos Authentication and the white paper Integrating OneFS with Kerberos Environment for Protocols for more details about how to configure Kerberos on PowerScale.