[gpfsug-discuss] SMB support and config

Kallback-Rose, Kristy A kallbac at iu.edu
Mon Jul 6 23:06:00 BST 2015


Just to chime in as another interested party, we do something fairly similar but use sssd instead of nslcd. Very interested to see how accommodating the IBM Samba is to local configuration needs.

Best,
Kristy

On Jul 6, 2015, at 6:09 AM, Simon Thompson (Research Computing - IT Services) <S.J.Thompson at bham.ac.uk> wrote:

> Hi,
> 
> (sorry, lots of questions about this stuff at the moment!)
> 
> I'm currently looking at removing the sernet smb configs we had previously
> and moving to IBM SMB. I've removed all the old packages and only now have
> gpfs.smb installed on the systems.
> 
> I'm struggling to get the config tools to work for our environment.
> 
> We have MS Windows AD Domain for authentication. For various reasons,
> however, it doesn't hold the UIDs/GIDs, which are instead held in a different
> LDAP directory.
> 
> In the past, we'd configure the Linux servers running Samba so that NSLCD
> was configured to get details from the LDAP server. (e.g. getent passwd
> would return the data for an AD user). The Linux boxes would also be
> configured to use KRB5 authentication where users were allowed to ssh etc
> in for password authentication.
> 
> So as far as Samba was concerned, it would do "security = ADS" and then
> we'd also have "idmap config * : backend = tdb2"
> 
> I.e. Use Domain for authentication, but look locally for ID mapping data.
> 
> Now I can configure IBM SMB to use ADS for authentication:
> 
> mmuserauth service create  --type ad --data-access-method file
> --netbios-name its-rds --user-name ADMINUSER --servers DOMAIN.ADF
> --idmap-role subordinate
> 
> 
> However I can't see any way for me to manipulate the config so that it
> doesn't use autorid. Using this we end up with:
> 
> mmsmb config list | grep -i idmap
> idmap config * : backend         autorid
> idmap config * : range           10000000-299999999
> idmap config * : rangesize       1000000
> idmap config * : read only       yes
> idmap:cache                      no
> 
> 
> It also adds:
> 
> mmsmb config list | grep -i auth
> auth methods                     guest sam winbind
> 
> (though I don't think that is a problem).
> 
> 
> I also can't change the idmap using the mmsmb command (I think it would look
> like this):
> # mmsmb config change --option="idmap config * : backend=tdb2"
> idmap config * : backend=tdb2: [E] Unsupported smb option. More
> information about smb options is availabe in the man page.
> 
> 
> 
> I can't see anything in the docs at:
> http://www-01.ibm.com/support/knowledgecenter/#!/STXKQY_4.1.1/com.ibm.spectrum.scale.v4r11.adm.doc/bl1adm_configfileauthentication.htm
> 
> That gives me a clue how to do what I want.
> 
> I'd be happy to do some mixture of AD for authentication and LDAP for
> lookups (rather than just falling back to "local" from nslcd), but I can't
> see a way to do this, and "manual" seems to stop ADS authentication in
> Samba.
> 
> Anyone got any suggestions?
> 
> 
> Thanks
> 
> Simon
> 
> 