[gpfsug-discuss] SMB support and config
Simon Thompson (Research Computing - IT Services)
S.J.Thompson at bham.ac.uk
Tue Jul 7 12:39:24 BST 2015
So based on what I’m seeing ...
When you run mmstartup, the start process edits /etc/nsswitch.conf.
I’ve managed to make it work in my environment, but I had to edit the file
/usr/lpp/mmfs/bin/mmcesop to make it put ldap instead of winbind when it
starts up.
I also had to do some studious use of "net conf delparm" … Which is
probably not a good idea.
I did try using:
mmuserauth service create --type userdefined --data-access-method file
And then setting the "security = ADS" parameters by hand with "net conf"
(can’t do it with mmsmb), and a manual "net ads join" but I couldn’t get
it to authenticate clients properly. I can’t work out why just at the
moment.
But even then when mmshutdown runs, it still goes ahead and edits
/etc/nsswitch.conf
I’ve got a ticket open with IBM at the moment via our integrator to see
what they say.
But I’m not sure I like something going off and poking things like
/etc/nsswitch.conf at startup/shutdown. I can sorta see that at config
time, but when service start etc, I’m not sure I really like that idea!
Simon
On 06/07/2015 23:06, "Kallback-Rose, Kristy A" <kallbac at iu.edu> wrote:
>Just to chime in as another interested party, we do something fairly
>similar but use sssd instead of nslcd. Very interested to see how
>accommodating the IBM Samba is to local configuration needs.
>
>Best,
>Kristy
>
>On Jul 6, 2015, at 6:09 AM, Simon Thompson (Research Computing - IT
>Services) <S.J.Thompson at bham.ac.uk> wrote:
>
>> Hi,
>>
>> (sorry, lots of questions about this stuff at the moment!)
>>
>> I’m currently looking at removing the sernet smb configs we had
>> previously and moving to IBM SMB. I’ve removed all the old packages and
>> only now have gpfs.smb installed on the systems.
>>
>> I’m struggling to get the config tools to work for our environment.
>>
>> We have MS Windows AD Domain for authentication. For various reasons,
>> however, it doesn’t hold the UIDs/GIDs, which are instead held in a
>> different LDAP directory.
>>
>> In the past, we’d configure the Linux servers running Samba so that
>> NSLCD was configured to get details from the LDAP server. (e.g. getent
>> passwd would return the data for an AD user). The Linux boxes would also
>> be configured to use KRB5 authentication where users were allowed to ssh
>> etc in for password authentication.
>>
>> So as far as Samba was concerned, it would do “security = ADS” and then
>> we’d also have "idmap config * : backend = tdb2"
>>
>> I.e. Use Domain for authentication, but look locally for ID mapping
>> data.
>>
>> Now I can configure IBM SMB to use ADS for authentication:
>>
>> mmuserauth service create --type ad --data-access-method file
>> --netbios-name its-rds --user-name ADMINUSER --servers DOMAIN.ADF
>> --idmap-role subordinate
>>
>>
>> However I can’t see any way for me to manipulate the config so that it
>> doesn’t use autorid. Using this we end up with:
>>
>> mmsmb config list | grep -i idmap
>> idmap config * : backend autorid
>> idmap config * : range 10000000-299999999
>> idmap config * : rangesize 1000000
>> idmap config * : read only yes
>> idmap:cache no
>>
>>
>> It also adds:
>>
>> mmsmb config list | grep -i auth
>> auth methods guest sam winbind
>>
>> (though I don’t think that is a problem).
>>
>>
>> I also can’t change the idmap using the mmsmb command (I think it would
>> look like this):
>> # mmsmb config change --option="idmap config * : backend=tdb2"
>> idmap config * : backend=tdb2: [E] Unsupported smb option. More
>> information about smb options is availabe in the man page.
>>
>>
>>
>> I can’t see anything in the docs at:
>>
>> http://www-01.ibm.com/support/knowledgecenter/#!/STXKQY_4.1.1/com.ibm.spectrum.scale.v4r11.adm.doc/bl1adm_configfileauthentication.htm
>>
>> That gives me a clue how to do what I want.
>>
>> I’d be happy to do some mixture of AD for authentication and LDAP for
>> lookups (rather than just falling back to “local” from nslcd), but I
>> can’t see a way to do this, and “manual” seems to stop ADS authentication
>> in Samba.
>>
>> Anyone got any suggestions?
>>
>>
>> Thanks
>>
>> Simon
>>
>>
>> _______________________________________________
>> gpfsug-discuss mailing list
>> gpfsug-discuss at gpfsug.org
>> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
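
A check that could run from cron or a configuration-management agent to catch the behaviour described in the message above, where /etc/nsswitch.conf is rewritten at service start and stop. This is an added example, not part of the original post or of IBM's tooling; the function names and the expected source list "files ldap" are assumptions for an nslcd-style setup.

```sh
#!/bin/sh
# Added example: detect drift in the passwd/group sources of nsswitch.conf.

# Print the sources configured for database $2 in nsswitch file $1,
# with comments, [STATUS=action] items and extra whitespace removed.
nss_sources() {
    awk -v db="$2" '
        {
            sub(/#.*/, "")               # drop trailing comments
            gsub(/\[[^]]*\]/, "")        # drop [NOTFOUND=return] style actions
            sub(/:/, ": ")               # tolerate "passwd:files"
        }
        $1 == (db ":") {
            out = ""
            for (i = 2; i <= NF; i++) out = out (out == "" ? "" : " ") $i
            print out
            exit
        }' "$1"
}

# Return 0 when passwd and group in file $1 both use exactly the sources $2;
# otherwise print one line per drifted database and return 1.
check_nss() {
    drift=0
    for db in passwd group; do
        actual=$(nss_sources "$1" "$db")
        if [ "$actual" != "$2" ]; then
            echo "DRIFT $db: expected '$2', found '$actual'"
            drift=1
        fi
    done
    return $drift
}

# Constructed sample (not from a real system): the file as it might look
# after a service start has swapped ldap for winbind.
demo() {
    f=$(mktemp)
    printf '%s\n' 'passwd: files winbind' 'group:  files winbind # edited' \
        'hosts:  files dns' > "$f"
    check_nss "$f" "files ldap" && status=0 || status=1
    rm -f "$f"
    return $status
}
```

On a live node the call would be `check_nss /etc/nsswitch.conf "files ldap"`, run after each service start and stop so that an unexpected change to identity lookups is reported rather than discovered through failed logins.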