[gpfsug-discuss] SMB support and config

Simon Thompson (Research Computing - IT Services) S.J.Thompson at bham.ac.uk
Fri Jul 10 13:06:01 BST 2015


So IBM came back and said what I was doing wasn’t supported.

They did say that you can use “user defined” authentication. Which I’ve
got working now on my environment (figured what I was doing wrong, and you
can’t use mmsmb to do some of the bits I need for it to work for user
defined mode for me...). But I still think it needs a patch to one of the
files for CES for use in user defined authentication. (Right now it
appears to remove all my “user defined” settings from nsswitch.conf when
you stop CES/GPFS on a node). I’ve supplied my patch to IBM which works
for my case, we’ll see what they do about it…

(If people are interested, I’ll gather my notes into a blog post).

Simon

On 06/07/2015 23:06, "Kallback-Rose, Kristy A" <kallbac at iu.edu> wrote:

>Just to chime in as another interested party, we do something fairly
>similar but use sssd instead of nslcd. Very interested to see how
>accommodating the IBM Samba is to local configuration needs.
>
>Best,
>Kristy
>
>On Jul 6, 2015, at 6:09 AM, Simon Thompson (Research Computing - IT
>Services) <S.J.Thompson at bham.ac.uk> wrote:
>
>> Hi,
>> 
>> (sorry, lots of questions about this stuff at the moment!)
>> 
>> I’m currently looking at removing the sernet smb configs we had
>> previously and moving to IBM SMB. I’ve removed all the old packages and
>> only now have gpfs.smb installed on the systems.
>> 
>> I’m struggling to get the config tools to work for our environment.
>> 
>> We have MS Windows AD Domain for authentication. For various reasons,
>> however, it doesn’t hold the UIDs/GIDs, which are instead held in a
>> different LDAP directory.
>> 
>> In the past, we’d configure the Linux servers running Samba so that
>> NSLCD was configured to get details from the LDAP server. (e.g. getent
>> passwd would return the data for an AD user). The Linux boxes would also
>> be configured to use KRB5 authentication where users were allowed to ssh
>> etc in for password authentication.
>> 
>> So as far as Samba was concerned, it would do “security = ADS” and then
>> we’d also have "idmap config * : backend = tdb2"
>> 
>> I.e. Use Domain for authentication, but look locally for ID mapping
>> data.
>> 
>> Now I can configure IBM SMB to use ADS for authentication:
>> 
>> mmuserauth service create  --type ad --data-access-method file
>> --netbios-name its-rds --user-name ADMINUSER --servers DOMAIN.ADF
>> --idmap-role subordinate
>> 
>> 
>> However I can’t see any way for me to manipulate the config so that it
>> doesn’t use autorid. Using this we end up with:
>> 
>> mmsmb config list | grep -i idmap
>> idmap config * : backend         autorid
>> idmap config * : range           10000000-299999999
>> idmap config * : rangesize       1000000
>> idmap config * : read only       yes
>> idmap:cache                      no
>> 
>> 
>> It also adds:
>> 
>> mmsmb config list | grep -i auth
>> auth methods                     guest sam winbind
>> 
>> (though I don’t think that is a problem).
>> 
>> 
>> I also can’t change the idmap using the mmsmb command (I think it would
>> look like this):
>> # mmsmb config change --option="idmap config * : backend=tdb2"
>> idmap config * : backend=tdb2: [E] Unsupported smb option. More
>> information about smb options is availabe in the man page.
>> 
>> 
>> 
>> I can’t see anything in the docs at:
>> 
>> http://www-01.ibm.com/support/knowledgecenter/#!/STXKQY_4.1.1/com.ibm.spectrum.scale.v4r11.adm.doc/bl1adm_configfileauthentication.htm
>> 
>> That gives me a clue how to do what I want.
>> 
>> I’d be happy to do some mixture of AD for authentication and LDAP for
>> lookups (rather than just falling back to “local” from nslcd), but I
>> can’t see a way to do this, and “manual” seems to stop ADS
>> authentication in Samba.
>> 
>> Anyone got any suggestions?
>> 
>> 
>> Thanks
>> 
>> Simon
>> 
>
>_______________________________________________
>gpfsug-discuss mailing list
>gpfsug-discuss at gpfsug.org
>http://gpfsug.org/mailman/listinfo/gpfsug-discuss
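
The top message reports that stopping CES/GPFS on a node appears to remove the locally added entries from nsswitch.conf. As an added example (not code from the thread or from IBM), the check below can be run after a stop/start to confirm that the identity databases still list the expected lookup source. The source name `ldap` and the function name `nss_missing` are assumptions for illustration, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: report nsswitch.conf databases that no longer list a
# required lookup source, e.g. after a service restart rewrote the file.

# nss_missing FILE SOURCE DB [DB...]   (hypothetical helper name)
# Prints each DB whose entry in FILE lacks SOURCE, or that has no entry at
# all, one per line. Exit status: 0 = all present, 1 = something missing.
nss_missing() {
    file=$1 want=$2
    shift 2
    missing=0
    for db in "$@"; do
        # Strip comments, select this database's line, drop the "db:" key
        # and any [STATUS=action] items so that only source names remain.
        sources=$(sed -e 's/#.*//' "$file" |
            awk -F: -v db="$db" \
                '$1 ~ ("^[ \t]*" db "[ \t]*$") { sub(/^[^:]*:/, ""); print; exit }' |
            sed -e 's/\[[^]]*\]//g')
        found=no
        for s in $sources; do
            if [ "$s" = "$want" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then
            echo "$db"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample input: the file as configured, and as it might look
# after the local entries have been removed.
tmp=$(mktemp -d)
printf 'passwd: files ldap\ngroup:  files ldap [NOTFOUND=return]\n' > "$tmp/configured"
printf 'passwd: files\ngroup:  files # ldap\n' > "$tmp/reset"
for f in configured reset; do
    lost=$(nss_missing "$tmp/$f" ldap passwd group) ||
        echo "$f: ldap missing from:" $lost
done
rm -rf "$tmp"
```

On a real node the call would be `nss_missing /etc/nsswitch.conf ldap passwd group`, with a non-zero exit status signalling that the file has drifted from the intended configuration.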
