[gpfsug-discuss] SMB support and config

Kristy Kallback-Rose kallbac at iu.edu
Wed Jul 22 11:50:58 BST 2015


Yes interested, please post. We’ll probably keep running Samba separately, as we do today, for quite some time, but will be facing this transition at some point so we can be supported by IBM for Samba.

On Jul 10, 2015, at 8:06 AM, Simon Thompson (Research Computing - IT Services) <S.J.Thompson at bham.ac.uk> wrote:

> So IBM came back and said what I was doing wasn’t supported.
> 
> They did say that you can use “user defined” authentication. Which I’ve
> got working now on my environment (figured what I was doing wrong, and you
> can’t use mmsmb to do some of the bits I need for it to work for user
> defined mode for me...). But I still think it needs a patch to one of the
> files for CES for use in user defined authentication. (Right now it
> appears to remove all my “user defined” settings from nsswitch.conf when
> you stop CES/GPFS on a node). I’ve supplied my patch to IBM which works
> for my case, we’ll see what they do about it…
> 
> (If people are interested, I’ll gather my notes into a blog post).
> 
> Simon
> 
> On 06/07/2015 23:06, "Kallback-Rose, Kristy A" <kallbac at iu.edu> wrote:
> 
>> Just to chime in as another interested party, we do something fairly
>> similar but use sssd instead of nslcd. Very interested to see how
>> accommodating the IBM Samba is to local configuration needs.
>> 
>> Best,
>> Kristy
>> 
>> On Jul 6, 2015, at 6:09 AM, Simon Thompson (Research Computing - IT
>> Services) <S.J.Thompson at bham.ac.uk> wrote:
>> 
>>> Hi,
>>> 
>>> (sorry, lots of questions about this stuff at the moment!)
>>> 
>>> I’m currently looking at removing the sernet smb configs we had previously
>>> and moving to IBM SMB. I’ve removed all the old packages and only now have
>>> gpfs.smb installed on the systems.
>>> 
>>> I’m struggling to get the config tools to work for our environment.
>>> 
>>> We have MS Windows AD Domain for authentication. For various reasons,
>>> however, it doesn’t hold the UIDs/GIDs, which are instead held in a different
>>> LDAP directory.
>>> 
>>> In the past, we’d configure the Linux servers running Samba so that NSLCD
>>> was configured to get details from the LDAP server. (e.g. getent passwd
>>> would return the data for an AD user). The Linux boxes would also be
>>> configured to use KRB5 authentication where users were allowed to ssh etc
>>> in for password authentication.
>>> 
>>> So as far as Samba was concerned, it would do “security = ADS” and then
>>> we’d also have “idmap config * : backend = tdb2”
>>> 
>>> I.e. Use Domain for authentication, but look locally for ID mapping data.
>>> 
>>> Now I can configure IBM SMB to use ADS for authentication:
>>> 
>>> mmuserauth service create  --type ad --data-access-method file
>>> --netbios-name its-rds --user-name ADMINUSER --servers DOMAIN.ADF
>>> --idmap-role subordinate
>>> 
>>> 
>>> However I can’t see any way for me to manipulate the config so that it
>>> doesn’t use autorid. Using this we end up with:
>>> 
>>> mmsmb config list | grep -i idmap
>>> idmap config * : backend         autorid
>>> idmap config * : range           10000000-299999999
>>> idmap config * : rangesize       1000000
>>> idmap config * : read only       yes
>>> idmap:cache                      no
>>> 
>>> 
>>> It also adds:
>>> 
>>> mmsmb config list | grep -i auth
>>> auth methods                     guest sam winbind
>>> 
>>> (though I don’t think that is a problem).
>>> 
>>> 
>>> I also can’t change the idmap using the mmsmb command (I think would look
>>> like this):
>>> # mmsmb config change --option="idmap config * : backend=tdb2"
>>> idmap config * : backend=tdb2: [E] Unsupported smb option. More
>>> information about smb options is availabe in the man page.
>>> 
>>> 
>>> 
>>> I can’t see anything in the docs at:
>>> 
>>> http://www-01.ibm.com/support/knowledgecenter/#!/STXKQY_4.1.1/com.ibm.spectrum.scale.v4r11.adm.doc/bl1adm_configfileauthentication.htm
>>> 
>>> That gives me a clue how to do what I want.
>>> 
>>> I’d be happy to do some mixture of AD for authentication and LDAP for
>>> lookups (rather than just falling back to “local” from nslcd), but I can’t
>>> see a way to do this, and “manual” seems to stop ADS authentication in
>>> Samba.
>>> 
>>> Anyone got any suggestions?
>>> 
>>> 
>>> Thanks
>>> 
>>> Simon
>>> 
>>> 
>>> _______________________________________________
>>> gpfsug-discuss mailing list
>>> gpfsug-discuss at gpfsug.org
>>> http://gpfsug.org/mailman/listinfo/gpfsug-discuss

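The nsswitch.conf behaviour described in the thread (user-defined sources disappearing when CES/GPFS is stopped on a node) can be checked mechanically. The following is an added example, not part of the thread and not IBM's tooling; it assumes nslcd lookups appear as the `ldap` NSS source (substitute `sss` for sssd), and the sample file contents are constructed.

```python
import re

# Assumption: nslcd (nss-pam-ldapd) is wired in as the "ldap" NSS source,
# sssd as "sss"; passwd and group are the databases ID lookups depend on.
REQUIRED = {"passwd": {"ldap"}, "group": {"ldap"}}


def parse_nsswitch(text):
    """Return {database: [sources]}, ignoring comments and [STATUS=action] items."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        # Drop action criteria such as [NOTFOUND=return]; keep service names.
        rest = re.sub(r"\[[^\]]*\]", " ", rest)
        table[db.strip()] = rest.split()
    return table


def missing_sources(text, required=REQUIRED):
    """Return {database: sorted missing sources}; an empty dict means intact."""
    table = parse_nsswitch(text)
    gaps = {}
    for db, wanted in required.items():
        lost = wanted - set(table.get(db, []))
        if lost:
            gaps[db] = sorted(lost)
    return gaps


# Constructed sample files (not taken from the thread).
BEFORE_STOP = """\
# user-defined lookups via nslcd
passwd:     files ldap
group:      files ldap [NOTFOUND=return]
shadow:     files
"""
AFTER_STOP = """\
passwd:     files
group:      files
shadow:     files
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE_STOP), ("after", AFTER_STOP)):
        print(name, missing_sources(text) or "ok")
```

Run against the real /etc/nsswitch.conf after each CES stop/start; a non-empty result means SMB users will no longer resolve to their LDAP-held UIDs/GIDs on that node.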