[gpfsug-discuss] CES and mmuserauth command

Jan-Frode Myklebust janfrode at tanso.net
Tue Aug 23 13:15:24 BST 2016


Sorry to see no authoritative answers yet.. I'm doing lots of CES
installations, but have not quite yet gotten the full understanding of
this..

Simple stuff first:

--servers You can only have one with AD.

--enable-kerberos shouldn't be used, as that's only for LDAP according to
the documentation. Guess kerberos is implied with AD.

--idmap-role -- I've been using "master". Man-page says

        ID map role of a stand‐alone or singular system deployment must be
        selected "master"


What the idmap options seem to be doing is configuring the idmap options for
Samba. Maybe best explained by:

          https://wiki.samba.org/index.php/Idmap_config_ad


Your suggested options will then give you the samba idmap configuration:

  idmap config * : rangesize = 1000000
  idmap config * : range = 3000000-3500000
  idmap config * : read only = no
  idmap:cache = no
  idmap config * : backend = autorid

  idmap config DOMAIN : schema_mode = rfc2307
  idmap config DOMAIN : range = 500-2000000
  idmap config DOMAIN : backend = ad

Most likely you want to replace DOMAIN by your AD domain name.. So the
--idmap options set some defaults, that you probably won't care about,
since all your users are likely covered by the specific "idmap config
DOMAIN" config.

Hope this helps somewhat, now I'll follow up with something I'm wondering
myself...:

Is the netbios name just a name, without any connection to anything in AD?

Is the --user-name/--password a one-time used account that's only necessary
when executing the mmuserauth command, or will it also be for communication
between CES and AD while the services are running?



  -jf




On Mon, Aug 22, 2016 at 1:59 PM, Sobey, Richard A <r.sobey at imperial.ac.uk>
wrote:

> Hi all,
>
>
>
> We’re just about to start testing a new CES 4.2.0 cluster and at the stage
> of “joining” the cluster to our AD. What’s the bare minimum we need to get
> going with this? My Windows guy (who is more Linux but whatever) has
> suggested the following:
>
>
>
> mmuserauth service create --type ad --data-access-method file
>
> --netbios-name store --user-name USERNAME --password
>
> --enable-nfs-kerberos --enable-kerberos
>
> --servers list,of,servers
>
> --idmap-range-size 1000000 --idmap-range 3000000 - 3500000
> --unixmap-domains 'DOMAIN(500 - 2000000)'
>
>
>
> He has also asked what the following is:
>
>
>
> --idmap-role ???
>
> --idmap-range-size ??
>
>
>
> All our LDAP GID/UIDs are coming from a system outside of GPFS so do we
> leave this blank, or say master? Or, now I’ve re-read the mmuserauth page,
> is this purely for when you have AFM relationships and one GPFS cluster
> (the subordinate / the second cluster) gets its UIDs and GIDs from another
> GPFS cluster (the master / the first one)?
>
>
>
> For idmap-range-size is this essentially the highest number of users and
> groups you can have defined within Spectrum Scale? (I love how I’m using
> GPFS and SS interchangeably.. forgive me!)
>
>
>
> Many thanks
>
>
>
> Richard
>
>
>
>
>
> Richard Sobey
>
> Storage Area Network (SAN) Analyst
> Technical Operations, ICT
> Imperial College London
> South Kensington
> 403, City & Guilds Building
> London SW7 2AZ
> Tel: +44 (0)20 7594 6915
> Email: r.sobey at imperial.ac.uk
> http://www.imperial.ac.uk/admin-services/ict/
>
>
>
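
Added example (not part of the original thread and not IBM or Samba code): a small check over the idmap lines quoted in the reply, verifying that the configured ID ranges do not overlap and listing which AD uidNumber/gidNumber values fall outside the "idmap config DOMAIN" range, where Samba's range acts as a filter and such IDs are not mapped. The sample config is copied from the reply; the ID list and all function names are constructed for illustration.

```python
import re

# Constructed sample: the idmap lines quoted in the reply above.
SMB_CONF = """\
idmap config * : rangesize = 1000000
idmap config * : range = 3000000-3500000
idmap config * : read only = no
idmap:cache = no
idmap config * : backend = autorid
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : range = 500-2000000
idmap config DOMAIN : backend = ad
"""

LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$")

def parse_idmap(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            dom, key, val = m.groups()
            domains.setdefault(dom, {})[key.lower()] = val
    return domains

def id_range(opts):
    """Parse 'low-high' (spaces allowed) into an inclusive (low, high) tuple."""
    low, high = (int(p) for p in opts["range"].split("-"))
    if low > high:
        raise ValueError("range low bound exceeds high bound")
    return low, high

def overlapping(domains):
    """List pairs of domains whose ID ranges intersect."""
    ranges = sorted((id_range(o), d) for d, o in domains.items() if "range" in o)
    return [(a, b) for i, (ra, a) in enumerate(ranges)
            for rb, b in ranges[i + 1:] if rb[0] <= ra[1]]

def outside_range(domains, domain, ids):
    """IDs outside the domain's range; the range acts as a filter, so these
    AD uidNumber/gidNumber values would not be mapped for that domain."""
    low, high = id_range(domains[domain])
    return [i for i in ids if not low <= i <= high]

if __name__ == "__main__":
    conf = parse_idmap(SMB_CONF)
    print("overlaps:", overlapping(conf))
    # Constructed uidNumber values standing in for an export from AD.
    print("unmapped:", outside_range(conf, "DOMAIN", [499, 500, 1500, 2000001]))
```

Running it against an export of the real uidNumber and gidNumber values before the join shows which accounts would end up without a mapping, and therefore without the expected file ownership, on the CES nodes.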