[gpfsug-discuss] CES and mmuserauth command

Christof Schmitt christof.schmitt at us.ibm.com
Fri Aug 26 00:49:12 BST 2016


To clarify and expand on some of these:

--servers takes the AD Domain Controller that is contacted first during 
configuration. Later and during normal operations the list of DCs is 
retrieved from DNS and the fastest (or closest one according to the AD 
sites) is used. The one used initially does not have a special role.

--idmap-role allows dedicating one cluster as a master, and a second 
cluster (e.g. an AFM replication target) as "subordinate". Only the master 
will allocate idmap ranges, which can then be imported to the subordinate to 
have consistent id mappings.

--idmap-range-size and --idmap-range are used for the internal idmap 
allocation which is used for every domain that is not explicitly using 
another domain. "man idmap_autorid" explains the approach taken. As long 
as the default does not overlap with any other ids, that can be used.

The "netbios" name is used to create the machine account for the cluster 
when joining the AD domain. That is how the AD administrator will identify 
the CES cluster. It is also important in SMB deployments when Kerberos 
should be used with SMB: the same name as the netbios name has to be 
defined in DNS for the public CES IP addresses. When the name matches, 
then SMB clients can acquire a Kerberos ticket from AD to establish an SMB 
connection.

When joining the AD domain, --user-name, --password and --servers are only 
used to initially identify and log on to the AD and to create the machine 
account for the cluster. Once that is done, that information is no longer 
used, and e.g. the account from --user-name could be deleted, the password 
changed or the specified DC could be removed from the domain (as long as 
other DCs are remaining).

Regards,

Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469    (T/L: 321-2469)



From:   Jan-Frode Myklebust <janfrode at tanso.net>
To:     gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date:   08/23/2016 08:15 AM
Subject:        Re: [gpfsug-discuss] CES and mmuserauth command
Sent by:        gpfsug-discuss-bounces at spectrumscale.org



Sorry to see no authoritative answers yet.. I'm doing lots of CES 
installations, but have not quite yet gotten the full understanding of 
this..

Simple stuff first:

--servers: You can only have one with AD.

--enable-kerberos shouldn't be used, as that's only for LDAP according to 
the documentation. Guess kerberos is implied with AD.

--idmap-role -- I've been using "master". Man-page says

        ID map role of a stand‐alone or singular system deployment must 
be selected "master"


What the idmap options seem to be doing is configure the idmap options 
for Samba. Maybe best explained by: 

          https://wiki.samba.org/index.php/Idmap_config_ad


Your suggested options will then give you the samba idmap configuration:

  idmap config * : rangesize = 1000000
  idmap config * : range = 3000000-3500000
  idmap config * : read only = no
  idmap:cache = no
  idmap config * : backend = autorid

  idmap config DOMAIN : schema_mode = rfc2307
  idmap config DOMAIN : range = 500-2000000
  idmap config DOMAIN : backend = ad

Most likely you want to replace DOMAIN by your AD domain name.. So the 
--idmap options sets some defaults, that you probably won't care about, 
since all your users are likely covered by the specific "idmap config 
DOMAIN" config.

Hope this helps somewhat, now I'll follow up with something I'm wondering 
myself...:

Is the netbios name just a name, without any connection to anything in AD?

Is the --user-name/--password a one-time used account that's only 
necessary when executing the mmuserauth command, or will it also be used for 
communication between CES and AD while the services are running?



  -jf




On Mon, Aug 22, 2016 at 1:59 PM, Sobey, Richard A <r.sobey at imperial.ac.uk> 
wrote:
Hi all,
 
We’re just about to start testing a new CES 4.2.0 cluster and at the stage 
of “joining” the cluster to our AD. What’s the bare minimum we need to get 
going with this? My Windows guy (who is more Linux but whatever) has 
suggested the following:
 
mmuserauth service create --type ad --data-access-method file
--netbios-name store --user-name USERNAME --password 
--enable-nfs-kerberos --enable-kerberos
--servers list,of,servers
--idmap-range-size 1000000 --idmap-range 3000000 - 3500000 
--unixmap-domains 'DOMAIN(500 - 2000000)'
 
He has also asked what the following is:
 
--idmap-role ???
--idmap-range-size ??
 
All our LDAP GID/UIDs are coming from a system outside of GPFS, so do we 
leave this blank, or say master? Or, now I’ve re-read the mmuserauth page, 
is this purely for when you have AFM relationships and one GPFS cluster 
(the subordinate / the second cluster) gets its UIDs and GIDs from another 
GPFS cluster (the master / the first one)?
 
For idmap-range-size is this essentially the highest number of users and 
groups you can have defined within Spectrum Scale? (I love how I’m using 
GPFS and SS interchangeably.. forgive me!)
 
Many thanks
 
Richard
 
 
Richard Sobey
Storage Area Network (SAN) Analyst
Technical Operations, ICT
Imperial College London
South Kensington
403, City & Guilds Building
London SW7 2AZ
Tel: +44 (0)20 7594 6915
Email: r.sobey at imperial.ac.uk
http://www.imperial.ac.uk/admin-services/ict/
 

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
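Added by the editor, not code from this thread, from IBM or from the Samba project: a small Python checker for the Samba idmap lines Jan-Frode listed above, applying the two constraints Christof names (the autorid range must actually be usable, and no idmap range may overlap other ids) and the autorid arithmetic from man idmap_autorid that answers Richard's rangesize question. The smb.conf text, the /etc/passwd excerpt and the "fixed" variant are constructed samples, and the formula ID = RANGE_LOW + RANGE_NUMBER * RANGE_SIZE + RID is my reading of that man page for RIDs below rangesize.

```python
"""Sanity checks for the Samba idmap lines that mmuserauth generates.

Added example, not part of the mailing-list thread, of Spectrum Scale or of
Samba. The config text, the passwd excerpt and the autorid arithmetic
(from man idmap_autorid, as I read it) are the editor's assumptions.
"""
import re

# Constructed sample: the idmap lines the posted mmuserauth options produce.
SAMPLE_SMB_CONF = """
idmap config * : rangesize = 1000000
idmap config * : range = 3000000-3500000
idmap config * : read only = no
idmap:cache = no
idmap config * : backend = autorid

idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : range = 500-2000000
idmap config DOMAIN : backend = ad
"""

# Constructed alternative: five autorid slots fit, and the AD range starts
# above every local account on the node.
FIXED_SMB_CONF = """
idmap config * : rangesize = 100000
idmap config * : range = 3000000-3499999
idmap config * : backend = autorid

idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : range = 100000-2000000
idmap config DOMAIN : backend = ad
"""

# Constructed excerpt of local accounts on a CES node (UID/GID columns only).
SAMPLE_PASSWD = """
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
gpfsadm:x:998:998::/home/gpfsadm:/bin/bash
"""

LINE_RE = re.compile(r"^\s*idmap config (\S+)\s*:\s*(\w+(?: \w+)?)\s*=\s*(.+?)\s*$")


def parse_idmap(text):
    """Return {domain: {option: value}} from 'idmap config X : opt = val' lines."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def parse_range(value):
    """'3000000 - 3500000' -> (3000000, 3500000); spaces around '-' tolerated."""
    low, high = (int(x) for x in value.replace(" ", "").split("-"))
    if low > high:
        raise ValueError(f"inverted range {value}")
    return low, high


def overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def autorid_max_ranges(cfg):
    """Number of per-domain slots autorid can hand out: (high-low+1)//rangesize.
    Zero means the '*' backend can never allocate a range for any domain."""
    low, high = parse_range(cfg["*"]["range"])
    size = int(cfg["*"].get("rangesize", 100000))  # autorid default rangesize
    return (high - low + 1) // size


def autorid_id(cfg, range_number, rid):
    """ID a domain holding autorid slot range_number gets for a RID below
    rangesize: RANGE_LOW + RANGE_NUMBER * RANGE_SIZE + RID (man idmap_autorid)."""
    low, _high = parse_range(cfg["*"]["range"])
    size = int(cfg["*"].get("rangesize", 100000))
    if rid >= size or range_number >= autorid_max_ranges(cfg):
        raise ValueError("RID or slot does not fit in the configured autorid range")
    return low + range_number * size + rid


def check_config(cfg, passwd_text):
    """Return human-readable findings; an empty list means the config is clean."""
    findings = []
    ranges = {d: parse_range(o["range"]) for d, o in cfg.items() if "range" in o}

    # 1. The '*' autorid range must hold at least one full rangesize slot.
    if cfg.get("*", {}).get("backend") == "autorid" and autorid_max_ranges(cfg) == 0:
        findings.append("'*' autorid range is smaller than rangesize: "
                        "no domain range can ever be allocated")

    # 2. Ranges of different backends must not overlap each other.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if overlaps(ranges[a], ranges[b]):
                findings.append(f"ranges of {a} and {b} overlap")

    # 3. No idmap range may cover a UID/GID that already exists locally.
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue
        name, uid, gid = parts[0], int(parts[2]), int(parts[3])
        for dom, (lo, hi) in ranges.items():
            for what, val in (("uid", uid), ("gid", gid)):
                if lo <= val <= hi:
                    findings.append(f"local {what} {val} ({name}) lies inside "
                                    f"the {dom} range {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(label, check_config(parse_idmap(text), SAMPLE_PASSWD) or ["clean"])
```

Run against the posted values, the checker reports that a 3000000-3500000 range cannot hold a single 1000000-wide autorid slot and that the DOMAIN range starting at 500 covers local service accounts; the constructed "fixed" variant passes all three checks. On a real node, feed it the output of testparm -s and the node's /etc/passwd instead of the embedded samples.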
