[gpfsug-discuss] Integration with Active Directory

Monty Poppe poppe at us.ibm.com
Thu Feb 25 17:01:00 GMT 2016


All CES nodes should operate consistently across the cluster. Here are a 
few tips on debugging:

- /usr/lpp/mmfs/bin/wbinfo -p to ensure winbind is running properly
- /usr/lpp/mmfs/bin/wbinfo -P (capital P), to ensure winbind can communicate
  with the AD server
- ensure the first nameserver in /etc/resolv.conf points to your AD server
  (check all nodes)
- mmuserauth service check --server-reachability for a more thorough
  validation that all nodes can communicate with the authentication server

If you need to look at the samba logs (/var/adm/ras/log.smbd &
log.wb-<domainname>) to see what's going on, change the samba log level by
issuing: /usr/lpp/mmfs/bin/net conf setparm global 'log level' 3.  Don't
forget to set it back to 0 or 1 when you are done!

If you're willing to go with a later release, AD authentication with LDAP
ID mapping has been added as a feature in the 4.2 release
(https://www-01.ibm.com/support/knowledgecenter/STXKQY_4.2.0/com.ibm.spectrum.scale.v4r2.adm.doc/bl1adm_adwithldap.htm?lang=en).


Monty Poppe
Spectrum Scale Test
poppe at us.ibm.com
512-286-8047 T/L 363-8047
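The checks Monty lists are easy to run by hand on one node and easy to forget on the next, and the symptom in the original question (one protocol node answers "id", the other denies the domain exists) is exactly the kind of per-node drift they catch. The script below is an added example, not code from the post or from IBM: it scripts those steps so every CES node is checked the same way. The command paths (/usr/lpp/mmfs/bin/wbinfo, mmuserauth, net) and log paths (/var/adm/ras/log.smbd, log.wb-<domain>) are the ones given in the post; AD_SERVER is an assumed placeholder that must be set for your site, and the resolv.conf parsing is the only part that does not need a Spectrum Scale node to run.

```shell
#!/bin/sh
# ces_auth_check.sh -- added example, not code from the list post or from IBM.
# Runs the per-node checks from the reply above so every CES node can be
# verified the same way. Command paths (/usr/lpp/mmfs/bin/wbinfo, mmuserauth,
# net) are as given in the post; AD_SERVER is an assumed placeholder.

AD_SERVER="${AD_SERVER:-192.0.2.10}"          # constructed placeholder address
GPFS_BIN="${GPFS_BIN:-/usr/lpp/mmfs/bin}"
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"

# Print the first "nameserver" entry of a resolv.conf-style file (empty if none).
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1" 2>/dev/null
}

# Succeed only if the first nameserver in file $1 is the expected server $2.
# winbind locates domain controllers through DNS, so a node whose first
# resolver is not the AD DNS can fail "wbinfo -P" while its peers succeed.
resolv_points_to_ad() {
    [ -n "$2" ] && [ "$(first_nameserver "$1")" = "$2" ]
}

# Run one check, print PASS/FAIL, and count failures in $failures.
failures=0
check() {
    desc=$1
    shift
    if "$@" >/dev/null 2>&1; then
        printf 'PASS: %s\n' "$desc"
    else
        printf 'FAIL: %s\n' "$desc"
        failures=$((failures + 1))
    fi
}

# The four checks from the post, in order. Returns the number of failures,
# so a non-zero exit from a node is the signal to look at that node's logs.
run_node_checks() {
    failures=0
    check "winbind is running (wbinfo -p)"                 "$GPFS_BIN/wbinfo" -p
    check "winbind can reach the AD server (wbinfo -P)"    "$GPFS_BIN/wbinfo" -P
    check "first nameserver in $RESOLV_CONF is $AD_SERVER" \
        resolv_points_to_ad "$RESOLV_CONF" "$AD_SERVER"
    check "all nodes reach the auth server (mmuserauth)" \
        "$GPFS_BIN/mmuserauth" service check --server-reachability
    return "$failures"
}

# Raise or restore the Samba log level (post: 3 while debugging, back to 0
# or 1 afterwards). Higher levels write a great deal into
# /var/adm/ras/log.smbd and log.wb-<domain>, so do not leave them raised.
smb_log_level() {
    case "$1" in
        0|1|2|3) "$GPFS_BIN/net" conf setparm global 'log level' "$1" ;;
        *) echo "usage: smb_log_level 0|1|2|3" >&2; return 2 ;;
    esac
}

# Usage: sh ces_auth_check.sh run          (on each CES node, or via mmdsh)
#        sh ces_auth_check.sh loglevel 3   then later: loglevel 1
case "${1:-}" in
    run)      run_node_checks ;;
    loglevel) smb_log_level "$2" ;;
esac
```

Running it with `run` on every protocol node and comparing the PASS/FAIL lines is the quickest way to see whether the nodes really are configured identically, which is the premise of the reply above; a FAIL on the nameserver line on only one node is the case the post singles out with "check all nodes".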



From:   "Simon Thompson (Research Computing - IT Services)" 
<S.J.Thompson at bham.ac.uk>
To:     gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date:   02/25/2016 07:19 AM
Subject:        Re: [gpfsug-discuss] Integration with Active Directory
Sent by:        gpfsug-discuss-bounces at spectrumscale.org



Hi Gethyn,

From what I recall, CTDB used underneath is used to share the secret and 
only the primary named machine is joined, but CTDB and CES should work 
this backend part out for you.

I do have a question though, do you want to have consistent UIDs across 
other systems? For example if you plan to use NFS to other *nix systems, 
then you probably want to think about LDAP mapping and using custom auth 
(we do this as our AD doesn't contain UIDs either).

Simon

From: <gpfsug-discuss-bounces at spectrumscale.org> on behalf of "Longworth, 
Gethyn" <Gethyn.Longworth at Rolls-Royce.com>
Reply-To: "gpfsug-discuss at spectrumscale.org" <
gpfsug-discuss at spectrumscale.org>
Date: Thursday, 25 February 2016 at 10:42
To: "gpfsug-discuss at spectrumscale.org" <gpfsug-discuss at spectrumscale.org>
Subject: [gpfsug-discuss] Integration with Active Directory

Hi all,

I’m new to both GPFS and to this mailing list, so I thought I’d introduce
myself and one of the issues I am having.

I am a consultant to Rolls-Royce Aerospace currently working on a large
facilities project; part of my remit is to deliver a data system.  We
selected GPFS (sorry Spectrum Scale…) for these three clusters, with two of
the clusters using storage provided by Spectrum Accelerate, and the other
by a pair of IBM SANs and a tape library backup.

My current issue is to do with integration into Active Directory.  I’ve
configured my three node test cluster with two protocol nodes and a quorum
(version 4.2.0.1 on RHEL 7.1) as the master for an automated id mapping
system (we can’t use RFC2307, as our IT department don’t understand what
this is), but the problem I’m having is to do with domain joins.  The
documentation suggests that using the CES cluster hostname to register in
the domain will allow all nodes in the cluster to share the identity
mapping, but only one of my protocol nodes will authenticate – I can run
“id” on that node with a domain account and it provides the correct answer
– whereas the other will not and denies any knowledge of the domain or
user.  From a GPFS point of view, this results in a degraded CES, SMB, NFS
and AUTH state.  My small amount of AD knowledge says that this is
expected – a single entry (e.g. the cluster name) can only have one SID.

So I guess that my question is, what have I missed?  Is there something in
AD that I need to configure to make this work?  Does one of the nodes in
the cluster end up as the master and the other a subordinate?  How do I
configure that within the confines of mmuserauth?

As I said I am a bit new to this, and am essentially learning on the fly,
so any pointers that you can provide would be appreciated!

Cheers,

Gethyn Longworth
MEng CEng MIET | Consultant Systems Engineer | AEROSPACE

 _______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss



