[gpfsug-discuss] Integration with Active Directory
Monty Poppe
poppe at us.ibm.com
Thu Feb 25 17:01:00 GMT 2016
All CES nodes should operate consistently across the cluster. Here are a
few tips on debugging:
/usr/lpp/mmfs/bin/wbinfo -p to ensure winbind is running properly
/usr/lpp/mmfs/bin/wbinfo -P (capital P), to ensure winbind can communicate
with AD server
ensure the first nameserver in /etc/resolv.conf points to your AD server
(check all nodes)
mmuserauth service check --server-reachability for a more thorough
validation that all nodes can communicate to the authentication server
If you need to look at samba logs (/var/adm/ras/log.smbd &
log.wb-<domainname>) to see what's going on, change samba log levels
issue: /usr/lpp/mmfs/bin/net conf setparm global 'log level' 3. Don't
forget to set back to 0 or 1 when you are done!
If you're willing to go with a later release, AD authentication with LDAP
ID mapping has been added as a feature in the 4.2 release. (
https://www-01.ibm.com/support/knowledgecenter/STXKQY_4.2.0/com.ibm.spectrum.scale.v4r2.adm.doc/bl1adm_adwithldap.htm?lang=en
)
Monty Poppe
Spectrum Scale Test
poppe at us.ibm.com
512-286-8047 T/L 363-8047
From: "Simon Thompson (Research Computing - IT Services)"
<S.J.Thompson at bham.ac.uk>
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date: 02/25/2016 07:19 AM
Subject: Re: [gpfsug-discuss] Integration with Active Directory
Sent by: gpfsug-discuss-bounces at spectrumscale.org
Hi Gethyn,
From what I recall, CTDB used underneath is used to share the secret and
only the primary named machine is joined, but CTDB and CES should work
this backend part out for you.
I do have a question though, do you want to have consistent UIDs across
other systems? For example if you plan to use NFS to other *nix systems,
then you probably want to think about LDAP mapping and using custom auth
(we do this as out AD doesn't contain UIDs either).
Simon
From: <gpfsug-discuss-bounces at spectrumscale.org> on behalf of "Longworth,
Gethyn" <Gethyn.Longworth at Rolls-Royce.com>
Reply-To: "gpfsug-discuss at spectrumscale.org" <
gpfsug-discuss at spectrumscale.org>
Date: Thursday, 25 February 2016 at 10:42
To: "gpfsug-discuss at spectrumscale.org" <gpfsug-discuss at spectrumscale.org>
Subject: [gpfsug-discuss] Integration with Active Directory
Hi all,
I’m new to both GPFS and to this mailing list, so I thought I’d introduce
myself and one of the issues I am having.
I am a consultant to Rolls-Royce Aerospace currently working on a large
facilities project, part of my remit is to deliver a data system. We
selected GPFS (sorry Spectrum Scale…) for this three clusters, with two of
the clusters using storage provided by Spectrum Accelerate, and the other
by a pair of IBM SANs and a tape library back up.
My current issue is to do with integration into Active Directory. I’ve
configured my three node test cluster with two protocol nodes and a quorum
(version 4.2.0.1 on RHEL 7.1) as the master for an automated id mapping
system (we can’t use RFC2307, as our IT department don’t understand what
this is), but the problem I’m having is to do with domain joins. The
documentation suggests that using the CES cluster hostname to register in
the domain will allow all nodes in the cluster to share the identity
mapping, but only one of my protocol nodes will authenticate – I can run
“id” on that node with a domain account and it provides the correct answer
– whereas the other will not and denies any knowledge of the domain or
user. From a GPFS point of view, this results in a degraded CES, SMB, NFS
and AUTH state. My small amount of AD knowledge says that this is
expected – a single entry (e.g. the cluster name) can only have one SID.
So I guess that my question is, what have I missed? Is there something in
AD that I need to configure to make this work? Does one of the nodes in
the cluster end up as the master and the other a subordinate? How do I
configure that within the confines of mmuserauth?
As I said I am a bit new to this, and am essentially learning on the fly,
so any pointers that you can provide would be appreciated!
Cheers,
Gethyn Longworth
MEng CEng MIET | Consultant Systems Engineer | AEROSPACE
P Please consider the environment before printing this email
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20160225/d6578b21/attachment.htm>
More information about the gpfsug-discuss
mailing list