[gpfsug-discuss] SS 4.2.1 + CES NFS / SMB

Andy Parker1 andy_parker1 at uk.ibm.com
Thu Nov 17 15:17:48 GMT 2016


>> Currently I am looking to reconfigure and address the AD server's LDAP
>> and Kerberos components natively and so hopefully remove the need
>> for 'SSSD'. So we plan to configure using mmuserauth -type LDAP and
>> provide all the required parameters instead of -type AD.
>> Not 100% sure this will work, but this is what we are about to try.

Just to report back: you cannot just use --type ldap and point it at the
AD LDAP server (389 / 636). It fails because mmuserauth expects the
Samba schema and other pre-reqs to be in place. We do not wish to mess too
much with our AD schema, so we will drop this approach.

Summary:
Looks like we have the following options on our 'SS' CES nodes with AD
RFC2307 in place:
SMB to all Windows clients
NFS3 access to all RFC2307 clients
NFS4 access to Linux clients only

Using the OpenLDAP / MIT Kerberos servers approach would create too much of
an overhead for our team to manage 1000s of users. Using AD pretty much
looks after this for us today, and we have tooling in place, namely IBM's
Identity Manager, to automate the user management. Our only change needed
on the AD was to enable UNIX Services RFC2307 to allow the ID mapping.

Rgds AndyP

Andy Parker
Cloud & Development Platforms (C&DP)
Andy_Parker1 at uk.ibm.com
Desk: DW1B14
Tel: 37-245326 (01962-815326)
Post: MP100, IBM Hursley Park, Winchester, SO21 2JN


From:   Andy Parker1/UK/IBM at IBMGB
To:     gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Cc:     Jo Woods/UK/IBM at IBMGB
Date:   17/11/2016 11:57
Subject:        Re: [gpfsug-discuss] SS 4.2.1 + CES NFS / SMB
Sent by:        gpfsug-discuss-bounces at spectrumscale.org

>> On the S Scale CES side, RHEL and SLES are supported as of date.

Thanks for the update; agreed, SLES & RHEL are the supported platforms for
the CES servers.

My question was possibly not fair / clear. I was trying to establish what
NFS clients are supported to connect to the CES devices.

I configured 'SS' with mmuserauth for AD and RFC2307 support, making a
dangerous assumption that the RFC2307 would mean I would be able to use any
RFC2307-compliant NFS client for NFSv3 & v4.

This was true for NFSv3, and we connected AIX & Linux with no issues.
However, our aim is to remove NFSv3 and provide only NFSv4 + Kerberos
support. With NFSv4 only Linux clients worked OK, due to the use of 'SSSD'.
So we are broken for NFSv4 in our diverse environment (AIX*, SOLARIS*,
HPUX*), as the ID mapping at NFSv4 becomes broken.

Currently I am looking to reconfigure and address the AD server's LDAP
and Kerberos components natively and so hopefully remove the need
for 'SSSD'. So we plan to configure using mmuserauth -type LDAP and
provide all the required parameters instead of -type AD.
Not 100% sure this will work, but this is what we are about to try.

Rgds Andy


From:        Ravi K Komanduri/India/IBM 
To:        gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>, 
Andy Parker1 <andy_parker1 at uk.ibm.com> 
Date:        17/11/2016 11:20 
Subject:        Re: [gpfsug-discuss] SS 4.2.1 + CES NFS / SMB

Andy,

>> Does anyone know if the SpectrumScale CES (NFS/SMB) has a supported
>> operating systems list published. I checked here but nothing found.

On the S Scale CES side, RHEL and SLES are supported as of date.

Refer to the S Scale FAQ link:
http://www.ibm.com/support/knowledgecenter/STXKQY/ibmspectrumscale_welcome.html


With Regards,
Ravi K Komanduri

From:        Andy Parker1 <andy_parker1 at uk.ibm.com> 
To:        gpfsug main discussion list <gpfsug-discuss at spectrumscale.org> 
Date:        11/15/2016 09:05 PM 
Subject:        Re: [gpfsug-discuss] SS 4.2.1 + CES NFS / SMB 
Sent by:        gpfsug-discuss-bounces at spectrumscale.org

Thanks for the responses. Using iptrace on AIX I was able to confirm that
indeed the following is passed and cannot be matched by the AIX NFSv4
client:
SPECTRUMSCALE\testuser1@virtual1.com
This is in the response packet sent back from the CES server to the AIX
NFSv4 client.

Sent by Spectrum CES     SPECTRUMSCALE\testuser1@virtual1.com
Expected by AIX NFSV4    testuser1@virtual1.com
!!!!!!!! NO MATCH !!!!!!!

00000200     00000180 00000001 00000024 53504543     |...........$SPEC|
00000210     5452554d 5343414c 455c7465 73747573     |TRUMSCALE\testus|
00000220     65723140 76697274 75616c31 2e636f6d     |er1@virtual1.com|
00000230     0000001f 53504543 5452554d 5343414c     |....SPECTRUMSCAL|
00000240     455c7465 73744076 69727475 616c312e     |E\test@virtual1.|
00000250     636f6d00 00000000 00000000 00000000     |com.............|

Out of interest I set up an AIX 7.1 NFSv4 server and an AIX 7.1 NFSv4
client, both authenticating against the AD LDAP. This worked fine. I
suspect this is because the AIX LDAP (POSIX) does attribute mapping, so we
only see the UID, not DOMAIN\uid.

vi /etc/security/ldap/ldap.cfg 
<extract> 
# AIX-LDAP attribute map path. 
userattrmappath:/etc/security/ldap/sfur2user.map 
groupattrmappath:/etc/security/ldap/sfur2group.map 

# grep -i uid sfur2user.map 
username        SEC_CHAR        uid                     s       na yes 
id              SEC_INT         uidNumber               s       na yes 

I wonder if Solaris 10/11 and HP-UX 11 are also not supported using NFSv4.
Does anyone know if the SpectrumScale CES (NFS/SMB) has a supported
operating systems list published? I checked here but found nothing:

http://www.ibm.com/support/knowledgecenter/STXKQY_4.2.1/com.ibm.spectrum.scale.v4r21.doc/bl1adm_authenticationlimitations.htm


# Going Forward 

Initially we want to provide only NFS and SMB CesNode services. We based
our decision to use AD + RFC2307 on this table, believing that it would
provide what we need today and future-proof us a little by potentially
allowing expansion to OBJ in the future.

http://www.ibm.com/support/knowledgecenter/STXKQY_4.2.1/com.ibm.spectrum.scale.v4r21.doc/bl1ins_authconcept.htm

NFSv4 is pretty mandatory in our design; we want to get rid of using
netgroups and NFSv3 UID/GID mapping, which has weak security.
Ideally on day one we would want NFSv4 and Kerberos to provide better
security for our clients. It's also likely that in the future corporate
security policies may ban netgroups for NFS authorization, so using NFSv4
+ Kerberos would position my department well for future changes.

Based on the table I guess I need to set up LDAP / TLS / Kerberos as the
authentication service, which will cover all bases except OBJECT.

Thanks again for everyone's comments, this was my first post and the 
responses were all very welcome. 

Rgds Andy

From:        "Chetan R Kulkarni" <chetkulk at in.ibm.com> 
To:        gpfsug-discuss at spectrumscale.org 
Date:        15/11/2016 06:01 
Subject:        [gpfsug-discuss]  SS 4.2.1 + CES NFS / SMB 
Sent by:        gpfsug-discuss-bounces at spectrumscale.org

>> Summary / Question:
>> Can anybody explain why I do not see userID / Group names when viewing
>> via a NFS4 client and ideally how to fix this.

This is not supported by Spectrum Scale (i.e. NFSv4 mount/access on AIX
clients with AD+RFC2307 file authentication).

The reason is that the AIX client integrates with AD like LDAP, i.e. the
AIX client can't resolve the user in the format "DOMAIN\user".
The NFSv4 server returns the user in "DOMAIN\user" format, and as the AIX
client doesn't understand "DOMAIN\user", it translates it to "nobody".
Hence you see "nobody" under the AIX NFSv4 mount.

Please note that with RHEL clients we see correct ownership under NFSv4
mounts. This is because RHEL clients integrate with AD as pure AD clients
(using winbind or SSSD), i.e. users resolve successfully in "DOMAIN\user"
format on RHEL clients.

Thanks,
Chetan.
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
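The mismatch Andy's iptrace shows (the owner string "SPECTRUMSCALE\testuser1@virtual1.com" that the AIX NFSv4 client cannot match) and Chetan's explanation of why AIX then displays "nobody" can be reproduced offline. The Python below is an added example, not code from this thread, from IBM or from AIX: it decodes the two XDR strings from the hex dump (transcribed as a constructed byte string), parses the owner form, and models the two client behaviours described above, a client that only understands RFC 3530 "user@domain" names versus a winbind/SSSD client that also resolves "DOMAIN\user". The name database and the mapping rules are assumptions for illustration, not the real AIX or winbind lookup logic.

```python
import re
import struct
from typing import Dict, List, Optional, Tuple

# Constructed input: the two XDR strings from the iptrace hex dump in Andy's
# message (offsets 0x208 to 0x253), with the archive's "at" restored to the
# 0x40 '@' byte the hex actually contains. The two words at 0x200 and 0x204
# are omitted because the capture does not say what they are.
CAPTURE = bytes.fromhex(
    "00000024" "53504543" "5452554d" "5343414c" "455c7465" "73747573"
    "65723140" "76697274" "75616c31" "2e636f6d"
    "0000001f" "53504543" "5452554d" "5343414c" "455c7465" "73744076"
    "69727475" "616c312e" "636f6d00"
)


def xdr_strings(buf: bytes) -> List[str]:
    """Decode consecutive XDR strings (RFC 4506 section 4.11): a 4-byte
    big-endian length, the bytes, then zero padding to a 4-byte boundary."""
    out, pos = [], 0
    while pos + 4 <= len(buf):
        (n,) = struct.unpack_from(">I", buf, pos)
        pos += 4
        if n == 0 or pos + n > len(buf):
            break  # trailing zeros or a truncated string: stop decoding
        out.append(buf[pos:pos + n].decode("ascii"))
        pos += n + (-n % 4)
    return out


# RFC 3530 owner strings are "user@dns_domain". The CES server additionally
# prefixes the Windows domain, giving "NTDOMAIN\user@dns_domain".
OWNER_RE = re.compile(
    r"^(?:(?P<ntdomain>[^\\@]+)\\)?(?P<user>[^\\@]+)@(?P<domain>[^\\@]+)$"
)


def parse_owner(owner: str) -> Optional[Dict[str, Optional[str]]]:
    """Split an NFSv4 owner string into its parts, or None if malformed."""
    m = OWNER_RE.match(owner)
    return m.groupdict() if m else None


def resolve_owner(owner: str, idmap_domain: str, names: Dict[str, int],
                  accepts_ntdomain: bool) -> str:
    """Model client-side owner -> name mapping (assumed rules, not AIX's code).

    names is the client's name database (user or group name -> numeric id),
    e.g. what AIX gets through its LDAP uid/uidNumber attribute map.
    accepts_ntdomain=False models a client that only understands
    "user@domain" (the AIX behaviour in the thread); True models a
    winbind/SSSD client that resolves "DOMAIN\\user" as well.
    Anything unmappable comes back as "nobody".
    """
    parts = parse_owner(owner)
    if parts is None:
        return "nobody"
    if parts["domain"].lower() != idmap_domain.lower():
        return "nobody"  # foreign NFSv4 domain: no mapping
    if parts["ntdomain"] and not accepts_ntdomain:
        return "nobody"  # "DOMAIN\user" is not a valid user@domain name here
    return parts["user"] if parts["user"] in names else "nobody"


def classify_capture(buf: bytes, idmap_domain: str,
                     names: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """Decode owner/owner_group from a capture and show how each client type
    would display them: (wire string, user@domain-only, winbind/SSSD)."""
    return [
        (s,
         resolve_owner(s, idmap_domain, names, accepts_ntdomain=False),
         resolve_owner(s, idmap_domain, names, accepts_ntdomain=True))
        for s in xdr_strings(buf)
    ]


if __name__ == "__main__":
    # Constructed name database: the two names visible in the capture.
    names = {"testuser1": 1001, "test": 1002}
    for wire, aix_style, sssd_style in classify_capture(CAPTURE, "virtual1.com", names):
        print(f"{wire!r:42} user@domain-only -> {aix_style:10} "
              f"winbind/SSSD -> {sssd_style}")
```

Running it shows both wire strings mapping to "nobody" for the user@domain-only client and to "testuser1" / "test" for the client that accepts the Windows domain prefix, which is exactly the split between the AIX and RHEL results reported in the thread. The same decoder can be pointed at any other XDR string pair pulled from a capture to check what owner form a server is actually sending before changing the authentication setup.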



Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 
741598. 
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU