[gpfsug-discuss] SMB and AD authentication

Christof Schmitt christof.schmitt at us.ibm.com
Mon Feb 27 19:59:46 GMT 2017


--unixmap-domains 'sirius(10000-20000)'

specifies that for the domain SIRIUS, all uid and gids are stored as 
rfc2307 attributes in the user and group objects in AD. If "id 
Sirius\\administrator" does not work, that might already point to missing 
data in AD. The requirement is that the user has a uidNumber defined, and 
the user's primary group in AD has to have a gidNumber defined. Note that 
a gidNumber defined for the user is not read by Spectrum Scale at this 
point. All uidNumber and gidNumber attributes have to fall in the defined 
range (10000-20000).

If verifying the above points does not help, then a winbindd trace might 
help to point to the missing step:

/usr/lpp/mmfs/bin/smbcontrol winbindd debug 10

id Sirius\\administrator

/usr/lpp/mmfs/bin/smbcontrol winbindd debug 1

/var/adm/ras/log.winbindd-idmap is the log file for the idmap queries; it 
might show a failing ldap query in this case.

Regards,

Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469    (T/L: 321-2469)



From:   "Mark.Bush at siriuscom.com" <Mark.Bush at siriuscom.com>
To:     gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date:   02/27/2017 12:41 PM
Subject:        [gpfsug-discuss] SMB and AD authentication
Sent by:        gpfsug-discuss-bounces at spectrumscale.org



For some reason, I just can’t seem to get this to work.  I have configured 
my protocol nodes to authenticate to AD using the following 
 
mmuserauth service create --type ad --data-access-method file --servers 
192.168.88.3 --user-name administrator --netbios-name scale --idmap-role 
master --password ********* --idmap-range-size 1000000 --idmap-range 
10000000-299999999 --enable-nfs-kerberos --unixmap-domains 
'sirius(10000-20000)'
 
 
All goes well, I see the nodes in AD and all of the wbinfo commands show 
good (id Sirius\\administrator doesn’t work though), but when I try to 
mount an SMB share (after doing all the necessary mmsmb export stuff) I 
get permission denied.  I’m curious if I missed a step (followed the docs 
pretty much to the letter).  I’m trying Administrator, mark.bush, and a 
dummy aduser I created.  None seem to gain access to the share. 
 
Protocol gurus help!  Any ideas are appreciated.
 
 

Mark R. Bush| Storage Architect
Mobile: 210-237-8415 
Twitter: @bushmr | LinkedIn: /markreedbush
10100 Reunion Place, Suite 500, San Antonio, TX 78216
www.siriuscom.com |mark.bush at siriuscom.com 
 
This message (including any attachments) is intended only for the use of 
the individual or entity to which it is addressed and may contain 
information that is non-public, proprietary, privileged, confidential, and 
exempt from disclosure under applicable law. If you are not the intended 
recipient, you are hereby notified that any use, dissemination, 
distribution, or copying of this communication is strictly prohibited. 
This message may be viewed by parties at Sirius Computer Solutions other 
than those named in the message header. This message does not contain an 
official representation of Sirius Computer Solutions. If you have received 
this communication in error, notify Sirius Computer Solutions immediately 
and (i) destroy this message if a facsimile or (ii) delete this message 
immediately if this is an electronic communication. Thank you. 
Sirius Computer Solutions _______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss






More information about the gpfsug-discuss mailing list