[gpfsug-discuss] SMB and AD authentication
Christof Schmitt
christof.schmitt at us.ibm.com
Mon Feb 27 19:59:46 GMT 2017
--unixmap-domains 'sirius(10000-20000)'
specifies that for the domain SIRIUS, all uid and gids are stored as
rfc2307 attributes in the user and group objects in AD. If "id
Sirius\\administrator" does not work, that might already point to missing
data in AD. The requirement is that the user has a uidNumber defined, and
the user's primary group in AD has to have a gidNumber defined. Note that
a gidNumber defined for the user is not read by Spectrum Scale at this
point. All uidNumber and gidNumber attributes have to fall in the defined
range (10000-20000).
If verifying the above points does not help, then a winbindd trace might
help to point to the missing step:
/usr/lpp/mmfs/bin/smbcontrol winbindd debug 10
id Sirius\\administrator
/usr/lpp/mmfs/bin/smbcontrol winbindd debug 1
/var/adm/ras/log.winbindd-idmap is the log file for the idmap queries; it
might show a failing ldap query in this case.
Regards,
Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
christof.schmitt at us.ibm.com || +1-520-799-2469 (T/L: 321-2469)
From: "Mark.Bush at siriuscom.com" <Mark.Bush at siriuscom.com>
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date: 02/27/2017 12:41 PM
Subject: [gpfsug-discuss] SMB and AD authentication
Sent by: gpfsug-discuss-bounces at spectrumscale.org
For some reason, I just can’t seem to get this to work. I have configured
my protocol nodes to authenticate to AD using the following
mmuserauth service create --type ad --data-access-method file --servers
192.168.88.3 --user-name administrator --netbios-name scale --idmap-role
master --password ********* --idmap-range-size 1000000 --idmap-range
10000000-299999999 --enable-nfs-kerberos --unixmap-domains
'sirius(10000-20000)'
All goes well, I see the nodes in AD and all of the wbinfo commands show
good (id Sirius\\administrator doesn’t work though), but when I try to
mount an SMB share (after doing all the necessary mmsmb export stuff) I
get permission denied. I’m curious if I missed a step (followed the docs
pretty much to the letter). I’m trying Administrator, mark.bush, and a
dummy aduser I created. None seem to gain access to the share.
Protocol gurus help! Any ideas are appreciated.
Mark R. Bush| Storage Architect
Mobile: 210-237-8415
Twitter: @bushmr | LinkedIn: /markreedbush
10100 Reunion Place, Suite 500, San Antonio, TX 78216
www.siriuscom.com |mark.bush at siriuscom.com
This message (including any attachments) is intended only for the use of
the individual or entity to which it is addressed and may contain
information that is non-public, proprietary, privileged, confidential, and
exempt from disclosure under applicable law. If you are not the intended
recipient, you are hereby notified that any use, dissemination,
distribution, or copying of this communication is strictly prohibited.
This message may be viewed by parties at Sirius Computer Solutions other
than those named in the message header. This message does not contain an
official representation of Sirius Computer Solutions. If you have received
this communication in error, notify Sirius Computer Solutions immediately
and (i) destroy this message if a facsimile or (ii) delete this message
immediately if this is an electronic communication. Thank you.
Sirius Computer Solutions _______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
More information about the gpfsug-discuss
mailing list