[gpfsug-discuss] Spectrum Scale CES adds only Domain Admin to local Administrators group
Engeli Willi (ID SD)
willi.engeli at id.ethz.ch
Thu Mar 30 15:23:40 BST 2017
>-Last time I checked simply adding a normal computer object to the domain
didn't add the account of the adding user to the local administrators group
and CES is no exception.
We previously used a competitor product as a NAS system. With that
system, we were able to define virtual NAS servers, each one joined as an
independent object to AD. When joined, we found the 'Domain Admin' group and
the joining user as members of the local administrators group of that virtual
server.
Since our AD is quite big, it is structured into many OUs. We as the Storage
OU have OU admin rights, but we are not members of the "Domain Admin" group.
Looking back, we were able by ourselves to add the required groups as needed
to the local Administrators group of the NAS server.
Why is this important? Since we have quite a mix of OSes accessing our shares,
some of them create exclusive access rights at the time they create profiles
etc. At the end of the lifecycle, one needs to delete those files via the
SMB / NFSv4 protocol, which is difficult without access rights. On the
other hand, we have seen situations where one OS corrupted the ACL and
could not access it anymore. This also needs to be handled by us, which gives
us a hard time when we are not members of the administrators group. I.e. the
MS tool subinacl checks the privileges before trying to modify ACLs, and if
one is not a member of the Administrators group, not all required privileges
are granted.
>-Is it a political reason why you cannot ask your Domain Admin team to add
you to the admin group for your CES cluster object? From there you can
manage it yourself.
Yes and no. We have a clear boundary, where we need to be able to manage the
AD objects, and for security reasons it seems to make sense to not use Domain
Admin accounts for this kind of work (statement of our AD group).
So much for the situation, did I miss something?
Willi
-----Original Message-----
From: gpfsug-discuss-bounces at spectrumscale.org
[mailto:gpfsug-discuss-bounces at spectrumscale.org] On Behalf Of
gpfsug-discuss-request at spectrumscale.org
Sent: Thursday, 30 March 2017 16:02
To: gpfsug-discuss at spectrumscale.org
Subject: gpfsug-discuss Digest, Vol 62, Issue 77
Today's Topics:
1. Spectrum Scale CES adds only Domain Admin to local
Administrators group (Engeli Willi (ID SD))
2. Re: Spectrum Scale CES adds only Domain Admin to local
Administrators group (Sobey, Richard A)
3. Re: Spectrum Scale CES adds only Domain Admin to local
Administrators group (Laurence Horrocks-Barlow)
----------------------------------------------------------------------
Message: 1
Date: Thu, 30 Mar 2017 13:29:26 +0000
From: "Engeli Willi (ID SD)" <willi.engeli at id.ethz.ch>
To: "gpfsug-discuss at spectrumscale.org"
<gpfsug-discuss at spectrumscale.org>
Subject: [gpfsug-discuss] Spectrum Scale CES adds only Domain Admin to
local Administrators group
Message-ID:
<D13CE1B679C6DC45A6A0DD4C2F8159F93E4AE1DB at MBX216.d.ethz.ch>
Content-Type: text/plain; charset="us-ascii"
Hi everybody,
In our organization, the management of AD is strictly separated from
management of storage. Since we install spectrum scale with protocol SMB and
NFS support, we need to join the systems to AD, and have at least the
joining user added as well to the local administrators group.
Any idea of how to achieve this? Asking our Domain Admin is not the correct
method to add other groups, this needs to be in our hands.
Regards Willi
------------------------------
Message: 2
Date: Thu, 30 Mar 2017 13:53:15 +0000
From: "Sobey, Richard A" <r.sobey at imperial.ac.uk>
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Subject: Re: [gpfsug-discuss] Spectrum Scale CES adds only Domain
Admin to local Administrators group
Message-ID: <AMSPR06MB4057F08111EDB6EE5584F3EDF340 at AMSPR06MB405.eurprd06.prod.outlook.com>
Content-Type: text/plain; charset="us-ascii"
Last time I checked simply adding a normal computer object to the domain
didn't add the account of the adding user to the local administrators group
and CES is no exception.
Is it a political reason why you cannot ask your Domain Admin team to add
you to the admin group for your CES cluster object? From there you can
manage it yourself.
Richard
------------------------------
Message: 3
Date: Thu, 30 Mar 2017 15:02:19 +0100
From: Laurence Horrocks-Barlow <laurence at qsplace.co.uk>
To: gpfsug-discuss at spectrumscale.org
Subject: Re: [gpfsug-discuss] Spectrum Scale CES adds only Domain
Admin to local Administrators group
Message-ID: <2329870e-00f8-258c-187d-feec9589df93 at qsplace.co.uk>
Content-Type: text/plain; charset="windows-1252"; Format="flowed"
Hi Willi,
Could you just expand on your issue?
Are you requiring CES to bind to AD to allow authenticated users to access
your NFS/SMB shares. However you require the ability to add additional
groups to these users on the CES system?
Or are you trying to use your own account that can join the domain as a
local admin on a CES node?
-- Lauz
------------------------------
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
End of gpfsug-discuss Digest, Vol 62, Issue 77
**********************************************