[gpfsug-discuss] CES file authentication - bind account deleted?
Markus Rohwedder
rohwedder at de.ibm.com
Tue Sep 4 14:40:33 BST 2018
Hello.
the user name should not matter for operations beyon domain join.
mmuserauth man page:
--user-name userName
....
In case of --type ad with
--data-access-method file, the specified username
is used to join the cluster to AD domain. It results in
creating a machine account for the cluster based on the
--netbios-name specified in the command. After
successful configuration, the cluster connects with its
machine account, and not the user used during the domain
join. So the specified username after domain join has no
role to play in communication with the AD domain
controller and can be even deleted from the AD server.
The cluster can still keep using AD for authentication
via the machine account created.
Mit freundlichen Grüßen / Kind regards
Dr. Markus Rohwedder
Spectrum Scale GUI Development
Phone: +49 7034 6430190 IBM Deutschland Research &
Development
E-Mail: rohwedder at de.ibm.com Am Weiher 24
65451 Kelsterbach
Germany
From: "Andrew Beattie" <abeattie at au1.ibm.com>
To: gpfsug-discuss at spectrumscale.org
Cc: gpfsug-discuss at spectrumscale.org
Date: 04.09.2018 15:18
Subject: Re: [gpfsug-discuss] CES file authentication - bind account
deleted?
Sent by: gpfsug-discuss-bounces at spectrumscale.org
Hi Richard,
If you are setting up Protocol authentication against the active directory,
would you not choose to use a service account that isn't going to get
deleted?
If you choose to use an user account of a Sys Admin who has Domain admin
privileges and they leave the company and their account is deleted, you
would almost certainly have issues with the Scale cluster trying to
validate users permissions and having scale get an error from AD when the
credentials that it uses are no longer valid.
Andrew Beattie
Software Defined Storage - IT Specialist
Phone: 614-2133-7927
E-mail: abeattie at au1.ibm.com
----- Original message -----
From: "Sobey, Richard A" <r.sobey at imperial.ac.uk>
Sent by: gpfsug-discuss-bounces at spectrumscale.org
To: "'gpfsug-discuss at spectrumscale.org'"
<gpfsug-discuss at spectrumscale.org>
Cc:
Subject: [gpfsug-discuss] CES file authentication - bind account deleted?
Date: Tue, Sep 4, 2018 8:45 AM
Hi all,
I don’t like using long subject lines as a rule so it probably doesn’t
make sense, but consider:
FILE access configuration : AD
PARAMETERS VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS true
SERVERS domaincontroller.ic.ac.uk
USER_NAME joebloggs at IC.AC.UK
NETBIOS_NAME store
IDMAP_ROLE master
IDMAP_RANGE 10000000-299999999
IDMAP_RANGE_SIZE 1000000
UNIXMAP_DOMAINS IC(500 - 2000000)
LDAPMAP_DOMAINS none
If “joebloggs” was to leave the organization and that account deleted from
Active Directory, what is the impact on file authentication in CES?
Thanks
Richard
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20180904/411306e1/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ecblank.gif
Type: image/gif
Size: 45 bytes
Desc: not available
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20180904/411306e1/attachment.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 1A629793.gif
Type: image/gif
Size: 4659 bytes
Desc: not available
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20180904/411306e1/attachment-0001.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20180904/411306e1/attachment-0002.gif>
More information about the gpfsug-discuss
mailing list