[gpfsug-discuss] CES file authentication - bind account deleted?

Markus Rohwedder rohwedder at de.ibm.com
Tue Sep 4 14:40:33 BST 2018


Hello.

The user name should not matter for operations beyond domain join.

mmuserauth man page:

--user-name userName

....

         In case of --type ad with
         --data-access-method file, the specified username
         is used to join the cluster to AD domain. It results in
         creating a machine account for the cluster based on the
         --netbios-name specified in the command. After
         successful configuration, the cluster connects with its
         machine account, and not the user used during the domain
         join. So the specified username after domain join has no
         role to play in communication with the AD domain
         controller and can be even deleted from the AD server.
         The cluster can still keep using AD for authentication
         via the machine account created.


Mit freundlichen Grüßen / Kind regards

Dr. Markus Rohwedder

Spectrum Scale GUI Development
Phone: +49 7034 6430190
E-Mail: rohwedder at de.ibm.com

IBM Deutschland Research & Development
Am Weiher 24
65451 Kelsterbach
Germany

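Added example (not from the thread, IBM or Samba): given a "mmuserauth service list" listing like the one quoted below, derive the two AD objects an administrator should verify after the join user leaves, the join account (expected absent) and the machine account NETBIOS_NAME$ (expected present). The sample listing is constructed from the thread; the --check mode assumes ldapsearch, a Kerberos ticket and an LDAP_BASE environment variable.

```shell
#!/bin/sh
# Constructed sample mirroring the listing quoted in the thread (the list
# archive rewrites "@" as " at "; both forms are handled below).
SAMPLE_CONFIG='FILE access configuration : AD
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS      true
SERVERS                  domaincontroller.ic.ac.uk
USER_NAME                joebloggs at IC.AC.UK
NETBIOS_NAME             store
IDMAP_ROLE               master'

# config_value KEY: print the VALUE column for KEY from a listing on stdin.
config_value() {
    awk -v key="$1" '$1 == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
}

# machine_account NETBIOS: sAMAccountName of the computer object the domain
# join created; AD stores it as the upper-cased NetBIOS name plus "$".
machine_account() {
    printf '%s$\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# join_user_sam USER_NAME: strip the realm to get the join account's
# sAMAccountName ("joebloggs at IC.AC.UK" or "joebloggs@IC.AC.UK" -> joebloggs).
join_user_sam() {
    printf '%s\n' "$1" | sed -e 's/ at .*$//' -e 's/@.*$//'
}

# Live, read-only verification: run with --check on a host that can reach
# the SERVERS entry and holds a Kerberos ticket. Healthy state after the join
# user is deleted: the user search returns nothing, the machine account exists.
if [ "${1:-}" = "--check" ]; then
    server=$(printf '%s\n' "$SAMPLE_CONFIG" | config_value SERVERS)
    user=$(join_user_sam "$(printf '%s\n' "$SAMPLE_CONFIG" | config_value USER_NAME)")
    machine=$(machine_account "$(printf '%s\n' "$SAMPLE_CONFIG" | config_value NETBIOS_NAME)")
    base="${LDAP_BASE:?set LDAP_BASE, e.g. DC=example,DC=org (assumed env var)}"
    for sam in "$user" "$machine"; do
        printf '== %s ==\n' "$sam"
        ldapsearch -LLL -H "ldap://$server" -Y GSSAPI -b "$base" \
            "(sAMAccountName=$sam)" sAMAccountName userAccountControl
    done
fi
```

Replace SAMPLE_CONFIG with the real output of mmuserauth service list on your cluster before using --check.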
From:	"Andrew Beattie" <abeattie at au1.ibm.com>
To:	gpfsug-discuss at spectrumscale.org
Cc:	gpfsug-discuss at spectrumscale.org
Date:	04.09.2018 15:18
Subject:	Re: [gpfsug-discuss] CES file authentication - bind account deleted?
Sent by:	gpfsug-discuss-bounces at spectrumscale.org



Hi Richard,

If you are setting up Protocol authentication against the active directory,
would you not choose to use a service account that isn't going to get
deleted?

If you choose to use a user account of a Sys Admin who has Domain Admin
privileges and they leave the company and their account is deleted, you
would almost certainly have issues with the Scale cluster trying to
validate users' permissions and having Scale get an error from AD when the
credentials that it uses are no longer valid.


Andrew Beattie
Software Defined Storage  - IT Specialist
Phone: 614-2133-7927
E-mail: abeattie at au1.ibm.com


 ----- Original message -----
 From: "Sobey, Richard A" <r.sobey at imperial.ac.uk>
 Sent by: gpfsug-discuss-bounces at spectrumscale.org
 To: "'gpfsug-discuss at spectrumscale.org'"
 <gpfsug-discuss at spectrumscale.org>
 Cc:
 Subject: [gpfsug-discuss] CES file authentication - bind account deleted?
 Date: Tue, Sep 4, 2018 8:45 AM



 Hi all,

 I don’t like using long subject lines as a rule so it probably doesn’t
 make sense, but consider:

 FILE access configuration : AD
 PARAMETERS               VALUES
 -------------------------------------------------
 ENABLE_NFS_KERBEROS      true
 SERVERS                  domaincontroller.ic.ac.uk
 USER_NAME                joebloggs at IC.AC.UK
 NETBIOS_NAME             store
 IDMAP_ROLE               master
 IDMAP_RANGE              10000000-299999999
 IDMAP_RANGE_SIZE         1000000
 UNIXMAP_DOMAINS          IC(500 - 2000000)
 LDAPMAP_DOMAINS          none

 If “joebloggs” was to leave the organization and that account deleted from
 Active Directory, what is the impact on file authentication in CES?

 Thanks

 Richard


 _______________________________________________
 gpfsug-discuss mailing list
 gpfsug-discuss at spectrumscale.org
 http://gpfsug.org/mailman/listinfo/gpfsug-discuss


