[gpfsug-discuss] CES file authentication - bind account deleted?
Sobey, Richard A
r.sobey at imperial.ac.uk
Tue Sep 4 14:44:28 BST 2018
Ah, thanks Markus, that’s what I was looking for.
Andrew yes, the service account has been created now, I am more interested in the “what if” we didn’t change things. I suppose this is the result of ~4 years of technical debt on our part!
Thanks,
Richard
From: gpfsug-discuss-bounces at spectrumscale.org <gpfsug-discuss-bounces at spectrumscale.org> On Behalf Of Markus Rohwedder
Sent: 04 September 2018 14:41
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Cc: gpfsug-discuss-bounces at spectrumscale.org
Subject: Re: [gpfsug-discuss] CES file authentication - bind account deleted?
Hello.
the user name should not matter for operations beyon domain join.
mmuserauth man page:
--user-name userName
....
In case of --type ad with
--data-access-method file, the specified username
is used to join the cluster to AD domain. It results in
creating a machine account for the cluster based on the
--netbios-name specified in the command. After
successful configuration, the cluster connects with its
machine account, and not the user used during the domain
join. So the specified username after domain join has no
role to play in communication with the AD domain
controller and can be even deleted from the AD server.
The cluster can still keep using AD for authentication
via the machine account created.
Mit freundlichen Grüßen / Kind regards
Dr. Markus Rohwedder
Spectrum Scale GUI Development
________________________________
Phone:
+49 7034 6430190
IBM Deutschland Research & Development
[cid:image002.png at 01D4445D.C716BB30]
E-Mail:
rohwedder at de.ibm.com<mailto:rohwedder at de.ibm.com>
Am Weiher 24
65451 Kelsterbach
Germany
________________________________
[Inactive hide details for "Andrew Beattie" ---04.09.2018 15:18:43---Hi Richard,]"Andrew Beattie" ---04.09.2018 15:18:43---Hi Richard,
From: "Andrew Beattie" <abeattie at au1.ibm.com<mailto:abeattie at au1.ibm.com>>
To: gpfsug-discuss at spectrumscale.org<mailto:gpfsug-discuss at spectrumscale.org>
Cc: gpfsug-discuss at spectrumscale.org<mailto:gpfsug-discuss at spectrumscale.org>
Date: 04.09.2018 15:18
Subject: Re: [gpfsug-discuss] CES file authentication - bind account deleted?
Sent by: gpfsug-discuss-bounces at spectrumscale.org<mailto:gpfsug-discuss-bounces at spectrumscale.org>
________________________________
Hi Richard,
If you are setting up Protocol authentication against the active directory,
would you not choose to use a service account that isn't going to get deleted?
If you choose to use an user account of a Sys Admin who has Domain admin privileges and they leave the company and their account is deleted, you would almost certainly have issues with the Scale cluster trying to validate users permissions and having scale get an error from AD when the credentials that it uses are no longer valid.
Andrew Beattie
Software Defined Storage - IT Specialist
Phone: 614-2133-7927
E-mail: abeattie at au1.ibm.com<mailto:abeattie at au1.ibm.com>
----- Original message -----
From: "Sobey, Richard A" <r.sobey at imperial.ac.uk<mailto:r.sobey at imperial.ac.uk>>
Sent by: gpfsug-discuss-bounces at spectrumscale.org<mailto:gpfsug-discuss-bounces at spectrumscale.org>
To: "'gpfsug-discuss at spectrumscale.org'" <gpfsug-discuss at spectrumscale.org<mailto:gpfsug-discuss at spectrumscale.org>>
Cc:
Subject: [gpfsug-discuss] CES file authentication - bind account deleted?
Date: Tue, Sep 4, 2018 8:45 AM
Hi all,
I don’t like using long subject lines as a rule so it probably doesn’t make sense, but consider:
FILE access configuration : AD
PARAMETERS VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS true
SERVERS domaincontroller.ic.ac.uk
USER_NAME joebloggs at IC.AC.UK<mailto:joebloggs at IC.AC.UK>
NETBIOS_NAME store
IDMAP_ROLE master
IDMAP_RANGE 10000000-299999999
IDMAP_RANGE_SIZE 1000000
UNIXMAP_DOMAINS IC(500 - 2000000)
LDAPMAP_DOMAINS none
If “joebloggs” was to leave the organization and that account deleted from Active Directory, what is the impact on file authentication in CES?
Thanks
Richard
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20180904/4eaba69c/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 166 bytes
Desc: image001.png
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20180904/4eaba69c/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 4659 bytes
Desc: image002.png
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20180904/4eaba69c/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.gif
Type: image/gif
Size: 105 bytes
Desc: image003.gif
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20180904/4eaba69c/attachment.gif>
More information about the gpfsug-discuss
mailing list