[gpfsug-discuss] CES file authentication - bind account deleted?

Sobey, Richard A r.sobey at imperial.ac.uk
Tue Sep 4 14:44:28 BST 2018


Ah, thanks Markus, that’s what I was looking for.

Andrew yes, the service account has been created now, I am more interested in the “what if” we didn’t change things. I suppose this is the result of ~4 years of technical debt on our part!

Thanks,
Richard


From: gpfsug-discuss-bounces at spectrumscale.org <gpfsug-discuss-bounces at spectrumscale.org> On Behalf Of Markus Rohwedder
Sent: 04 September 2018 14:41
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Cc: gpfsug-discuss-bounces at spectrumscale.org
Subject: Re: [gpfsug-discuss] CES file authentication - bind account deleted?


Hello.

The user name should not matter for operations beyond the domain join.

mmuserauth man page:

--user-name userName

....

In case of --type ad with
--data-access-method file, the specified username
is used to join the cluster to AD domain. It results in
creating a machine account for the cluster based on the
--netbios-name specified in the command. After
successful configuration, the cluster connects with its
machine account, and not the user used during the domain
join. So the specified username after domain join has no
role to play in communication with the AD domain
controller and can be even deleted from the AD server.
The cluster can still keep using AD for authentication
via the machine account created.


Mit freundlichen Grüßen / Kind regards

Dr. Markus Rohwedder

Spectrum Scale GUI Development

________________________________

Phone: +49 7034 6430190
IBM Deutschland Research & Development
E-Mail: rohwedder at de.ibm.com
Am Weiher 24
65451 Kelsterbach
Germany

________________________________


From: "Andrew Beattie" <abeattie at au1.ibm.com>
To: gpfsug-discuss at spectrumscale.org
Cc: gpfsug-discuss at spectrumscale.org
Date: 04.09.2018 15:18
Subject: Re: [gpfsug-discuss] CES file authentication - bind account deleted?
Sent by: gpfsug-discuss-bounces at spectrumscale.org

________________________________



Hi Richard,

If you are setting up Protocol authentication against the Active Directory,
would you not choose to use a service account that isn't going to get deleted?

If you choose to use a user account of a Sys Admin who has Domain Admin privileges, and they leave the company and their account is deleted, you would almost certainly have issues with the Scale cluster trying to validate users' permissions and having Scale get an error from AD when the credentials that it uses are no longer valid.


Andrew Beattie
Software Defined Storage - IT Specialist
Phone: 614-2133-7927
E-mail: abeattie at au1.ibm.com


----- Original message -----
From: "Sobey, Richard A" <r.sobey at imperial.ac.uk>
Sent by: gpfsug-discuss-bounces at spectrumscale.org
To: "'gpfsug-discuss at spectrumscale.org'" <gpfsug-discuss at spectrumscale.org>
Cc:
Subject: [gpfsug-discuss] CES file authentication - bind account deleted?
Date: Tue, Sep 4, 2018 8:45 AM

Hi all,

I don’t like using long subject lines as a rule so it probably doesn’t make sense, but consider:

FILE access configuration : AD

PARAMETERS            VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS   true
SERVERS               domaincontroller.ic.ac.uk
USER_NAME             joebloggs at IC.AC.UK
NETBIOS_NAME          store
IDMAP_ROLE            master
IDMAP_RANGE           10000000-299999999
IDMAP_RANGE_SIZE      1000000
UNIXMAP_DOMAINS       IC(500 - 2000000)
LDAPMAP_DOMAINS       none

If “joebloggs” was to leave the organization and that account deleted from Active Directory, what is the impact on file authentication in CES?

Thanks

Richard

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
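As an added illustration (not part of the thread and not Spectrum Scale's own code): parse the `mmuserauth service list` output Richard pasted, separate the join-time parameter (USER_NAME) from what the cluster depends on at runtime according to the man page text Markus quoted, and derive the AD computer object a defender should monitor instead. It assumes the standard AD convention that a computer account's sAMAccountName is the NetBIOS name followed by "$"; the sample is constructed from the thread with the list's address obfuscation undone.

```python
import re

# Constructed sample: the "mmuserauth service list" output quoted in the thread,
# with the mailing list's " at " obfuscation of the UPN undone.
SAMPLE = """\
FILE access configuration : AD
PARAMETERS VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS true
SERVERS domaincontroller.ic.ac.uk
USER_NAME joebloggs@IC.AC.UK
NETBIOS_NAME store
IDMAP_ROLE master
IDMAP_RANGE 10000000-299999999
IDMAP_RANGE_SIZE 1000000
UNIXMAP_DOMAINS IC(500 - 2000000)
LDAPMAP_DOMAINS none
"""

# Per the man page: USER_NAME is only used while the domain join runs.
JOIN_TIME_ONLY = {"USER_NAME"}
# userAccountControl bit that marks an AD account as disabled (ACCOUNTDISABLE).
UF_ACCOUNTDISABLE = 0x0002


def parse_mmuserauth(text):
    """Parse the KEY VALUE rows below the dashed separator into a dict."""
    cfg, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True
            continue
        m = re.match(r"^([A-Z][A-Z_]*)\s+(.+?)\s*$", line)
        if in_table and m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def machine_account(cfg):
    """Computer account the cluster authenticates with after the join (assumed NETBIOS_NAME$)."""
    return cfg["NETBIOS_NAME"].upper() + "$"


def runtime_dependencies(cfg):
    """Split the config into runtime dependencies and join-only values."""
    join_only = {k: v for k, v in cfg.items() if k in JOIN_TIME_ONLY}
    runtime = {k: v for k, v in cfg.items() if k not in JOIN_TIME_ONLY}
    runtime["MACHINE_ACCOUNT"] = machine_account(cfg)
    return runtime, join_only


def computer_ldap_filter(cfg):
    """LDAP filter for the computer object whose health actually matters to CES auth."""
    return f"(&(objectClass=computer)(sAMAccountName={machine_account(cfg)}))"


def account_disabled(user_account_control):
    """True if an AD userAccountControl value has the ACCOUNTDISABLE bit set."""
    return bool(int(user_account_control) & UF_ACCOUNTDISABLE)
```

Running `runtime_dependencies(parse_mmuserauth(SAMPLE))` reports USER_NAME as join-only and STORE$ as the runtime identity; feed the returned filter to your LDAP tooling and check the object's userAccountControl with `account_disabled`.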


