[gpfsug-discuss] Exporting remote GPFS mounts on a non-ces SMB share

valleru at cbio.mskcc.org valleru at cbio.mskcc.org
Fri Mar 8 16:42:17 GMT 2019


Thank you Simon.

I do remember reading your page a few years back, when I was researching this issue.
When you mentioned Custom Auth, I assumed it to be user-defined authentication from CES. However, it looks like I need to hack it a bit to get SMB working with AD?

I did not feel comfortable hacking the SMB from the CES cluster, and thus I was trying to bring up SMB outside the CES cluster. I hack almost everything in the cluster, but I leave GPFS and any of its configuration in the supported config, because if things break, I felt it might mess things up real bad.
I wish we did not have to hack our way out of this, and that IBM supported this config out of the box.

I do not understand the current requirements from CES with respect to AD or user-defined authentication, where either both SMB and NFS must be AD/LDAP authenticated or both of them user-defined.

I believe many places use just ssh keys as authentication for Linux machines, including cloud instances, while SMB obviously cannot be used with ssh-key authentication and has to be used with either LDAP or AD authentication.

Did anyone try to raise this as a feature request?

Even if I do figure out how to hack this thing and make sure that updating CES won't mess it up badly, I think I will have to do a few things to get the SIDs to match UIDs, as you mentioned.
We do not use passwords to authenticate to LDAP, and I do not want to be creating another set of passwords apart from AD, which already exists and which users authenticate to when they log in to machines.

I was thinking of bringing up something like Redhat IDM that could sync with AD and get all the usernames/SIDs and password hashes. I could then enter my current LDAP UIDs/GIDs in the Redhat IDM. IDM will automatically create UIDs/GIDs for usernames that do not have them, I believe.
In this way, when SMB authenticates with Redhat IDM, users can use their current AD Kerberos tickets or the same passwords, and I do not have to change the passwords.
It will also automatically sync with AD and create UIDs/GIDs, and thus I don't have to manually script something to create one for every person in AD.
I however need to see if I can get this to work with the institutional AD, and it might not be as smooth.

So which of the below cases will IBM most probably support? :)

1. Run SMB outside the CES cluster with the above configuration.
2. Hack SMB inside the CES cluster.

Is it that running SMB outside the CES cluster with R/W has a possibility of corrupting the GPFS filesystem?
We do not necessarily need HA with SMB, so apart from HA, what does IBM SMB do that would prevent such corruption from happening?

The reason I was expecting the usernames to be the same in LDAP and AD is that, if they are, SMB will do UID mapping by default, i.e. SMB will automatically map Windows SIDs to LDAP UIDs. I would not have to bring up Redhat IDM if this were the case. But unfortunately we have many users whose LDAP usernames differ from their AD usernames, so I guess the practical way would be to use Redhat IDM to map Windows SIDs to LDAP UIDs.

I have read about mmname2uid and mmuid2name that Andrew mentioned, but it looks like they are made to work between two GPFS clusters with different UIDs, not exactly to make SMB map Windows SIDs to LDAP UIDs.

Regards,
Lohit

On Mar 8, 2019, 2:41 AM -0600, Simon Thompson <S.J.Thompson at bham.ac.uk>, wrote:
> Hi Lohit,
>
> Custom auth sounds like it would work.
>
> NFS uses the “system” ldap, SMB can use LDAP or AD, or you can fudge it and actually use both. We came at this very early in CES and I think some of this is better in mixed mode now, but we do something vaguely related to what you need.
>
> What you’d need is data in your ldap server to map windows usernames and SIDs to Unix IDs. So for example we have in our mmsmb config:
> idmap config * : backend           ldap
> idmap config * : bind_path_group   ou=SidMap,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> idmap config * : ldap_base_dn      ou=SidMap,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> idmap config * : ldap_server       stand-alone
> idmap config * : ldap_url          ldap://localhost
> idmap config * : ldap_user_dn      uid=nslcd,ou=People,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> idmap config * : range             1000-9999999
> idmap config * : rangesize         1000000
> idmap config * : read only         yes
>
> You then need entries in the LDAP server, it could be a different server or somewhere else in the schema, but basically LDAP entries that map windows username/sid to underlying UID, e.g.:
>
> dn: uid=USERNAME,ou=People,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> uid: USERNAME
> objectClass: top
> objectClass: posixAccount
> objectClass: account
> objectClass: shadowAccount
> loginShell: /bin/bash
> uidNumber: 605436
> shadowMax: 99999
> gidNumber: 100
> homeDirectory: /rds/homes/u/USERNAME
> cn: USERS DISPLAY NAME
> structuralObjectClass: account
> entryUUID: 85a18df0-88bd-1037-9152-418eb0c7777
> creatorsName: cn=Manager,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> createTimestamp: 20180108124516Z
> entryCSN: 20180108124516.623983Z#000000#001#000000
> modifiersName: cn=Manager,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> modifyTimestamp: 20180108124516Z
>
> dn: sambaSID=S-1-5-21-1390067357-308236825-725345543-498888,ou=SidMap,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> objectClass: sambaIdmapEntry
> objectClass: sambaSidEntry
> sambaSID: S-1-5-21-1390067357-308236825-725345543-498888
> uidNumber: 605436
> structuralObjectClass: sambaSidEntry
> entryUUID: 85efa490-88bd-1037-9153-418eb0c9999
> creatorsName: cn=Manager,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> createTimestamp: 20180108124517Z
> entryCSN: 20180108124517.135744Z#000000#001#000000
> modifiersName: cn=Manager,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> modifyTimestamp: 20180108124517Z
>
> I don’t think SMB actually cares about the username matching, what it needs to be able to do is resolve the Windows SID presented to the Unix UID underneath which is how it then accesses files. i.e. it doesn’t really matter what the username in the middle is …
>
> Supported config? No. Works for what you need? Probably ...
>
> I wrote this: https://www.roamingzebra.co.uk/2015/07/smb-protocol-support-with-spectrum.html back in 2015 about what we were doing, probably much of it stands, but you might want to look at proper supported mixed mode. That is our plan at some point.
>
> Simon
>
> From: "valleru at cbio.mskcc.org" <valleru at cbio.mskcc.org>
> Date: Friday, 8 March 2019 at 00:08
> To: "Simon Thompson (IT Research Support)" <S.J.Thompson at bham.ac.uk>
> Subject: Re: [gpfsug-discuss] Exporting remote GPFS mounts on a non-ces SMB share
>
> Thank you Simon.
>
> First issue:
> I believe what I would need is a combination of user-defined authentication and AD authentication.
>
> User-defined authentication to help me export NFS and have the Linux clients authenticate users with ssh keys.
> AD-based authentication to help me export SMB with AD authentication/Kerberos to mount the filesystem on Windows machines connected to just AD.
>
> At first look, it looked like CES supports either user-defined authentication or AD-based authentication, which would not work. We do not use Kerberos or LDAP passwords for accessing the HPC clusters.
>
> Second issue:
> AD username to LDAP username mapping. I could bring up another AD/LDAP server that has the AD usernames and LDAP UIDs just for SMB authentication, but I would need to do this for all the users in the agency.
> I will try and research whether this way is easier, or mmNametoUID.
>
>
> Regards,
> Lohit
>
> On Mar 7, 2019, 5:00 PM -0600, Simon Thompson <S.J.Thompson at bham.ac.uk>, wrote:
>
> >
> > custom Auth mode
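As an added example (not code from this thread, from IBM, or from Samba), here is a small Python script that generates the sambaIdmapEntry records Simon describes from a list of (SID, uidNumber) pairs and applies the checks a practitioner would want before loading them into a read-only idmap backend: the SID is well formed and is a domain account SID, it belongs to the AD domain you actually trust (a mapping entry for a foreign domain's SID would hand that account the Unix UID), the uidNumber sits inside the configured `idmap config * : range`, and no two SIDs share a uidNumber, which would make the reverse uid-to-SID lookup ambiguous. The base DN, range, domain SID and first account are taken from Simon's posted config and entry; the second account, the function names and the `trusted_domains` parameter are assumptions made up for this example.

```python
import re

# Values from Simon's posted mmsmb/LDAP config; change these for your site.
SIDMAP_BASE = "ou=SidMap,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk"
IDMAP_RANGE = (1000, 9999999)          # idmap config * : range 1000-9999999

# A SID is S-1-<authority>-<subauthority>...; a domain account SID is the
# domain SID (S-1-5-21-a-b-c) followed by one relative identifier (RID).
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain account SID; raise ValueError otherwise."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    domain, _, rid = sid.rpartition("-")
    if not domain.startswith("S-1-5-21-"):
        # e.g. S-1-5-32-544 (BUILTIN\Administrators) is not a domain account
        raise ValueError(f"not a domain account SID: {sid!r}")
    return domain, int(rid)


def build_sidmap(pairs, trusted_domains, idmap_range=IDMAP_RANGE):
    """Validate (sid, uidNumber) pairs and return the entries to write.

    trusted_domains (hypothetical parameter): a domain SID string, or a
    collection of them for sites that map more than one AD domain. Every
    failure raises ValueError so a bad batch is rejected whole rather than
    partially loaded.
    """
    trusted = {trusted_domains} if isinstance(trusted_domains, str) else set(trusted_domains)
    lo, hi = idmap_range
    seen_sids, seen_uids = set(), set()
    entries = []
    for sid, uid in pairs:
        domain, _ = split_sid(sid)
        if domain not in trusted:
            raise ValueError(f"{sid} belongs to untrusted domain {domain}")
        if not lo <= uid <= hi:
            raise ValueError(f"uidNumber {uid} for {sid} is outside idmap range {lo}-{hi}")
        if sid in seen_sids:
            raise ValueError(f"SID {sid} listed twice")
        if uid in seen_uids:
            raise ValueError(f"uidNumber {uid} mapped twice; uid->SID lookup would be ambiguous")
        seen_sids.add(sid)
        seen_uids.add(uid)
        entries.append({"dn": f"sambaSID={sid},{SIDMAP_BASE}", "sid": sid, "uid": uid})
    return entries


def to_ldif(entries):
    """Render entries as LDIF in the shape of the sambaIdmapEntry Simon posted."""
    records = []
    for e in entries:
        records.append("\n".join([
            f"dn: {e['dn']}",
            "objectClass: sambaIdmapEntry",
            "objectClass: sambaSidEntry",
            f"sambaSID: {e['sid']}",
            f"uidNumber: {e['uid']}",
        ]))
    return "\n\n".join(records) + "\n"


# Constructed sample input: the domain SID and the first pair are the ones in
# Simon's entry; the second account is made up for this example.
DOMAIN_SID = "S-1-5-21-1390067357-308236825-725345543"
SAMPLE_PAIRS = [
    (f"{DOMAIN_SID}-498888", 605436),
    (f"{DOMAIN_SID}-498889", 605437),
]

if __name__ == "__main__":
    print(to_ldif(build_sidmap(SAMPLE_PAIRS, DOMAIN_SID)), end="")
```

Because Simon's backend is configured `read only yes`, winbind will never allocate or write a mapping itself, so every SID you expect to see on the share has to be produced by a process like this one (or the user silently fails to map); the bind account in `ldap_user_dn` only needs read access to the SidMap subtree.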