[gpfsug-discuss] Active Directory Authentification

Schmied, Will will.schmied at stjude.org
Mon May 20 00:24:15 BST 2019


Hi Walid,

Without knowing any specifics of your environment, the below command is what I have used successfully across multiple clusters at 4.2.x. The binding account you specify needs to be able to add computers to the domain.

mmuserauth service create --data-access-method file --type ad --servers some_dc.foo.bar --user-name some_ad_bind_account --idmap-role master --netbios-name some_ad_computer_name --unixmap-domains "DOMAIN_NETBIOS_NAME(10000-9999999)"

10000-9999999 is the acceptable range of UID / GID for AD accounts.



Thanks,
Will


From: <gpfsug-discuss-bounces at spectrumscale.org> on behalf of "L.walid (PowerM)" <l.walid at powerm.ma>
Reply-To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date: Sunday, May 19, 2019 at 14:30
To: "gpfsug-discuss at spectrumscale.org" <gpfsug-discuss at spectrumscale.org>
Subject: [gpfsug-discuss] Active Directory Authentification

Hi,

I'm planning to integrate Active Directory with our Spectrum Scale, but it seems I'm missing something. Please note that I'm on 2 protocol nodes with only the SMB service running, Spectrum Scale 5.0.3.0 (latest version). I've tried both ways from the GUI: connect to Active Directory, and connect to LDAP.

Connect to LDAP :
mmuserauth service create --data-access-method 'file' --type 'LDAP' --servers 'powermdomain.powerm.ma:389' --user-name 'cn=walid,cn=users,dc=powerm,dc=ma' --pwd-file 'auth_pass.txt' --netbios-name 'scaleces' --base-dn 'cn=users,dc=powerm,dc=ma'
7:26 PM
Either failed to create a samba domain entry on LDAP server if not present or could not read the already existing samba domain entry from the LDAP server
7:26 PM
Detailed message:smbldap_search_domain_info: Adding domain info for SCALECES failed with NT_STATUS_UNSUCCESSFUL
7:26 PM
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
7:26 PM
pdb backend ldapsam:"ldap://powermdomain.powerm.ma:389" did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
7:26 PM
WARNING: Could not open passdb
7:26 PM
File authentication configuration failed.
7:26 PM
mmuserauth service create: Command failed. Examine previous error messages to determine cause.
7:26 PM
Operation Failed
7:26 PM
Error: Either failed to create a samba domain entry on LDAP server if not present or could not read the already existing samba domain entry from the LDAP server
Detailed message:smbldap_search_domain_info: Adding domain info for SCALECES failed with NT_STATUS_UNSUCCESSFUL
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
pdb backend ldapsam:"ldap://powermdomain.powerm.ma:389" did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
WARNING: Could not open passdb
File authentication configuration failed.
mmuserauth service create: Command failed. Examine previous error messages to determine cause.


Connect to Active Directory :
mmuserauth service create --data-access-method 'file' --type 'AD' --servers '192.168.56.5' --user-name 'walid' --pwd-file 'auth_pass.txt' --netbios-name 'scaleces' --idmap-role 'MASTER' --ldapmap-domains 'powerm.ma(type=stand-alone:ldap_srv=192.168.56.5:range=-9000000000000000-4294967296:usr_dn=cn=users,dc=powerm,dc=ma:grp_dn=cn=users,dc=powerm,dc=ma:bind_dn=cn=walid,cn=users,dc=powerm,dc=ma:bind_dn_pwd=P at ssword)'
7:29 PM
mmuserauth service create: Invalid parameter passed for --ldapmap-domain
7:29 PM
mmuserauth service create: Command failed. Examine previous error messages to determine cause.
7:29 PM
Operation Failed
7:29 PM
Error: mmuserauth service create: Invalid parameter passed for --ldapmap-domain
mmuserauth service create: Command failed. Examine previous error messages to determine cause.
--
Best regards,


Walid Largou
Senior IT Specialist

Power Maroc

Mobile : +212 621 31 98 71

Email: l.walid at powerm.ma
320 Bd Zertouni 6th Floor, Casablanca, Morocco

https://www.powerm.ma
