Authentication limitations

Consider the following authentication limitations when you configure and manage the IBM Spectrum Scale™ system:

Object access limitations

For Active Directory (AD)-based authentication for object access:
  • Only a single AD server is used. If the configured AD server is down, Keystone authentication fails.
  • Multiple AD domains are not supported.
  • Only Windows 2008 R2 and later are supported.
  • Only read access to the AD server is supported. That is, you are not authorized to create a new user and modify or delete an existing user from the IBM Spectrum Scale system. Only the AD server administrator can do these tasks.
For Lightweight Directory Access Protocol (LDAP)-based authentication for object access:
  • Only a single LDAP server is used. If the configured LDAP server is down, Keystone authentication fails.
  • Only LDAP servers compatible with LDAP RFC 4511 are supported.
  • Only read access to the LDAP server is supported. That is, you are not authorized to create a new user and modify or delete an existing user from the IBM Spectrum Scale system. Only the LDAP server administrator can do these tasks.

File access limitations

AD based authentication

For AD with automatic ID mapping:
  • Migrating the internally generated user and group ID maps to an external ID mapping server is not supported. If data is stored on the IBM Spectrum Scale system with AD and automatic ID mapping, adding RFC2307 later requires the UIDs and GIDs that are used internally by the IBM Spectrum Scale system to match the UIDs and GIDs stored in RFC2307. This is not possible if conflicting UIDs and GIDs are already stored in RFC2307. To avoid potential conflicts, configure the IBM Spectrum Scale system with AD and RFC2307 right from the beginning.
  • Although AD with automatic ID mapping can be used to have the same ID maps between systems that are in an AFM relationship, this configuration is not a complete replacement for RFC2307. It can be used in a predominantly SMB-only setup, where NFS users are not already present in the environment. If NFS users already exist in the customer environment and those users intend to access the data alongside SMB users, then RFC2307 is mandatory.
  • When AD-based authentication is used, SMB protocol access is kerberized by default. Access the system by using the NetBIOS name that is specified in the command.
  • Kerberized NFSv3-based access is not supported with AD as an authentication server.
For AD with RFC2307:
  • Enabling RFC2307 for a trusted domain requires a two-way trust between the native and the trusted domains.
  • To access the IBM Spectrum Scale system, users and groups must have a valid UID/GID assigned to them in AD. For user access, the Windows group memberships are evaluated on the IBM Spectrum Scale system. Hence, a user's primary group is taken to be the Microsoft Windows primary group and not the UNIX primary group that is listed in the UNIX attribute tab in the user's properties. Therefore, the user's primary Microsoft Windows group must be assigned a valid GID.
  • The mmuserauth service create command does not check the two-way trust between the native domain and the RFC2307 domain that is required for ID mapping services to function properly. The customer is responsible for configuring the two-way trust relationship between these domains. The customer is responsible for assigning UIDs to users and GIDs to groups. The command does not return an error if a UID or GID is not assigned.
  • Multiprotocol access of protocol exports is only allowed between NFSV4 and SMB. That is, you cannot access the same export by using both NFSV3 and SMB protocols.
  • Kerberized NFSv3-based access is not supported by AD as an authentication server.
LDAP based authentication
  • Users with the same user name from different organizational units under the specified baseDN in the LDAP server are denied access to SMB shares irrespective of the LDAP user suffix and LDAP group suffix values configured on the system.
  • If multiple LDAP servers are specified during configuration, at any point in time, only one LDAP server is used.
  • LDAP referrals are not supported.
  • ACL management through Windows clients is not supported.
  • Only LDAP servers that implement RFC2307 schema are supported.
General limitations for file access
  • When the SMB service is stopped on a protocol node, with AD with RFC2307 authentication as the authentication method, the NFS based access also gets affected on that protocol node.
  • When using Microsoft Active Directory (AD) as an authentication system, the IBM Spectrum Scale system supports only the NetBIOS logon name for authentication and not the User Principal Name (UPN). Active Directory replaces some of the special characters that are used in the UPN with the underscore character (hexadecimal value 0x5F) in the related NetBIOS logon name of the user. For the complete list of the special characters that are replaced in the NetBIOS logon name, see the Microsoft Active Directory documentation. Follow these steps to locate the NetBIOS logon name for an Active Directory domain user:
    1. From the Windows Start menu, select Administrative Tools > Active Directory Users and Computers
    2. Right-click the Active Directory Domain user for which you require the NetBIOS logon name
    3. Select Properties > Account Tab and check the value of the User logon name (pre-Windows 2000): field
  • Authentication configuration commands restart the IBM Spectrum Scale protocol services such as SMB and NFS. The protocol services resume a few seconds after an authentication configuration command completes.
  • For file data access, switching or migrating from one authentication method to another is not supported, since it may lead to loss of access to the data on the system.
  • The IBM Spectrum Scale system does not support authentication servers (AD, LDAP, and NIS) that are running on virtual machines that are stored on an SMB or NFS export. The IBM Spectrum Scale system requires the authentication server to be running, while configuring authentication and while serving connection requests over protocols. The virtualizer cannot boot the authentication server unless the protocols are configured for authentication and data is ready to be served over the exports.
  • The length of a user name or a group name of the users and groups who need to access the data cannot be more than 32 characters.
  • The NFSV4 clients must be configured with the same authentication and ID mapping server as that of the IBM Spectrum Scale system. The IBM Spectrum Scale system does not support an NFSV4 client configured with different authentication and ID mapping servers.
  • Based on the hardware platform the protocol nodes are configured on, consider the group ID resolution as per the limitation described in the IBM Spectrum Scale FAQ. For more information, see IBM Spectrum Scale FAQs.
  • In order to use NFSV4 ID mapping, the NFS ID map domain needs to be set on the IBM Spectrum Scale protocol nodes and the same NFS ID map domain must be configured on every NFS client. Below is an example of how to configure NFSV4 ID mapping.
    1. Issue the mmnfs configuration list command.

      The system displays this output, showing that the ID map domain is not set:

      IDMAPD Configuration
      ====================
      ====================

    2. Enter the following command to set the NFS ID map domain:
      mmnfs configuration change IDMAPD_DOMAIN=MY_IDMAP_DOMAIN
    3. Issue the mmnfs configuration list command to verify that the ID map domain is set.

      The system displays this output:

      IDMAPD Configuration
      =======================
      DOMAIN: MY_IDMAP_DOMAIN
      =======================
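As an added example (not IBM code and not part of this documentation), the following POSIX shell script checks the requirement described above: it reads the DOMAIN value from captured mmnfs configuration list output and the Domain setting from an NFS client's /etc/idmapd.conf, and reports whether the protocol nodes and the client agree. The idmapd.conf layout (a Domain key in the [General] section, as in standard nfs-utils) and both sample inputs are assumptions constructed for the example.

```shell
# Added example, not IBM code: verify that an NFSv4 client's ID map domain
# matches the IDMAPD_DOMAIN set on the IBM Spectrum Scale protocol nodes.
# Assumptions: server value comes from the "DOMAIN:" line of captured
# `mmnfs configuration list` output; client value is the Domain= key in the
# [General] section of /etc/idmapd.conf (standard nfs-utils layout).

# Print the DOMAIN value from `mmnfs configuration list` output on stdin.
# Prints nothing when the domain is unset (only header and === lines).
server_idmap_domain() {
    awk -F': *' '/^[[:space:]]*DOMAIN:/ { print $2; exit }'
}

# Print the Domain= value from the [General] section of idmapd.conf on stdin,
# ignoring comment lines and same-named keys in other sections.
client_idmap_domain() {
    awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[General\]/); next }
        insec && /^[[:space:]]*#/ { next }
        insec && /^[[:space:]]*Domain[[:space:]]*=/ {
            sub(/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            print; exit
        }'
}

# Succeed (exit 0) only when both domains are set and identical; an unset
# domain on either side counts as a mismatch, since names cannot be mapped.
check_idmap_domain() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Constructed sample inputs (not real captures).
SAMPLE_MMNFS='IDMAPD Configuration
=======================
DOMAIN: MY_IDMAP_DOMAIN
======================='
SAMPLE_CLIENT='[General]
Verbosity = 0
# Domain = old.example
Domain = MY_IDMAP_DOMAIN
[Mapping]
Nobody-User = nobody'

srv=$(printf '%s\n' "$SAMPLE_MMNFS" | server_idmap_domain)
cli=$(printf '%s\n' "$SAMPLE_CLIENT" | client_idmap_domain)
if check_idmap_domain "$srv" "$cli"; then
    echo "OK: protocol nodes and client both use ID map domain $srv"
else
    echo "MISMATCH: protocol nodes '$srv' vs client '$cli'"
fi
```

On a real client, replace the constructed SAMPLE_CLIENT with the contents of /etc/idmapd.conf and SAMPLE_MMNFS with the output captured from a protocol node.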