Authentication limitations

Consider the following authentication limitations when you configure and manage the IBM Spectrum Scale system:

Object access limitations

The following limitations exist for Active Directory (AD)-based authentication for object access:
  • Only a single AD server is used. If the configured AD server is down, Keystone authentication fails.
  • Multiple AD domains are not supported.
  • Only Windows 2008 R2 and later are supported.
  • Authentication is supported only for read access to the AD server. You cannot create a new user and modify or delete an existing user from the IBM Spectrum Scale system. Only the AD server administrator can do these tasks.
The following limitations exist for Lightweight Directory Access Protocol (LDAP)-based authentication for object access:
  • Only a single LDAP server is used. If the configured LDAP server is down, Keystone authentication fails.
  • Only LDAP servers compatible with LDAP RFC 4511 are supported.
  • Authentication is supported only for read access to the LDAP server. You cannot create a new user and modify or delete an existing user from the IBM Spectrum Scale system. Only the LDAP server administrator can do these tasks.

File access limitations

AD based authentication

NFS with server-side group lookup and Active Directory authentication is only supported for Kerberized NFS access. The reason is that obtaining the group membership of a user on a CES node is only possible after that user has authenticated on that node. With SMB, each new session is authenticated initially, which is sufficient to provide that information. With NFS, only Kerberized access can reliably provide the required information when Active Directory is used.

The following limitations exist for AD with automatic ID mapping:
  • No support is provided for migrating the internally generated user and group ID maps to an external ID mapping server. If data is stored on the IBM Spectrum Scale system with AD and automatic ID mapping, adding RFC2307 later requires that the UIDs and GIDs that are used internally by the IBM Spectrum Scale system match the UIDs and GIDs stored in RFC2307. Matching is not possible if conflicting UIDs and GIDs are already stored in RFC2307. To avoid potential conflicts, configure the IBM Spectrum Scale system by using AD and RFC2307 from the beginning.
  • Although AD along with automatic ID mapping can be used to have the same ID maps between systems that are in AFM relationship, this configuration is not a complete replacement for RFC2307. This configuration can be used in a predominantly SMB only setup, where NFS users are not already present in the environment. If NFS users are preexisting in the customer environment and these users intend to access the data with SMB users, then RFC2307 is mandatory.
  • When AD-based authentication is used, SMB protocol access is Kerberized by default. Access the system by using the NetBIOS name that is specified in the command.
The following limitations exist for AD with RFC2307:
  • Enabling RFC2307 for a trusted domain requires a two-way trust between the native and the trusted domains.
  • To access the IBM Spectrum Scale system, users and groups must have a valid UID/GID assigned to them in AD. For user access, the Windows group membership is evaluated on the IBM Spectrum Scale system. Hence, the user's primary group is taken to be the Microsoft Windows primary group, not the UNIX primary group that is listed on the UNIX Attributes tab in the user's properties. Therefore, the user's primary Microsoft Windows group must be assigned a valid GID.
  • The mmuserauth service create command does not check the two-way trust between the native domain and the RFC2307 domain that is required for ID mapping services to function properly. The customer is responsible for configuring the two-way trust relationship between these domains. The customer is responsible for assigning UIDs to users and GIDs to groups. The command does not return an error if a UID or GID is not assigned.

LDAP-based authentication

The following limitations exist for LDAP-based authentication:
  • Users with the same user name from different organizational units under the specified baseDN in the LDAP server are denied access to SMB shares irrespective of the LDAP user suffix and LDAP group suffix values configured on the system.
  • If multiple LDAP servers are specified during configuration, at any point in time, only one LDAP server is used.
  • LDAP referrals are not supported.
  • ACL management through Windows clients is not supported.
  • Only LDAP servers that implement RFC2307 schema are supported.

General limitations for file access

The following general limitations exist:
  • When the SMB service is stopped on a protocol node, with any AD-based authentication method, the NFS-based access is also affected on that protocol node.
  • When Microsoft Active Directory (AD) is used as an authentication system, the IBM Spectrum Scale system supports only the NetBIOS logon name for authentication and not the User Principal Name (UPN). Active Directory replaces some of the special characters that are used in the UPN with the underscore character (hexadecimal value 0x5F) for the related NetBIOS logon name of the user. For the complete list of the special characters that are replaced in the NetBIOS logon name, see the Microsoft Active Directory documentation. Follow these steps to locate the NetBIOS logon name for an Active Directory domain user:
    1. From the Windows Start menu, select Administrative Tools > Active Directory Users and Computers.
    2. Right-click the Active Directory Domain user for which you require the NetBIOS logon name.
    3. Select Properties > Account Tab and check the value of the User logon name field (pre-Windows 2000).
  • Authentication configuration commands restart the IBM Spectrum Scale protocol services such as SMB and NFS. The protocol services resume a few seconds after an authentication configuration command completes.
  • For file data access, switching or migrating from one authentication method to another is not supported, because it might lead to loss of access to the data on the system.
  • The IBM Spectrum Scale system does not support authentication servers (AD, LDAP, and NIS) that are running on virtual machines that are stored on an SMB or NFS export. The IBM Spectrum Scale system requires the authentication server to be running while you are configuring authentication and while the server is handling connection requests over protocols. The virtualizer cannot boot the authentication server unless the protocols are configured for authentication and data is ready to be served over the exports.
  • The length of a user name or a group name of the users and groups that need to access the data cannot be more than 32 characters.
  • The NFSV4 clients must be configured with the same authentication and ID mapping server as the IBM Spectrum Scale system. The IBM Spectrum Scale system does not support an NFSV4 client that is configured with different authentication and ID mapping servers.
  • AIX® clients follow a different methodology to integrate with AD, and hence, NFSV4-based access from AIX clients to IBM Spectrum Scale is not supported when CES services are configured for AD and variations of AD-based authentication schemes.
  • Based on the hardware platform that the protocol nodes are configured on, consider the group ID resolution in relation to the limitation that is described in the IBM Spectrum Scale FAQ. For more information, see IBM Spectrum Scale FAQs.
  • With regard to the AD-based authentication scheme, the following considerations apply to configuring an NFS server to look up group membership information for an accessing NFS user:
    • The server-side group lookup functionality, which is enabled by setting the MANAGE_GIDS flag in the NFS configuration, works only after the user makes a valid authentication connection over CIFS.
    • You must make a valid authentication connection to the protocol node that serves the public IP from which the NFS export is to be mounted.
    • If the group membership of the user on an AD server changes, you must make a new valid CIFS connection to the protocol node that serves the public IP from which the NFS export is to be mounted. This new connection reflects the changes on the protocol node of the CES cluster.
    • It is a good practice to make a valid authentication connection over CIFS to all the protocol nodes that participate in group membership evaluations. This practice results in uniform membership evaluations on all the protocol nodes of the CES cluster.
  • To use NFSV4 ID mapping, you must set the NFS ID map domain on the IBM Spectrum Scale protocol nodes and you must configure the same NFS ID map domain on every NFS client. The following example demonstrates how to configure NFSV4 ID mapping.
    1. Issue the mmnfs config list command.

       The system displays the following output, which shows that the ID map domain is not set:

       Idmapd Configuration
       ====================
       ====================

    2. Enter the following command to set the NFS ID map domain:

       mmnfs config change IDMAPD_DOMAIN=MY_IDMAP_DOMAIN

    3. Issue the mmnfs config list command to verify that the ID map domain is set.

       The system displays this output:

       Idmapd Configuration
       =======================
       DOMAIN: MY_IDMAP_DOMAIN
       =======================
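The procedure above sets the ID map domain on the protocol nodes, but the same domain must also be present on every NFSv4 client. The following added example (not part of the IBM documentation) extracts the DOMAIN value from captured mmnfs config list output and the Domain setting from a client's idmapd.conf and compares them; the sample texts are constructed, and a mismatched or unset domain is the case that leads to file owners showing up as nobody on the client.

```shell
#!/bin/sh
# Added example: verify that an NFSv4 client's idmapd domain matches the
# IDMAPD_DOMAIN configured on the IBM Spectrum Scale CES cluster.
# Both functions read text on stdin, so they work on captured output offline.

# Extract DOMAIN from the "Idmapd Configuration" section of mmnfs config list.
# Prints nothing when the domain is not set (the step 1 output above).
server_idmap_domain() {
    sed -n 's/^[[:space:]]*DOMAIN:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Extract Domain from a client's /etc/idmapd.conf. Lines commented out with
# '#' are ignored, which is how an unconfigured client usually looks.
client_idmap_domain() {
    sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Returns 0 when the cluster domain is set and equals the client domain.
idmap_domains_match() {
    server="$1"; client="$2"
    [ -n "$server" ] && [ "$server" = "$client" ]
}

# Constructed sample inputs, mirroring the step 3 output above and a typical
# client idmapd.conf (file contents would normally come from the client).
SERVER_OUTPUT='Idmapd Configuration
=======================
DOMAIN: MY_IDMAP_DOMAIN
======================='
CLIENT_CONF='[General]
#Domain = localdomain
Domain = MY_IDMAP_DOMAIN
[Mapping]
Nobody-User = nobody'

srv=$(printf '%s\n' "$SERVER_OUTPUT" | server_idmap_domain)
cli=$(printf '%s\n' "$CLIENT_CONF" | client_idmap_domain)
if idmap_domains_match "$srv" "$cli"; then
    echo "OK: cluster and client both use NFSv4 ID map domain '$srv'"
else
    echo "MISMATCH: cluster='$srv' client='$cli' (owners will map to nobody)" >&2
fi
```

On a real client, replace the CLIENT_CONF sample with `cat /etc/idmapd.conf` and the SERVER_OUTPUT sample with the output of mmnfs config list taken on a protocol node.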