RobLogie

Using Active Directory to log in to a Linux GPFS server

2018-11-22T20:40:06Z

Hi

We have Spectrum Scale version 4.2.3.10 running successfully on a number of Red Hat 7.5 servers. We have successfully used mmuserauth to enable access to GPFS SMB shares from a Windows AD environment and all is working well.

However, we would also like to integrate the Linux GPFS servers with the AD domain for authentication of user logins to the Linux GPFS servers. This is so people can use their AD accounts to log in to the Linux GPFS servers for maintenance etc.

We were initially told this could be done by using the Linux realm command to join the AD domain, which is one of the usual ways to enable access on a Linux box not running GPFS. However, when we tried this on a GPFS environment with SMB shares it broke the SMB shares. (In hindsight it makes sense that a server cannot join an AD domain twice!)

Does anyone know how to successfully configure a Linux GPFS server with SMB shares to also use AD for user login authentication?

Thanks in advance!

Rob

  • christofschmitt

    Re: Using Active Directory to log in to a Linux GPFS server

    2018-11-27T22:41:11Z

    > We have Spectrum Scale version 4.2.3.10 running successfully on a
    > number of Red Hat 7.5 servers. We have successfully used mmuserauth
    > to enable access to GPFS SMB shares from a Windows AD environment and
    > all is working well.
    >
    > However, we would also like to integrate the Linux GPFS servers with
    > the AD domain for authentication of user logins to the Linux GPFS
    > servers. This is so people can use their AD accounts to log in to
    > the Linux GPFS servers for maintenance etc.

    The challenge here is that mmuserauth explicitly targets
    authentication for protocol services. We do not configure the PAM
    module for login authentication. Even if we did, this would only
    apply to protocol nodes, as the required services are only running
    there. And third, this would be outside of the normal support.

    > We were initially told this could be done by using the Linux realm
    > command to join the AD domain, which is one of the usual ways to
    > enable access on a Linux box not running GPFS. However, when we tried
    > this on a GPFS environment with SMB shares it broke the SMB shares.
    > (In hindsight it makes sense that a server cannot join an AD domain
    > twice!)

    That might actually be the best way forward. The important point is
    that joining an Active Directory domain involves creating a computer
    account in Active Directory. "mmuserauth service create --type ad ..."
    creates an account based on provided "netbios-name" and that account
    is used from all protocol nodes.

    The realm command also creates a computer account. If the name chosen
    here is the same as the "netbios-name" from "mmuserauth", then the
    last command will overwrite the password and effectively lock out
    the other component. Without having additional details, my guess would
    be that this "broke the SMB shares".

    As the "realm" command is not cluster aware, one sensible approach
    would be configuring realm for each node, based on the actual
    hostname. Then run "mmuserauth" and choose a name different from all
    the hostnames for the "netbios-name" to avoid conflicts. This would
    avoid the conflict between the two components.

    The other consideration would be the handling of id mappings. realm
    configures sssd in the background, while "mmuserauth" is using winbind
    which is required for the SMB service. Each user should always map to
    the same uid and each group to the same gid. One approach would be
    storing uids and gids in the Active Directory user and group
    attributes. mmuserauth can be configured with --unixmap-domains to
    query those. In "man sssd-ad" this seems to be called "POSIX
    attributes" and they can be queried by setting "ldap_id_mapping =
    False".


    Christof
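Added pre-flight check for the two points in the reply above (the computer-account name collision between "realm join" and "mmuserauth --netbios-name", and the sssd "ldap_id_mapping = False" setting for AD POSIX attributes). This is example code written for this page, not from the thread or from Spectrum Scale; it assumes each node was joined with realm under its own hostname, that AD treats computer account names case-insensitively as the first DNS label truncated to 15 characters, and uses constructed node names.

```shell
# netbios_form NAME: reduce NAME to the form a computer account gets in AD
# (assumption: first DNS label, upper case, at most 15 characters).
netbios_form() {
    printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]' | cut -c1-15
}

# check_netbios_conflict NETBIOS_NAME HOST...
# Returns 1 (and names the offender on stderr) if NETBIOS_NAME would
# collide with the computer account "realm join" created for any HOST,
# i.e. the later join would overwrite that account's password. Else 0.
check_netbios_conflict() {
    wanted=$1; shift
    wanted_nb=$(netbios_form "$wanted")
    rc=0
    for h in "$@"; do
        if [ "$(netbios_form "$h")" = "$wanted_nb" ]; then
            echo "conflict: --netbios-name '$wanted' matches node '$h'" >&2
            rc=1
        fi
    done
    return $rc
}

# sssd_uses_posix_attrs SSSD_CONF
# Returns 0 when the file disables sssd's algorithmic ID mapping
# (ldap_id_mapping = False), so uid/gid come from the AD POSIX attributes,
# the same source "mmuserauth ... --unixmap-domains" queries on the winbind
# side. Both sides must agree or a user gets two different uids.
sssd_uses_posix_attrs() {
    grep -Eiq '^[[:space:]]*ldap_id_mapping[[:space:]]*=[[:space:]]*false[[:space:]]*$' "$1"
}

# Stand-alone demo with constructed node names (placeholder cluster).
if [ "${1:-}" = "--demo" ]; then
    nodes="node1.example.com node2.example.com node3.example.com"
    check_netbios_conflict GPFSCES $nodes && echo "GPFSCES is safe to use"
    check_netbios_conflict node2 $nodes || echo "node2 must not be used"
fi
```

Run it as `sh check.sh --demo`, or source it and call `check_netbios_conflict <netbios-name> $(mmlsnode -N all)`-style host lists from your own inventory before running mmuserauth.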