With Kerberos authentication, you can log on to your Windows cluster from the command prompt or submit workload as the current OS user, without having to enter your user credentials. You can also log on as a specific Active Directory (AD) user by using the AD user name and password.
Procedure
Note: As in Windows, AD user names in IBM® Spectrum Symphony are not case sensitive. The Admin user is a special user for IBM Spectrum Symphony, and you cannot use the same name with a different case, for example, admin, to represent another user.
- Log on to a host as the AD user who is mapped to the Admin user, as defined in the KERBEROS_ADMIN parameter, and run commands directly from the command prompt. The host must be in the same domain as this AD user.
  With the mapping to the Admin user, the AD user inherits the cluster administrator role of the Admin user. For example, log on to a host in the ad1 domain as the egoadmin user (ad1\egoadmin) and run commands to view resource groups, system services, and applications:
    egosh rg
    egosh service list
    soamview app
  To run a command that accepts a user name and password as a user other than the current OS user, enter, for example:
    soamview app -u ad1\mguser -x passwordmguser
- Check whether all expected users and user groups are loaded successfully to the system:
- Assign permissions for AD users to run commands or applications.
  For example, to set AD user mguser in domain ad1 as a read-only cluster administrator and AD user appuser in domain ad2 as a consumer administrator, enter:
    egosh user assignrole -u ad1\mguser -r "Cluster Admin (Read only)"
    egosh user assignrole -u ad2\appuser -r "Consumer Admin"
  Note: User names or user group names that are identical but under different domains are treated the same for user authorization purposes. After you assign a role to a user, for example, the consumer administrator role to ad2\appuser, if appuser exists in domain ad2, ad2\appuser shares the same role as ad1\appuser. In this example, ad2\appuser and ad1\appuser both are consumer administrators.
- Log on to a compute host as an AD user and run commands directly from the command prompt.
  For example, log on to a compute host in the ad1 domain as user mguser (ad1\mguser) and run commands to view system services and applications:
    egosh service list
    soamview app
- Log on to a client host as an AD user and submit workload. On client hosts, you can submit application workload with or without single sign-on:
  - With single sign-on, an AD user can run workload as the current Windows user without entering the user principal and password; the current logged-on Windows user is the logon user. To use single sign-on with applications other than the built-in ones, set the user name and password to when initializing the security callback with the callback functions. For example, the callback function for C++ applications is DefaultSecurityCallback.
  - Without single sign-on, an AD user can run workload as a specified user, by entering a user principal and password that differs from the current Windows user.
  For example, log on to a client host in the domain ad2 as appuser (ad2\appuser) and submit workload for the symping application:
    symping -u "" -x ""
  To run symping as a user other than the current OS user, enter, for example:
    symping -u ad1\egoadmin -x passwordegoadmin
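
The note in the role-assignment step says that identical user names in different domains are treated the same for authorization, and the note at the top of the procedure says names are not case sensitive. The following Python sketch is an added example, not IBM Spectrum Symphony code: it compares the planned assignrole targets with an account list and reports which other accounts would pick up a role. The account list, the function names, and the reading that any AD account named admin (in any case) collides with the Admin user are assumptions of this example.

```python
from collections import defaultdict

RESERVED = {"admin"}  # the special Admin user, compared without regard to case

# Constructed sample data: role assignments from the page, plus a made-up account list.
ASSIGNMENTS = [("ad1\\mguser", "Cluster Admin (Read only)"),
               ("ad2\\appuser", "Consumer Admin")]
KNOWN_ACCOUNTS = ["ad1\\mguser", "ad1\\AppUser", "ad2\\appuser",
                  "ad1\\egoadmin", "ad2\\ADMIN"]


def normalize(principal):
    """Return (canonical 'domain\\user', bare user name), both lower-cased."""
    domain, sep, user = principal.partition("\\")
    if not (sep and domain and user):
        raise ValueError(f"expected domain\\user, got {principal!r}")
    return f"{domain}\\{user}".lower(), user.lower()


def audit_assignments(assignments, known_accounts):
    """Find accounts that gain a role only because another domain has the same name.

    Returns (inherited, reserved_hits): inherited maps each such account to the
    role it picks up; reserved_hits lists accounts named like the Admin user.
    """
    by_name = defaultdict(set)          # bare user name -> accounts in any domain
    for account in known_accounts:
        canonical, user = normalize(account)
        by_name[user].add(canonical)

    explicit = {}                       # accounts named in an assignrole command
    for principal, role in assignments:
        canonical, _ = normalize(principal)
        explicit[canonical] = role

    inherited = {}
    for canonical, role in explicit.items():
        user = canonical.split("\\", 1)[1]
        for other in by_name.get(user, ()):
            if other not in explicit:
                inherited[other] = role

    reserved_hits = sorted(a for name in RESERVED for a in by_name.get(name, ()))
    return inherited, reserved_hits


if __name__ == "__main__":
    inherited, reserved_hits = audit_assignments(ASSIGNMENTS, KNOWN_ACCOUNTS)
    for account, role in sorted(inherited.items()):
        print(f"{account} also receives role: {role}")
    for account in reserved_hits:
        print(f"{account} collides with the special Admin user name")
```

Running the check before assigning a role shows whether a same-named account in another domain would be granted access that was intended for one domain only.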