AD authentication with RFC2307 ID mapping for overlapping unixmap domain ranges
You can configure IBM Storage Scale system authentication with Active Directory (AD) and RFC2307 ID mapping where ID ranges of multiple unixmap domains intersect.
In the RFC2307 ID mapping method, the user and group IDs (the uidNumber and gidNumber attributes) are stored and managed in the AD server, and the IBM Storage Scale system uses these IDs during file access. The RFC2307 ID mapping method is used when you want multiprotocol access, because the same UID and GID is then applied to a user whether the access comes over SMB or NFS.
Note: Make sure that users and groups across all AD domains have unique UIDs and GIDs to avoid ID collisions. When the unixmap ranges of two domains overlap, the system does not detect a UID or GID that both domains issue; two different principals that share an ID are treated as the same identity for file ownership and ACL evaluation, and the configuration command only prints a warning to this effect. Checking uniqueness is the administrator's responsibility and should be done before the ranges are enabled.
The following steps provide an example of how to configure the IBM
Storage Scale system with AD and RFC2307 ID mapping for
overlapping ID ranges of unixmap domains:
- Issue the following command as shown in this example:
# mmuserauth service create --data-access-method file --type ad --servers myADserver --user-name adUser --netbios-name specscale --idmap-role master --unixmap-domains "DOMAIN1(2000-4000); DOMAIN2(2000-4000)" --enable-overlapping-unixmap-ranges
The system displays this output:
Enter Active Directory User 'adUser' password:
Enabling Overlapping unixmap ranges. Make sure that UIDs and GIDs are unique in order to avoid ACLs or/and data access issues. See man mmuserauth for further details.
File authentication configuration completed successfully.
- Issue this command to verify the authentication configuration:
# mmuserauth service list
The system displays the following output:
FILE access configuration : AD
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS      false
SERVERS                  "*"
USER_NAME                specscale$
NETBIOS_NAME             specscale
IDMAP_ROLE               master
IDMAP_RANGE              10000000-299999999
IDMAP_RANGE_SIZE         1000000
UNIXMAP_DOMAINS          DOMAIN1(2000-4000:win);DOMAIN2(2000-4000:win)
LDAPMAP_DOMAINS          none
- Verify the user name resolution on the system. Confirm that the IDs shown are pulled from the RFC2307 attributes on the AD server: they fall inside the configured unixmap range (2000-4000 in this example) rather than inside the automatically allocated IDMAP_RANGE (10000000-299999999) that the system uses for users and groups without RFC2307 attributes.
# id DOMAIN1\\administrator
uid=2001(DOMAIN1\administrator) gid=2101(DOMAIN1\domain users) groups=2101(DOMAIN1\domain users)
# id DOMAIN2\\administrator
uid=3001(DOMAIN2\administrator) gid=3101(DOMAIN2\domain users) groups=3101(DOMAIN2\domain users)
Configuring AD using Kerberos with RFC2307 ID mapping for overlapping unixmap ranges
- Issue the following command as shown in this example:
# mmuserauth service create --data-access-method file --type ad --servers myADserver --user-name adUser --netbios-name specscale --idmap-role master --enable-nfs-kerberos --unixmap-domains "DOMAIN1(2000-4000); DOMAIN2(2000-4000)" --enable-overlapping-unixmap-ranges
The system displays this output:
Enter Active Directory User 'adUser' password:
Enabling Overlapping unixmap ranges. Make sure that UIDs and GIDs are unique in order to avoid ACLs or/and data access issues. See man mmuserauth for further details.
File authentication configuration completed successfully.
- Issue this command to verify the authentication configuration:
# mmuserauth service list
The system displays the following output:
FILE access configuration : AD
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS      true
SERVERS                  "*"
USER_NAME                specscale$
NETBIOS_NAME             specscale
IDMAP_ROLE               master
IDMAP_RANGE              10000000-299999999
IDMAP_RANGE_SIZE         1000000
UNIXMAP_DOMAINS          DOMAIN1(2000-4000:win);DOMAIN2(2000-4000:win)
LDAPMAP_DOMAINS          none
- Verify the user name resolution on the system. Confirm that the IDs shown are pulled from the RFC2307 attributes on the AD server: they fall inside the configured unixmap range (2000-4000 in this example) rather than inside the automatically allocated IDMAP_RANGE (10000000-299999999) that the system uses for users and groups without RFC2307 attributes.
# id DOMAIN1\\administrator
uid=2001(DOMAIN1\administrator) gid=2101(DOMAIN1\domain users) groups=2101(DOMAIN1\domain users)
# id DOMAIN2\\administrator
uid=3001(DOMAIN2\administrator) gid=3101(DOMAIN2\domain users) groups=3101(DOMAIN2\domain users)
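Both procedures above (with and without NFS Kerberos) rely on the administrator having verified that no UID or GID is issued by more than one unixmap domain, because mmuserauth only warns about the overlap and does not check the directory contents. The following POSIX shell script is an added example, not IBM code and not part of the product: it takes a list of principals in an assumed DOMAIN:name:uid:gid format (which you would export from the uidNumber and gidNumber attributes of each domain) and reports every UID and GID that appears under more than one domain, so the check can gate the mmuserauth command. The sample data is constructed for the example and does not come from a real directory.

```shell
#!/bin/sh
# Added example (not IBM code): verify that RFC2307 uidNumber/gidNumber values
# are unique across the unixmap domains before enabling overlapping ranges.
# Assumed input format, one principal per line:  DOMAIN:name:uid:gid
# Build it from each domain's uidNumber/gidNumber attributes; the mmuserauth
# command itself performs no such check and only prints a warning.

# Constructed sample data, not taken from a real directory.
# DOMAIN2\svc_backup reuses uid 2001, and gid 2101 is issued by both domains.
SAMPLE_IDS='DOMAIN1:administrator:2001:2101
DOMAIN1:alice:2002:2101
DOMAIN2:administrator:3001:3101
DOMAIN2:svc_backup:2001:3101
DOMAIN2:bob:3002:2101'

# Read DOMAIN:name:uid:gid lines on stdin and print one line per ID value that
# is issued by more than one domain:  "<id> DOMAIN\name DOMAIN\name ..."
# $1 selects the column to check: 3 for UIDs, 4 for GIDs.
report_cross_domain_collisions() {
    awk -F: -v col="$1" '
        # count the distinct domains that issue each id
        !(($col, $1) in seen) { seen[$col, $1] = 1; ndom[$col]++ }
        # remember every principal carrying the id, in input order
        { owners[$col] = owners[$col] (owners[$col] == "" ? "" : " ") $1 "\\" $2 }
        END { for (id in ndom) if (ndom[id] > 1) print id " " owners[id] }
    ' | sort -n
}

uid_collisions() { report_cross_domain_collisions 3; }
gid_collisions() { report_cross_domain_collisions 4; }

# Gate: returns 0 only when no UID and no GID is shared across domains,
# otherwise prints the offending IDs and returns 1.
check_unique_ids() {
    uids=$(printf '%s\n' "$1" | uid_collisions)
    gids=$(printf '%s\n' "$1" | gid_collisions)
    [ -z "$uids" ] && [ -z "$gids" ] && return 0
    [ -n "$uids" ] && printf 'UID issued by more than one domain:\n%s\n' "$uids"
    [ -n "$gids" ] && printf 'GID issued by more than one domain:\n%s\n' "$gids"
    return 1
}

# Stand-alone run against the constructed sample: both collisions are reported.
if check_unique_ids "$SAMPLE_IDS"; then
    echo "IDs are unique across domains; safe to use --enable-overlapping-unixmap-ranges"
else
    echo "Resolve the collisions above before enabling overlapping unixmap ranges"
fi
```

Run it with the real export of both domains instead of SAMPLE_IDS; the script exits non-zero on any shared ID, so it can be placed in front of the mmuserauth service create call in a change script. A user whose ID is reported here would resolve, after configuration, to the same uid as a principal in the other domain, which is exactly the ACL and data access problem the command's warning refers to.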