mmuserauth command

Manages the authentication configuration of file and object access protocols. The configuration allows protocol access methods to authenticate users who need to access data that is stored on the system over these protocols.

Synopsis

mmuserauth service create --data-access-method {file|object}
              --type {ldap|local|ad|nis|userdefined}
              --servers [IP address/hostname]
              {[--pwd-file PasswordFile] --user-name | --enable-anonymous-bind}
              [--base-dn]
              [--enable-server-tls] [--enable-ks-ssl]
              [--enable-kerberos] [--enable-nfs-kerberos]
              [--user-dn] [--group-dn] [--netgroup-dn]
              [--netbios-name] [--domain]
              [--idmap-role {master|subordinate}] [--idmap-range] [--idmap-range-size]
              [--user-objectclass] [--group-objectclass] [--user-name-attrib]
              [--user-id-attrib] [--user-mail-attrib] [--user-filter]
              [--ks-dns-name] [--ks-ext-endpoint]
              [--kerberos-server] [--kerberos-realm]
              [--unixmap-domains] [--enable-overlapping-unixmap-ranges] [--ldapmap-domains]

Or

mmuserauth service list [-Y] [--data-access-method {file|object|all}]

Or

mmuserauth service check [--data-access-method {file|object|all}] [-r|--rectify]
            [-N|--nodes {node-list|cesNodes}] [--server-reachability]

Or

mmuserauth service remove --data-access-method {file|object|all} [--idmapdelete]

Availability

Available on all IBM Storage Scale editions.

Description

Use the mmuserauth commands to create and manage IBM Storage Scale protocol authentication and ID mappings.

Parameters

service
Manages the authentication configuration of file and object access protocols with one of the following actions:
create
Configures authentication for file and object access protocols. The authentication methods for file and object access protocols cannot be configured in one invocation: the mmuserauth service create command must be run separately for the file access protocols and for the object access protocol.
list
Displays the details of the authentication method that is configured for both file and object access protocols.
check
Verifies the authentication method configuration details for file and object access protocols. Validates the connectivity to the configured authentication servers. It also supports corrections to the configuration details on the erroneously configured protocol nodes.
remove
Removes the authentication method configuration of file and object access protocols and ID maps if any.

If you plan to remove both the authentication method configuration and the ID maps, remove the authentication method configuration first and the ID maps afterwards. That is, first run the mmuserauth service remove command without the --idmapdelete option to remove the authentication method configuration, and then run the same command with the --idmapdelete option to remove the ID maps.

CAUTION:
Deleting the authentication method configuration with the ID maps can lead to irrecoverable loss of access to data. Use this option with proper planning.
--data-access-method {file|object}
Specifies the access protocols for which the authentication method needs to be configured. The IBM Storage Scale system supports file access protocols such as SMB and NFS along with Object access protocols to access data that is stored on the system.

The file data access method is meant for authorizing the users who access data over SMB and NFS protocols.

--type {ldap|local|ad|nis|userdefined}
Specifies the authentication method to be configured for accessing data over file and object access protocols.

ldap - Defines an external LDAP server as the authentication server. This authentication type is valid for both file and object access protocols.

ad - Defines an external Microsoft Active Directory server as the authentication server. This authentication type is valid for both file and object access protocols.

local - Defines an internal database stored on IBM Storage Scale protocol nodes for authenticating users who access data over the object access protocol. This authentication type is valid for the Object access protocol only.

nis - Defines an external NIS server as the authentication server. This authentication type is valid for the NFS file access protocol only. The NIS configuration with an IPv6 address is not supported.
Note: NIS authentication is not supported for RHEL 9.

userdefined - Defines user-defined (system administrator defined) authentication method for data access. This authentication type is valid for both file and object access protocols.

--servers [AuthServer1[:Port],AuthServer2[:Port],AuthServer3[:Port] ...]
Specifies the host name or IP address of the authentication server that is used for file and object access protocols.

This option is only valid with --type {ldap|ad|nis}.

With --type ldap, the input value format is "serverName/serverIP:[port]".

Specifying the port value is optional. Default port is 389.

For example,

--servers ldapserver.mydomain.com:1389.

For file access protocol, multiple LDAP servers can be specified by using a comma as a separator.

For the object access protocol, only one authentication server must be specified. If multiple servers are specified by using a comma, only the first server in the list is considered as the authentication server for configuration.

With --type ad, the input value format is "serverName/serverIP".

For example,

--servers ldapserver.mydomain.com.

For the file access protocol, only one authentication server must be specified; specifying multiple servers is invalid. The AD server accepted during configuration is used to fetch the details required for validation and configuration of the authentication method. After successful configuration, each CES node queries DNS to look up the available domain controllers serving the AD domain it is joined to, and binds to the best available domain controller from the returned list.

For the object access protocol, only one authentication server must be specified. If multiple servers are specified by using a comma, only the first server in the list is considered as the authentication server.

With --type nis, the input value format is "serverName/serverIP".

For example,

--servers nisserver.mydomain.com.

Multiple NIS servers can be specified by using a comma separator. At least one of the specified servers must be available and reachable while configuring the authentication method. This is important for the verification of the specified NIS domain, against which the availability of either passwd.byname or netgroup map is validated.

When you enter an IPv6 address, ensure that the address is enclosed within square brackets to work correctly.

For example,
--servers [2001:192::e61f:122:feb7:5df5]

--base-dn ldapBase
Specifies the LDAP base DN of the authentication server. This option is only valid with --type {ldap|ad} for --data-access-method object and --type ldap for --data-access-method file.
--enable-anonymous-bind
Specifies whether to enable anonymous binding with the authentication server for various validation operations.
This option is valid for the following cases (if the authentication server supports anonymous binding):
  1. --type {ldap|ad} and --data-access-method {object}
  2. --type {ldap} and --data-access-method {file}
    Note: This case is supported for NFS shares only.
This option is mutually exclusive with --user-name and password combination.
--user-name userName
Specifies the user name to be used to perform operations against the authentication server. This option is only valid with --type {ldap|ad} and --data-access-method {file|object}.

This option combined with password is mutually exclusive with --enable-anonymous-bind. The specified user name must have sufficient permissions to read user and group attributes from the authentication server.

In case of --type {ad|ldap} with --data-access-method object, the user name must be specified in complete DN format.

In case of --type ad with --data-access-method file, the specified user name is used to join the cluster to the AD domain. The join creates a machine account for the cluster, named after the --netbios-name specified in the command. After successful configuration, the cluster connects with its machine account, not with the user that performed the domain join. The specified user name therefore plays no further role in communication with the AD domain controller and can even be deleted from the AD server; the cluster keeps using AD for authentication through the machine account that was created.
--pwd-file PasswordFile
Specifies the file containing passwords of administrative users for authentication configuration of file and object access protocols. The password file must be saved under /var/mmfs/ssl/keyServ/tmp on the node from which you are running the command. If this option is omitted, the command prompts for a password. The password file is a security-sensitive file and hence, must have the following characteristics:
  • It must be a regular file.
  • It must be owned by the root user.
  • Only the root user must have permission to read or write it.
A password file for file protocol configuration must have the following format:
%fileauth:
password=userpassword
where:
fileauth
Stanza name for file protocol
password
Specifies the password of --user-name.
Note: With --type ad for file authentication, the specified password is only required during the domain joining period. After joining the domain, the password of the machine account of the cluster is used for accessing Active Directory.
A password file for object protocol configuration must have the following format:
%objectauth:
password=userpassword
ksAdminPwd=ksAdminPwdpassword
ksSwiftPwd=ksSwiftPwdpassword
where:
objectauth
Stanza name for object protocol
password
Specifies the password of --user-name.
ksAdminPwd
Specifies the Keystone Administrator's password.
ksSwiftPwd
Specifies the Swift service user's password.
Note: Passwords cannot contain any of the following characters: / : \ @ $ { } and space.
The passwords are stored in the associated Keystone and Swift configuration files. You can change these passwords by using the following commands:
  • To change the stored AD or LDAP password, issue the following command:
    # mmobj config change --ccrfile keystone.conf --section ldap --property password --value NewPassword
  • To change the stored password for the Swift user, issue the following command:
    # mmobj config change --ccrfile proxy-server.conf --section filter:authtoken --property password --value NewPassword
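The following Python is an added example, not code from the IBM Storage Scale documentation. It renders the %fileauth and %objectauth stanzas described above, rejects passwords that use the forbidden characters, creates the file with mode 0600 from the outset, and checks an existing file against the three documented requirements (regular file, owned by root, readable and writable by root only). The file name fileauth.pwd and the function names are the example's own assumptions.

```python
import os
import stat
from typing import List, Optional

# Characters the documentation says a password may not contain.
FORBIDDEN_CHARS = set("/:\\@${} ")

# Directory the documentation requires for the password file. The file name
# is an assumption of this example; the page does not prescribe one.
PWD_FILE_DIR = "/var/mmfs/ssl/keyServ/tmp"
PWD_FILE_NAME = "fileauth.pwd"


def validate_password(password: str) -> None:
    """Raise ValueError if the password is empty or uses a forbidden character."""
    if not password:
        raise ValueError("password is empty")
    bad = sorted(FORBIDDEN_CHARS & set(password))
    if bad:
        raise ValueError(f"password contains forbidden characters: {bad!r}")


def render_stanza(access_method: str, password: str,
                  ks_admin_pwd: Optional[str] = None,
                  ks_swift_pwd: Optional[str] = None) -> str:
    """Return the stanza text for --data-access-method file or object."""
    if access_method == "file":
        validate_password(password)
        return f"%fileauth:\npassword={password}\n"
    if access_method == "object":
        if ks_admin_pwd is None or ks_swift_pwd is None:
            raise ValueError("object stanza needs ksAdminPwd and ksSwiftPwd")
        for pwd in (password, ks_admin_pwd, ks_swift_pwd):
            validate_password(pwd)
        return ("%objectauth:\n"
                f"password={password}\n"
                f"ksAdminPwd={ks_admin_pwd}\n"
                f"ksSwiftPwd={ks_swift_pwd}\n")
    raise ValueError(f"unknown access method {access_method!r}")


def write_password_file(path: str, content: str) -> str:
    """Create the file with mode 0600 from the first instant (no window in
    which group or others can read it) and refuse to overwrite an existing
    file, so a stale or planted file is never silently reused."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def check_password_file(path: str, expected_uid: int = 0) -> List[str]:
    """Return the documented requirements the file violates: it must be a
    regular file, owned by root (uid 0), readable and writable by root only.
    An empty list means the file is acceptable for --pwd-file."""
    problems = []
    st = os.lstat(path)  # lstat: a symlink here is itself reported as not regular
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != expected_uid:
        problems.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:04o} grants group/other access")
    return problems


if __name__ == "__main__":
    # On a protocol node, as root: create the file, verify it, then pass it
    # to mmuserauth service create ... --pwd-file.
    target = os.path.join(PWD_FILE_DIR, PWD_FILE_NAME)
    write_password_file(target, render_stanza("file", "ChangeMe123"))
    print(check_password_file(target) or "password file OK")
```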
--enable-server-tls
Specifies whether to enable TLS communication with the authentication server. With --data-access-method object, this option is only valid with --type {ldap|ad}. With --data-access-method file, this option is only valid with --type {ldap}.

This option is disabled by default.

For file access protocol configuration, ensure that the CA certificate is placed in the /var/mmfs/tmp/ directory with the name ldap_cacert.pem on the node on which the command is to be run.

For object access protocol configuration, ensure that the CA certificate is placed in the /var/mmfs/tmp/ directory with the name object_ldap_cacert.pem on the node on which the command is to be run.

--enable-nfs-kerberos
Specifies whether to enable Kerberized logins for users gaining access by using the NFSv3 and NFSv4 file access protocols.

This option is only valid with --type {ad} and --data-access-method {file}.

This option is disabled by default.

Note: Kerberized NFSv3 and NFSv4 access is only supported for users from AD domains that are configured for fetching the UID/GID information from Active Directory (RFC2307 schema attributes). Such AD domain definition is specified by using the --unixmap-domains option.
--user-dn ldapUserDN
Specifies the LDAP user DN. Restricts the search of users to the specified sub-tree. For CIFS access, the value of this parameter is ignored and the search is performed on the baseDN.
This option is only valid with --type {ldap} and --data-access-method {file}. If this parameter is not set, the system uses the value that is set for baseDN as the default value.
--group-dn ldapGroupDN
Specifies the LDAP group suffix. Restricts search of groups within a specified sub-tree.
This option is only valid with --type {ldap} and --data-access-method {file}. If this parameter is not set, the system uses the value that is set for baseDN as the default value.
--netgroup-dn ldapGroupDN
Specifies the LDAP netgroup suffix. The system searches the netgroups based on this suffix. The value must be specified in complete DN format.
This option is only valid with --type {ldap} and --data-access-method {file}. Default value is baseDN.
--user-objectclass userObjectClass
Specifies the object class of users on the authentication server. Only users that have the specified object class and match the other filters are treated as valid users.
If the --data-access-method is object, this option is only valid with --type {ldap|ad}.
If the --data-access-method is file, this option is only valid with --type {ldap}. With --type ldap, the default value is posixAccount and with --type ad the default value is organizationalPerson.
--group-objectclass groupObjectClass
Specifies the object class of group on the authentication server. This option is only valid with --type {ldap} and --data-access-method {file}.
--netbios-name netBiosName
Specifies the unique identifier of the resources on a network that are running NetBIOS. This option is only valid with --type {ad|ldap} and --data-access-method {file}.
The NetBIOS name is limited to 15 ASCII characters and must not contain any white space or one of the following characters: / : * ? . " ; |
If AD is selected as the authentication method, the NetBIOS name must be selected carefully. If there are name collisions across multiple IBM Storage Scale clusters, or between the AD Domain and the NetBIOS name, the configuration does not work properly. Consider the following points while planning for a naming strategy:
  • There must not be NetBIOS name collision between two IBM Storage Scale clusters that are configured against the same Active Directory server.
  • The domain join of the latter machines revokes the join of the former one.
  • The NetBIOS name and the domain name must not collide.
  • The NetBIOS name and the short name of the Domain Controllers hosting the domain must not collide.
--domain domainName
Specifies the name of the NIS domain. This option is only valid with --type {nis} and --data-access-method {file}.
The NIS domain that is specified must be served by one of the servers specified with --servers. This option is mandatory when NIS-based authentication is configured for file access.
--idmap-role {master|subordinate}
Specifies the ID map role of the IBM Storage Scale system. For a stand-alone (single-system) deployment, the ID map role must be master. The value of the ID map role matters in AFM-based deployments.
This option is only valid with --type {ad} and --data-access-method {file}.
You can use AD with automatic ID mapping to set up two or more storage subsystems in an AFM relationship. Systems configured in a master-subordinate relationship provide a means to synchronize the UIDs and GIDs generated for NAS clients on one system with the UIDs and GIDs on the other systems. In the AFM relationship, only one system can be configured as master; all other systems must be configured as subordinates. The ID map roles of master and subordinate systems are the following:
  • Master: System creates ID maps on its own.
  • Subordinate: System does not create ID maps on its own. ID maps must be exported from the master to the subordinate.
When automatic ID mapping is used, the ID mappings must be exported from the master to the subordinate so that the systems in the AFM relationship have the same ID maps. The NAS file services are inactive on the subordinate system. If you need to export and import ID maps from one system to another, contact the IBM® Support Center.
--idmap-range lowerValue-higherValue
Specifies the range of values from which the IBM Storage Scale UIDs and GIDs are assigned by the system to the Active Directory users and groups. This option is only valid with --type {ad} and --data-access-method {file}. The default value is 10000000-299999999. The lower value of the range must be at least 1000. After configuring the IBM Storage Scale system with AD authentication, only the higher value can be increased (this essentially increases the number of ranges).
--idmap-range-size rangeSize
Specifies the total number of UIDs and GIDs that are assignable per domain. For example, if --idmap-range is defined as 10000000-299999999, and range size is defined as 1000000, 290 domains can be mapped, each consisting of 1000000 IDs.
Choose a value for range size that allows for the highest anticipated RID value among all of the anticipated AD users and AD groups in all of the anticipated AD domains. Choose the range size value carefully because range size cannot be changed after the first AD domain is defined on the IBM Storage Scale system.
This option is only valid with --type {ad} and --data-access-method {file}. Default value is 1000000.
--unixmap-domains unixDomainMap
Specifies the AD domains for which user ID and group ID should be fetched from the AD server. This option is only valid with --type {ad} and --data-access-method {file}. The unixDomainMap takes value in this format: DOMAIN1(L1-H1:{win|unix})[;DOMAIN2(L2-H2:{win|unix})[;DOMAIN3(L3-H3:{win|unix})....]]
DOMAIN
Use DOMAIN to specify an AD domain for which ID mapping services are to be configured. The name of the domain to be specified must be the NetBIOS domain name. The UIDs and GIDs of the users and groups for the specified DOMAIN are read from the UNIX attributes that are populated in the RFC2307 schema extension of AD server. Any users or groups, from this domain, with missing UID/GID attributes are denied access. Use the L-H format to specify the ID range. All the users or groups from DOMAIN that need access to exports need to have their UIDs or GIDs in the specified range.
The specified range should not intersect with:
  • The range specified by using the --idmap-range option of the command.
  • The range specified for other AD DOMAIN for which ID mapping needs to be done from Active Directory (RFC2307 schema attributes) specified in --unixmap-domains option.

    However, you can use the --enable-overlapping-unixmap-ranges option to allow overlapping ID map ranges for multiple AD domains for which ID mapping needs to be done from Active Directory (RFC2307 schema attributes).

  • The range specified for other AD DOMAIN for which ID mapping needs to be done from LDAP server specified in the --ldapmap-domains option.
The command reports a failure if you attempt to run the command with such configurations. This is intended to avoid ID collisions among users and groups from different domains.

win: Specifies the system to read the primary group set as Windows primary group of a user on the Active Directory.

unix: Specifies the system to read the primary group as set in "UNIX attributes" of a user on the Active Directory.

For example,
--unixmap-domains "MYDOMAIN1(20000-50000:unix);MYDOMAIN2(100000-200000:win)"
--enable-overlapping-unixmap-ranges
Allows overlapping ranges for multiple AD domains that are specified by using --unixmap-domains option. This option is only valid with --data-access-method {file} and --type {ad} along with --unixmap-domains.
Note: Ensure that UIDs and GIDs are unique among users and groups from different domains. ID collisions can cause data access issues and compromise data security.
--ldapmap-domains ldapDomainMap
Specifies the AD domains for which user ID and group ID should be fetched from a separate stand-alone LDAP server. This option is only valid with --type {ad} and --data-access-method {file}. ldapDomainMap takes value of the format as follows,
DOMAIN1(type=stand-alone:ldap_srv=ldapServer:range=Range:usr_dn=userDN:grp_dn=groupDN:[bind_dn=bindDN]:[bind_dn_pwd=bindDNpassword])
[;DOMAIN2(type=stand-alone:ldap_srv=ldapServer:range=Range:usr_dn=userDN:grp_dn=groupDN:[bind_dn=bindDN]:[bind_dn_pwd=bindDNpassword])
[;DOMAIN3(type=stand-alone:ldap_srv=ldapServer:range=Range:usr_dn=userDN:grp_dn=groupDN:[bind_dn=bindDN]:[bind_dn_pwd=bindDNpassword])...]]
DOMAIN
Use DOMAIN to specify an AD domain for which ID mapping services are to be configured. The name of the domain to be specified must be the Pre-Win2K domain name. The UID and GID of the users and groups for the specified DOMAIN are read from the objects stored on LDAP server in RFC2307 schema attributes. Any users or groups, from this domain, with missing UID/GID attributes are denied access.
type
Defines the type of LDAP server to use.
Supported value: stand-alone.
range
Attribute takes a value in the L-H format. All users and groups from DOMAIN that need access to exports must have their UIDs or GIDs in the specified range. The specified range should not intersect with:
  • The range specified using --idmap-range option of the command
  • The range specified for other AD DOMAIN for which ID mapping needs to be done from Active Directory (RFC2307 schema attributes) specified in --unixmap-domains option
  • The range specified for other AD DOMAIN for which ID mapping needs to be done from LDAP server specified in --ldapmap-domains option

    This is intended to avoid ID collisions among users and groups from different domains.

ldap_srv
Defines the name or IP address of the LDAP server from which the UIDs and GIDs of user and group records are fetched. The user and group objects must be in RFC2307 schema format. Only a single LDAP server is supported.
When you enter an IPv6 address, ensure that the address is enclosed within square brackets to work correctly.
For example,
ldap_srv=[2001:192::e61f:122:feb7:5df5]
usr_dn
Defines the bind tree on the LDAP server where user objects shall be found.
grp_dn
Defines the bind tree on the LDAP server where the group objects shall be found.
bind_dn
Optional attribute.

Defines the user DN that should be used for authentication against the LDAP server. If not specified, anonymous bind shall be performed against the LDAP server.

bind_dn_pwd
Optional attribute.
Defines the password of the user DN specified in bind_dn to be used for authentication against the LDAP server. Must be specified when bind_dn attribute is specified for binding with the LDAP server in the DOMAIN definition.
The password cannot contain the semicolon (;) or colon (:) characters.
For example,
--ldapmap-domains "MYDOMAIN1(type=stand-alone:range=10000-50000
:ldap_srv=myldapserver.mydomain.com:usr_dn=ou=People,dc=mydomain,dc=com
:grp_dn=ou=Groups,dc=mydomain,dc=com:bind_dn=cn=ldapuser,dc=mydomain,dc=com
:bind_dn_pwd=MYPASSWORD);MYDOMAIN2(type=stand-alone:range=70000-100000
:ldap_srv=myldapserver.example.com:usr_dn=ou=People,dc=example,dc=com
:grp_dn=ou=Groups,dc=example,dc=com)"
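As an added example, not from the IBM documentation, the following Python parses the --idmap-range, --unixmap-domains and --ldapmap-domains values described in the preceding sections and applies the documented rules before the command is run: the lower value of --idmap-range must be at least 1000, the domains-per-range arithmetic of --idmap-range-size, the mandatory --ldapmap-domains attributes (including bind_dn_pwd whenever bind_dn is given), and no intersecting ID ranges except between unixmap domains when --enable-overlapping-unixmap-ranges is used. The function names are the example's own; it also handles the bracketed IPv6 form of ldap_srv so the address's colons are not mistaken for attribute separators.

```python
import re
from typing import Dict, List, Tuple

Range = Tuple[int, int]
# One --unixmap-domains entry DOMAIN(L-H:win|unix); one --ldapmap-domains entry DOMAIN(attr=value:...)
_UNIXMAP_ENTRY = re.compile(r"^\s*([^()\s;]+)\((\d+)-(\d+):(win|unix)\)\s*$")
_LDAPMAP_ENTRY = re.compile(r"^\s*([^()\s;]+)\((.*)\)\s*$", re.S)


def parse_range(text: str) -> Range:
    """Parse the L-H form used by --idmap-range and by the range attributes."""
    lo, sep, hi = text.strip().partition("-")
    if not sep or not lo.isdigit() or not hi.isdigit():
        raise ValueError(f"range {text!r} is not in L-H form")
    if int(lo) > int(hi):
        raise ValueError(f"range {text!r}: lower value exceeds higher value")
    return int(lo), int(hi)


def parse_unixmap_domains(value: str) -> Dict[str, Range]:
    """Map each NetBIOS domain in a --unixmap-domains value to its ID range."""
    domains: Dict[str, Range] = {}
    for entry in value.split(";"):
        m = _UNIXMAP_ENTRY.match(entry)
        if not m:
            raise ValueError(f"bad --unixmap-domains entry {entry!r}")
        name = m.group(1).upper()  # NetBIOS domain names are case-insensitive
        if name in domains:
            raise ValueError(f"domain {name} is listed twice")
        domains[name] = parse_range(f"{m.group(2)}-{m.group(3)}")
    return domains


def _split_attrs(body: str) -> List[str]:
    """Split on ':' outside square brackets, so an IPv6 ldap_srv written as
    [2001:db8::1] (the bracket form the page requires) is not torn apart."""
    parts, cur, depth = [], [], 0
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_ldapmap_domains(value: str) -> Dict[str, Range]:
    """Map each domain in a --ldapmap-domains value to its ID range after
    checking the attributes the documentation makes mandatory."""
    domains: Dict[str, Range] = {}
    for entry in value.split(";"):
        m = _LDAPMAP_ENTRY.match(entry)
        if not m:
            raise ValueError(f"bad --ldapmap-domains entry {entry!r}")
        name, attrs = m.group(1), {}
        for item in _split_attrs(m.group(2)):
            key, _, val = item.partition("=")  # DN values themselves contain '='
            attrs[key.strip()] = val.strip()
        missing = {"type", "ldap_srv", "range", "usr_dn", "grp_dn"} - set(attrs)
        if missing:
            raise ValueError(f"{name}: missing attributes {sorted(missing)}")
        if attrs["type"] != "stand-alone":
            raise ValueError(f"{name}: type must be stand-alone")
        if "bind_dn" in attrs and "bind_dn_pwd" not in attrs:
            raise ValueError(f"{name}: bind_dn requires bind_dn_pwd")
        domains[name.upper()] = parse_range(attrs["range"])
    return domains


def domains_mappable(idmap_range: str, idmap_range_size: int) -> int:
    """Number of AD domains the automatic range holds at this range size
    (the page's example: 10000000-299999999 with 1000000 gives 290)."""
    lo, hi = parse_range(idmap_range)
    return (hi - lo + 1) // idmap_range_size


def check_idmap_plan(idmap_range: str, idmap_range_size: int, unixmap: str = "",
                     ldapmap: str = "", allow_overlapping_unixmap: bool = False) -> List[str]:
    """Apply the documented range rules; an empty list means the combination is consistent."""
    problems: List[str] = []
    auto = parse_range(idmap_range)
    if auto[0] < 1000:
        problems.append("--idmap-range lower value must be at least 1000")
    if idmap_range_size < 1 or domains_mappable(idmap_range, idmap_range_size) < 1:
        problems.append("--idmap-range-size does not fit inside --idmap-range")
    labelled = [("--idmap-range", auto, "auto")]
    if unixmap:
        labelled += [(f"--unixmap-domains {d}", r, "unix")
                     for d, r in parse_unixmap_domains(unixmap).items()]
    if ldapmap:
        labelled += [(f"--ldapmap-domains {d}", r, "ldap")
                     for d, r in parse_ldapmap_domains(ldapmap).items()]
    for i, (la, ra, ka) in enumerate(labelled):
        for lb, rb, kb in labelled[i + 1:]:
            if ra[0] <= rb[1] and rb[0] <= ra[1]:  # closed intervals intersect
                # Only unixmap/unixmap overlap is allowed, and only with
                # --enable-overlapping-unixmap-ranges; the IDs must still be unique.
                if ka == kb == "unix" and allow_overlapping_unixmap:
                    continue
                problems.append(f"{la} {ra[0]}-{ra[1]} overlaps {lb} {rb[0]}-{rb[1]}")
    return problems
```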
--enable-kerberos
Specifies whether to enable Kerberized logins for users who are gaining access by using file access protocols.

This option is only valid with --type {ldap} and --data-access-method {file}.

This option is disabled by default.

Note: Ensure that the legitimate keytab file is placed in the /var/mmfs/tmp directory and named krb5_scale.keytab on the node on which the authentication method configuration command is to be run.
--kerberos-server kerberosServer
Specifies the Kerberos server. This option is only valid with --type {ldap} and --data-access-method {file}.
When you enter an IPv6 address, ensure that the address is enclosed within square brackets to work correctly.
For example,
--kerberos-server [2001:192::e61f:122:feb7:5df5]
--kerberos-realm kerberosRealm
Indicates the Kerberos server authentication administrative domain. The realm name is usually the all-uppercase version of the domain name. This option is case-sensitive.
--user-name-attrib UserNameAttribute
Specifies the attribute to be used to search for the user name on the authentication server.
If the --data-access-method is object, this option is only valid with --type {ldap|ad}.
If the --data-access-method is file, this option is only valid with --type {ldap}. With --type ldap, default value is cn and with --type ad, the default value is sAMAccountName.
--user-id-attrib UserIDAttribute
Specifies the attribute to be used to search for user ID on the authentication server.
If --data-access-method is object, this option is only valid with --type {ldap|ad}.
If --data-access-method is file, this option is only valid with --type {ldap}. For --type ldap, default value is uid and for --type ad the default value is CN.
--user-mail-attrib UserMailAttribute
Specifies the attribute to be used to search for the email address on the authentication server. If the --data-access-method is object, this option is only valid with --type {ldap|ad}. For --data-access-method file, this option is only valid with --type {ldap}. Default value is mail.
--user-filter userFilter
Specifies the additional filter to be used to search for user in the authentication server. The filter must be specified in LDAP filter format. This option is only valid with --type {ldap|ad} and --data-access-method {object}. By default, no filter is used.
--ks-dns-name keystoneDnsName
Specifies the DNS name for keystone service. The specified name must be resolved on all protocol nodes for proper functioning. This is optional with --data-access-method {object}. If the value is not specified for this parameter, the mmuserauth service create command uses the value that is used during the IBM Storage Scale system installation.
--ks-admin-user keystoneAdminName
Specifies the Keystone server administrative user. This user must be a valid user on the authentication server if --type {ldap|ad} is specified. In case of --type local, a new user is created and the admin role is assigned to it in Keystone. This option is mandatory with --data-access-method {object}.
For --type {ldap|ad}, do not specify user name in DN format for --ks-admin-user. The name must be the base or short name that is written against the specified user-id-attrib or user-name-attrib of user on the LDAP server.
--enable-ks-ssl
Specifies whether the SSL communication must be enabled with the Keystone service. It enables a secured way to access the Keystone service over the HTTPS protocol. The default communication option with the Keystone service is over HTTP protocol, which has security risks.
This option is only valid with --data-access-method {object}.
By default, this option is disabled.

With --type local | ad | ldap, ensure that the valid certificate files are placed in the /var/mmfs/tmp directory on the node on which the command is to be run:

The SSL certificate at: /var/mmfs/tmp/ssl_cert.pem
The private key at: /var/mmfs/tmp/ssl_key.pem
The CA certificate at: /var/mmfs/tmp/ssl_cacert.pem

With --type userdefined, ensure that the valid certificate file is placed in the /var/mmfs/tmp directory on the node on which the command is to be run:

The CA certificate at: /var/mmfs/tmp/ssl_cacert.pem
--ks-swift-user keystoneSwiftName
Specifies the user name to be used as the swift user in proxy-server.conf. If AD or LDAP-based authentication is used, this user must exist in the AD or LDAP authentication server. If the local authentication method is used, a new user with this name is created in the local database. This option is only valid with --data-access-method {object}.
For --type {ldap|ad}, do not specify user name in DN format for --ks-swift-user. The name must be the base or short name that is written against the specified user-id-attrib or user-name-attrib of user on the LDAP server.
--ks-ext-endpoint externalendpoint
Specifies the endpoint URL of the external Keystone. Only API v3 and HTTP are supported. This option is only valid with --data-access-method {object} and --type {userdefined}.
--idmapdelete
Specifies whether to delete the current ID maps (SID to UID/GID mappings) from the ID mapping databases for the file access method and user-role-project-domain mappings stored in local keystone database for object access method.

This option is only valid with the mmuserauth service remove command. Unless the --data-access-method parameter is specified on the command line, ID maps for file and object access protocols are erased by default. To delete the ID maps of a particular access protocol, explicitly specify the --data-access-method parameter on command line along with the valid access protocol name.

The authentication method configuration and ID maps cannot be deleted together. The authentication method configuration must be deleted before the ID maps.

CAUTION:
Deleting ID maps can lead to irrecoverable loss of access to data. Use this option with proper planning.
-N|--nodes {node-list|cesNodes}
Verifies the authentication configuration on each specified node. If a specified node is not a protocol node, it is ignored. If a protocol node is specified, the system checks the configuration on all protocol nodes. If you do not specify a node, the system checks the configuration of only the current node.
-Y
Displays the command output in a parseable format with a colon (:) as a field delimiter. Each column is described by a header.
Note: Fields that have a colon (:) are encoded to prevent confusion. For the set of characters that might be encoded, see the command documentation of mmclidecode. Use the mmclidecode command to decode the field.
-r|--rectify
Rectifies the authentication configurations and missing SSL and TLS certificates.
--server-reachability
Without this flag, the mmuserauth service check command only validates whether the authentication configuration files are consistent across the protocol nodes. Use this flag to also check whether the external authentication server is reachable from each protocol node.
Exit status
0
Successful completion.
nonzero
A failure has occurred.
Note: When you reconfigure Object protocol access, messages suggesting that a duplicate key value violates unique constraint might appear in the system log. Disregard these messages.

Security

You must have root authority to run the mmuserauth command.

The node on which the command is issued must be able to run remote shell commands on any other node in the cluster without the use of a password and without producing any extraneous messages. For more information, see Requirements for administering a GPFS file system.

Examples

  1. To configure Microsoft Active Directory (AD) based authentication with automatic ID mapping for file access, issue this command:
    # mmuserauth service create --type ad --data-access-method file
    --netbios-name specscale --user-name adUser --idmap-role master --servers myADserver
    --idmap-range-size 1000000 --idmap-range 10000000-299999999
    The system displays output similar to this:
    
    File Authentication configuration completed successfully.
    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
    # mmuserauth service list
    The system displays output similar to this:
    
    FILE access configuration : AD
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_NFS_KERBEROS      false
    SERVERS                  "*"
    USER_NAME                specscale$
    NETBIOS_NAME             specscale
    IDMAP_ROLE               master
    IDMAP_RANGE              10000000-299999999
    IDMAP_RANGE_SIZE         1000000
    UNIXMAP_DOMAINS          none
    LDAPMAP_DOMAINS          none
    
    OBJECT access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
    
  2. To configure Microsoft Active Directory (AD) based authentication with RFC2307 ID mapping for file access, issue this command:
    # mmuserauth service create  --type ad --data-access-method file
    --netbios-name specscale --user-name adUser --idmap-role master
    --servers myAdserver   --idmap-range-size 1000000
    --idmap-range 10000000-299999999 --unixmap-domains 'DOMAIN(5000-20000:win)'
    
    The system displays output similar to this:
    File Authentication configuration completed successfully.

    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

    # mmuserauth service list
    The system displays output similar to this:
    
    FILE access configuration : AD
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_NFS_KERBEROS      false
    SERVERS                  "*"
    USER_NAME                specscale$
    NETBIOS_NAME             specscale
    IDMAP_ROLE               master
    IDMAP_RANGE              10000000-299999999
    IDMAP_RANGE_SIZE         1000000
    UNIXMAP_DOMAINS          DOMAIN(5000-20000:win)
    LDAPMAP_DOMAINS          none
    
    OBJECT access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
    
  3. To configure Microsoft Active Directory (AD) based authentication with LDAP ID mapping for file access, issue this command:
    # mmuserauth service create --data-access-method file --type ad --servers myADserver
    --user-name adUser  --netbios-name specscale --idmap-role master
    --ldapmap-domains "DOMAIN(type=stand-alone: range=1000-10000:ldap_srv=myLDAPserver:
    usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,
    dc=com:bind_dn=cn=ldapuser,dc=example,dc=com:bind_dn_pwd=password)"
    The system displays output similar to this:
    File Authentication configuration completed successfully.

    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

    # mmuserauth service list
    The system displays output similar to this:
    
    FILE access configuration : AD
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_NFS_KERBEROS      false
    SERVERS                  "*"
    USER_NAME                specscale$
    NETBIOS_NAME             specscale
    IDMAP_ROLE               master
    IDMAP_RANGE              10000000-299999999
    IDMAP_RANGE_SIZE         1000000
    UNIXMAP_DOMAINS          none
    LDAPMAP_DOMAINS          DOMAIN(type=stand-alone: range=1000-10000:
    ldap_srv=myLDAPserver:usr_dn=ou=People,dc=example,dc=com:grp_dn=
    ou=Groups,dc=example,dc=com:bind_dn=cn=ldapuser,dc=example,dc=com)
    
    OBJECT access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
    
  4. To configure Microsoft Active Directory (AD) based authentication with LDAP ID mapping for file access (anonymous binding with LDAP), issue this command:
    # mmuserauth service create --data-access-method file --type ad
    --servers myADserver --user-name adUser 
    --netbios-name specscale --idmap-role master --ldapmap-domains
    "DOMAIN(type=stand-alone: range=1000-10000:ldap_srv=myLDAPserver:
    usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,dc=com)"
    
    The system displays output similar to this:
    
    File Authentication configuration completed successfully.

    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

    # mmuserauth service list
    The system displays output similar to this:
    
    FILE access configuration : AD
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_NFS_KERBEROS      false
    SERVERS                  "*"
    USER_NAME                specscale$
    NETBIOS_NAME             specscale
    IDMAP_ROLE               master
    IDMAP_RANGE              10000000-299999999
    IDMAP_RANGE_SIZE         1000000
    UNIXMAP_DOMAINS          none
    LDAPMAP_DOMAINS          DOMAIN(type=stand-alone: range=1000-10000:ldap_srv=myLDAPserver:
    usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,dc=com)
    
    OBJECT access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
    
  5. To configure AD-based authentication with overlapping ID map ranges, issue this command:
    # mmuserauth service create --data-access-method file --type ad --servers myADserver --user-name adUser
     --netbios-name specscale --idmap-role master --unixmap-domains "DOMAIN1(2000-4000); DOMAIN2(2000-4000)" 
    --enable-overlapping-unixmap-ranges
    The system displays output similar to this:
    Enter Active Directory User 'adUser' password:
    Enabling Overlapping unixmap ranges. Make sure that UIDs and GIDs are unique in order to avoid ACLs 
    or/and data access issues. See man mmuserauth for further details.
    
    File authentication configuration completed successfully.
    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
    # mmuserauth service list
    The system displays output similar to this:
    FILE access configuration : AD
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_NFS_KERBEROS      false
    SERVERS                  "*"
    USER_NAME                specscale$
    NETBIOS_NAME             specscale
    IDMAP_ROLE               master
    IDMAP_RANGE              10000000-299999999
    IDMAP_RANGE_SIZE         1000000
    UNIXMAP_DOMAINS          DOMAIN1(2000-4000:win);DOMAIN2(2000-4000:win)
    LDAPMAP_DOMAINS          none
    
    OBJECT access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
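
The warning in example 5 about duplicate UIDs and GIDs is easier to act on if the ranges are checked before the command is run. The following Python script is an added example and is not part of the IBM documentation or of the mmuserauth tool: it parses the DOMAIN(low-high[:win]) list syntax that --unixmap-domains takes (as shown in examples 2 and 5) and reports every pair of domains whose UID/GID ranges intersect, which is exactly the case in which --enable-overlapping-unixmap-ranges is required and in which non-unique IDs can lead to ACL and data access problems. The specifications fed to it under __main__ are constructed for the demonstration.

```python
"""Overlap check for the ranges given to --unixmap-domains.

Added example, not part of the IBM documentation or the mmuserauth tool.
Parses 'DOM1(lo-hi); DOM2(lo-hi:win)' and reports intersecting ranges.
"""
import re
from itertools import combinations

# One entry such as DOMAIN1(2000-4000) or DOMAIN(5000-20000:win).
# The optional ':win' suffix is accepted and ignored for the overlap test.
_ENTRY = re.compile(r"^\s*([^()\s]+)\((\d+)-(\d+)(?::([A-Za-z_]+))?\)\s*$")


def parse_unixmap_domains(spec):
    """Parse the --unixmap-domains value into a list of (name, low, high)."""
    domains = []
    for entry in spec.split(";"):
        if not entry.strip():
            continue
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError("cannot parse unixmap entry: %r" % entry)
        name, low, high = m.group(1), int(m.group(2)), int(m.group(3))
        if low > high:
            raise ValueError("range low > high in entry: %r" % entry)
        domains.append((name, low, high))
    return domains


def overlapping_pairs(domains):
    """Return (nameA, nameB, low, high) for each pair whose ranges intersect."""
    found = []
    for (a, alo, ahi), (b, blo, bhi) in combinations(domains, 2):
        low, high = max(alo, blo), min(ahi, bhi)
        if low <= high:
            found.append((a, b, low, high))
    return found


def check_unixmap_domains(spec):
    """Return (ok, messages); ok is False when any two ranges overlap."""
    clashes = overlapping_pairs(parse_unixmap_domains(spec))
    messages = ["%s and %s share IDs %d-%d" % c for c in clashes]
    return (not clashes, messages)


if __name__ == "__main__":
    # Constructed specifications; the second one is the value from example 5.
    for spec in ("DOMAIN(5000-20000:win)",
                 "DOMAIN1(2000-4000); DOMAIN2(2000-4000)",
                 "DOMAIN1(2000-4000); DOMAIN2(4001-6000)"):
        ok, messages = check_unixmap_domains(spec)
        print("%-42s %s" % (spec, "OK" if ok else "OVERLAP: " + "; ".join(messages)))
```

Run it on the intended --unixmap-domains value before issuing mmuserauth service create: an empty clash list means the ranges are disjoint, and a non-empty one means either the ranges must be separated or --enable-overlapping-unixmap-ranges is being used deliberately, with the uniqueness caveat printed in example 5.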
    
  6. To configure LDAP-based authentication with TLS encryption for file access, issue this command:
    # mmuserauth service create --type ldap --data-access-method file
    --servers myLDAPserver --base-dn dc=example,dc=com
    --user-name cn=ldapuser,dc=example,dc=com 
    --netbios-name specscale --enable-server-tls
    The system displays output similar to this:
    
    File Authentication configuration completed successfully.
    Note: Before issuing the mmuserauth service create command to configure LDAP with TLS, ensure that the CA certificate of the LDAP server is placed in the /var/mmfs/tmp directory with the name "ldap_cacert.pem" on the protocol node where the command is issued.

    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

    # mmuserauth service list
    The system displays output similar to this:
    
    FILE access configuration : LDAP
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_ANONYMOUS_BIND    false
    ENABLE_SERVER_TLS        true
    ENABLE_KERBEROS          false
    USER_NAME                cn=ldapuser,dc=example,dc=com
    SERVERS                  myLDAPserver
    NETBIOS_NAME             specscale
    BASE_DN                  dc=example,dc=com
    USER_DN                  none
    GROUP_DN                 none
    NETGROUP_DN              none
    USER_OBJECTCLASS         posixAccount
    GROUP_OBJECTCLASS        posixGroup
    USER_NAME_ATTRIB         cn
    USER_ID_ATTRIB           uid
    KERBEROS_SERVER          none
    KERBEROS_REALM           none
    
    OBJECT access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
    
    
  7. To configure LDAP-based authentication with Kerberos for file access, issue this command:
    # mmuserauth service create --type ldap --data-access-method file
    --servers myLDAPserver --base-dn dc=example,dc=com
    --user-name cn=ldapuser,dc=example,dc=com 
    --netbios-name specscale --enable-kerberos
    --kerberos-server myKerberosServer  --kerberos-realm MYREAL.com
    
    The system displays output similar to this:
    
    File Authentication configuration completed successfully.
    Note: Before issuing the mmuserauth service create command to configure LDAP with Kerberos, ensure that the keytab file is placed in the /var/mmfs/tmp directory with the name krb5_scale.keytab on the node where the command is run.

    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

    # mmuserauth service list
    The system displays output similar to this:
    FILE access configuration : LDAP
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_ANONYMOUS_BIND    false
    ENABLE_SERVER_TLS        false
    ENABLE_KERBEROS          true
    USER_NAME                cn=ldapuser,dc=example,dc=com
    SERVERS                  myLDAPserver
    NETBIOS_NAME             specscale
    BASE_DN                  dc=example,dc=com
    USER_DN                  none
    GROUP_DN                 none
    NETGROUP_DN              none
    USER_OBJECTCLASS         posixAccount
    GROUP_OBJECTCLASS        posixGroup
    USER_NAME_ATTRIB         cn
    USER_ID_ATTRIB           uid
    KERBEROS_SERVER          myKerberosServer
    KERBEROS_REALM           MYREAL.com
    
    OBJECT access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
    
  8. To configure LDAP with TLS and Kerberos for file access, issue this command:
    # mmuserauth service create --type ldap --data-access-method file
    --servers myLDAPserver --base-dn dc=example,dc=com
    --user-name cn=ldapuser,dc=example,dc=com 
    --netbios-name specscale --enable-server-tls --enable-kerberos
          --kerberos-server myKerberosServer --kerberos-realm MYREAL.com
    
    The system displays output similar to this:
    
    File Authentication configuration completed successfully.

    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

    # mmuserauth service list
    The system displays output similar to this:
    FILE access configuration : LDAP
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_ANONYMOUS_BIND    false
    ENABLE_SERVER_TLS        true
    ENABLE_KERBEROS          true
    USER_NAME                cn=ldapuser,dc=example,dc=com
    SERVERS                  myLDAPserver
    NETBIOS_NAME             specscale
    BASE_DN                  dc=example,dc=com
    USER_DN                  none
    GROUP_DN                 none
    NETGROUP_DN              none
    USER_OBJECTCLASS         posixAccount
    GROUP_OBJECTCLASS        posixGroup
    USER_NAME_ATTRIB         cn
    USER_ID_ATTRIB           uid
    KERBEROS_SERVER          myKerberosServer
    KERBEROS_REALM           MYREAL.com
    
    OBJECT access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
    
  9. To configure LDAP without TLS and without Kerberos for file access, issue this command:
    # mmuserauth service create --type ldap --data-access-method file
    --servers myLDAPserver --base-dn dc=example,dc=com --user-name
    cn=ldapuser,dc=example,dc=com  --netbios-name specscale
    
    The system displays output similar to this:
    
    File Authentication configuration completed successfully.

    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

    # mmuserauth service list
    The system displays output similar to this:
    FILE access configuration : LDAP
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_ANONYMOUS_BIND    false
    ENABLE_SERVER_TLS        false
    ENABLE_KERBEROS          false
    USER_NAME                cn=ldapuser,dc=example,dc=com
    SERVERS                  myLDAPserver
    NETBIOS_NAME             specscale
    BASE_DN                  dc=example,dc=com
    USER_DN                  none
    GROUP_DN                 none
    NETGROUP_DN              none
    USER_OBJECTCLASS         posixAccount
    GROUP_OBJECTCLASS        posixGroup
    USER_NAME_ATTRIB         cn
    USER_ID_ATTRIB           uid
    KERBEROS_SERVER          none
    KERBEROS_REALM           none
    
    OBJECT access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
    
  10. To configure NIS-based authentication for file access, issue this command:
    # mmuserauth service create --type nis --data-access-method file
    --servers myNISserver --domain nisdomain
    
    The system displays output similar to this:
    
    File Authentication configuration completed successfully.

    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

    # mmuserauth service list
    The system displays output similar to this:
    FILE access configuration : NIS
    PARAMETERS               VALUES
    -------------------------------------------------
    SERVERS                  myNISserver
    DOMAIN                   nisdomain
    
    OBJECT access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
    
    Note: NIS authentication is not supported for RHEL 9.
  11. To configure user-defined authentication for file access, issue this command:
    # mmuserauth service create --data-access-method file --type userdefined
    The system displays output similar to this:
    File Authentication configuration completed successfully.

    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

    # mmuserauth service list
    The system displays output similar to this:
    FILE access configuration : USERDEFINED
    PARAMETERS               VALUES
    -------------------------------------------------
    OBJECT access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
    
  12. To configure local authentication for object access, issue this command:
    # mmuserauth service create --data-access-method object --type local
    --ks-dns-name ksDNSname --ks-admin-user admin
    
    The system displays output similar to this:
    Object configuration with local (Database) as identity backend is completed
    successfully.
    Object Authentication configuration completed successfully.
    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
    # mmuserauth service list
    The system displays output similar to this:
    FILE access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
    
    OBJECT access configuration : LOCAL
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_KS_SSL            false
    ENABLE_KS_CASIGNING      false
    KS_ADMIN_USER            admin
    
  13. To configure AD without TLS authentication for object access, issue this command:
    # mmuserauth service create --type ad --data-access-method object
    --user-name "cn=adUser,cn=Users,dc=example,dc=com"  --base-dn "dc=example,DC=com" 
    --ks-dns-name ksDNSname --ks-admin-user admin --servers myADserver --user-id-attrib cn
    --user-name-attrib sAMAccountName --user-objectclass organizationalPerson --user-dn "cn=Users,dc=example,dc=com"
    --ks-swift-user swift 
    The system displays output similar to this:
    Object configuration with LDAP (Active Directory) as identity backend is completed
    successfully.
    Object Authentication configuration completed successfully.

    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

    # mmuserauth service list
    The system displays output similar to this:
    FILE access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
    
    OBJECT access configuration: AD
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_ANONYMOUS_BIND    false
    ENABLE_SERVER_TLS        false
    ENABLE_KS_SSL            false
    USER_NAME                cn=adUser,cn=Users,dc=example,dc=com
    SERVERS                  myADserver
    BASE_DN                  dc=IBM,DC=local
    USER_DN                  cn=users,dc=example,dc=com
    USER_OBJECTCLASS         organizationalPerson
    USER_NAME_ATTRIB         sAMAccountName
    USER_ID_ATTRIB           cn
    USER_MAIL_ATTRIB         mail
    USER_FILTER              none
    ENABLE_KS_CASIGNING      false
    KS_ADMIN_USER            admin
    
  14. To configure AD with TLS authentication for object access, issue this command:
    # mmuserauth service create --type ad --data-access-method object
    --user-name "cn=adUser,cn=Users,dc=example,dc=com"  --base-dn
    "dc=example,DC=com" --enable-server-tls --ks-dns-name ksDNSname --ks-admin-user admin --servers
    myADserver --user-id-attrib cn --user-name-attrib sAMAccountName --user-objectclass organizationalPerson
    --user-dn "cn=Users,dc=example,dc=com" --ks-swift-user swift 
    The system displays output similar to this:
    Object configuration with LDAP (Active Directory) as identity backend is completed
    successfully.
    Object Authentication configuration completed successfully.

    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

    # mmuserauth service list
    The system displays output similar to this:
    FILE access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
    OBJECT access configuration: AD
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_ANONYMOUS_BIND    false
    ENABLE_SERVER_TLS        true
    ENABLE_KS_SSL            false
    USER_NAME                cn=adUser,cn=Users,dc=example,dc=com
    SERVERS                  myADserver
    BASE_DN                  dc=IBM,DC=com
    USER_DN                  cn=users,dc=example,dc=com
    USER_OBJECTCLASS         organizationalPerson
    USER_NAME_ATTRIB         sAMAccountName
    USER_ID_ATTRIB           cn
    USER_MAIL_ATTRIB         mail
    USER_FILTER              none
    ENABLE_KS_CASIGNING      false
    KS_ADMIN_USER            admin
    
  15. To configure LDAP-based authentication for object access, issue this command:
    # mmuserauth service create --type ldap --data-access-method object
    --user-name "cn=ldapuser,dc=example,dc=com" 
    --base-dn dc=example,dc=com --ks-dns-name ksDNSname --ks-admin-user admin 
    --servers myLDAPserver --user-dn "ou=People,dc=example,dc=com"
    --ks-swift-user swift 
    The system displays output similar to this:
    Object configuration with LDAP as identity backend is completed successfully.
    Object Authentication configuration completed successfully.

    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

    # mmuserauth service list
    The system displays output similar to this:
    FILE access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
    OBJECT access configuration : LDAP
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_SERVER_TLS        false
    ENABLE_KS_SSL            false
    USER_NAME                cn=ldapuser,dc=example,dc=com
    SERVERS                  myLDAPserver
    BASE_DN                  dc=example,dc=com
    USER_DN                  ou=people,dc=example,dc=com
    USER_OBJECTCLASS         posixAccount
    USER_NAME_ATTRIB         cn
    USER_ID_ATTRIB           uid
    USER_MAIL_ATTRIB         mail
    USER_FILTER              none
    ENABLE_KS_CASIGNING      false
    KS_ADMIN_USER            admin
    
  16. To configure LDAP with TLS-based authentication for object access, issue this command:
    # mmuserauth service create --type ldap --data-access-method object
    --user-name "cn=ldapuser,dc=example,dc=com" 
    --base-dn dc=example,dc=com --enable-server-tls
    --ks-dns-name ksDNSname --ks-admin-user admin --servers myLDAPserver
    --user-dn "ou=People,dc=example,dc=com" --ks-swift-user swift
    
    The system displays output similar to this:
    Object configuration with LDAP as identity backend is completed successfully.
    Object Authentication configuration completed successfully.
    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
    # mmuserauth service list
    The system displays output similar to this:
    FILE access not configured
    PARAMETERS               VALUES
    -------------------------------------------------
    
    OBJECT access configuration : LDAP
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_SERVER_TLS        true
    ENABLE_KS_SSL            false
    USER_NAME                cn=ldapuser,dc=example,dc=com
    SERVERS                  myLDAPserver
    BASE_DN                  dc=example,dc=com
    USER_DN                  ou=people,dc=example,dc=com
    USER_OBJECTCLASS         posixAccount
    USER_NAME_ATTRIB         cn
    USER_ID_ATTRIB           uid
    USER_MAIL_ATTRIB         mail
    USER_FILTER              none
    ENABLE_KS_CASIGNING      false
    KS_ADMIN_USER            admin
    
  17. To remove the authentication method that is configured for file access, issue this command:
    # mmuserauth service remove --data-access-method file
    The system displays output similar to this:
    mmuserauth service remove: Command successfully completed
    Note: Authentication configuration and ID maps cannot be deleted together. To remove ID maps, remove the authentication configuration first and then remove ID maps. Also, you cannot delete ID maps that are used for file and object access together. That is, when you delete the ID maps, the value that is specified for --data-access-method must be either file or object.
  18. To remove the authentication method that is configured for object access, issue this command:
    # mmuserauth service remove --data-access-method object
    The system displays output similar to this:
    mmuserauth service remove: Command successfully completed 
    Note: Authentication configuration and ID maps cannot be deleted together. To remove ID maps, remove the authentication configuration first and then remove the ID maps. Also, you cannot delete ID maps that are used for file and object access together. That is, when you delete the ID maps, the value that is specified for --data-access-method must be either file or object.
  19. To check whether the authentication configuration is consistent across the cluster and the required services are enabled and running, issue this command:
     mmuserauth service check --data-access-method file --nodes cesNodes  --server-reachability
    The system displays output similar to this:
     
             Userauth file check on node: node1
                       Checking SSSD_CONF: OK
                       Checking nsswitch file: OK
                       Checking Pre-requisite Packages: OK
             LDAP servers status
                       LDAP server myLdapServer : OK
             Service 'sssd' status: OK
    
             Userauth file check on node: node2
                       Checking SSSD_CONF: OK
                       Checking nsswitch file: OK
                       Checking Pre-requisite Packages: OK
             LDAP servers status
                       LDAP server myLdapServer : OK
             Service 'sssd' status: OK
  20. To check whether the file authentication configuration is consistent across the cluster and the required services are enabled and running, and if you want to correct the situation, issue this command:
    mmuserauth service check --data-access-method file --nodes cesNodes  --rectify
  21. To check that all object configuration files (including certificates) are present, and to rectify the situation if they are not, issue this command:
    # mmuserauth service check --data-access-method object --rectify
    The system displays output similar to this:
    Userauth object check on node: node1
    Checking keystone.conf: OK
    Checking /etc/keystone/ssl/certs/signing_cert.pem: OK
    Checking /etc/keystone/ssl/private/signing_key.pem: OK
    Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK
    Checking /etc/keystone/ssl/certs/object_ldap_cacert.pem: OK
    Service 'openstack-keystone' status: OK
    
  22. To check if the external authentication server is reachable by each protocol node, use the following command:
    mmuserauth service check --server-reachability
    1. If file is not configured, object is configured, and there are no errors, the system displays output similar to this:
      Userauth object check on node: node1
      	Checking keystone.conf: OK
      	Checking wsgi-keystone.conf: OK
      	Checking /etc/keystone/ssl/certs/signing_cert.pem: OK
      	Checking /etc/keystone/ssl/private/signing_key.pem: OK
      	Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK
      
      LDAP servers status
      	LDAP server myLDAPserver : OK
      Service 'httpd' status: OK
      
    2. If file is not configured, object is configured, and there is a single error, the system displays output similar to this:
      Userauth object check on node: node1
      	Checking keystone.conf: OK
      	Checking wsgi-keystone.conf: OK
      	Checking /etc/keystone/ssl/certs/signing_cert.pem: OK
      	Checking /etc/keystone/ssl/private/signing_key.pem: OK
      	Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK
      
      LDAP servers status
      	LDAP server myLDAPserver : ERROR
      Service 'httpd' status: OK
      
      
    3. If file and object are configured and there are no errors, the system displays output similar to this:
      Userauth file check on node: node1
      	Checking nsswitch file: OK
             Checking Pre-requisite Packages: OK
             Checking SRV Records lookup: OK
      
      Domain Controller status
      	NETLOGON connection: OK, connection to DC: win2k16.example.com
      	Domain join status: OK
      	Machine password status: OK
      Service 'gpfs-winbind' status: OK
      
      Userauth object check on node: node1
      	Checking keystone.conf: OK
      	Checking wsgi-keystone.conf: OK
      	Checking /etc/keystone/ssl/certs/signing_cert.pem: OK
      	Checking /etc/keystone/ssl/private/signing_key.pem: OK
      	Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK
      
      LDAP servers status
      	LDAP server myLDAPserver : OK
      Service 'httpd' status: OK
      
    4. If file and object are configured and there is a single error, the system displays output similar to this:
      
      Userauth file check on node: node1
      	Checking nsswitch file: OK
             Checking Pre-requisite Packages: OK
             Checking SRV Records lookup: OK
      
      Domain Controller status
      	NETLOGON connection: OK, connection to DC: WIN8-12Up.example.com
      	Domain join status: OK
      	Machine password status: ERROR
      Service 'gpfs-winbind' status: OK
      
      Userauth object check on node: node1
      	Checking keystone.conf: OK
      	Checking wsgi-keystone.conf: OK
      	Checking /etc/keystone/ssl/certs/signing_cert.pem: OK
      	Checking /etc/keystone/ssl/private/signing_key.pem: OK
      	Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK
      
      LDAP servers status
      	LDAP server myLDAPserver : OK
      
    5. If file and object are configured and there are multiple errors, the system displays output similar to this:
      Userauth file check on node: node1
      	Checking nsswitch file: OK
             Checking Pre-requisite Packages: OK
             Checking SRV Records lookup: OK
      
      Domain Controller status
      	NETLOGON connection: ERROR (DC not found)
      	Domain join status: ERROR
      	Machine password status: ERROR
      Service 'gpfs-winbind' status: OK
      
      Userauth object check on node: node1
      	Checking keystone.conf: OK
      	Checking wsgi-keystone.conf: OK
      	Checking /etc/keystone/ssl/certs/signing_cert.pem: OK
      	Checking /etc/keystone/ssl/private/signing_key.pem: OK
      	Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK
      
      LDAP servers status
      	LDAP server myLDAPserver : ERROR
      Service 'httpd' status: OK
      
      Note: The --rectify or -r option cannot fix server reachability errors. Specifying that option with --server-reachability may fix the erroneous config files and service-related errors only.
  23. To configure AD authentication by using a password file for File protocol configuration, use the following command:
    mmuserauth service create  --type ad --data-access-method file
     --netbios-name test --user-name administrator 
    --idmap-role master --servers myADServer
     --pwd-file fileauth
    Contents of fileauth saved at /var/mmfs/ssl/keyServ/tmp/ are:
    %fileauth:       
    password=Passw0rd
    Here, Passw0rd is the password for the user to bind with the authentication server.
  24. To configure AD authentication by using a password file for Object protocol configuration, use the following command:
    mmuserauth service create --type ad --data-access-method object
     --base-dn "dc=example,DC=com"  --servers myADserver --user-id-attrib cn
    --user-name-attrib sAMAccountName --user-objectclass organizationalPerson 
    --user-dn "cn=Users,dc=example,dc=com"  --pwd-file objectauth
    Contents of objectauth saved at /var/mmfs/ssl/keyServ/tmp/ are:
    %objectauth:  
    password=Passw0rd
    ksAdminPwd=Passw0rd1
    ksSwiftPwd=Passw0rd2
    Here, Passw0rd is the password for the user to bind with the authentication server. Passw0rd1 is the Keystone administrator's password, and Passw0rd2 is the Swift Service user's password.
  25. To check whether the DNS configuration is correct when the cluster is already configured with AD authentication for file access, issue this command:
    mmuserauth service check --data-access-method file --nodes cesNodes
    If the DNS configuration is valid, the system displays output similar to this:
    
        Userauth file check on node: node1
                       Checking nsswitch file: OK
                       Checking Pre-requisite Packages: OK
                       Checking SRV Records lookup: OK
        Service 'gpfs-winbind' status: OK
    
        Userauth file check on node: node2
                       Checking nsswitch file: OK
                       Checking Pre-requisite Packages: OK
                       Checking SRV Records lookup: OK
        Service 'gpfs-winbind' status: OK
    If the DNS configuration is incorrect, the system displays output similar to this:
    
       Userauth file check on node: node1
                   Checking nsswitch file: OK
                   Checking Pre-requisite Packages: OK
                   Checking SRV Records lookup: ERROR (Make sure Domain Controller 
       can be looked up from this node. Validate correct DNS server is populated in network configuration.)
       Found errors in configuration.
    
       Userauth file check on node: node2
                   Checking nsswitch file: OK
                   Checking Pre-requisite Packages: OK
                   Checking SRV Records lookup: ERROR (Make sure Domain Controller
       can be looked up from this node. Validate correct DNS server is populated in network configuration.)
            Found errors in configuration.
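    As an added example (not from the IBM documentation), the following Python parses the per-node report that mmuserauth service check prints in example 25 and flags the nodes whose checks report ERROR, so the report can feed monitoring; the sample output and the function names are constructed.

```python
import re

# Constructed sample, modelled on the 'mmuserauth service check' output in
# example 25: node1 is healthy, node2 cannot resolve the domain controller.
SAMPLE_CHECK = """\
Userauth file check on node: node1
               Checking nsswitch file: OK
               Checking Pre-requisite Packages: OK
               Checking SRV Records lookup: OK
Service 'gpfs-winbind' status: OK

Userauth file check on node: node2
           Checking nsswitch file: OK
           Checking Pre-requisite Packages: OK
           Checking SRV Records lookup: ERROR (Make sure Domain Controller
can be looked up from this node. Validate correct DNS server is populated in network configuration.)
Found errors in configuration.
"""

NODE_RE = re.compile(r'^Userauth file check on node: (\S+)$')
CHECK_RE = re.compile(r"^(Checking .+?|Service '.+?' status): (OK|ERROR)(.*)$")


def parse_check_output(text):
    """Return {node: [(check, status, detail), ...]} from the check report."""
    report, node = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := NODE_RE.match(line):
            node = m.group(1)
            report[node] = []
        elif (m := CHECK_RE.match(line)) and node is not None:
            report[node].append([m.group(1), m.group(2), m.group(3).strip()])
        elif node and report[node] and report[node][-1][1] == 'ERROR' \
                and line and not line.startswith('Found errors'):
            # the parenthesised ERROR explanation wraps onto the next line(s)
            report[node][-1][2] += ' ' + line
    return {n: [tuple(c) for c in checks] for n, checks in report.items()}


def failing_nodes(report):
    """Map each node with at least one ERROR to the names of its failed checks."""
    return {n: [name for name, status, _ in checks if status == 'ERROR']
            for n, checks in report.items()
            if any(status == 'ERROR' for _, status, _ in checks)}


if __name__ == '__main__':
    for node, failed in failing_nodes(parse_check_output(SAMPLE_CHECK)).items():
        print(f'{node}: {", ".join(failed)}')
```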
  26. To configure Microsoft Active Directory (AD)-based authentication when the time difference between the node and the domain controller is more than five minutes, run the following command:
    mmuserauth service create --type ad --data-access-method file --netbios-name
       specscale --user-name adUser --idmap-role master --servers myADserver
       --idmap-range-size 1000000 --idmap-range 10000000-299999999
    The system displays output similar to this:
    
       WARNING: Time difference between current node and domain controller is 4073 seconds.
       It is greater than max allowed clock skew 300 seconds.
       File Authentication configuration completed successfully.
    
  27. To configure LDAP-based authentication for file access with an IPv6 address of the authentication server, issue this command:
    # mmuserauth service create --type ldap --data-access-method file --servers
    [2001:192::e61f:122:feb7:5df0] --base-dn dc=example,dc=com --user-name
    cn=ldapuser,dc=example,dc=com --netbios-name specscale
    The system displays output similar to this:
    File Authentication configuration completed successfully.

    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

    # mmuserauth service list
    The system displays output similar to this:
    FILE access configuration : LDAP
        PARAMETERS               VALUES                   
        -------------------------------------------------
        ENABLE_SERVER_TLS        false                    
        ENABLE_KERBEROS          false                    
        USER_NAME                cn=ldapuser,dc=example,dc=com
        SERVERS                  [2001:192::e61f:122:feb7:5df0]
        NETBIOS_NAME             specscale                
        BASE_DN                  dc=example,dc=com          
        USER_DN                  none                     
        GROUP_DN                 none                     
        NETGROUP_DN              none                     
        USER_OBJECTCLASS         posixAccount             
        GROUP_OBJECTCLASS        posixGroup               
        USER_NAME_ATTRIB         cn                       
        USER_ID_ATTRIB           uid                      
        KERBEROS_SERVER          none                     
        KERBEROS_REALM           none                     
    
        OBJECT access not configured
        PARAMETERS               VALUES                   
        -------------------------------------------------
      
  28. To configure LDAP-based authentication with TLS encryption for file access with an IPv6 address of the authentication server, issue this command:
    mmuserauth service create --type ldap --data-access-method file --servers 
    [2001:192::e61f:122:feb7:5df0] --base-dn dc=example,dc=com --user-name 
    cn=ldapuser,dc=example,dc=com --netbios-name specscale --enable-server-tls
    The system displays output similar to this:
    File Authentication configuration completed successfully.

    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

    # mmuserauth service list
    The system displays output similar to this:
    FILE access configuration : LDAP
        PARAMETERS               VALUES                   
        -------------------------------------------------
        ENABLE_SERVER_TLS        true                    
        ENABLE_KERBEROS          false                    
        USER_NAME                cn=ldapuser,dc=example,dc=com
        SERVERS                  [2001:192::e61f:122:feb7:5df0]
        NETBIOS_NAME             specscale                
        BASE_DN                  dc=example,dc=com          
        USER_DN                  none                     
        GROUP_DN                 none                     
        NETGROUP_DN              none                     
        USER_OBJECTCLASS         posixAccount             
        GROUP_OBJECTCLASS        posixGroup               
        USER_NAME_ATTRIB         cn                       
        USER_ID_ATTRIB           uid                      
        KERBEROS_SERVER          none                     
        KERBEROS_REALM           none                     
    
        OBJECT access not configured
        PARAMETERS               VALUES                   
        -------------------------------------------------
  29. To configure LDAP-based authentication with Kerberos for file access with an IPv6 address of the authentication server, issue this command:
    mmuserauth service create --type ldap --data-access-method file --servers 
    [2001:192::e61f:122:feb7:5df0] --base-dn dc=example,dc=com --user-name 
    cn=ldapuser,dc=example,dc=com --netbios-name specscale --enable-kerberos --kerberos-server 
    [2001:192::e61f:122:feb7:5dc0] --kerberos-realm MYREALM.com
    The system displays output similar to this:
    File Authentication configuration completed successfully.

    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

    # mmuserauth service list
    The system displays output similar to this:
    FILE access configuration : LDAP
        PARAMETERS               VALUES                   
        -------------------------------------------------
        ENABLE_SERVER_TLS        false                    
        ENABLE_KERBEROS          true                    
        USER_NAME                cn=ldapuser,dc=example,dc=com
        SERVERS                  [2001:192::e61f:122:feb7:5df0]
        NETBIOS_NAME             specscale                
        BASE_DN                  dc=example,dc=com          
        USER_DN                  none                     
        GROUP_DN                 none                     
        NETGROUP_DN              none                     
        USER_OBJECTCLASS         posixAccount             
        GROUP_OBJECTCLASS        posixGroup               
        USER_NAME_ATTRIB         cn                       
        USER_ID_ATTRIB           uid                      
        KERBEROS_SERVER          [2001:192::e61f:122:feb7:5dc0]                     
        KERBEROS_REALM           MYREALM.com                     
    
        OBJECT access not configured
        PARAMETERS               VALUES                   
        -------------------------------------------------
  30. To configure Microsoft Active Directory (AD)-based authentication with the automatic ID mapping for file access with an IPv6 address of the authentication server, issue this command:
    mmuserauth service create --type ad --data-access-method file --servers 
    [2001:192::e61f:122:feb7:5df0] --netbios-name specscale --user-name 
    adUser --idmap-role master --idmap-range-size 1000000 --idmap-range 10000000-299999999
    The system displays output similar to this:
    File Authentication configuration completed successfully.

    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

    # mmuserauth service list
    The system displays output similar to this:
    FILE access configuration : AD
        PARAMETERS               VALUES                   
        -------------------------------------------------
        ENABLE_NFS_KERBEROS      false                    
        SERVERS                  "*"                      
        USER_NAME                adUser$             
        NETBIOS_NAME             specscale              
        IDMAP_ROLE               master                   
        IDMAP_RANGE              10000000-299999999       
        IDMAP_RANGE_SIZE         1000000                  
        UNIXMAP_DOMAINS          none                     
        LDAPMAP_DOMAINS          none                     
    
        OBJECT access not configured
        PARAMETERS               VALUES                   
        -------------------------------------------------
  31. To configure Microsoft Active Directory (AD)-based authentication with RFC2307 ID mapping for file access with an IPv6 address of the authentication server, issue this command:
    mmuserauth service create --type ad --data-access-method file --servers 
    [2001:192::e61f:122:feb7:5df0] --netbios-name specscale --user-name 
    adUser --idmap-role master --unixmap-domains 'TESTDOMAIN(10000-50000:win)'
    The system displays output similar to this:
    File Authentication configuration completed successfully.

    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

    # mmuserauth service list
    The system displays output similar to this:
    FILE access configuration : AD
        PARAMETERS               VALUES                   
        -------------------------------------------------
        ENABLE_NFS_KERBEROS      false                    
        SERVERS                  "*"                      
        USER_NAME                adUser$             
        NETBIOS_NAME             specscale              
        IDMAP_ROLE               master                   
        IDMAP_RANGE              10000000-299999999       
        IDMAP_RANGE_SIZE         1000000                  
        UNIXMAP_DOMAINS          TESTDOMAIN(10000-50000:win)                     
        LDAPMAP_DOMAINS          none                     
    
        OBJECT access not configured
        PARAMETERS               VALUES                   
        -------------------------------------------------
    
  32. To configure Microsoft Active Directory (AD)-based authentication with LDAP ID mapping for file access with an IPv6 address of the authentication server, issue this command:
    mmuserauth service create --type ad --data-access-method file --servers 
    [2001:192::e61f:122:feb7:5df0] --netbios-name specscale --user-name 
    adUser --idmap-role master --ldapmap-domains "TESTDOMAIN(type=stand-alone: range=1000-10000:ldap_srv=[2001:192::e61f:122:feb7:5bf0]: 
    usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example, 
    dc=com:bind_dn=cn=ldapuser,dc=example,dc=com:bind_dn_pwd=password)"
    The system displays output similar to this:
    File Authentication configuration completed successfully.

    To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:

    # mmuserauth service list
    The system displays output similar to this:
    FILE access configuration : AD
        PARAMETERS               VALUES                   
        -------------------------------------------------
        ENABLE_NFS_KERBEROS      false                    
        SERVERS                  "*"                      
        USER_NAME                adUser$             
        NETBIOS_NAME             specscale              
        IDMAP_ROLE               master                   
        IDMAP_RANGE              10000000-299999999       
        IDMAP_RANGE_SIZE         1000000                  
        UNIXMAP_DOMAINS          none                     
        LDAPMAP_DOMAINS          TESTDOMAIN(type=stand-alone: range=1000-10000:
        ldap_srv=[2001:192::e61f:122:feb7:5bf0]:usr_dn=ou=People,dc=example,dc=com:grp_dn=
        ou=Groups,dc=example,dc=com:bind_dn=cn=ldapuser,dc=example,dc=com)                     
    
        OBJECT access not configured
        PARAMETERS               VALUES                   
        -------------------------------------------------
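    As an added example that is not part of the IBM documentation, the following Python parses the human-readable mmuserauth service list output of examples 27 to 32 (including a LDAPMAP_DOMAINS value that wraps over several lines) and splits the domain specification on colons while keeping bracketed IPv6 literals whole, so a configuration audit can confirm which mapping server and bind DN are in effect and that no bind password is echoed; the sample text and the function names are constructed.

```python
import re

# Constructed sample modelled on the 'mmuserauth service list' output in example 32.
SAMPLE_LIST = """\
FILE access configuration : AD
    PARAMETERS               VALUES
    -------------------------------------------------
    SERVERS                  "*"
    LDAPMAP_DOMAINS          TESTDOMAIN(type=stand-alone: range=1000-10000:
    ldap_srv=[2001:192::e61f:122:feb7:5bf0]:usr_dn=ou=People,dc=example,dc=com:grp_dn=
    ou=Groups,dc=example,dc=com:bind_dn=cn=ldapuser,dc=example,dc=com)
    OBJECT access not configured
"""

HEADER_RE = re.compile(r'^(FILE|OBJECT) access (?:configuration : (\S+)|not configured)$')
PARAM_RE = re.compile(r'^([A-Z_]+)\s{2,}(.*)$')


def parse_service_list(text):
    """Map each access method to its PARAMETERS/VALUES, joining wrapped values."""
    sections, cur, key = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HEADER_RE.match(line):
            cur = sections.setdefault(m.group(1), {'TYPE': m.group(2) or 'none'})
            key = None
        elif not line or line.startswith(('PARAMETERS', '---')) or cur is None:
            continue
        elif m := PARAM_RE.match(line):
            key = m.group(1)
            cur[key] = m.group(2).strip()
        elif key:  # a long value (LDAPMAP_DOMAINS) wrapped onto the next line
            cur[key] += line
    return sections


def split_outside_brackets(spec, sep=':'):
    """Split on sep, except inside [...] so bracketed IPv6 literals stay whole."""
    parts, depth, cur = [], 0, ''
    for ch in spec:
        depth += (ch == '[') - (ch == ']')
        if ch == sep and depth == 0:
            parts.append(cur.strip())
            cur = ''
        else:
            cur += ch
    return parts + [cur.strip()]


def parse_ldapmap_domain(spec):
    """'DOMAIN(key=value:key=value...)' -> (domain, {key: value})."""
    name, _, body = spec.partition('(')
    pairs = (part.partition('=') for part in split_outside_brackets(body.rstrip(')')))
    return name.strip(), {k.strip(): v.strip() for k, _, v in pairs}
```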

Location

/usr/lpp/mmfs/bin