mmuserauth command
Manages the authentication configuration of file and object access protocols. The configuration allows protocol access methods to authenticate users who need to access data that is stored on the system over these protocols.
Synopsis
mmuserauth service create --data-access-method{file|object}
--type {ldap|local|ad|nis|userdefined}
--servers[IP address/hostname]
{[--pwd-file PasswordFile]--user-name | --enable-anonymous-bind}
[--base-dn]
[--enable-server-tls][--enable-ks-ssl]
[--enable-kerberos][--enable-nfs-kerberos]
[--user-dn][--group-dn][--netgroup-dn]
[--netbios-name] [--domain]
[--idmap-role{master|subordinate}][--idmap-range][--idmap-range-size]
[--user-objectclass][--group-objectclass][--user-name-attrib]
[--user-id-attrib][--user-mail-attrib][--user-filter]
[ --ks-dns-name][--ks-ext-endpoint]
[--kerberos-server][--kerberos-realm]
[--unixmap-domains] [--enable-overlapping-unixmap-ranges] [--ldapmap-domains]
Or
mmuserauth service list [-Y] [ --data-access-method {file|object|all}]
Or
mmuserauth service check [ --data-access-method {file|object|all}] [-r|--rectify]
[-N|--nodes {node-list|cesNodes}][--server-reachability]
Or
mmuserauth service remove --data-access-method {file|object|all}[--idmapdelete]
Availability
Available on all IBM Storage Scale editions.
Description
Use the mmuserauth commands to create and manage IBM Storage Scale protocol authentication and ID mappings.
Parameters
- service
- Manages the authentication configuration of file and object access protocols with one of the
following actions:
- create
- Configures authentication for file and object access protocols. The authentication method for file and object access protocols cannot be configured together. The mmuserauth service create command needs to be submitted separately for configuring authentication for the file and object access protocols each.
- list
- Displays the details of the authentication method that is configured for both file and object access protocols.
- check
- Verifies the authentication method configuration details for file and object access protocols. Validates the connectivity to the configured authentication servers. It also supports corrections to the configuration details on the erroneously configured protocol nodes.
- remove
- Removes the authentication method configuration of file and object access protocols and ID maps
if any.
If you plan to remove both, authentication method configuration and ID maps, remove authentication method configuration followed by the removal of ID maps. That is, at first you need to submit the mmuserauth service remove command without the --idmapdelete option to remove the authentication method configuration and then submit the same command with the --idmapdelete option to remove ID maps.
CAUTION:Deleting the authentication method configuration with the ID maps can lead to irrecoverable loss of access to data. Use this option with proper planning.
- --data-access-method {file|object}
- Specifies the access protocols for which the authentication method needs to be configured. The
IBM Storage Scale system supports file access protocols such as
SMB and NFS along with Object access protocols to access data that is stored on the system.
The file data access method is meant for authorizing the users who access data over SMB and NFS protocols.
- --type {ldap|local|ad|nis|userdefined}
- Specifies the authentication method to be configured for accessing data over file and object
access protocols.
ldap - Defines an external LDAP server as the authentication server. This authentication type is valid for both file and object access protocols.
ad - Defines an external Microsoft Active Directory server as the authentication server. This authentication type is valid for both file and object access protocols.
local - Defines an internal database stored on IBM Storage Scale protocol nodes for authenticating user accessing data over object access protocol. This authentication type is valid for Object access protocol only.
nis - Defines an external NIS server as the authentication server. This authentication type is only valid for NFS file access protocol only. The NIS configuration with an IPv6 address is not supported.Note: NIS authentication is not supported for RHEL 9.userdefined - Defines user-defined (system administrator defined) authentication method for data access. This authentication type is valid for both file and object access protocols.
- --servers [AuthServer1[:Port],AuthServer2[:Port],AuthServer3[:Port] ...]
- Specifies the host name or IP address of the authentication server that is used for file and
object access protocols.
This option is only valid with
--type {ldap|ad|nis}
.With
--type ldap
, the input value format is "serverName/serverIP:[port]".Specifying the port value is optional. Default port is 389.
For example,
--servers ldapserver.mydomain.com:1389.
For file access protocol, multiple LDAP servers can be specified by using a comma as a separator.
For the object access protocol, only one authentication server must be specified. If multiple servers are specified by using a comma, only the first server in the list is considered as the authentication server for configuration.
With
--type ad
, the input value format is "serverName/serverIP".For example,
--servers ldapserver.mydomain.com.
For the file access protocol, only one authentication server must be specified. Specifying multiple servers is invalid. The AD server accepted while configuration is used to fetch details required for validation and configuration of the authentication method. Post successful configuration, each CES node will query DNS to lookout available Domain Controllers serving the AD domain it is joined to. Among the returned list, the node binds with the best available domain controller.
For the object access protocol, only one authentication server must be specified. If multiple servers are specified by using a comma, only the first server in the list is considered as the authentication server.
With
--type nis
, the input value format is "serverName/serverIP".For example,
--servers nisserver.mydomain.com.
Multiple NIS servers can be specified by using a comma separator. At least one of the specified servers must be available and reachable while configuring the authentication method. This is important for the verification of the specified NIS domain, against which the availability of either passwd.byname or netgroup map is validated.
When you enter an IPv6 address, ensure that the address is enclosed within square brackets to work correctly.
For example,
--servers [2001:192::e61f:122:feb7:5df5] - --base-dn ldapBase
- Specifies the LDAP base DN of the authentication server. This option is only valid with
--type {ldap|ad}
for--data-access-method
object and--type ldap
for--data-access-method
file. - --enable-anonymous-bind
- Specifies whether to enable anonymous binding with authentication server for various validation
operations.This option is valid for the following cases (if the authentication server supports anonymous binding):
--type {ldap|ad}
and--data-access-method {object}
--type {ldap}
and--data-access-method {file}
Note: This case is supported for NFS shares only.
--user-name
and password combination. - --user-name userName
- Specifies the user name to be used to perform operations against the authentication server. This
option is only valid with
--type {ldap|ad}
and--data-access-method {file|object}
.This option combined with password is mutually exclusive with
--enable-anonymous-bind
. The specified user name must have sufficient permissions to read user and group attributes from the authentication server.In case of
In case of--type {ad|ldap}
with--data-access-method
object, the user name must be specified in complete DN format.--type ad
with--data-access-method
file, the specified username is used to join the cluster to AD domain. It results in creating a machine account for the cluster based on the--netbios-name
specified in the command. After successful configuration, the cluster connects with its machine account, and not the user used during the domain join. So the specified username after domain join has no role to play in communication with the AD domain controller and can be even deleted from the AD server. The cluster can still keep using AD for authentication via the machine account created. - --pwd-file PasswordFile
- Specifies the file containing passwords of administrative users for authentication configuration
of file and object access protocols. The password file must be saved under
/var/mmfs/ssl/keyServ/tmp on the node from which you are running the command.
If this option is omitted, the command prompts for a password. The password file is a
security-sensitive file and hence, must have the following characteristics:
- It must be a regular file.
- It must be owned by the root user.
- Only the root user must have permission to read or write it.
A password file for file protocol configuration must have the following format:%fileauth: password=userpassword
where:- fileauth
- Stanza name for file protocol
- password
- Specifies the password of --user-name.
Note: With--type ad
for file authentication, the specified password is only required during the domain joining period. After joining the domain, the password of the machine account of the cluster is used for accessing Active Directory.A password file for object protocol configuration must have the following format:%objectauth: password=userpassword ksAdminPwd=ksAdminPwdpassword ksSwiftPwd=ksSwiftPwdpassword
where:- objectauth
- Stanza name for object protocol
- password
- Specifies the password of --user-name.
- ksAdminPwd
- Specifies the Keystone Administrator's password.
- ksSwiftPwd
- Specifies the Swift service user's password.
Note: Passwords cannot contain any of the following characters: / : \ @ $ { } and space.The passwords are stored in the associated Keystone and Swift configuration files. You can change these passwords by using the following commands:- To change the stored AD or LDAP password, issue the following
command:
# mmobj config change --ccrfile keystone.conf --section ldap --property password --value NewPassword
- To change the stored password for the Swift user, issue the following
command:
# mmobj config change --ccrfile proxy-server.conf --section filter:authtoken --property password --value NewPassword
- --enable-server-tls
- Specifies whether to enable TLS communication with the authentication server. With
--data-access-method object
, this option is only valid with--type {ldap|ad}
. With
, this option is only valid with--data-access-method file
--type {ldap}
.This option is disabled by default.
For file access protocol configuration, ensure that the CA certificate is placed in the /var/mmfs/tmp/ directory with the name ldap_cacert.pem on the node that the command is to be run.
For object access protocol configuration, ensure that the CA certificate is placed in the /var/mmfs/tmp/ directory with the name object_ldap_cacert.pem on the node that the command is to be run.
- --enable-nfs-kerberos
- Specifies whether to enable Kerberized logins for users gaining access by using the NFSv3 and
NFSv4 file access protocols.
This option is only valid with
--type {ad}
and--data-access-method {file}
.This option is disabled by default.
Note: Kerberized NFSv3 and NFSv4 access is only supported for users from AD domains that are configured for fetching the UID/GID information from Active Directory (RFC2307 schema attributes). Such AD domain definition is specified by using the--unixmap-domains
option. - --user-dn ldapUserDN
- Specifies the LDAP group DN. Restricts search of groups within the specified sub-tree. For CIFS access, the value of this parameter is ignored and a search is performed on the baseDN.
- --group-dn ldapGroupDN
- Specifies the LDAP group suffix. Restricts search of groups within a specified sub-tree.
- --netgroup-dn ldapGroupDN
- Specifies the LDAP netgroup suffix. The system searches the netgroups based on this suffix. The value must be specified in complete DN format.
- --user-objectclass userObjectClass
- Specifies the object class of user on the authentication server. Only users with specified object class along with other filter are treated as valid users.
- --group-objectclass groupObjectClass
- Specifies the object class of group on the authentication server. This option is only valid with
--type {ldap}
and--data-access-method {file}
. - --netbios-name netBiosName
- Specifies the unique identifier of the resources on a network that are running NetBIOS. This
option is only valid with
--type {ad|ldap}
and--data-access-method {file}
. - --domain domainName
- Specifies the name of the NIS domain. This option is only valid with
--type {nis}
and--data-access-method {file}
. - --idmap-role {master|subordinate}
- Specifies the ID map role of the IBM Storage Scale system. ID map role of a stand-alone or singular system deployment must be selected "master". The value of the ID map role is important in AFM-based deployments.
- --idmap-range lowerValue-higherValue
- Specifies the range of values from which the IBM Storage Scale UIDs and GIDs are assigned by the system to the Active
Directory users and groups. This option is only valid with
--type {ad}
and--data-access-method {file}
. The default value is 10000000-299999999. The lower value of the range must be at least 1000. After configuring the IBM Storage Scale system with AD authentication, only the higher value can be increased (this essentially increases the number of ranges). - --idmap-range-size rangeSize
- Specifies the total number of UIDs and GIDs that are assignable per domain. For example, if
--idmap-range
is defined as 10000000-299999999, and range size is defined as 1000000, 290 domains can be mapped, each consisting of 1000000 IDs. - --unixmap-domains unixDomainMap
- Specifies the AD domains for which user ID and group ID should be fetched from the AD server.
This option is only valid with
--type {ad}
and--data-access-method {file}
. The unixDomainMap takes value in this format:DOMAIN1(L1-H1:{win|unix})[;DOMAIN2(L2-H2:{win|unix})[;DOMAIN3(L3-H3:{win|unix})....]]
- DOMAIN
- Use DOMAIN to specify an AD domain for which ID mapping services are to be configured. The name of the domain to be specified must be the NetBIOS domain name. The UIDs and GIDs of the users and groups for the specified DOMAIN are read from the UNIX attributes that are populated in the RFC2307 schema extension of AD server. Any users or groups, from this domain, with missing UID/GID attributes are denied access. Use the L-H format to specify the ID range. All the users or groups from DOMAIN that need access to exports need to have their UIDs or GIDs in the specified range.
- --enable-overlapping-unixmap-ranges
- Allows overlapping ranges for multiple AD domains that are specified by using
--unixmap-domains
option. This option is only valid with--data-access-method {file}
and--type {ad}
along with--unixmap-domains
.Note: Ensure that UIDs and GIDs are unique among users and groups from different domains. ID collisions can cause data access issues and compromise data security. - --ldapmap-domains ldapDomainMap
- Specifies the AD domains for which user ID and group ID should be fetched from a separate
stand-alone LDAP server. This option is only valid with
--type {ad}
and--data-access-method {file}
. ldapDomainMap takes value of the format as follows, - --enable-kerberos
- Specifies whether to enable Kerberized logins for users who are gaining access by using file
access protocols.
This option is only valid with
--type {ldap}
and--data-access-method {file}
.This option is disabled by default.
Note: Ensure that the legitimate keytab file is placed in the /var/mmfs/tmp directory and is named as krb5_scale.keytab on the node that the authentication method configuration command is to be run. - --kerberos-server kerberosServer
- Specifies the Kerberos server. This option is only valid with
--type {ldap}
and--data-access-method {file}
. - --kerberos-realm kerberosRealm
- Indicates the Kerberos server authentication administrative domain. The realm name is usually the all-uppercase version of the domain name. This option is case-sensitive.
- --user-name-attrib UserNameAttribute
- Specifies the attribute to be used to search for user name on authentication server.
- --user-id-attrib UserIDAttribute
- Specifies the attribute to be used to search for user ID on the authentication server.
- --user-mail-attrib UserMailAttribute
- Specifies the attribute to be used to search for email on authentication server. If the
--data-access-method
is object, this option is only valid with--type {ldap|ad}
. For--data-access-method file
, this option is only valid with--type {ldap}
. Default value is mail. - --user-filter userFilter
- Specifies the additional filter to be used to search for user in the authentication server. The
filter must be specified in LDAP filter format. This option is only valid with
--type {ldap|ad}
and--data-access-method {object}
. By default, no filter is used. - --ks-dns-name keystoneDnsName
- Specifies the DNS name for keystone service. The specified name must be resolved on all protocol
nodes for proper functioning. This is optional with
--data-access-method {object}
. If the value is not specified for this parameter, the mmuserauth service create command uses the value that is used during the IBM Storage Scale system installation. - --ks-admin-user keystoneAdminName
- Specifies the Keystone server administrative user. This user must be a valid user on
authentication server if
--type {ldap|ad}
is specified. In case of--type local
, new user is created, and admin role is assigned in Keystone. This option is mandatory with--data-access-method {object}
. - --enable-ks-ssl
- Specifies whether the SSL communication must be enabled with the Keystone service. It enables a secured way to access the Keystone service over the HTTPS protocol. The default communication option with the Keystone service is over HTTP protocol, which has security risks.
- --ks-swift-user keystoneSwiftName
- Specifies the username to be used as swift user in proxy-server.conf. If AD or LDAP-based
authentication is used, this user must be available in the AD or LDAP authentication server. If
local authentication method is used, new user with this name is created in the local database This
option is only valid with
--data-access-method {object}
. - --ks-ext-endpoint externalendpoint
- Specifies the endpoint URL of external keystone. Only API v3 and HTTP are supported. This option
is only valid with
--data-access-method {object}
and--type {userdefined}
- --idmapdelete
- Specifies whether to delete the current ID maps (SID to UID/GID mappings) from the ID mapping
databases for the file access method and user-role-project-domain mappings stored in local keystone
database for object access method.
This option is only valid with the mmuserauth service remove command. Unless the --data-access-method parameter is specified on the command line, ID maps for file and object access protocols are erased by default. To delete the ID maps of a particular access protocol, explicitly specify the --data-access-method parameter on command line along with the valid access protocol name.
The authentication method configuration and ID maps cannot be deleted together. The authentication method configuration must be deleted before the ID maps.
CAUTION:Deleting ID maps can lead to irrecoverable loss of access to data. Use this option with proper planning. - -N|--nodes{node-list|cesNodes}
- Verifies the authentication configuration on each node. If the specified node is not protocol node, it is ignored. If protocol node is specified, then the system checks configuration on all protocol nodes. If you do not specify a node, the system checks the configuration of only the current node.
- -Y
- Displays the command output in a parseable format with a colon (:) as a field
delimiter. Each column is described by a header.Note: Fields that have a colon (:) are encoded to prevent confusion. For the set of characters that might be encoded, see the command documentation of mmclidecode. Use the mmclidecode command to decode the field.
- -r|--rectify
- Rectifies the authentication configurations and missing SSL and TLS certificates.
- --server-reachability
- Without this flag, the mmuserauth service check command only validates whether the authentication configuration files are consistent across the protocol nodes. Use this flag to ensure if the external authentication server is reachable by each protocol node.
- 0
- Successful completion.
- nonzero
- A failure has occurred.
Security
You must have root authority to run the mmuserauth command.
The node on which the command is issued must be able to run remote shell commands on any other node in the cluster without the use of a password and without producing any extraneous messages. For more information, see Requirements for administering a GPFS file system.
Examples
- To configure Microsoft Active Directory (AD) based
authentication with automatic ID mapping for file access, issue this
command:
The system displays output similar to this:# mmuserauth service create --type ad --data-access-method file --netbios-name specscale --user-name adUser --idmap-role master --servers myADserver --idmap-range-size 1000000 --idmap-range 10000000-299999999
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:File Authentication configuration completed successfully.
The system displays output similar to this:# mmuserauth service list
FILE access configuration : AD PARAMETERS VALUES ------------------------------------------------- ENABLE_NFS_KERBEROS false SERVERS
"*"
USER_NAMEspecscale$
NETBIOS_NAME specscale IDMAP_ROLE master IDMAP_RANGE 10000000-299999999 IDMAP_RANGE_SIZE 1000000 UNIXMAP_DOMAINS none LDAPMAP_DOMAINS none OBJECT access not configured PARAMETERS VALUES ------------------------------------------------- - To configure Microsoft Active Directory (AD) based
authentication with RFC2307 ID mapping for file access, issue this
command:
The system displays output similar to this:# mmuserauth service create --type ad --data-access-method file --netbios-name specscale --user-name adUser --idmap-role master --servers myAdserver --idmap-range-size 1000000 --idmap-range 10000000-299999999 --unixmap-domains 'DOMAIN(5000-20000:win)'
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
The system displays output similar to this:# mmuserauth service list
FILE access configuration : AD PARAMETERS VALUES ------------------------------------------------- ENABLE_NFS_KERBEROS false SERVERS
"*"
USER_NAMEspecscale$
NETBIOS_NAME specscale IDMAP_ROLE master IDMAP_RANGE 10000000-299999999 IDMAP_RANGE_SIZE 1000000 UNIXMAP_DOMAINS DOMAIN(5000-20000:win) LDAPMAP_DOMAINS none OBJECT access not configured PARAMETERS VALUES - To configure Microsoft Active Directory (AD) based
authentication with LDAP ID mapping for file access, issue this
command:
The system displays output similar to this:mmuserauth service create --data-access-method file --type ad --servers myADserver --user-name adUser --netbios-name specscale --idmap-role master --ldapmap-domains "DOMAIN(type=stand-alone: range=1000-10000:ldap_srv=myLDAPserver: usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example, dc=com:bind_dn=cn=ldapuser,dc=example,dc=com:bind_dn_pwd=password)"
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
The system displays output similar to this:# mmuserauth service list
FILE access configuration : AD PARAMETERS VALUES ------------------------------------------------- ENABLE_NFS_KERBEROS false SERVERS
"*"
USER_NAMEspecscale$
NETBIOS_NAME specscale IDMAP_ROLE master IDMAP_RANGE 10000000-299999999 IDMAP_RANGE_SIZE 1000000 UNIXMAP_DOMAINS none LDAPMAP_DOMAINS DOMAIN(type=stand-alone: range=1000-10000: ldap_srv=myLDAPserver:usr_dn=ou=People,dc=example,dc=com:grp_dn= ou=Groups,dc=example,dc=com:bind_dn=cn=ldapuser,dc=example,dc=com) OBJECT access not configured PARAMETERS VALUES ------------------------------------------------- - To configure Microsoft Active Directory (AD) based
authentication with LDAP ID mapping for file access (anonymous binding with LDAP), issue this
command:
The system displays output similar to this:# mmuserauth service create --data-access-method file --type ad --servers myADserver --user-name adUser --netbios-name specscale --idmap-role master --ldapmap-domains "DOMAIN(type=stand-alone: range=1000-10000:ldap_srv=myLDAPserver: usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,dc=com)"
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
The system displays output similar to this:# mmuserauth service list
FILE access configuration : AD PARAMETERS VALUES ------------------------------------------------- ENABLE_NFS_KERBEROS false SERVERS
"*"
USER_NAMEspecscale$
NETBIOS_NAME specscale IDMAP_ROLE master IDMAP_RANGE 10000000-299999999 IDMAP_RANGE_SIZE 1000000 UNIXMAP_DOMAINS none LDAPMAP_DOMAINS DOMAIN(type=stand-alone: range=1000-10000:ldap_srv=myLDAPserver: usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,dc=com) OBJECT access not configured PARAMETERS VALUES ------------------------------------------------- - To configure AD-based authentication with overlapping ID map ranges, issue this
command:
The system displays output similar to this:# mmuserauth service create --data-access-method file --type ad --servers myADserver --user-name adUser --netbios-name specscale --idmap-role master --unixmap-domains "DOMAIN1(2000-4000); DOMAIN2(2000-4000)" --enable-overlapping-unixmap-ranges
To verify the authentication configuration, the mmuserauth service list command as shown in the following example:Enter Active Directory User 'adUser' password: Enabling Overlapping unixmap ranges. Make sure that UIDs and GIDs are unique in order to avoid ACLs or/and data access issues. See man mmuserauth for further details. File authentication configuration completed successfully.
The system displays output similar to this:# mmuserauth service list
# mmuserauth service list FILE access configuration : AD PARAMETERS VALUES ------------------------------------------------- ENABLE_NFS_KERBEROS false SERVERS "*" USER_NAME specscale$ NETBIOS_NAME specscale IDMAP_ROLE master IDMAP_RANGE 10000000-299999999 IDMAP_RANGE_SIZE 1000000 UNIXMAP_DOMAINS DOMAIN1(2000-4000:win);DOMAIN2(2000-4000:win) LDAPMAP_DOMAINS none OBJECT access not configured PARAMETERS VALUES -------------------------------------------------
- To configure LDAP-based authentication with TLS encryption for file access, issue this
command:
The system displays output similar to this:# mmuserauth service create --type ldap --data-access-method file --servers myLDAPserver --base-dn dc=example,dc=com --user-name cn=ldapuser,dc=example,dc=com --netbios-name specscale --enable-server-tls
File Authentication configuration completed successfully.
Note: Before issuing the mmuserauth service create command to configure LDAP with TLS, ensure that the CA certificate for LDAP server is placed under /var/mmfs/tmp directory with the name "ldap_cacert.pem" specifically on the protocol node where the command is issued.To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
The system displays output similar to this:# mmuserauth service list
FILE access configuration : LDAP PARAMETERS VALUES ------------------------------------------------- ENABLE_ANONYMOUS_BIND false ENABLE_SERVER_TLS true ENABLE_KERBEROS false USER_NAME cn=ldapuser,dc=example,dc=com SERVERS myLDAPserver NETBIOS_NAME specscale BASE_DN dc=example,dc=com USER_DN none GROUP_DN none NETGROUP_DN none USER_OBJECTCLASS posixAccount GROUP_OBJECTCLASS posixGroup USER_NAME_ATTRIB cn USER_ID_ATTRIB uid KERBEROS_SERVER none KERBEROS_REALM none OBJECT access not configured PARAMETERS VALUES -------------------------------------------------
- To configure LDAP-based authentication with Kerberos for file access, issue this
command:
The system displays output similar to this:# mmuserauth service create --type ldap --data-access-method file --servers myLDAPserver --base-dn dc=example,dc=com --user-name cn=ldapuser,dc=example,dc=com --netbios-name specscale --enable-kerberos --kerberos-server myKerberosServer --kerberos-realm MYREAL.com
File Authentication configuration completed successfully.
Note: Before issuing the mmuserauth service create command to configure LDAP with Kerberos, ensure that the keytab file is also placed under /var/mmfs/tmp directory name as krb5_scale.keytab specifically on the node where the command is run.To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
The system displays output similar to this:# mmuserauth service list
FILE access configuration : LDAP PARAMETERS VALUES ------------------------------------------------- ENABLE_ANONYMOUS_BIND false ENABLE_SERVER_TLS false ENABLE_KERBEROS true USER_NAME cn=ldapuser,dc=example,dc=com SERVERS myLDAPserver NETBIOS_NAME specscale BASE_DN dc=example,dc=com USER_DN none GROUP_DN none NETGROUP_DN none USER_OBJECTCLASS posixAccount GROUP_OBJECTCLASS posixGroup USER_NAME_ATTRIB cn USER_ID_ATTRIB uid KERBEROS_SERVER myKerberosServer KERBEROS_REALM MYREAL.com OBJECT access not configured PARAMETERS VALUES -------------------------------------------------
- To configure LDAP with TLS and Kerberos for file access, issue this
command:
The system displays output similar to this:# mmuserauth service create --type ldap --data-access-method file --servers myLDAPserver --base-dn dc=example,dc=com --user-name cn=ldapuser,dc=example,dc=com --netbios-name specscale --enable-server-tls --enable-kerberos --kerberos-server myKerberosServer --kerberos-realm MYREAL.com
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
The system displays output similar to this:# mmuserauth service list
FILE access configuration : LDAP PARAMETERS VALUES ------------------------------------------------- ENABLE_ANONYMOUS_BIND false ENABLE_SERVER_TLS true ENABLE_KERBEROS true USER_NAME cn=ldapuser,dc=example,dc=com SERVERS myLDAPserver NETBIOS_NAME specscale BASE_DN dc=example,dc=com USER_DN none GROUP_DN none NETGROUP_DN none USER_OBJECTCLASS posixAccount GROUP_OBJECTCLASS posixGroup USER_NAME_ATTRIB cn USER_ID_ATTRIB uid KERBEROS_SERVER myKerberosServer KERBEROS_REALM MYREAL.com OBJECT access not configured PARAMETERS VALUES -------------------------------------------------
- To configure LDAP without TLS and without Kerberos for file access, issue this
command:
The system displays output similar to this:# mmuserauth service create --type ldap --data-access-method file --servers myLDAPserver --base-dn dc=example,dc=com --user-name cn=ldapuser,dc=example,dc=com --netbios-name specscale
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
The system displays output similar to this:# mmuserauth service list
FILE access configuration : LDAP PARAMETERS VALUES ------------------------------------------------- ENABLE_ANONYMOUS_BIND false ENABLE_SERVER_TLS false ENABLE_KERBEROS false USER_NAME cn=ldapuser,dc=example,dc=com SERVERS myLDAPserver NETBIOS_NAME specscale BASE_DN dc=example,dc=com USER_DN none GROUP_DN none NETGROUP_DN none USER_OBJECTCLASS posixAccount GROUP_OBJECTCLASS posixGroup USER_NAME_ATTRIB cn USER_ID_ATTRIB uid KERBEROS_SERVER none KERBEROS_REALM none OBJECT access not configured PARAMETERS VALUES -------------------------------------------------
- To configure NIS-based authentication for file access, issue this
command:
The system displays output similar to this:# mmuserauth service create --type nis --data-access-method file --servers myNISserver --domain nisdomain
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
The system displays output similar to this:# mmuserauth service list
FILE access configuration : NIS PARAMETERS VALUES ------------------------------------------------- SERVERS myNISserver DOMAIN nisdomain OBJECT access not configured PARAMETERS VALUES -------------------------------------------------
Note: NIS authentication is not supported for RHEL 9. - To configure user-defined authentication for file access, issue this
command:
The system displays output similar to this:# mmuserauth service create --data-access-method file --type userdefined
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
The system displays output similar to this:# mmuserauth service list
FILE access configuration : USERDEFINED PARAMETERS VALUES ------------------------------------------------- OBJECT access not configured PARAMETERS VALUES -------------------------------------------------
- To configure local authentication for object access, issue this
command:
The system displays output similar to this:# mmuserauth service create --data-access-method object --type local --ks-dns-name ksDNSname --ks-admin-user admin
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:Object configuration with local (Database) as identity backend is completed successfully. Object Authentication configuration completed successfully.
The system displays output similar to this:# mmuserauth service list
FILE access not configured PARAMETERS VALUES ------------------------------------------------- OBJECT access configuration : LOCAL PARAMETERS VALUES ------------------------------------------------- ENABLE_KS_SSL false ENABLE_KS_CASIGNING false KS_ADMIN_USER admin
- To configure AD without TLS authentication for object access, issue this
command:
The system displays output similar to this:# mmuserauth service create --type ad --data-access-method object --user-name "cn=adUser,cn=Users,dc=example,dc=com" --base-dn "dc=example,DC=com" --ks-dns-name ksDNSname --ks-admin-user admin --servers myADserver --user-id-attrib cn --user-name-attrib sAMAccountName --user-objectclass organizationalPerson --user-dn "cn=Users,dc=example,dc=com" --ks-swift-user swift
Object configuration with LDAP (Active Directory) as identity backend is completed successfully. Object Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
The system displays output similar to this:# mmuserauth service list
FILE access not configured PARAMETERS VALUES ------------------------------------------------- OBJECT access configuration: AD PARAMETERS VALUES ------------------------------------------------- ENABLE_ANONYMOUS_BIND false ENABLE_SERVER_TLS false ENABLE_KS_SSL false USER_NAME cn=adUser,cn=Users,dc=example,dc=com SERVERS myADserver BASE_DN dc=IBM,DC=local USER_DN cn=users,dc=example,dc=com USER_OBJECTCLASS organizationalPerson USER_NAME_ATTRIB sAMAccountName USER_ID_ATTRIB cn USER_MAIL_ATTRIB mail USER_FILTER none ENABLE_KS_CASIGNING false KS_ADMIN_USER admin
- To configure AD with TLS authentication for object access, issue this
command:
The system displays output similar to this:# mmuserauth service create --type ad --data-access-method object --user-name "cn=adUser,cn=Users,dc=example,dc=com" --base-dn "dc=example,DC=com" --enable-server-tls --ks-dns-name ksDNSname --ks-admin-user admin --servers myADserver --user-id-attrib cn --user-name-attrib sAMAccountName --user-objectclass organizationalPerson --user-dn "cn=Users,dc=example,dc=com" --ks-swift-user swift
Object configuration with LDAP (Active Directory) as identity backend is completed successfully. Object Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
The system displays output similar to this:# mmuserauth service list
FILE access not configured PARAMETERS VALUES ------------------------------------------------- OBJECT access configuration: AD PARAMETERS VALUES ------------------------------------------------- ENABLE_ANONYMOUS_BIND false ENABLE_SERVER_TLS true ENABLE_KS_SSL false USER_NAME cn=adUser,cn=Users,dc=example,dc=com SERVERS myADserver BASE_DN dc=IBM,DC=com USER_DN cn=users,dc=example,dc=com USER_OBJECTCLASS organizationalPerson USER_NAME_ATTRIB sAMAccountName USER_ID_ATTRIB cn USER_MAIL_ATTRIB mail USER_FILTER none ENABLE_KS_CASIGNING false KS_ADMIN_USER admin
- To configure LDAP-based authentication for object access, issue this
command:
The system displays output similar to this:# mmuserauth service create --type ldap --data-access-method object --user-name "cn=ldapuser,dc=example,dc=com" --base-dn dc=example,dc=com --ks-dns-name ksDNSname --ks-admin-user admin --servers myLDAPserver --user-dn "ou=People,dc=example,dc=com" --ks-swift-user swift
Object configuration with LDAP as identity backend is completed successfully. Object Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
The system displays output similar to this:# mmuserauth service list
FILE access not configured PARAMETERS VALUES ------------------------------------------------- OBJECT access configuration : LDAP PARAMETERS VALUES ------------------------------------------------- ENABLE_SERVER_TLS false ENABLE_KS_SSL false USER_NAME cn=ldapuser,dc=example,dc=com SERVERS myLDAPserver BASE_DN dc=example,dc=com USER_DN ou=people,dc=example,dc=com USER_OBJECTCLASS posixAccount USER_NAME_ATTRIB cn USER_ID_ATTRIB uid USER_MAIL_ATTRIB mail USER_FILTER none ENABLE_KS_CASIGNING false KS_ADMIN_USER admin
- To configure LDAP with TLS-based authentication for object access, issue this
command:
The system displays output similar to this:# mmuserauth service create --type ldap --data-access-method object --user-name "cn=ldapuser,dc=example,dc=com" --base-dn dc=example,dc=com --enable-server-tls --ks-dns-name ksDNSname --ks-admin-user admin --servers myLDAPserver --user-dn "ou=People,dc=example,dc=com" --ks-swift-user swift
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:Object configuration with LDAP as identity backend is completed successfully. Object Authentication configuration completed successfully.
The system displays output similar to this:# mmuserauth service list
FILE access not configured PARAMETERS VALUES ------------------------------------------------- OBJECT access configuration : LDAP PARAMETERS VALUES ------------------------------------------------- ENABLE_SERVER_TLS true ENABLE_KS_SSL false USER_NAME cn=ldapuser,dc=example,dc=com SERVERS myLDAPserver BASE_DN dc=example,dc=com USER_DN ou=people,dc=example,dc=com USER_OBJECTCLASS posixAccount USER_NAME_ATTRIB cn USER_ID_ATTRIB uid USER_MAIL_ATTRIB mail USER_FILTER none ENABLE_KS_CASIGNING false KS_ADMIN_USER admin
- To remove the authentication method that is configured for file
access, issue this command:
The system displays output similar to this:# mmuserauth service remove --data-access-method file
mmuserauth service remove: Command successfully completed
Note: Authentication configuration and ID maps cannot be deleted together. To remove ID maps, remove the authentication configuration first and then remove ID maps. Also, you cannot delete ID maps that are used for file and object access together. That is, when you delete the ID maps, the value that is specified for--data-access-method
must be eitherfile
orobject
. - To remove the authentication method that is configured for object
access, issue this command:
The system displays output similar to this:# mmuserauth service remove --data-access-method object
mmuserauth service remove: Command successfully completed
Note: Authentication configuration and ID maps cannot be deleted together. To remove ID maps, remove the authentication configuration first and then remove the ID maps. Also, you cannot delete ID maps that are used for file and object access together. That is, when you delete the ID maps, the value that is specified for--data-access-method
must be either file or object. - To check whether the authentication configuration is consistent across the cluster and the
required services are enabled and running, issue this
command:
The system displays output similar to this:mmuserauth service check --data-access-method file --nodes cesNodes --server-reachability
Userauth file check on node: node1 Checking SSSD_CONF: OK Checking nsswitch file: OK Checking Pre-requisite Packages: OK LDAP servers status LDAP server myLdapServer : OK Service 'sssd' status: OK Userauth file check on node: node2 Checking SSSD_CONF: OK Checking nsswitch file: OK Checking Pre-requisite Packages: OK LDAP servers status LDAP server myLdapServer : OK Service 'sssd' status: OK
- To check whether the file authentication configuration is consistent across the cluster and the
required services are enabled and running, and if you want to correct the situation, issue this
command:
mmuserauth service check --data-access-method file --nodes cesNodes --rectify
- To check that all object configuration files (including certificates) are present, and if not,
rectify the situation by issuing the following
command:
The system displays output similar to this:# mmuserauth service check --data-access-method object --rectify
Userauth object check on node: node1 Checking keystone.conf: OK Checking /etc/keystone/ssl/certs/signing_cert.pem: OK Checking /etc/keystone/ssl/private/signing_key.pem: OK Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK Checking /etc/keystone/ssl/certs/object_ldap_cacert.pem: OK Service 'openstack-keystone' status: OK
- To check if the external authentication server is reachable by each protocol node, use the
following command:
mmuserauth service check --server-reachability
- If file is not configured, object is configured, and there are no errors, the system displays
output similar to this:
Userauth object check on node: node1 Checking keystone.conf: OK Checking wsgi-keystone.conf: OK Checking /etc/keystone/ssl/certs/signing_cert.pem: OK Checking /etc/keystone/ssl/private/signing_key.pem: OK Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK LDAP servers status LDAP server myLDAPserver : OK Service 'httpd' status: OK
- If file is not configured, object is configured, and there is a single error, the system
displays output similar to this:
Userauth object check on node: node1 Checking keystone.conf: OK Checking wsgi-keystone.conf: OK Checking /etc/keystone/ssl/certs/signing_cert.pem: OK Checking /etc/keystone/ssl/private/signing_key.pem: OK Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK LDAP servers status LDAP server myLDAPserver : ERROR Service 'httpd' status: OK
- If file and object are configured and there are no errors, the system displays output similar to
this:
Userauth file check on node: node1 Checking nsswitch file: OK Checking Pre-requisite Packages: OK
Checking SRV Records lookup: OK
Domain Controller status
NETLOGON connection: OK, connection to DC: win2k16.example.com
Domain join status: OK Machine password status: OK Service 'gpfs-winbind' status: OK Userauth object check on node: node1 Checking keystone.conf: OK Checking wsgi-keystone.conf: OK Checking /etc/keystone/ssl/certs/signing_cert.pem: OK Checking /etc/keystone/ssl/private/signing_key.pem: OK Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK LDAP servers status LDAP server myLDAPserver : OK Service 'httpd' status: OK - If file and object are configured and there is a single error, the system displays output
similar to
this:
Userauth file check on node: node1 Checking nsswitch file: OK Checking Pre-requisite Packages: OK
Checking SRV Records lookup: OK
Domain Controller status
NETLOGON connection: OK, connection to DC: WIN8-12Up.example.com
Domain join status: OK Machine password status: ERROR Service 'gpfs-winbind' status: OK Userauth object check on node: node1 Checking keystone.conf: OK Checking wsgi-keystone.conf: OK Checking /etc/keystone/ssl/certs/signing_cert.pem: OK Checking /etc/keystone/ssl/private/signing_key.pem: OK Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK LDAP servers status LDAP server myLDAPserver : OK - If file and object are configured and there is are multiple errors, the system displays output
similar to
this:
Userauth file check on node: node1 Checking nsswitch file: OK Checking Pre-requisite Packages: OK
Checking SRV Records lookup: OK
Domain Controller status
NETLOGON connection: ERROR(DC not found)
Domain join status: ERROR Machine password status: ERROR Service 'gpfs-winbind' status: OK Userauth object check on node: node1 Checking keystone.conf: OK Checking wsgi-keystone.conf: OK Checking /etc/keystone/ssl/certs/signing_cert.pem: OK Checking /etc/keystone/ssl/private/signing_key.pem: OK Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK LDAP servers status LDAP server myLDAPserver : ERROR Service 'httpd' status: OKNote: The --rectify or -r option cannot fix server reachability errors. Specifying that option with --server-reachability may fix the erroneous config files and service-related errors only.
- If file is not configured, object is configured, and there are no errors, the system displays
output similar to this:
- To configure AD authentication by using a password file for File protocol configuration, use the
following
command:
Contents of fileauth saved at /var/mmfs/ssl/keyServ/tmp/ are:mmuserauth service create --type ad --data-access-method file --netbios-name test --user-name administrator --idmap-role master --servers myADServer --pwd-file fileauth
Here, Passw0rd is the password for the user to bind with the authentication server.%fileauth: password=Passw0rd
- To configure AD authentication by using a password file for Object protocol configuration, use
the following
command:
Contents of objectauth saved at /var/mmfs/ssl/keyServ/tmp/ are:mmuserauth service create --type ad --data-access-method object --base-dn "dc=example,DC=com" --servers myADserver --user-id-attrib cn --user-name-attrib sAMAccountName --user-objectclass organizationalPerson --user-dn "cn=Users,dc=example,dc=com" --pwd-file objectauth
Here, Passw0rd is the password for the user to bind with the authentication server. Passw0rd1 is the Keystone administrator's password, and Passw0rd2 is the Swift Service user's password.%objectauth: password=Passw0rd ksAdminPwd=Passw0rd1 ksSwiftPwd=Passw0rd2
- To check whether the DNS configuration is correct when cluster is
already configured with file AD authentication scheme, issue this command:
If DNS configuration is valid; then system displays output similar to this:mmuserauth service check --data-access-method file --nodes cesNodes
If DNS configuration is incorrect; then system displays output similar to this:Userauth file check on node: node1 Checking nsswitch file: OK Checking Pre-requisite Packages: OK Checking SRV Records lookup: OK Service 'gpfs-winbind' status: OK Userauth file check on node: node2 Checking nsswitch file: OK Checking Pre-requisite Packages: OK Checking SRV Records lookup: OK Service 'gpfs-winbind' status: OK
Userauth file check on node: node1 Checking nsswitch file: OK Checking Pre-requisite Packages: OK Checking SRV Records lookup: ERROR (Make sure Domain Controller can be looked up from this node. Validate correct DNS server is populated in network configuration.) Found errors in configuration. Userauth file check on node: node2 Checking nsswitch file: OK Checking Pre-requisite Packages: OK Checking SRV Records lookup: ERROR (Make sure Domain Controller can be looked up from this node. Validate correct DNS server is populated in network configuration.) Found errors in configuration.
- To configure Microsoft Active Directory(AD)-based authentication when the time difference between the node and domain controller is more than five minutes, run the following command:
The system displays output similar to this:mmuserauth service create --type ad --data-access-method file --netbios-name specscale --user-name adUser --idmap-role master --servers myADserver --idmap-range-size 1000000 --idmap-range 10000000-299999999
WARNING: Time difference between current node and domain controller is 4073 seconds. It is greater than max allowed clock skew 300 seconds. File Authentication configuration completed successfully.
- To configure LDAP-based authentication for file access with an IPv6
address of the authentication server, issue this
command:
The system displays output similar to this:# mmuserauth service create --type ldap --data-access-method file --servers [2001:192::e61f:122:feb7:5df0] --base-dn dc=example,dc=com --user-name cn=ldapuser,dc=example,dc=com --netbios-name specscale
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
The system displays output similar to this:# mmuserauth service list
FILE access configuration : LDAP PARAMETERS VALUES ------------------------------------------------- ENABLE_SERVER_TLS false ENABLE_KERBEROS false USER_NAME cn=ldapuser,dc=example,dc=com SERVERS [2001:192::e61f:122:feb7:5df0] NETBIOS_NAME specscale BASE_DN dc=example,dc=com USER_DN none GROUP_DN none NETGROUP_DN none USER_OBJECTCLASS posixAccount GROUP_OBJECTCLASS posixGroup USER_NAME_ATTRIB cn USER_ID_ATTRIB uid KERBEROS_SERVER none KERBEROS_REALM none OBJECT access not configured PARAMETERS VALUES -------------------------------------------------
- To configure LDAP-based authentication with TLS encryption for file access with an IPv6 address
of the authentication server, issue this
command:
The system displays output similar to this:mmuserauth service create --type ldap --data-access-method file --servers [2001:192::e61f:122:feb7:5df0] --base-dn dc=example,dc=com --user-name cn=ldapuser,dc=example,dc=com --netbios-name specscale --enable-server-tls
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
The system displays output similar to this:# mmuserauth service list
FILE access configuration : LDAP PARAMETERS VALUES ------------------------------------------------- ENABLE_SERVER_TLS true ENABLE_KERBEROS false USER_NAME cn=ldapuser,dc=example,dc=com SERVERS [2001:192::e61f:122:feb7:5df0] NETBIOS_NAME specscale BASE_DN dc=example,dc=com USER_DN none GROUP_DN none NETGROUP_DN none USER_OBJECTCLASS posixAccount GROUP_OBJECTCLASS posixGroup USER_NAME_ATTRIB cn USER_ID_ATTRIB uid KERBEROS_SERVER none KERBEROS_REALM none OBJECT access not configured PARAMETERS VALUES -------------------------------------------------
- To configure LDAP-based authentication with Kerberos for file access
with an IPv6 address of the authentication server, issue this
command:
The system displays output similar to this:mmuserauth service create --type ldap --data-access-method file --servers [2001:192::e61f:122:feb7:5df0] --base-dn dc=example,dc=com --user-name cn=ldapuser,dc=example,dc=com --netbios-name specscale --enable-kerberos --kerberos-server [2001:192::e61f:122:feb7:5dc0] --kerberos-realm MYREALM.com
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
The system displays output similar to this:# mmuserauth service list
FILE access configuration : LDAP PARAMETERS VALUES ------------------------------------------------- ENABLE_SERVER_TLS false ENABLE_KERBEROS true USER_NAME cn=ldapuser,dc=example,dc=com SERVERS [2001:192::e61f:122:feb7:5df0] NETBIOS_NAME specscale BASE_DN dc=example,dc=com USER_DN none GROUP_DN none NETGROUP_DN none USER_OBJECTCLASS posixAccount GROUP_OBJECTCLASS posixGroup USER_NAME_ATTRIB cn USER_ID_ATTRIB uid KERBEROS_SERVER [2001:192::e61f:122:feb7:5dc0] KERBEROS_REALM MYREALM.com OBJECT access not configured PARAMETERS VALUES -------------------------------------------------
- To configure Microsoft Active Directory
(AD)-based authentication with the automatic ID mapping for file access with an IPv6 address of the
authentication server, issue this
command:
The system displays output similar to this:mmuserauth service create --type ad --data-access-method file --servers [2001:192::e61f:122:feb7:5df0] --netbios-name specscale --user-name adUser --idmap-role master --idmap-range-size 1000000 --idmap-range 10000000-299999999
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
The system displays output similar to this:# mmuserauth service list
FILE access configuration : AD PARAMETERS VALUES ------------------------------------------------- ENABLE_NFS_KERBEROS false SERVERS "*" USER_NAME adUser$ NETBIOS_NAME specscale IDMAP_ROLE master IDMAP_RANGE 10000000-299999999 IDMAP_RANGE_SIZE 1000000 UNIXMAP_DOMAINS none LDAPMAP_DOMAINS none OBJECT access not configured PARAMETERS VALUES -------------------------------------------------
- To configure Microsoft Active Directory
(AD)-based authentication with RFC2307 ID mapping for file access with IPv6 address of the
authentication server, issue this
command:
The system displays output similar to this:mmuserauth service create --type ad --data-access-method file --servers [2001:192::e61f:122:feb7:5df0] --netbios-name specscale --user-name adUser --idmap-role master --unixmap-domains 'TESTDOMAIN(10000-50000:win)'
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
The system displays output similar to this:# mmuserauth service list
FILE access configuration : AD PARAMETERS VALUES ------------------------------------------------- ENABLE_NFS_KERBEROS false SERVERS "*" USER_NAME adUser$ NETBIOS_NAME specscale IDMAP_ROLE master IDMAP_RANGE 10000000-299999999 IDMAP_RANGE_SIZE 1000000 UNIXMAP_DOMAINS TESTDOMAIN(10000-50000:win) LDAPMAP_DOMAINS none OBJECT access not configured PARAMETERS VALUES -------------------------------------------------
- To configure Microsoft Active Directory
(AD)-based authentication with LDAP ID mapping for file access with IPv6 address of the
authentication server, issue this
command:
The system displays output similar to this:mmuserauth service create --type ad --data-access-method file --servers [2001:192::e61f:122:feb7:5df0] --netbios-name specscale --user-name adUser --idmap-role master --ldapmap-domains "TESTDOMAIN(type=stand-alone: range=1000-10000:ldap_srv=[2001:192::e61f:122:feb7:5bf0]: usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example, dc=com:bind_dn=cn=ldapuser,dc=example,dc=com:bind_dn_pwd=password)"
File Authentication configuration completed successfully.
To verify the authentication configuration, use the mmuserauth service list command as shown in the following example:
The system displays output similar to this:# mmuserauth service list
FILE access configuration : AD PARAMETERS VALUES ------------------------------------------------- ENABLE_NFS_KERBEROS false SERVERS "*" USER_NAME adUser$ NETBIOS_NAME specscale IDMAP_ROLE master IDMAP_RANGE 10000000-299999999 IDMAP_RANGE_SIZE 1000000 UNIXMAP_DOMAINS none LDAPMAP_DOMAINS TESTDOMAIN(type=stand-alone: range=1000-10000: ldap_srv=[2001:192::e61f:122:feb7:5bf0]:usr_dn=ou=People,dc=example,dc=com:grp_dn= ou=Groups,dc=example,dc=com:bind_dn=cn=ldapuser,dc=example,dc=com) OBJECT access not configured PARAMETERS VALUES -------------------------------------------------
See also
Location
/usr/lpp/mmfs/bin