Configuring file authentication by using GUI

You can configure an authentication method or view the existing authentication method that is used for Network File System (NFS) and Server Message Block (SMB) users from the Services > File Authentication page of the GUI.

The IBM Storage Scale system supports the following file user authentication methods to authenticate an NFS or SMB user:
Active Directory
Uses Microsoft Active Directory (AD) as the authentication server. This method is used if you need to authenticate SMB users to access the data through SMB shares. When you select AD as the authentication server, you need to configure an ID-mapping method to map the user IDs from the external domain to a set of internal user IDs. You can configure the following ID-mapping methods: Automatic ID mapping, RFC2307 ID mapping, and LDAP ID mapping. The details of these ID-mapping methods are explained in the procedure.
LDAP
Uses an LDAP server to authenticate users. This is the ideal method to authenticate NFS protocol users who access the data through NFS exports.
NIS
The NIS-based authentication is useful in an NFS-only environment where NIS acts as the ID-mapping server and is used for netgroups. When file access is configured with NIS, SMB access cannot be enabled.
Note: NIS authentication is not supported for RHEL 9.
User-defined
The user can select the authentication and ID-mapping methods of their choice. It is the responsibility of the administrator of the client system to manage the authentication and ID mapping for file access to the IBM Storage Scale system.

Example for how to configure file authentication by using GUI

The following steps show how to configure an Active Directory-based file authentication method by using GUI:

  1. Go to the Services > File Authentication page in the IBM Storage Scale GUI.
  2. Click Configure File Authentication. The Configure File Authentication wizard appears.
  3. Select Active Directory as the authentication method from the following list of authentication methods:
    • Active Directory
    • Lightweight Directory Access Protocol (LDAP)
    • Network Information Service (NIS) for NFS
    • User-defined
  4. Type the AD domain controller in the Server field.
  5. Type the username in the User name field. This user name is used for initial access to the authentication server in the configuration phase.
  6. Type the password for the user name in the Password field.
  7. Select Show password if you want to verify the password that you entered.
  8. Type the NetBIOS name in the NetBIOS name field. The NetBIOS name identifies the cluster in AD. A machine account based on the NetBIOS name is created when this cluster joins AD. This account is used for communication between the cluster and AD.
  9. Click Next and configure ID mapping. You can configure the following ID-mapping methods:
    • Automatic ID mapping: The user and group IDs are automatically generated and stored within the IBM Storage Scale system. This ID-mapping method can be used when an external ID-mapping server is not present in the environment or cannot be used. It is typically used if you have SMB-only access and do not plan to deploy multiprotocol access. That is, AD-based authentication with automatic ID mapping is not used when you need to allow NFS and SMB access to the same data.
    • RFC2307 ID mapping: The user and group IDs are stored and managed in the AD server and these IDs are used by the IBM Storage Scale system during file access. The RFC2307 ID-mapping method is used when you want to have multiprotocol access. That is, you can have both NFS and SMB access over the same data.
    • LDAP ID mapping: In the LDAP-mapping method, user ID and group ID are stored and managed in the LDAP server, and these IDs are used by the IBM Storage Scale system during file access. The LDAP ID-mapping method is used when you want to have multiprotocol access. That is, you can have both NFS and SMB access over the same data.

    For Automatic ID mapping

  10. Select the ID-mapping role from the ID mapping role field. You can select either Master or Subordinate as the ID map role. For the Master role, the system creates the ID maps. If you select Subordinate, the system does not create ID maps on its own. In such cases, ID maps must be exported from the master to the subordinate. While using automatic ID mapping, to have the same ID maps on systems that share an AFM relationship, you need to export the ID mappings from the master to the subordinate.
  11. In the ID range field, specify the range of values from which the IBM Storage Scale UIDs and GIDs are assigned by the system to the Active Directory users and groups. The default value is 10000000-299999999.
  12. In the ID map size field, specify the range of values from which the IBM Storage Scale UIDs and GIDs are assigned by the system to the Active Directory users and groups. The lower value of the range must be at least 1000.
  13. Click Next to configure RFC2307 ID mapping.

    For RFC2307 ID mapping

  14. Specify the AD domain for which the ID mapping needs to be configured, in the Domain name field.
  15. In the ID range field, specify the range of IDs for the users or groups from the domain that need access to the data exports.
  16. Select the source of the primary group from the Primary group source field. You can select either Windows primary group of a user in the AD or the primary group as set in the UNIX attributes of a user in the AD.
  17. Select the Enable Kerberized logins checkbox when you want to enable Kerberized logins for the users who gain access by using the NFSv3 or NFSv4 protocols.
  18. Click Next to configure LDAP ID mapping.

    For LDAP ID mapping

  19. In the Domain name field, specify the AD domain for which ID-mapping service needs to be configured.
  20. Specify the LDAP server that manages the ID mapping.
  21. In the ID range field, specify the range of IDs from which the UID and GID must be assigned.
  22. In the User DN field, specify the bind tree on the LDAP server where user objects are located.
  23. In the Group DN field, specify the bind tree on the LDAP server where group objects are located.
  24. In the Bind DN field, specify the user DN that must be used for authentication in the LDAP server. If not specified, anonymous bind is performed.
  25. In the Bind password field, specify the password for the user DN that is given in the Bind DN field. Select the Show password checkbox if you want to verify the password that you entered.
  26. Click Next to continue.
  27. Review the details of the configuration in the Summary page of the Configure File Authentication wizard.
  28. Select the Test connection to the Active Directory server checkbox if you want to verify whether the AD server is reachable from all protocol nodes.
  29. Click Finish to complete the process. The system runs the required commands in the background, completes the file authentication configuration, and displays the status of the operation.
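As an added example that is not part of the IBM documentation, the following Python script dry-runs the RFC2307 ID-mapping choices from steps 14 to 16: it takes constructed AD user records, the wizard's ID range, and the primary group source, and reports which users would resolve to a UID/GID usable for NFS access. The attribute names (uidNumber, gidNumber, primaryGroupID) are standard AD/RFC2307 attributes; the accounts, groups and range values are made up for the example.

```python
"""Dry-run resolver for RFC2307 ID mapping (added example, not IBM code)."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class AdUser:
    sam_account: str
    uid_number: Optional[int]   # uidNumber; unset for non-UNIX-enabled users
    gid_number: Optional[int]   # gidNumber, the UNIX primary group
    primary_group_rid: int      # primaryGroupID, the Windows primary group

# Constructed group table: Windows RID -> gidNumber (None if the group has none).
GROUPS = {513: 10513, 1105: 20000, 1106: None}

def parse_id_range(text: str):
    """Parse the wizard's 'low-high' ID range text into integers."""
    low, high = (int(part) for part in text.split("-", 1))
    if low > high:
        raise ValueError(f"invalid ID range {text!r}: low exceeds high")
    return low, high

def resolve_identity(user: AdUser, id_range: str, primary_group_source: str):
    """Return (uid, gid), or a string explaining why the user stays unmapped."""
    low, high = parse_id_range(id_range)
    if user.uid_number is None:
        return f"{user.sam_account}: no uidNumber in AD, cannot be mapped for NFS"
    if not low <= user.uid_number <= high:
        return f"{user.sam_account}: uidNumber {user.uid_number} outside {id_range}"
    if primary_group_source == "unix":        # primary group from UNIX attributes
        gid = user.gid_number
    elif primary_group_source == "windows":   # Windows primary group of the user
        gid = GROUPS.get(user.primary_group_rid)
    else:
        raise ValueError("primary_group_source must be 'unix' or 'windows'")
    if gid is None:
        return f"{user.sam_account}: primary group has no gidNumber"
    if not low <= gid <= high:
        return f"{user.sam_account}: gid {gid} outside {id_range}"
    return user.uid_number, gid

SAMPLE_USERS = [
    AdUser("alice", 10501, 10513, 513),  # fully UNIX-enabled
    AdUser("bob", 10502, None, 1105),    # no gidNumber, but Windows group has one
    AdUser("carol", None, None, 513),    # SMB-only account, never UNIX-enabled
    AdUser("dave", 90001, 10513, 513),   # uidNumber set outside the range
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(resolve_identity(user, "10000-50000", "windows"))
```

Running it with "unix" instead of "windows" shows how bob loses access when his account lacks gidNumber, which is the practical difference behind the Primary group source choice.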

Viewing, modifying, or deleting the file authentication configuration

You can also perform the following tasks from the Services > File Authentication page in the GUI.

  • View the existing configuration. The existing authentication is specified under the Settings tab.
  • Modify the existing authentication configuration.
  • Delete the existing configuration and ID mappings, if any.

Modifying or deleting an existing configuration can be done by using the Edit option that is available under the Settings tab of the Services > File Authentication page. This opens the Configure File Authentication wizard. Follow the wizard either to switch to a new authentication method after clearing the existing configuration, or only to remove the existing configuration.