Configuring a mixed Windows and UNIX (AIX or Linux) cluster
For GPFS clusters that include both Windows and UNIX (AIX® or Linux®) nodes, this topic describes the additional configuration steps needed beyond those described in Installing GPFS prerequisites.
- Optionally, install and configure identity mapping on your Active Directory domain controller (see Identity Mapping for Unix (IDMU) / RFC 2307 Attributes).
- Create the root administrative account (see Creating the GPFS administrative account).
- Edit the Domain Group Policy to give root the right to log on as a service (see Allowing the GPFS administrative account to run as a service).
- Configure the GPFS Administration service (mmwinserv) to run as root (see Configuring the GPFS Administration service).
- Install and configure OpenSSH (see Installing and configuring OpenSSH on Windows nodes).
Identity Mapping for Unix (IDMU) / RFC 2307 Attributes
GPFS can exploit a Windows Server feature called RFC 2307 attributes to provide consistent identities among all nodes in a cluster.
GPFS expects that all Windows nodes in a cluster are members of the same Active Directory domain. This gives domain users a consistent identity and consistent file access rights independent of the system they are using.
GPFS uses RFC 2307 attributes to map users and groups between Windows and UNIX; this is the only way to achieve Windows-UNIX user mapping in GPFS. These attributes can be administered by using Identity Mapping for Unix (IDMU) from Microsoft in Windows Server versions up to and including Windows Server 2012 R2. Beginning with Windows Server 2016, the IDMU MMC snap-in has been removed, and you specify the RFC 2307 attributes by using the Active Directory Users and Computers (ADUC) MMC snap-in or the Active Directory Administrative Center.
For more information, see the instructions on editing RFC 2307 attributes in Configuring ID mappings in Active Directory Users and Computers for Windows Server 2016 (and subsequent) versions, and in Identity management on Windows / RFC 2307 attributes.
GPFS uses the RFC 2307 attributes uidNumber to map users and gidNumber to map groups between Windows and UNIX. From the perspective of GPFS, IDMU is synonymous with RFC 2307 attributes, so any reference to IDMU in the documentation should be read as a reference to RFC 2307 attributes.
For IDMU or ADUC installation and configuration information, see Configuring ID mappings in Active Directory Users and Computers for Windows Server 2016 (and subsequent) versions.
Creating the GPFS administrative account
1. Create a domain user with the logon name root.
2. Add user root to the Domain Admins group or to the local Administrators group on each Windows node.
3. In root Properties/Profile/Home/LocalPath, define a HOME directory such as C:\Users\root\home that does not include spaces in the path name and is not the same as the profile path.
4. Give root the right to log on as a service as described in Allowing the GPFS administrative account to run as a service.
Step 3 is required for the Cygwin environment (described in Installing Cygwin) to operate correctly. Avoid a path that contains a space character in any of its components, and avoid using root's profile path (for example, C:\Users\root): OpenSSH requires specific permissions on the HOME directory, and those permissions can interfere with some Windows applications if HOME is also the profile path.
You may need to create the HOME directory on each node in your GPFS cluster. Make sure that root owns this directory.
Allowing the GPFS administrative account to run as a service
Clusters that depend on a root account to interoperate with UNIX nodes need the GPFS Administration service (mmwinserv) configured to run as the root account. For this, root must be assigned the right to log on as a service. See Configuring the GPFS Administration service for details.
The right to log on as a service is controlled by the Local Security Policy of each Windows node. You can use the Domain Group Policy to set the Local Security Policy on all Windows nodes in a GPFS cluster.
The following procedure assigns the log on as a service right to an account when the domain controller is running on Windows Server 2008:
- Open Group Policy Management (available under Administrative Tools).
- In the console tree, expand Forest name/Domains/Domain name/Group Policy Objects.
- Right click Default Domain Policy and select Edit.
- In the console tree of the Group Policy Management Editor, expand down to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment.
- Double click the Log on as a service policy.
- Check Define these policy settings if necessary.
- Use Add User or Group... to include the DomainName\root account in the policy, then click OK.
Refer to your Windows Server documentation for a full explanation of Local Security Policy and Group Policy Management.
Configuring the GPFS Administration service
GPFS for Windows includes a service called mmwinserv. In the Windows Services management console, this service has the name GPFS Administration. mmwinserv supports GPFS operations such as autoload and remote command execution in Windows GPFS clusters. The Linux and AIX versions of GPFS do not have a similar component. The mmwinserv service is used on all Windows nodes starting with GPFS 3.3.
The GPFS installation package configures mmwinserv to run using the default LocalSystem account. This account is sufficient for clusters that contain only Windows nodes. For clusters that include both Windows and UNIX nodes, you must configure mmwinserv to run as root, the GPFS administrative account. Unlike LocalSystem, root can access the IDMU service and can access other GPFS nodes as required by some cluster configurations.
For IDMU installation and configuration information, see Identity management on Windows / RFC 2307 attributes. For information on supporting administrative access to GPFS nodes, see Requirements for administering a GPFS file system.
Before configuring mmwinserv to run as root, you must first grant root the right to run as a service. For details, see Allowing the GPFS administrative account to run as a service.
Use the GPFS command mmwinservctl to set and maintain the GPFS Administration service's log on account. mmwinservctl must be run on a Windows node. You can run mmwinservctl to set the service account before adding Windows nodes to a cluster, and you can use the same command to change or update the account on nodes that are already in a cluster. GPFS can be running or stopped when you execute mmwinservctl; however, refrain from running other GPFS administrative commands at the same time. For example, the first command below sets the service account and password on three nodes, and the second updates the password on all nodes:
  mmwinservctl set -N node1,node2,node3 --account mydomain/root --password mypwd --remote-shell no
  mmwinservctl set -N all --password mynewpwd
As long as mmwinserv is running, the service will not be affected by an expired or changed password and GPFS will continue to function normally. However, GPFS will not start after a system reboot when mmwinserv is configured with an invalid password. If for any reason the Windows domain or root password changes, then mmwinservctl should be used to update the domain and password. The domain and password can also be updated on a per node basis by choosing Administrative Tools > Computer Management > Services and Applications > Services, and selecting GPFS Administration. Choose File > Properties > Logon and update the <domain>\username and the password.
For more information, see mmwinservctl command.
Installing and configuring OpenSSH on Windows nodes
If using a mixed cluster, OpenSSH must be configured on the Windows nodes. Refer to the Cygwin FAQ (www.cygwin.com/faq.html) and documentation on how to set up sshd. Replace the account cyg_server used in the Cygwin documentation with root when setting up a privileged account for sshd.
- Verify that all nodes can be pinged among themselves by host name, Fully Qualified Domain Name (FQDN) and IP address.
- If not using IPv6, disable it. For more information, see How to disable IPv6 or its components in Windows (support.microsoft.com/kb/929852).
- Check that /etc/passwd contains the privileged user that you plan to use for GPFS operations, as well as its correct home path:
  cat /etc/passwd | grep "root"
  root:unused:11103:10513:U-WINGPFS\root,S-1-5-21-3330551852-1995197583-3793546845-1103:/cygdrive/c/home/root:/bin/bash
  If the user is not listed, rebuild your passwd file:
  mkpasswd -l -d wingpfs > /etc/passwd
- From the Cygwin shell, run /usr/bin/ssh-host-config and respond yes to the prompts. When prompted to enter the value of CYGWIN for the daemon, enter ntsec. Specify root in response to the query for the new user name. You may receive the following warning:
  ***Warning: The specified account 'root' does not have the
  ***Warning: required permissions or group memberships. This may
  ***Warning: cause problems if not corrected; continuing...
  As long as the account (in this case, root) is in the local Administrators group, you can ignore this warning.
- When the installation is complete, enter the following:
  net start sshd
  The CYGWIN sshd service is starting.
  The CYGWIN sshd service was started successfully.
Once OpenSSH is installed, the GPFS administrative account root needs to be configured so that it can issue ssh and scp commands without requiring a password and without producing any extraneous messages. This kind of passwordless access is required from any node used for GPFS administration to all other nodes in the cluster.
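An added pre-flight script for the two checks above (the passwd entry for the administrative account, and passwordless ssh that produces no extraneous messages), written for the Cygwin bash shell. It is example code, not part of GPFS or its documentation, and assumes the administrative account is root and that the cluster node names are passed as arguments.

```bash
#!/bin/bash
# Pre-flight check for a Windows GPFS node, run from the Cygwin shell.
# Added example, not GPFS product code. Assumptions: the GPFS
# administrative account is "root"; node names are given as arguments.

# True when $1 is a non-empty string of digits (a usable uid or gid).
is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# Validate one /etc/passwd line (name:pw:uid:gid:gecos:home:shell) for the
# account $2: numeric uid and gid, a home path without spaces, and a shell.
check_passwd_entry() {
    local name pw uid gid gecos home shell
    IFS=: read -r name pw uid gid gecos home shell <<< "$1"
    [ "$name" = "$2" ] || return 1
    is_num "$uid" && is_num "$gid" || return 1
    case "$home" in '' | *' '*) return 1 ;; esac
    [ -n "$shell" ]
}

# Look up the administrative account in the local passwd file. A missing
# entry means the file must be rebuilt with mkpasswd, as described above.
check_local_passwd() {
    local line
    line=$(grep "^root:" /etc/passwd) || { echo "root not in /etc/passwd"; return 1; }
    check_passwd_entry "$line" root || { echo "unusable entry: $line"; return 1; }
}

# Passwordless, message-free ssh to each node. BatchMode makes ssh fail
# rather than prompt for a password, and because the remote command is
# "true", any output at all counts as an extraneous message.
check_ssh_quiet() {
    local node out rc=0
    for node in "$@"; do
        if ! out=$(ssh -o BatchMode=yes -o ConnectTimeout=10 "$node" true 2>&1) \
           || [ -n "$out" ]; then
            echo "ssh to $node is not clean: ${out:-login failed}"
            rc=1
        fi
    done
    return "$rc"
}

if [ $# -gt 0 ]; then
    check_local_passwd && check_ssh_quiet "$@"
fi
```

Run it as root from the node used for GPFS administration, naming every other node; a non-zero exit identifies the node or passwd entry that needs attention.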
For additional information, see Requirements for administering a GPFS file system and Windows issues.