Protocol authentication configuration changes during upgrade

During an IBM Storage Scale protocol nodes upgrade, make the protocol authentication-related configuration changes that apply to your authentication setup, as described in the following sections.

Identify the current authentication scheme configured for file protocols

To identify the current authentication scheme that is configured for file protocols, issue the following command.
# mmuserauth service list --data-access-method file
The value of the FILE protocols is configured for field in the command output identifies the authentication scheme that is configured for file protocols. The remaining fields in the output (for example, ENABLE_SERVER_TLS, ENABLE_KERBEROS, and ENABLE_NFS_KERBEROS) identify which of the following procedures apply to your setup.

Upgrade authentication for file protocols set up with the LDAP-based authentication scheme

If file protocols are set up with the LDAP-based authentication scheme, complete the following steps. These steps are applicable for any variation of the LDAP-based authentication scheme.
Note: Issue the commands in step 2 while the upgrade steps for the first protocol node in the cluster are being done. Do not repeat step 2 for the remaining protocol nodes; steps 1, 3, and 4 apply to every protocol node.
  1. Install the sssd-tools package on all the protocol nodes.
  2. Obscure the password that is stored in the SSSD configuration file by doing the following steps.
    1. Copy the current SSSD configuration file to the /tmp path.
      # /bin/cp /etc/sssd/sssd.conf /tmp/sssd_update.conf
    2. Read the secret (bind password) of the LDAP user that is used to integrate with the LDAP server into a shell variable in the current session.
      # secret="$(/usr/lpp/mmfs/bin/mmgetconfdata -f /tmp/sssd_update.conf -s "domain/LDAPDOMAIN" -a "ldap_default_authtok")"
    3. From IBM Storage Scale 5.1.0 and higher, obscure the secret of the user that is used to communicate with the LDAP server by issuing the following command.
      # echo -n "${secret}" | /usr/sbin/sss_obfuscate -d LDAPDOMAIN -f /tmp/sssd_update.conf --stdin
    4. Clear the secret from the current session by issuing the following command.
      # unset secret
    5. Publish the updated file to the CCR by issuing the following command.
      # /usr/lpp/mmfs/bin/mmccr fput SSSD_CONF /tmp/sssd_update.conf
    6. Delete the SSSD configuration file from the /tmp path by issuing the following command.
      # /bin/rm /tmp/sssd_update.conf
  3. On each protocol node, pull the updated SSSD configuration file from the CCR and restart SSSD as follows.
    1. Fetch the new SSSD configuration file from the IBM Storage Scale configuration repository (CCR) to the node.
      # /usr/lpp/mmfs/bin/mmccr fget SSSD_CONF /etc/sssd/sssd.conf
    2. Restart the SSSD service to reflect the change.
      # systemctl restart sssd
  4. Validate that users from the LDAP server can be resolved on all the protocol nodes, for example by looking up an LDAP user with the id command on each node.
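The following script is an added example; it is not part of the IBM Storage Scale documentation or product. It wraps step 2 of the procedure with the checks a practitioner would want before publishing to the CCR: it refuses to run without sss_obfuscate (that is, without the sssd-tools package), skips the work if the bind password is already obscured, verifies that sss_obfuscate actually rewrote the [domain/LDAPDOMAIN] section, and passes the secret to sss_obfuscate on stdin rather than on the command line so that it does not appear in process listings or shell history. The check itself is plain awk over the INI-style SSSD file and runs on any node; the tool paths and the LDAPDOMAIN section name are taken from the procedure above, while the sssd.conf contents written by write_sample_sssd_conf are constructed for the example and are not from a real cluster. Run the script with --run on the first protocol node to execute the real procedure; without arguments it only defines the functions.

```shell
#!/bin/sh
# Added example: obscure the LDAP bind password in the SSSD configuration
# held in the CCR, with checks. Tool paths and the LDAPDOMAIN section name
# are those of the procedure above; the sample file below is constructed.

# Print the value of KEY in [SECTION] of an INI-style SSSD file (empty if absent).
# usage: sssd_conf_get FILE SECTION KEY
sssd_conf_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ {
            s = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", s)
            insec = (s == want); next
        }
        insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# Succeed only when the bind password in [domain/DOMAIN] is in the form that
# sss_obfuscate writes (ldap_default_authtok_type = obfuscated_password).
# usage: sssd_authtok_obscured FILE DOMAIN
sssd_authtok_obscured() {
    tok_type=$(sssd_conf_get "$1" "domain/$2" ldap_default_authtok_type)
    tok=$(sssd_conf_get "$1" "domain/$2" ldap_default_authtok)
    [ "$tok_type" = "obfuscated_password" ] && [ -n "$tok" ]
}

# Write a constructed sssd.conf (not taken from a cluster) in plain or obscured form.
# usage: write_sample_sssd_conf FILE plain|obscured
write_sample_sssd_conf() {
    if [ "$2" = plain ]; then
        tok_type=password; tok='Secr3t!'
    else
        tok_type=obfuscated_password; tok='AAAQABAAAAAAAAAAAAAAAAAAAAAAAAAA'  # placeholder, not a real token
    fi
    cat > "$1" <<EOF
[sssd]
services = nss, pam
domains = LDAPDOMAIN

[domain/LDAPDOMAIN]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_default_bind_dn = cn=scale,dc=example,dc=com
ldap_default_authtok_type = $tok_type
ldap_default_authtok = $tok
EOF
}

# Step 2 of the procedure with checks. Run once, on the first protocol node.
obscure_sssd_secret_in_ccr() {
    tmp=/tmp/sssd_update.conf
    if [ ! -x /usr/sbin/sss_obfuscate ]; then
        echo "sss_obfuscate not found: install the sssd-tools package first" >&2
        return 1
    fi
    /bin/cp /etc/sssd/sssd.conf "$tmp" || return 1
    if sssd_authtok_obscured "$tmp" LDAPDOMAIN; then
        echo "bind password is already obscured; nothing to publish"
        /bin/rm -f "$tmp"
        return 0
    fi
    # The secret goes to sss_obfuscate on stdin, never as a command-line argument.
    secret="$(/usr/lpp/mmfs/bin/mmgetconfdata -f "$tmp" -s "domain/LDAPDOMAIN" -a "ldap_default_authtok")"
    printf '%s' "$secret" | /usr/sbin/sss_obfuscate -d LDAPDOMAIN -f "$tmp" --stdin
    rc=$?
    unset secret
    if [ "$rc" -ne 0 ] || ! sssd_authtok_obscured "$tmp" LDAPDOMAIN; then
        echo "sss_obfuscate did not rewrite [domain/LDAPDOMAIN] in $tmp; not publishing" >&2
        /bin/rm -f "$tmp"
        return 1
    fi
    /usr/lpp/mmfs/bin/mmccr fput SSSD_CONF "$tmp" && /bin/rm -f "$tmp"
}

# Only act when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    obscure_sssd_secret_in_ccr
fi
```

After step 3 has been done on a node, the same check can be pointed at /etc/sssd/sssd.conf to confirm that the node received the obscured version rather than the original.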

Upgrade authentication for file protocols set up with the LDAP-based authentication scheme and communication with the LDAP server secured by TLS

If file protocols are set up with the LDAP-based authentication scheme and the communication with the LDAP server is secured by using the TLS protocol, do the following steps. These steps are applicable for any variation of the LDAP-based authentication scheme that is secured by TLS.
Note:
  • You can confirm that you are using LDAP secured with TLS if ENABLE_SERVER_TLS is true in the output of the mmuserauth service list command.
  • Issue the following commands when upgrade steps for the first protocol node in the cluster are being done. Do not repeat the following steps for the remaining protocol nodes.
  1. Fetch the configuration file from the CCR.
    # /usr/lpp/mmfs/bin/mmccr fget LDAP_CONF /tmp/ldap_conf.from.ccr
  2. Update the temporary file for the following changes.
    1. Delete the entry for the TLS_CIPHER_SUITE setting from the file.
    2. Add the following new entry to the file. The value 3.3 is the OpenLDAP notation for TLS 1.2, so this entry rejects SSLv3, TLS 1.0, and TLS 1.1 connections to the LDAP server.
      TLS_PROTOCOL_MIN 3.3
    3. Add the following new entry to the file based on the operating system (OS) of the protocol node. The two forms differ because libldap on RHEL and SLES takes an OpenSSL cipher string, whereas libldap on Ubuntu is built against GnuTLS and takes a GnuTLS priority string.
      If the OS of the protocol node is RHEL or SLES, add the following entry.
      TLS_CIPHER_SUITE DEFAULT:!SSLv3:!TLSv1:!TLSv1.1:@STRENGTH
      If the OS of the protocol node is Ubuntu, add the following entry.
      TLS_CIPHER_SUITE NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:-AES-128-CBC:-AES-256-CBC
    4. Save the file.
  3. Publish the updated file to the CCR by issuing the following command.
    # /usr/lpp/mmfs/bin/mmccr fput LDAP_CONF /tmp/ldap_conf.from.ccr
  4. Propagate the changes to all the protocol nodes of the cluster by issuing the following command.
    # mmuserauth service check --data-access-method file --rectify
  5. Delete the temporary file.
    # /bin/rm /tmp/ldap_conf.from.ccr
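The following script is an added example; it is not part of the IBM Storage Scale documentation or product. It performs the ldap.conf edit from step 2 in a way that can be re-run safely (any existing TLS_CIPHER_SUITE and TLS_PROTOCOL_MIN lines are dropped before the new ones are appended, so a second run does not duplicate them), picks the cipher list from the os-release ID of the node, and reads back the values so the result can be checked before it is published. The TLS_PROTOCOL_MIN value and both cipher strings are copied from the procedure above; the sample ldap.conf written by write_sample_ldap_conf and the os-release lines in the usage are constructed and are not from a real node. Run the script with --run on the first protocol node to execute steps 1 to 5 against the CCR; without arguments it only defines the functions.

```shell
#!/bin/sh
# Added example: rewrite an ldap.conf fetched from the CCR so that it pins
# TLS 1.2 or later and the per-OS cipher list from the procedure above.
# Cipher strings are copied from the procedure; sample inputs are constructed.

# Map the ID field of an os-release file to the OS families the procedure distinguishes.
# usage: os_family [OS_RELEASE_FILE]  -> rhel | sles | ubuntu | unknown
os_family() {
    id=$(sed -n 's/^ID=//p' "${1:-/etc/os-release}" 2>/dev/null | tr -d '"' | head -n 1)
    case "$id" in
        rhel)   echo rhel ;;
        sles)   echo sles ;;
        ubuntu) echo ubuntu ;;
        *)      echo unknown ;;
    esac
}

# Print the value of KEY in an ldap.conf (keyword, whitespace, value; empty if absent).
# usage: ldap_conf_get FILE KEY
ldap_conf_get() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }' "$1"
}

# Apply the procedure's edits in place, idempotently: drop any TLS_CIPHER_SUITE
# (and TLS_PROTOCOL_MIN, so re-running does not duplicate it), then append
# TLS_PROTOCOL_MIN 3.3 (TLS 1.2) and the cipher list for the OS family.
# RHEL/SLES take an OpenSSL cipher string, Ubuntu a GnuTLS priority string.
# usage: ldap_conf_harden FILE rhel|sles|ubuntu
ldap_conf_harden() {
    case "$2" in
        rhel|sles) suite='DEFAULT:!SSLv3:!TLSv1:!TLSv1.1:@STRENGTH' ;;
        ubuntu)    suite='NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:-AES-128-CBC:-AES-256-CBC' ;;
        *)         echo "unsupported OS family: $2" >&2; return 2 ;;
    esac
    new="$1.new"
    {
        grep -v -E '^[[:space:]]*TLS_(CIPHER_SUITE|PROTOCOL_MIN)([[:space:]]|$)' "$1"
        printf 'TLS_PROTOCOL_MIN 3.3\nTLS_CIPHER_SUITE %s\n' "$suite"
    } > "$new" && mv "$new" "$1"
}

# Constructed sample of a pre-upgrade ldap.conf (not taken from a cluster).
# usage: write_sample_ldap_conf FILE
write_sample_ldap_conf() {
    cat > "$1" <<'EOF'
URI ldaps://ldap.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/openldap/certs/ca.pem
TLS_CIPHER_SUITE HIGH:MEDIUM:!aNULL
TLS_REQCERT demand
EOF
}

# Steps 1 to 5 of the procedure, run once on the first protocol node.
upgrade_ldap_tls_in_ccr() {
    tmp=/tmp/ldap_conf.from.ccr
    fam=$(os_family)
    /usr/lpp/mmfs/bin/mmccr fget LDAP_CONF "$tmp" || return 1
    if ! ldap_conf_harden "$tmp" "$fam"; then
        /bin/rm -f "$tmp"; return 1
    fi
    echo "publishing: TLS_PROTOCOL_MIN $(ldap_conf_get "$tmp" TLS_PROTOCOL_MIN), TLS_CIPHER_SUITE $(ldap_conf_get "$tmp" TLS_CIPHER_SUITE)"
    /usr/lpp/mmfs/bin/mmccr fput LDAP_CONF "$tmp" || { /bin/rm -f "$tmp"; return 1; }
    /usr/lpp/mmfs/bin/mmuserauth service check --data-access-method file --rectify
    /bin/rm -f "$tmp"
}

# Only act when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    upgrade_ldap_tls_in_ccr
fi
```

Because the cipher list is chosen from the os-release ID, a cluster whose protocol nodes run different operating systems needs care: the LDAP_CONF file in the CCR is one file, and the procedure above assumes all protocol nodes share the same OS family.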

Upgrade authentication for file protocols set up with AD or LDAP file authentication with Kerberos

From IBM Storage Scale 5.1.2, the system file /etc/krb5.keytab is not used for file authentication that involves Kerberos. IBM Storage Scale uses a custom keytab file.

If you are using AD or LDAP file authentication with Kerberos, do the following steps to upgrade the authentication configuration.
Note: You can confirm that you are using AD or LDAP file authentication with Kerberos, if either ENABLE_NFS_KERBEROS or ENABLE_KERBEROS is true in the output of the mmuserauth service list command.
  1. Complete the upgrade steps on protocol nodes by using the installation toolkit or the manual upgrade procedure.
  2. Run the /usr/lpp/mmfs/bin/mmktupgrade script.

    The script creates a custom keytab file /var/mmfs/etc/krb5_scale.keytab and does the necessary NFS and SMB configuration changes. You can list the principals that the new keytab contains with the klist -k /var/mmfs/etc/krb5_scale.keytab command.

  3. Restart NFS and SMB on protocol nodes for the configuration changes to take effect.
    Note: To prevent downtime, you can restart services on these nodes in a phased manner.
After these steps, IBM Storage Scale uses the custom keytab file for Kerberos authentication.

Resolve file protocols authentication scheme configuration command failure

The file protocols authentication scheme configuration command might fail with the following error.
mmuserauth: [E] CCR command failed: service
Failed to read value for variable LDAPMAP_DOMAINS from CCR.
mmuserauth service list: Command failed. Examine previous error messages to determine cause.
If this error occurs, set the LDAPMAP_DOMAINS variable to none in the cluster configuration repository (CCR) by doing the following steps from any protocol node.
  1. Fetch the authentication configuration file from the CCR.
    # /usr/lpp/mmfs/bin/mmccr fget authccr /tmp/authccr
  2. Edit the /tmp/authccr file and set LDAPMAP_DOMAINS=none. If the LDAPMAP_DOMAINS entry is not present, add the entry and set it to none.
  3. Publish the updated file to the CCR.
    # /usr/lpp/mmfs/bin/mmccr fput authccr /tmp/authccr
  4. Verify that the command now succeeds, and delete the temporary file.
    # mmuserauth service list --data-access-method file
    # /bin/rm /tmp/authccr
Warning: The mmccr command is an IBM Storage Scale internal component and it must be used only under the guidance of IBM® Support. If the mmccr command is used incorrectly, the cluster can become nonoperational.