Configuring AD-based authentication with RFC2307 ID mapping
You can configure IBM Spectrum Scale™ system authentication with Active Directory (AD) and RFC2307 ID mapping, or with AD with Kerberos and RFC2307 ID mapping. In both methods, Active Directory stores the user credentials and the RFC2307 attributes on the AD server store the UIDs and GIDs. This is useful when you plan to use pre-existing UNIX clients, or the NFS and SMB protocols, for data access with the AFM feature of the IBM Spectrum Scale system. If you use AD-based authentication and the ID maps are not configured with RFC2307, the IBM Spectrum Scale system uses automatic ID mapping by default.
The following example configures AD with RFC2307 ID mapping:
- Submit the mmuserauth service create command as shown in the following example:
  # mmuserauth service create --type ad --data-access-method file --netbios-name ess --user-name administrator --idmap-role master --servers myADserver --password Passw0rd --idmap-range-size 1000000 --idmap-range 10000000-299999999 --unixmap-domains 'DOMAIN(5000-20000)'
  The system displays the following output:
  File authentication configuration completed successfully.
- Issue the mmuserauth service list command to verify the authentication configuration as shown in the following example:
  # mmuserauth service list
  The system displays the following output:
  FILE access configuration : AD
  PARAMETERS               VALUES
  -------------------------------------------------
  ENABLE_NFS_KERBEROS      false
  SERVERS                  myADserver
  USER_NAME                administrator
  NETBIOS_NAME             ess
  IDMAP_ROLE               master
  IDMAP_RANGE              10000000-299999999
  IDMAP_RANGE_SIZE         1000000
  UNIXMAP_DOMAINS          DOMAIN(5000-20000)
  LDAPMAP_DOMAINS          none

  OBJECT access not configured
  PARAMETERS               VALUES
- Verify the user name resolution on the system. Confirm that the resolution shows IDs that are pulled from the RFC2307 attributes on the AD server:
  # id DOMAIN\\administrator
  uid=10002(DOMAIN\administrator) gid=10000(DOMAIN\domain users) groups=10000(DOMAIN\domain users)
Configuring AD using Kerberos with RFC2307 ID mapping
- Submit the mmuserauth service create command as shown in the following example:
  # mmuserauth service create --data-access-method file --type ad --netbios-name kknode_v42 --servers myADserver --user-name administrator --password Passw0rd --idmap-role master --enable-nfs-kerberos --unixmap-domains "DOMAIN(10000-200000)"
  The system displays the following output:
  File authentication configuration completed successfully.
- Issue the mmuserauth service list command to verify the authentication configuration as shown in the following example:
  # mmuserauth service list
  The system displays the following output:
  FILE access configuration : AD
  PARAMETERS               VALUES
  -------------------------------------------------
  ENABLE_NFS_KERBEROS      true
  SERVERS                  myADserver
  USER_NAME                administrator
  NETBIOS_NAME             kknode_v42
  IDMAP_ROLE               master
  IDMAP_RANGE              10000000-299999999
  IDMAP_RANGE_SIZE         1000000
  UNIXMAP_DOMAINS          DOMAIN(1000-200000)
  LDAPMAP_DOMAINS          none

  OBJECT access not configured
  PARAMETERS               VALUES
- Verify the user name resolution on the system. Confirm that the resolution shows IDs that are pulled from the RFC2307 attributes on the AD server:
  # id DOMAIN\\administrator
  uid=10002(DOMAIN\administrator) gid=40000(DOMAIN\domain users) groups=11000545(BUILTIN\users),11000544(BUILTIN\administrators)
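The verification step in both procedures above relies on reading the `id` output by eye. The following added example (not IBM's code, and not part of this page) automates that check: it takes the `id` output and the UNIXMAP_DOMAINS value from `mmuserauth service list` and reports any ID of the RFC2307-mapped domain that falls outside the configured range, which is the sign that the system fell back to automatic ID mapping for that user or group. It assumes a single domain entry in UNIXMAP_DOMAINS and the `DOMAIN\name` form shown on this page; the sample `id` line is constructed from the page's first example.

```shell
#!/bin/sh
# Added example (not IBM's code). Given the output of `id DOMAIN\\user` and the
# UNIXMAP_DOMAINS value from `mmuserauth service list`, check that every ID
# belonging to the RFC2307-mapped domain lies inside that domain's UID/GID
# range. A domain ID outside it (typically inside IDMAP_RANGE) means the user
# or group was resolved through automatic ID mapping, not RFC2307 attributes.
# IDs from other sources (e.g. BUILTIN\ groups) have no RFC2307 attributes and
# are expected to be auto-mapped, so they are skipped.

# Parse "DOMAIN(5000-20000)" into "DOMAIN 5000 20000" (assumes one domain entry).
unixmap_bounds() {
    printf '%s\n' "$1" \
        | sed -n 's/^\([^(]*\)(\([0-9][0-9]*\)-\([0-9][0-9]*\)).*/\1 \2 \3/p'
}

# ids_from_rfc2307 '<id output>' '<UNIXMAP_DOMAINS value>'
# Returns 0 when at least one domain ID was found and all of them are in range,
# 1 when a domain ID is out of range (or none was found), 2 on a parse error.
ids_from_rfc2307() {
    id_output=$1
    unixmap=$2
    set -- $(unixmap_bounds "$unixmap")
    domain=$1; low=$2; high=$3
    [ -n "$high" ] || { printf 'cannot parse UNIXMAP_DOMAINS: %s\n' "$unixmap"; return 2; }
    found=0; bad=0
    # Split at ')' so each uid/gid/group lands on its own line, then keep
    # "<number> <domain>" for names of the form DOMAIN\name (case-sensitive).
    while read -r n dom; do
        [ "$dom" = "$domain" ] || continue
        found=$((found + 1))
        if [ "$n" -lt "$low" ] || [ "$n" -gt "$high" ]; then
            printf 'ID %s (%s) outside RFC2307 range %s-%s: automatic mapping?\n' \
                "$n" "$dom" "$low" "$high"
            bad=$((bad + 1))
        fi
    done <<EOF
$(printf '%s\n' "$id_output" | tr ')' '\n' \
    | sed -n 's/^[ ,]*[a-z]*=*\([0-9][0-9]*\)(\([^\\]*\)\\.*/\1 \2/p')
EOF
    [ "$found" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed sample taken from the first `id` output on this page.
SAMPLE='uid=10002(DOMAIN\administrator) gid=10000(DOMAIN\domain users) groups=10000(DOMAIN\domain users)'
ids_from_rfc2307 "$SAMPLE" 'DOMAIN(5000-20000)' && echo "all domain IDs come from RFC2307"
```

On a live system replace SAMPLE with `$(id DOMAIN\\user)` and the second argument with the UNIXMAP_DOMAINS value printed by `mmuserauth service list`.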