Configuring AD-based authentication with RFC2307 ID mapping

You can configure IBM Spectrum Scale™ system authentication with Active Directory (AD) and RFC2307 ID mapping, either with or without Kerberos for NFS. In both of these authentication methods, Active Directory stores the user credentials, and the UIDs and GIDs are read from the RFC2307 attributes (uidNumber and gidNumber) that are stored on the user and group objects in AD. This is useful when you plan to use pre-existing UNIX clients, or the NFS and SMB protocols, for data access together with the AFM feature of the IBM Spectrum Scale system, because every client then sees the same numeric IDs for the same users and groups. If you use AD-based authentication and the ID maps are not configured with RFC2307, the IBM Spectrum Scale system uses automatic ID mapping by default, and the IDs it generates will not agree with the IDs that existing UNIX clients already use for the same accounts.

The following provides an example of configuring AD with RFC2307 ID mapping.

  1. Submit the mmuserauth service create command as shown in the following example:
    # mmuserauth service create --type ad --data-access-method file --netbios-name ess \
        --user-name administrator --idmap-role master --servers myADserver \
        --password Passw0rd --idmap-range-size 1000000 --idmap-range 10000000-299999999 \
        --unixmap-domains 'DOMAIN(5000-20000)'
    Here DOMAIN is the NetBIOS name of the AD domain whose user and group objects carry the uidNumber and gidNumber attributes, and 5000-20000 is the range in which those attribute values are expected to fall. Keep this range disjoint from --idmap-range, the range used for automatic ID mapping, so that the numeric value of any resolved ID alone tells you which mechanism produced it. The value given with --password is visible in the shell history and in the process list while the command runs, so clear it from the history afterwards.
    The system displays the following output:
    File authentication configuration completed successfully.
  2. Issue the mmuserauth service list command to verify the authentication configuration as shown in the following example:
    # mmuserauth service list
    The system displays the following output:
    FILE access configuration : AD
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_NFS_KERBEROS      false
    SERVERS                  myADserver
    USER_NAME                administrator
    NETBIOS_NAME             ess
    IDMAP_ROLE               master
    IDMAP_RANGE              10000000-299999999
    IDMAP_RANGE_SIZE         1000000
    UNIXMAP_DOMAINS          DOMAIN(5000-20000)
    LDAPMAP_DOMAINS          none
    
    OBJECT access not configured
    PARAMETERS               VALUES
  3. Verify the user name resolution on the system. Confirm that the resolution is showing IDs that are pulled from RFC2307 attributes on the AD server.
    # id DOMAIN\\administrator
    uid=10002(DOMAIN\administrator) gid=10000(DOMAIN\domain users) 
    groups=10000(DOMAIN\domain users)
    Both uid 10002 and gid 10000 lie inside the 5000-20000 range given in --unixmap-domains and outside IDMAP_RANGE, which confirms that they were taken from the uidNumber and gidNumber attributes. A uid or gid in the 10000000-299999999 range for an object of this domain would mean that the object was mapped automatically, typically because its RFC2307 attributes are not populated, and its ID would then differ from the one the existing UNIX clients use.

Configuring AD using Kerberos with RFC2307 ID mapping

  1. Submit the mmuserauth service create command as shown in the following example:
    # mmuserauth service create --data-access-method file --type ad --netbios-name kknode_v42 \
        --servers myADserver --user-name administrator --password Passw0rd --idmap-role master \
        --enable-nfs-kerberos --unixmap-domains "DOMAIN(10000-200000)"
    The --enable-nfs-kerberos option turns on Kerberos authentication for NFS access. The --idmap-range and --idmap-range-size options are omitted in this example; the values that apply are the ones that mmuserauth service list reports in step 2. As in the previous example, the password passed with --password is visible in the shell history and the process list.
    The system displays the following output:
    File authentication configuration completed successfully.
  2. Issue the mmuserauth service list command to verify the authentication configuration as shown in the following example:
    # mmuserauth service list
    The system displays the following output:
    FILE access configuration : AD
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_NFS_KERBEROS      true
    SERVERS                  myADserver
    USER_NAME                administrator
    NETBIOS_NAME             kknode_v42
    IDMAP_ROLE               master
    IDMAP_RANGE              10000000-299999999
    IDMAP_RANGE_SIZE         1000000
    UNIXMAP_DOMAINS          DOMAIN(10000-200000)
    LDAPMAP_DOMAINS          none
    
    OBJECT access not configured
    PARAMETERS               VALUES
  3. Verify the user name resolution on the system. Confirm that the resolution is showing IDs that are pulled from RFC2307 attributes on the AD server.
    # id DOMAIN\\administrator
    uid=10002(DOMAIN\administrator) gid=40000(DOMAIN\domain users) 
    groups=11000545(BUILTIN\users),11000544(BUILTIN\administrators)
    The uid 10002 and gid 40000 lie inside the 10000-200000 range given in --unixmap-domains, so they came from the RFC2307 attributes. The two BUILTIN groups (Users, RID 545, and Administrators, RID 544) carry no RFC2307 attributes, so they receive IDs from IDMAP_RANGE through automatic mapping; IDs in that range are expected for BUILTIN objects and are not a sign of a mapping problem.
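The verification in step 3 of both procedures above relies on reading the numeric IDs by eye. The following script, added here as an example and not part of IBM's documentation or product, automates that check: it parses the output of mmuserauth service list to find the RFC2307 range of a domain (UNIXMAP_DOMAINS) and the automatic range (IDMAP_RANGE), then classifies every ID in an id output line as rfc2307, automatic, or unmapped, and flags objects of the RFC2307-mapped domain whose ID did not come from that range. The mmuserauth and id outputs it reads are constructed copies of the page's examples, the svc_backup user is hypothetical, and the acceptance of several UNIXMAP_DOMAINS entries separated by ';' is an assumption.

```shell
#!/bin/sh
# Added example (not IBM's code): check whether the numeric IDs that `id`
# reports for AD users really come from the RFC2307 attributes (UNIXMAP_DOMAINS
# range) rather than from automatic ID mapping (IDMAP_RANGE). Runs offline on
# constructed copies of the command output; on a cluster, feed it
# "$(mmuserauth service list)" and "$(id 'DOMAIN\user')" instead.

# Constructed copy of the `mmuserauth service list` output from the page's first example.
SAMPLE_CONFIG='FILE access configuration : AD
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS      false
SERVERS                  myADserver
USER_NAME                administrator
NETBIOS_NAME             ess
IDMAP_ROLE               master
IDMAP_RANGE              10000000-299999999
IDMAP_RANGE_SIZE         1000000
UNIXMAP_DOMAINS          DOMAIN(5000-20000)
LDAPMAP_DOMAINS          none'

# Constructed `id` output: a user whose uid/gid come from RFC2307 attributes,
# plus a BUILTIN group, which has no RFC2307 attributes and is auto-mapped ...
ID_GOOD='uid=10002(DOMAIN\administrator) gid=10000(DOMAIN\domain users) groups=10000(DOMAIN\domain users),11000545(BUILTIN\users)'
# ... and a hypothetical user whose uid landed in IDMAP_RANGE, i.e. it was not
# taken from a uidNumber attribute and will not match the UID that existing
# UNIX clients use for that account.
ID_BAD='uid=10001234(DOMAIN\svc_backup) gid=10000(DOMAIN\domain users) groups=10000(DOMAIN\domain users)'

# Print the VALUES column for one parameter of `mmuserauth service list` output.
cfg_value() {  # $1 = config text, $2 = parameter name
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2 }'
}

# Print "low high" of the RFC2307 range configured for a domain, from an entry
# such as DOMAIN(5000-20000). Several entries separated by ';' are accepted
# (an assumption; the page only shows one domain).
unixmap_range() {  # $1 = config text, $2 = domain name
    cfg_value "$1" UNIXMAP_DOMAINS | tr ';' '\n' |
        sed -n "s/^$2(\([0-9]*\)-\([0-9]*\))\$/\1 \2/p"
}

# Print "low high" of IDMAP_RANGE, the automatic (autorid) mapping range.
idmap_range() {  # $1 = config text
    cfg_value "$1" IDMAP_RANGE | sed 's/-/ /'
}

# Classify one numeric ID as rfc2307, automatic, or unmapped (in neither range).
classify_id() {  # $1 = numeric ID, $2 = config text, $3 = RFC2307-mapped domain
    rng=$(unixmap_range "$2" "$3")
    if [ -z "$rng" ]; then
        echo "no UNIXMAP_DOMAINS entry for $3" >&2
        return 2
    fi
    auto=$(idmap_range "$2")
    r_lo=${rng% *}; r_hi=${rng#* }
    a_lo=${auto% *}; a_hi=${auto#* }
    if [ "$1" -ge "$r_lo" ] && [ "$1" -le "$r_hi" ]; then
        echo rfc2307
    elif [ "$1" -ge "$a_lo" ] && [ "$1" -le "$a_hi" ]; then
        echo automatic
    else
        echo unmapped
    fi
}

# Audit one `id` output line. IDs whose name belongs to the RFC2307-mapped domain
# must be rfc2307; BUILTIN groups and domains not in UNIXMAP_DOMAINS are expected
# to be automatic. Prints "id name source verdict" per ID; returns 1 on any WRONG.
audit_id_line() {  # $1 = id output line, $2 = config text, $3 = RFC2307-mapped domain
    cfg=$2; dom=$3; bad=0
    # Turn "uid=N(name) gid=N(name) groups=N(name),N(name)" into one N(name) per line.
    entries=$(printf '%s\n' "$1" | sed 's/^uid=//; s/ gid=/,/; s/ groups=/,/' | tr ',' '\n')
    while IFS= read -r entry; do
        num=${entry%%"("*}
        name=${entry#*"("}; name=${name%")"}
        kind=$(classify_id "$num" "$cfg" "$dom")
        case $name in
            "$dom\\"*) want=rfc2307 ;;    # object of the RFC2307-mapped domain
            *)         want=automatic ;;  # BUILTIN or a domain without RFC2307 mapping
        esac
        if [ "$kind" = "$want" ]; then verdict=ok; else verdict=WRONG; bad=1; fi
        printf '%s\t%s\t%s\t%s\n' "$num" "$name" "$kind" "$verdict"
    done <<EOF
$entries
EOF
    return $bad
}

echo "== user mapped from RFC2307 attributes =="
audit_id_line "$ID_GOOD" "$SAMPLE_CONFIG" DOMAIN
echo "== user whose uid came from automatic mapping =="
audit_id_line "$ID_BAD" "$SAMPLE_CONFIG" DOMAIN ||
    echo "FAIL: an ID of a UNIXMAP domain object is not in its RFC2307 range"
```

Run it on a protocol node after step 2 of either procedure by replacing SAMPLE_CONFIG with the live mmuserauth service list output and ID_GOOD with the output of id for each account that existing UNIX clients rely on; a non-zero exit for any of those accounts means its AD object is missing uidNumber or gidNumber and should be fixed before data is exposed over NFS or SMB.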