Configuring a mixed Windows and UNIX cluster

For GPFS™ clusters that include both Windows and UNIX nodes, this topic describes the additional configuration steps needed beyond those described in Installing GPFS prerequisites.

For mixed clusters, perform the following steps:
  1. Optionally, install and configure identity mapping on your Active Directory domain controller (see Identity Management for UNIX (IMU)).
  2. Create the root administrative account (see Creating the GPFS administrative account).
  3. Edit the Domain Group Policy to give root the right to log on as a service (see Allowing the GPFS administrative account to run as a service).
  4. Configure the GPFS Administration service (mmwinserv) to run as root (see Configuring the GPFS Administration service).
  5. Install and configure OpenSSH (see Installing and configuring OpenSSH).
Complete this process before performing configuration steps common to all GPFS supported platforms.

Identity Management for UNIX (IMU)

GPFS can exploit a Windows Server feature called Identity Management for UNIX (IMU) to provide consistent identities among all nodes in a cluster.

GPFS expects that all Windows nodes in a cluster are members of the same Active Directory domain. This gives domain users a consistent identity and consistent file access rights independent of the system they are using.

In addition, GPFS can exploit the Identity Management for UNIX (IMU) service for mapping users and groups between Windows and UNIX. IMU is an optional component of Microsoft Windows Server (starting with Server 2003 R2) that can be installed on domain controllers. GPFS does not require IMU.

For IMU installation and configuration information, see Identity management on Windows in IBM Spectrum Scale: Advanced Administration Guide.

Creating the GPFS administrative account

GPFS uses an administrative account in the Active Directory domain named root in order to interoperate with UNIX nodes in the cluster. Create this administrative account as follows:
  1. Create a domain user with the logon name root.
  2. Add user root to the Domain Admins group or to the local Administrators group on each Windows node.
  3. In root Properties/Profile/Home/LocalPath, define a HOME directory such as C:\Users\root\home that does not include spaces in the path name and is not the same as the profile path.
  4. Give root the right to log on as a service as described in Allowing the GPFS administrative account to run as a service.

Step 3 is required for the Cygwin environment (described in Installing Cygwin) to operate correctly. Avoid using a path that contains a space character in any of the path names. Also avoid using root's profile path (for example, C:\Users\root). OpenSSH requires specific permissions on this directory, which can interfere with some Windows applications.

You may need to create the HOME directory on each node in your GPFS cluster. Make sure that root owns this directory.

Allowing the GPFS administrative account to run as a service

Clusters that depend on a root account to interoperate with UNIX nodes in a cluster will need to configure the GPFS Administrative Service (mmwinserv) to run as the root account. For this, root needs to be assigned the right to log on as a service. See Configuring the GPFS Administration service for details.

The right to log on as a service is controlled by the Local Security Policy of each Windows node. You can use the Domain Group Policy to set the Local Security Policy on all Windows nodes in a GPFS cluster.

The following procedure assigns the log on as a service right to an account when the domain controller is running on Windows Server 2008:

  1. Open Group Policy Management (available under Administrative Tools).
  2. In the console tree, expand Forest name/Domains/Domain name/Group Policy Objects.
  3. Right click Default Domain Policy and select Edit.
  4. In the console tree of the Group Policy Management Editor, expand down to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment.
  5. Double click the Log on as a service policy.
  6. Check Define these policy settings if necessary.
  7. Use Add User or Group... to include the DomainName\root account in the policy, then click OK.

Refer to your Windows Server documentation for a full explanation of Local Security Policy and Group Policy Management.

Configuring the GPFS Administration service

GPFS for Windows includes a service called mmwinserv. In the Windows Services management console, this service has the name GPFS Administration. mmwinserv supports GPFS operations such as autoload and remote command execution in Windows GPFS clusters. The Linux and AIX® versions of GPFS do not have a similar component. The mmwinserv service is used on all Windows nodes starting with GPFS 3.3.

The GPFS installation package configures mmwinserv to run using the default LocalSystem account. This account supports Windows GPFS clusters. For clusters that include both Windows and UNIX nodes, you must configure mmwinserv to run as root, the GPFS administrative account. Unlike LocalSystem, root can access the Identity Management for UNIX (IMU) service and can access other GPFS nodes as required by some cluster configurations.

For IMU installation and configuration information, see Identity management on Windows in IBM Spectrum Scale: Advanced Administration Guide. For information on supporting administrative access to GPFS nodes, see the Requirements for administering a GPFS file system topic in the IBM Spectrum Scale: Administration and Programming Reference.

Before configuring mmwinserv to run as root, you must first grant root the right to run as a service. For details, see Allowing the GPFS administrative account to run as a service.

Use the GPFS command mmwinservctl to set and maintain the GPFS Administration service's log on account. mmwinservctl must be run on a Windows node. You can run mmwinservctl to set the service account before adding Windows nodes to a cluster. You can also use this command to change or update the account on nodes that are already in a cluster. GPFS can be running or stopped when executing mmwinservctl; however, refrain from running other GPFS administrative commands at the same time.

In this example, mmwinservctl configures three nodes before they are added to a GPFS cluster containing both Windows and UNIX:

    mmwinservctl set -N node1,node2,node3 --account mydomain/root --password mypwd --remote-shell no

Whenever root's password changes, the mmwinserv logon information needs to be updated to use the new password. The following command updates the logon information on all Windows nodes in a cluster with a new password:

    mmwinservctl set -N all --password mynewpwd

As long as mmwinserv is running, the service will not be affected by an expired or changed password and GPFS will continue to function normally. However, GPFS will not start after a system reboot when mmwinserv is configured with an invalid password. If for any reason the Windows domain or root password changes, then mmwinservctl should be used to update the domain and password. The domain and password can also be updated on a per node basis by choosing Administrative Tools > Computer Management > Services and Applications > Services, and selecting GPFS Administration. Choose File > Properties > Logon and update the <domain>\username and the password.

For more information, see mmwinservctl command in IBM Spectrum Scale: Administration and Programming Reference.

Installing and configuring OpenSSH

If using a mixed cluster, OpenSSH must be configured on the Windows nodes. Refer to the Cygwin FAQ and documentation on how to set up sshd. Replace the usage of the account cyg_server in the Cygwin documentation with root when setting up a privileged account for sshd.

The following are some guidelines in addition to the Cygwin instructions on setting up sshd:
  1. Verify that all nodes can be pinged among themselves by host name, Fully Qualified Domain Name (FQDN) and IP address.
  2. If not using IPv6, disable it. For more information, see How to disable IPv6 or its components in Windows.
  3. Check that passwd contains the privileged user that you plan to use for GPFS operations, as well as its correct home path:
    $ cat /etc/passwd | grep "root"
    
    root:unused:11103:10513:U-WINGPFS\root,S-1-5-21-3330551852-1995197583-3793546845-1103:/cygdrive/c/home/root:/bin/bash
    If the user is not listed, rebuild your passwd:
    mkpasswd -l -d wingpfs > /etc/passwd
  4. From the Cygwin shell, run /usr/bin/ssh-host-config and respond yes to the prompts. When prompted to enter the value of CYGWIN for the daemon, enter ntsec. Specify root in response to the query for the new user name. You may receive the following warning:
    ***Warning:  The specified account 'root' does not have the 
    ***Warning:  required permissions or group memberships.  This may
    ***Warning:  cause problems if not corrected; continuing...

    As long as the account (in this case, root) is in the local Administrators group, you can ignore this warning.

  5. When the installation is complete, enter the following:
    $ net start sshd
    
    The CYGWIN sshd service is starting.
    The CYGWIN sshd service was started successfully.
Note: The OpenSSH READMEs are available at /usr/share/doc/openssh. Also see the IBM Spectrum Scale™ FAQ in IBM® Knowledge Center.
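
The check in step 3, combined with the HOME directory rules from Creating the GPFS administrative account, can be scripted. The following is an added example, not part of the IBM documentation: the function names check_admin_entry and sample_passwd, the accounts rootsvc and gpfsadm, and the sample passwd lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate the passwd entry for the GPFS administrative account.
# Usage: check_admin_entry USER PASSWD_FILE [PROFILE_PATH]
# Prints the reason and returns non-zero when the entry would break the setup.
check_admin_entry() {
    user=$1; file=$2; profile=${3:-}
    # Match the first field exactly; grep "root" also matches names like rootsvc.
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$file")
    if [ -z "$entry" ]; then
        echo "no passwd entry for $user (rebuild with mkpasswd)"; return 1
    fi
    # A passwd line has seven colon-separated fields; field 6 is the home path.
    nf=$(printf '%s\n' "$entry" | awk -F: '{ print NF }')
    if [ "$nf" -ne 7 ]; then
        echo "malformed entry: expected 7 fields, got $nf"; return 2
    fi
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    case $home in
        "")    echo "home path is empty"; return 3 ;;
        *" "*) echo "home path contains a space: $home"; return 4 ;;
    esac
    if [ -n "$profile" ] && [ "$home" = "$profile" ]; then
        echo "home path equals the profile path: $home"; return 5
    fi
    echo "ok: $user home=$home"
}

# Constructed sample lines (placeholder SIDs, not taken from a real system).
sample_passwd() {
    cat <<'EOF'
root:unused:11103:10513:U-WINGPFS\root,S-1-5-21-0-0-0-1103:/cygdrive/c/home/root:/bin/bash
rootsvc:unused:11104:10513:U-WINGPFS\rootsvc,S-1-5-21-0-0-0-1104:/cygdrive/c/Users/root svc:/bin/bash
EOF
}

# Demo: one valid account, one with a space in HOME, one missing from passwd.
tmp=$(mktemp)
sample_passwd > "$tmp"
for u in root rootsvc gpfsadm; do
    check_admin_entry "$u" "$tmp" /cygdrive/c/Users/root || true
done
rm -f "$tmp"
```

On a real node, pass /etc/passwd as the file and root's Cygwin profile path as the third argument.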

Once OpenSSH is installed, the GPFS administrative account root needs to be configured so that it can issue ssh and scp commands without requiring a password and without producing any extraneous messages. This kind of passwordless access is required from any node used for GPFS administration to all other nodes in the cluster.
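
One way to verify the requirement above from an administration node is shown below. This is an added example, not part of the IBM documentation: the function names check_node and check_cluster and the SSH override variable are assumptions made for illustration. It tests ssh only.

```shell
#!/bin/sh
# Added example: confirm that root reaches each node over ssh with no password
# prompt and no extra output. SSH can be overridden to dry-run the check.
SSH=${SSH:-ssh}

# check_node NODE
# Returns 0 when passwordless and quiet, 1 when ssh fails, 2 on extra output.
check_node() {
    node=$1
    # BatchMode=yes makes ssh fail instead of prompting for a password.
    # The remote command "true" prints nothing, so any captured text is a
    # banner, a login-script message, or a warning.
    if out=$($SSH -o BatchMode=yes -o ConnectTimeout=10 "$node" true 2>&1); then
        if [ -n "$out" ]; then
            echo "$node: extraneous output: $out"; return 2
        fi
        echo "$node: ok"; return 0
    fi
    echo "$node: ssh failed: $out"; return 1
}

# check_cluster NODE...
# Checks every node and returns the number of nodes that failed.
check_cluster() {
    failed=0
    for n in "$@"; do
        check_node "$n" || failed=$((failed + 1))
    done
    return "$failed"
}

# Run as root on each administration node: sh check_ssh.sh node1 node2 node3
if [ "$#" -gt 0 ]; then
    check_cluster "$@"
fi
```

Run it once with each name form the cluster uses (host name, FQDN and IP address), since each form is looked up separately in known_hosts.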

For additional information, see Requirements for administering a GPFS file system in IBM Spectrum Scale: Administration and Programming Reference and Troubleshooting Windows problems in IBM Spectrum Scale: Problem Determination Guide.