Prerequisite for configuring AD-based authentication for file access

See Integrating with AD server for more information on the prerequisites for integrating AD server with the IBM Spectrum Scale system.

You need to run the mmuserauth service create command with the following mandatory parameters to create AD based authentication for file access:
  • --type ad
  • --data-access-method file
  • --servers <comma-delimited server host names or IP addresses>
  • --netbios-name <netBiosName>
  • --user-name <admin-username>
  • --password <admin-password>. You can omit this parameter on the command line; the system then prompts you for the password when you run the command, which keeps the AD administrator password out of the shell history.
  • --unixmap-domains <unixDomainMap>. This option is mandatory if RFC2307 ID mapping is used. It specifies the Active Directory domains for which user IDs and group IDs are fetched from the Active Directory server (RFC2307 schema attributes), together with the ID range that is accepted for each domain. For example, --unixmap-domains DOMAINS(5000-20000).
  • --idmap-role master | subordinate. When automatic ID mapping is used, systems that share an Active File Manager (AFM) relationship must have the same ID maps. To achieve this, you export the ID mappings from the system whose ID map role is master to the system whose ID map role is subordinate.

See the mmuserauth service create command for more information on each parameter.

Prerequisites for configuring AD with RFC2307

The following prerequisites are specific to AD with RFC2307 configuration:
  • RFC2307 schema is extended on the AD and all UNIX attributes (including UID and GID) are populated.
  • If a trusted domain is configured with ID mapping from RFC2307, the trusted domain must have a two-way trust with the host domain, which is the Active Directory domain that is configured for use with the IBM Spectrum Scale system. For example, assume that there are three domains in a trust relationship, X, Y, and Z, and that the IBM Spectrum Scale system is configured with domain X as the host domain. If RFC2307 ID mappings are required for domains Y and Z, domains Y and Z must each have a two-way trust with domain X: X <-> Y; X <-> Z.
  • Users and groups in an Active Directory domain that is configured with ID mapping from RFC2307 must have a valid UID and a valid GID assigned to access IBM Spectrum Scale system exports. The UID and GID numbers that are assigned must be within the ID map range that is specified in the mmuserauth service create command. Any users or groups from this domain that do not have UID or GID attributes configured, or whose values fall outside the range, are denied access.
Note: The primary Windows group that is assigned to an AD user must have a valid GID assigned within the specified ID mapping range. The primary Windows group is usually shown in the Member Of tab in the user's properties. The primary Windows group is different from the UNIX primary group, which is listed in the UNIX Attributes tab. A user is denied access if that user's Windows primary group does not have a valid GID assigned; the user's UNIX primary group attribute is ignored for this check.
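The following pre-flight check is an added example, not IBM code or a tool shipped with IBM Spectrum Scale. It ties together the mandatory parameters listed above and the RFC2307 prerequisites in this section: it parses a --unixmap-domains value of the documented DOMAIN(low-high) shape, audits a constructed set of AD user and group records against that range using the rules above (UID present and in range, the Windows primary group rather than the UNIX primary group must own an in-range GID), and assembles the mmuserauth service create command line without --password so that the command prompts for it. Assumptions: the RFC2307 attributes are the standard uidNumber, gidNumber, primaryGroupID and primaryGroupToken; separating several --unixmap-domains entries with ';' is an assumption of this example, not something this page states; the sample records are constructed and do not come from any real directory.

```python
import re

# Documented shape of one entry: DOMAIN(low-high). Separating several entries
# with ';' is an assumption of this example, not a rule stated on the page.
_RANGE_RE = re.compile(r"^([^()\s;]+)\((\d+)-(\d+)\)$")


def parse_unixmap_domains(spec):
    """Return {DOMAIN: (low, high)} for a --unixmap-domains value."""
    ranges = {}
    for entry in filter(None, (e.strip() for e in spec.split(";"))):
        m = _RANGE_RE.match(entry)
        if not m:
            raise ValueError(f"bad --unixmap-domains entry: {entry!r}")
        dom, low, high = m.group(1).upper(), int(m.group(2)), int(m.group(3))
        if low >= high:
            raise ValueError(f"empty ID range in {entry!r}")
        ranges[dom] = (low, high)
    return ranges


def audit_users(users, groups, ranges):
    """Return {account: [reasons]}; an empty list means the user will be mapped.

    users:  dicts with domain, sAMAccountName, uidNumber, gidNumber, primaryGroupID
    groups: {(DOMAIN, primaryGroupToken): gidNumber or None}
    Rules mirrored from the prerequisites: uidNumber must exist and lie in the
    domain's range, the Windows primary group (primaryGroupID) must own an
    in-range gidNumber, and the user's own gidNumber (UNIX primary group) is
    ignored for the decision.
    """
    report = {}
    for u in users:
        reasons = []
        dom = u["domain"].upper()
        rng = ranges.get(dom)
        if rng is None:
            reasons.append(f"domain {dom} not in --unixmap-domains")
        else:
            low, high = rng
            uid = u.get("uidNumber")
            if uid is None:
                reasons.append("no uidNumber")
            elif not low <= uid <= high:
                reasons.append(f"uidNumber {uid} outside {low}-{high}")
            gid = groups.get((dom, u.get("primaryGroupID")))
            if gid is None:
                reasons.append("Windows primary group has no gidNumber")
            elif not low <= gid <= high:
                reasons.append(f"primary group gidNumber {gid} outside {low}-{high}")
        report[u["sAMAccountName"]] = reasons
    return report


def build_mmuserauth_argv(servers, netbios_name, admin_user, unixmap_domains,
                          idmap_role="master"):
    """Assemble the mmuserauth service create argv from the mandatory parameters.

    --password is left out on purpose so the command prompts for it instead of
    recording the AD administrator password in the shell history.
    """
    if len(netbios_name) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    if idmap_role not in ("master", "subordinate"):
        raise ValueError("--idmap-role must be master or subordinate")
    parse_unixmap_domains(unixmap_domains)  # fail early on a malformed range
    return ["mmuserauth", "service", "create",
            "--type", "ad",
            "--data-access-method", "file",
            "--servers", ",".join(servers),
            "--netbios-name", netbios_name,
            "--user-name", admin_user,
            "--unixmap-domains", unixmap_domains,
            "--idmap-role", idmap_role]


# Constructed sample data for this example, not taken from any real directory.
SAMPLE_RANGES = parse_unixmap_domains("CORP(5000-20000)")
SAMPLE_GROUPS = {("CORP", 513): 5001,   # Domain Users, has a gidNumber
                 ("CORP", 1105): None}  # group without UNIX attributes
SAMPLE_USERS = [
    {"domain": "CORP", "sAMAccountName": "alice", "uidNumber": 5100, "gidNumber": 5001, "primaryGroupID": 513},
    {"domain": "CORP", "sAMAccountName": "bob", "uidNumber": 25000, "gidNumber": 5001, "primaryGroupID": 513},
    {"domain": "CORP", "sAMAccountName": "carol", "uidNumber": 5101, "gidNumber": 5001, "primaryGroupID": 1105},
    {"domain": "CORP", "sAMAccountName": "dave", "uidNumber": None, "gidNumber": None, "primaryGroupID": 513},
    {"domain": "PARTNER", "sAMAccountName": "erin", "uidNumber": 5102, "gidNumber": 5001, "primaryGroupID": 513},
]


def sample_report():
    return audit_users(SAMPLE_USERS, SAMPLE_GROUPS, SAMPLE_RANGES)


if __name__ == "__main__":
    for account, reasons in sample_report().items():
        print(f"{account:8} {'OK' if not reasons else 'DENIED: ' + '; '.join(reasons)}")
    print(" ".join(build_mmuserauth_argv(["dc1.corp.example.com"], "SCALE",
                                         "Administrator", "CORP(5000-20000)")))
```

In the sample, carol has a valid UNIX primary group (gidNumber 5001) but is still reported as denied, because her Windows primary group (RID 1105) carries no gidNumber; that is exactly the distinction the Note above draws. Run the audit against an export of your real users and groups before running mmuserauth service create, so that out-of-range or missing attributes are fixed in AD rather than discovered as access denials on the exports.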

In the case of a mutual trust between two independent AD domains, DNS forwarding must be configured between the two trusted domains so that each domain can resolve the domain controllers of the other.