So based on what I'm seeing ... When you run mmstartup, the start process edits /etc/nsswitch.conf.

I've managed to make it work in my environment, but I had to edit the file /usr/lpp/mmfs/bin/mmcesop to make it put ldap instead of winbind when it starts up. I also had to do some studious use of "net conf delparm" … Which is probably not a good idea.

I did try using:

mmuserauth service create --type userdefined --data-access-method file

And then setting the "security = ADS" parameters by hand with "net conf" (can't do it with mmsmb), and a manual "net ads join" but I couldn't get it to authenticate clients properly. I can't work out why just at the moment.

But even then when mmshutdown runs, it still goes ahead and edits /etc/nsswitch.conf

I've got a ticket open with IBM at the moment via our integrator to see what they say. But I'm not sure I like something going off and poking things like /etc/nsswitch.conf at startup/shutdown. I can sorta see that at config time, but when service start etc, I'm not sure I really like that idea!

Simon

On 06/07/2015 23:06, "Kallback-Rose, Kristy A" <[email protected]> wrote:

>Just to chime in as another interested party, we do something fairly
>similar but use sssd instead of nslcd. Very interested to see how
>accommodating the IBM Samba is to local configuration needs.
>
>Best,
>Kristy
>
>On Jul 6, 2015, at 6:09 AM, Simon Thompson (Research Computing - IT
>Services) <[email protected]> wrote:
>
>> Hi,
>>
>> (sorry, lots of questions about this stuff at the moment!)
>>
>> I'm currently looking at removing the sernet smb configs we had previously
>> and moving to IBM SMB. I've removed all the old packages and only now have
>> gpfs.smb installed on the systems.
>>
>> I'm struggling to get the config tools to work for our environment.
>>
>> We have MS Windows AD Domain for authentication. For various reasons,
>> however, it doesn't hold the UIDs/GIDs, which are instead held in a different
>> LDAP directory.
>>
>> In the past, we'd configure the Linux servers running Samba so that NSLCD
>> was configured to get details from the LDAP server. (e.g. getent passwd
>> would return the data for an AD user). The Linux boxes would also be
>> configured to use KRB5 authentication where users were allowed to ssh etc
>> in for password authentication.
>>
>> So as far as Samba was concerned, it would do "security = ADS" and then
>> we'd also have "idmap config * : backend = tdb2"
>>
>> I.e. Use Domain for authentication, but look locally for ID mapping data.
>>
>> Now I can configure IBM SMB to use ADS for authentication:
>>
>> mmuserauth service create --type ad --data-access-method file
>> --netbios-name its-rds --user-name ADMINUSER --servers DOMAIN.ADF
>> --idmap-role subordinate
>>
>>
>> However I can't see any way for me to manipulate the config so that it
>> doesn't use autorid. Using this we end up with:
>>
>> mmsmb config list | grep -i idmap
>> idmap config * : backend autorid
>> idmap config * : range 10000000-299999999
>> idmap config * : rangesize 1000000
>> idmap config * : read only yes
>> idmap:cache no
>>
>>
>> It also adds:
>>
>> mmsmb config list | grep -i auth
>> auth methods guest sam winbind
>>
>> (though I don't think that is a problem).
>>
>>
>> I also can't change the idmap using the mmsmb command (I think would look
>> like this):
>> # mmsmb config change --option="idmap config * : backend=tdb2"
>> idmap config * : backend=tdb2: [E] Unsupported smb option. More
>> information about smb options is availabe in the man page.
>>
>>
>>
>> I can't see anything in the docs at:
>>
>> http://www-01.ibm.com/support/knowledgecenter/#!/STXKQY_4.1.1/com.ibm.spectrum.scale.v4r11.adm.doc/bl1adm_configfileauthentication.htm
>>
>> That gives me a clue how to do what I want.
>>
>> I'd be happy to do some mixture of AD for authentication and LDAP for
>> lookups (rather than just falling back to "local" from nslcd), but I can't
>> see a way to do this, and "manual" seems to stop ADS authentication in
>> Samba.
>>
>> Anyone got any suggestions?
>>
>>
>> Thanks
>>
>> Simon
>>
>>
>> _______________________________________________
>> gpfsug-discuss mailing list
>> gpfsug-discuss at gpfsug.org
>> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
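
A drift check for the two settings this thread turns on, as an added example (not code from the posters or from IBM): it parses nsswitch.conf content and `mmsmb config list` output and reports where they differ from the intended setup of LDAP for ID lookups and a tdb2 idmap backend. The expected values, the function names and the sample nsswitch.conf content are assumptions constructed for illustration; the mmsmb lines are the ones quoted in the thread.

```python
import re

# Assumed targets, taken from the setup described in the thread.
EXPECTED_NSS = {"passwd": "ldap", "group": "ldap"}  # IDs resolved via LDAP
UNWANTED_NSS = "winbind"                            # source the poster replaced
EXPECTED_IDMAP_BACKEND = "tdb2"

def parse_nsswitch(text):
    """Return {database: [sources]} from nsswitch.conf content."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        # Remove action items such as [NOTFOUND=return]; keep source names.
        dbs[db.strip()] = re.sub(r"\[[^\]]*\]", " ", sources).split()
    return dbs

def idmap_backend(listing):
    """Return the default idmap backend from `mmsmb config list` output."""
    for line in listing.splitlines():
        m = re.match(r"\s*idmap config \* : backend\s*=?\s*(\S+)", line)
        if m:
            return m.group(1)
    return None

def find_drift(nsswitch_text, listing):
    """List every place the live config differs from the assumed targets."""
    findings = []
    dbs = parse_nsswitch(nsswitch_text)
    for db, wanted in EXPECTED_NSS.items():
        sources = dbs.get(db, [])
        if wanted not in sources:
            findings.append(f"nsswitch {db}: {wanted} missing")
        if UNWANTED_NSS in sources:
            findings.append(f"nsswitch {db}: {UNWANTED_NSS} present")
    backend = idmap_backend(listing)
    if backend != EXPECTED_IDMAP_BACKEND:
        findings.append(f"idmap backend: {backend}, expected {EXPECTED_IDMAP_BACKEND}")
    return findings

# Constructed sample: nsswitch.conf as it might look after a service start.
SAMPLE_NSS = "passwd: files winbind\ngroup: files ldap [NOTFOUND=return]\nhosts: files dns\n"
# mmsmb listing lines as quoted in the thread.
SAMPLE_MMSMB = "idmap config * : backend autorid\nidmap config * : range 10000000-299999999\n"

if __name__ == "__main__":
    for finding in find_drift(SAMPLE_NSS, SAMPLE_MMSMB):
        print(finding)
```

Running it against the live file and listing before and after a service start or stop shows whether the identity sources were rewritten in between.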
