As far as I know, you cannot run SSSD and GPFS-Winbind on the same CES server; 
there will be conflicts.  Since GPFS uses Winbind, SSSD has to be disabled 
and everything pointed to use GPFS-Winbind (PAM files included).  This is what we 
do on our CES nodes and they work just fine; users can authenticate using AD 
credentials, etc.  GPFS-Winbind works just like SSSD if configured 
correctly.  The only issue is that once GPFS is shut down, GPFS-Winbind no longer 
works, but you can still passwordless ssh from another cluster server if access is 
needed. GPFS is always up, though, so this is not really a deal breaker.

Best Regards,
Larry Henson
IT Engineering Storage Team
Cell (713) 702-4896
From: gpfsug-discuss <[email protected]> On Behalf Of Jarsulic, 
Michael [BSD]
Sent: Monday, July 22, 2024 9:17 AM
To: gpfsug main discussion list <[email protected]>; 
[email protected]
Subject: [EXTERNAL] Re: [gpfsug-discuss] ssh authentication on CES nodes

Ivano,

I am running SSSD on the CES nodes (we need it for file authorization for NFS 
and SMB, but rely on AD for authentication). IBM set this up for us, had no 
issues doing it, and there were no library conflicts.

--
Mike Jarsulic
Associate Director, Scientific Computing
Center for Research Informatics | Biological Sciences Division
University of Chicago
5454 South Shore Drive, Chicago, IL 60615 | (773) 702-2066

From: gpfsug-discuss <[email protected]> on behalf of Talamo Ivano Giuseppe <[email protected]>
Date: Monday, July 22, 2024 at 8:55 AM
To: [email protected] <[email protected]>
Subject: [EXTERNAL] [gpfsug-discuss] ssh authentication on CES nodes

Dear all,

I have a question regarding the CES service, aka protocol nodes.
Our CES cluster is configured with the AD authentication and, according to 
the documentation [1], SSSD should not be running on the CES nodes. For us 
that's quite annoying, since we can't log in with our personal/central accounts 
and then sudo.
Neither can we use winbind, since the samba-winbind-modules package (that provides 
the necessary PAM module) conflicts with the gpfs.smb package.
We will probably end up creating one or more local accounts and using ssh keys 
for access.
But I wonder if someone with a similar problem found a better workaround.

Thanks,
Ivano

[1] https://www.ibm.com/docs/en/storage-scale/5.2.0?topic=authentication-limitations

__________________________________________
Paul Scherrer Institut
Ivano Talamo
OBBA/230
Forschungsstrasse 111
5232 Villigen PSI
Schweiz

Phone: +41 56 310 47 11
E-Mail: [email protected]

Available: Monday - Wednesday

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at gpfsug.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org
