Monty, Simon, Christof,

 

Many thanks for your help. I found that the firewall wasn't configured 
correctly: I had assumed that the samba "service" enabled the ctdb port 
(4379, for the next person searching for this) as well. Enabling it manually 
and restarting the node has resolved it.

I need to investigate the issue of consistent uids / gids between my linux 
machines. Obviously very easy when you have full control over the AD, but as 
ours is a local AD (which I can control) and most of the user IDs come over 
on a trust, it is much more tricky.

Has anyone done an LDAP setup where they are effectively adding extra user 
info (like uids / gids / samba info) to existing AD users without messing with 
the original AD?

Thanks,

Gethyn

From: [email protected] On Behalf Of Monty Poppe
Sent: 25 February 2016 17:01
To: gpfsug main discussion list
Subject: Re: [gpfsug-discuss] Integration with Active Directory

All CES nodes should operate consistently across the cluster. Here are a few 
tips on debugging:

/usr/lpp/mmfs/bin/wbinfo -p to ensure winbind is running properly
/usr/lpp/mmfs/bin/wbinfo -P (capital P) to ensure winbind can communicate with 
the AD server
ensure the first nameserver in /etc/resolv.conf points to your AD server (check 
all nodes)
mmuserauth service check --server-reachability for a more thorough validation 
that all nodes can communicate with the authentication server

If you need to look at the samba logs (/var/adm/ras/log.smbd & 
log.wb-<domainname>) to see what's going on, change the samba log level by 
issuing: /usr/lpp/mmfs/bin/net conf setparm global 'log level' 3. Don't forget 
to set it back to 0 or 1 when you are done!

If you're willing to go with a later release, AD authentication with LDAP ID 
mapping has been added as a feature in the 4.2 release. 
(https://www-01.ibm.com/support/knowledgecenter/STXKQY_4.2.0/com.ibm.spectrum.scale.v4r2.adm.doc/bl1adm_adwithldap.htm?lang=en)


Monty Poppe
Spectrum Scale Test
[email protected]
512-286-8047 T/L 363-8047
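Two of the checks above (the first nameserver in /etc/resolv.conf, and the ctdb port 4379 that Gethyn found missing from the firewall) can be scripted so they are run the same way on every node. The script below is an added example, not from this thread or from IBM's tooling; it works on constructed sample text rather than live system output, and the AD server address 10.0.0.5 and the port list format (the shape of `firewall-cmd --list-ports`) are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: offline versions of two
# per-node checks. All inputs below are constructed sample data.

# Assumed AD server address for the sample data.
AD_SERVER="10.0.0.5"
# The ctdb port mentioned in the thread, in firewalld's port/protocol form.
CTDB_PORT="4379/tcp"

# Constructed resolv.conf text where the AD server is the first nameserver.
SAMPLE_RESOLV_OK="search example.corp
nameserver 10.0.0.5
nameserver 10.0.0.6"

# Constructed resolv.conf text where a public resolver comes first, so
# winbind's DNS lookups for the domain would go to the wrong server.
SAMPLE_RESOLV_BAD="search example.corp
nameserver 8.8.8.8
nameserver 10.0.0.5"

# Constructed port lists in the shape of 'firewall-cmd --list-ports' output.
SAMPLE_PORTS_OK="445/tcp 2049/tcp 4379/tcp"
SAMPLE_PORTS_BAD="445/tcp 2049/tcp"

# Print the first 'nameserver' entry from resolv.conf text read on stdin.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# Succeed (exit 0) only if the first nameserver in the given text is the AD server.
check_ad_dns() {
    ns=$(printf '%s\n' "$1" | first_nameserver)
    [ "$ns" = "$AD_SERVER" ]
}

# Succeed only if the whitespace-separated port list contains the ctdb port.
# $1 is deliberately unquoted so the shell splits it into individual entries.
check_ctdb_port() {
    for p in $1; do
        [ "$p" = "$CTDB_PORT" ] && return 0
    done
    return 1
}

# Print one report line per check for a resolv.conf text and a port list.
report() {
    if check_ad_dns "$1"; then
        echo "dns: ok (first nameserver is $AD_SERVER)"
    else
        echo "dns: first nameserver is not $AD_SERVER"
    fi
    if check_ctdb_port "$2"; then
        echo "ctdb port: ok ($CTDB_PORT is open)"
    else
        echo "ctdb port: $CTDB_PORT not open"
    fi
}

echo "== healthy node (sample) =="
report "$SAMPLE_RESOLV_OK" "$SAMPLE_PORTS_OK"
echo "== misconfigured node (sample) =="
report "$SAMPLE_RESOLV_BAD" "$SAMPLE_PORTS_BAD"
```

On a real RHEL 7 node the same functions would be fed live data, for example `first_nameserver < /etc/resolv.conf` and `check_ctdb_port "$(firewall-cmd --list-ports)"`, and run on each CES node in turn, since the thread's symptom was one node behaving differently from the others.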



From: "Simon Thompson (Research Computing - IT Services)" <[email protected]>
To: gpfsug main discussion list <[email protected]>
Date: 02/25/2016 07:19 AM
Subject: Re: [gpfsug-discuss] Integration with Active Directory
Sent by: [email protected]

Hi Gethyn,

From what I recall, CTDB used underneath is used to share the secret and only 
the primary named machine is joined, but CTDB and CES should work this backend 
part out for you.

I do have a question though: do you want to have consistent UIDs across other 
systems? For example, if you plan to use NFS to other *nix systems, then you 
probably want to think about LDAP mapping and using custom auth (we do this as 
our AD doesn't contain UIDs either).

Simon

From: [email protected] on behalf of "Longworth, Gethyn" <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, 25 February 2016 at 10:42
To: "[email protected]" <[email protected]>
Subject: [gpfsug-discuss] Integration with Active Directory

Hi all,

I'm new to both GPFS and to this mailing list, so I thought I'd introduce 
myself and one of the issues I am having.

I am a consultant to Rolls-Royce Aerospace currently working on a large 
facilities project; part of my remit is to deliver a data system. We selected 
GPFS (sorry, Spectrum Scale…) for these three clusters, with two of the clusters 
using storage provided by Spectrum Accelerate, and the other by a pair of IBM 
SANs and a tape library backup.

My current issue is to do with integration into Active Directory. I've 
configured my three node test cluster with two protocol nodes and a quorum 
(version 4.2.0.1 on RHEL 7.1) as the master for an automated id mapping system 
(we can't use RFC2307, as our IT department don't understand what this is), but 
the problem I'm having is to do with domain joins. The documentation suggests 
that using the CES cluster hostname to register in the domain will allow all 
nodes in the cluster to share the identity mapping, but only one of my protocol 
nodes will authenticate – I can run "id" on that node with a domain account and 
it provides the correct answer – whereas the other will not and denies any 
knowledge of the domain or user. From a GPFS point of view, this results in a 
degraded CES, SMB, NFS and AUTH state. My small amount of AD knowledge says 
that this is expected – a single entry (e.g. the cluster name) can only have 
one SID.

So I guess that my question is, what have I missed? Is there something in AD 
that I need to configure to make this work? Does one of the nodes in the 
cluster end up as the master and the other a subordinate? How do I configure 
that within the confines of mmuserauth?

As I said I am a bit new to this, and am essentially learning on the fly, so 
any pointers that you can provide would be appreciated!

Cheers,

Gethyn Longworth
MEng CEng MIET | Consultant Systems Engineer | AEROSPACE
 _______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss





The data contained in, or attached to, this e-mail, may contain confidential 
information. If you have received it in error you should notify the sender 
immediately by reply e-mail, delete the message from your system and contact 
+44 (0) 3301235850 (Security Operations Centre) if you need assistance. Please 
do not copy it for any purpose, or disclose its contents to any other person.

An e-mail response to this address may be subject to interception or monitoring 
for operational reasons or for lawful business practices.

(c) 2016 Rolls-Royce plc

Registered office: 62 Buckingham Gate, London SW1E 6AT Company number: 1003142. 
Registered in England.