To clarify and expand on some of these:

--servers takes the AD Domain Controller that is contacted first during configuration. Later and during normal operations the list of DCs is retrieved from DNS and the fastest (or closest one according to the AD sites) is used. The one used initially does not have a special role.

--idmap-role allows dedicating one cluster as a master, and a second cluster (e.g. an AFM replication target) as "subordinate". Only the master will allocate idmap ranges, which can then be imported to the subordinate to have consistent id mappings.

--idmap-range-size and --idmap-range are used for the internal idmap allocation which is used for every domain that is not explicitly using another domain. "man idmap_autorid" explains the approach taken. As long as the default does not overlap with any other ids, that can be used.

The "netbios" name is used to create the machine account for the cluster when joining the AD domain. That is how the AD administrator will identify the CES cluster. It is also important in SMB deployments when Kerberos should be used with SMB: the same name as the netbios name has to be defined in DNS for the public CES IP addresses. When the name matches, then SMB clients can acquire a Kerberos ticket from AD to establish a SMB connection.

When joining the AD domain, --user-name, --password and --server are only used to initially identify and logon to the AD and to create the machine account for the cluster. Once that is done, that information is no longer used, and e.g. the account from --user-name could be deleted, the password changed or the specified DC could be removed from the domain (as long as other DCs are remaining).

Regards,

Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
[email protected] || +1-520-799-2469 (T/L: 321-2469)


From: Jan-Frode Myklebust <[email protected]>
To: gpfsug main discussion list <[email protected]>
Date: 08/23/2016 08:15 AM
Subject: Re: [gpfsug-discuss] CES and mmuserauth command
Sent by: [email protected]

Sorry to see no authoritative answers yet.. I'm doing lots of CES installations, but have not quite yet gotten the full understanding of this..

Simple stuff first:

--servers
You can only have one with AD.

--enable-kerberos
Shouldn't be used, as that's only for LDAP according to the documentation. Guess kerberos is implied with AD.

--idmap-role
I've been using "master". Man-page says:

    ID map role of a stand-alone or singular system deployment must be selected "master"

What the idmap options seem to be doing is configure the idmap options for Samba. Maybe best explained by: https://wiki.samba.org/index.php/Idmap_config_ad

Your suggested options will then give you the samba idmap configuration:

    idmap config * : rangesize = 1000000
    idmap config * : range = 3000000-3500000
    idmap config * : read only = no
    idmap:cache = no
    idmap config * : backend = autorid
    idmap config DOMAIN : schema_mode = rfc2307
    idmap config DOMAIN : range = 500-2000000
    idmap config DOMAIN : backend = ad

Most likely you want to replace DOMAIN by your AD domain name..

So the --idmap options set some defaults, that you probably won't care about, since all your users are likely covered by the specific "idmap config DOMAIN" config.

Hope this helps somewhat, now I'll follow up with something I'm wondering myself...:

Is the netbios name just a name, without any connection to anything in AD?

Is the --user-name/--password a one-time used account that's only necessary when executing the mmuserauth command, or will it also be for communication between CES and AD while the services are running?

-jf


On Mon, Aug 22, 2016 at 1:59 PM, Sobey, Richard A <[email protected]> wrote:

Hi all,

We’re just about to start testing a new CES 4.2.0 cluster and at the stage of “joining” the cluster to our AD. What’s the bare minimum we need to get going with this?

My Windows guy (who is more Linux but whatever) has suggested the following:

    mmuserauth service create --type ad --data-access-method file --netbios-name store --user-name USERNAME --password --enable-nfs-kerberos --enable-kerberos --servers list,of,servers --idmap-range-size 1000000 --idmap-range 3000000-3500000 --unixmap-domains 'DOMAIN(500-2000000)'

He has also asked what the following is:

--idmap-role ???
--idmap-range-size ??

All our LDAP GID/UIDs are coming from a system outside of GPFS so do we leave this blank, or say master? Or, now I’ve re-read the mmuserauth page, is this purely for when you have AFM relationships and one GPFS cluster (the subordinate / the second cluster) gets its UIDs and GIDs from another GPFS cluster (the master / the first one)?

For idmap-range-size is this essentially the highest number of users and groups you can have defined within Spectrum Scale? (I love how I’m using GPFS and SS interchangeably.. forgive me!)

Many thanks

Richard

Richard Sobey
Storage Area Network (SAN) Analyst
Technical Operations, ICT
Imperial College London
South Kensington 403, City & Guilds Building
London SW7 2AZ
Tel: +44 (0)20 7594 6915
Email: [email protected]
http://www.imperial.ac.uk/admin-services/ict/

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
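Editor's added example, not code from the thread, from IBM or from Samba: a small Python script that turns the --idmap-range, --idmap-range-size and --unixmap-domains values discussed above into the smb.conf idmap lines Jan-Frode quoted, and checks the two points Christof raises, that the autorid default range must not overlap any explicitly mapped domain range, and that it must actually be able to hold domain ranges. The slot arithmetic follows the idmap_autorid description (the range is cut into slices of rangesize ids, one slice per domain); the ';' separator for multiple --unixmap-domains entries, the function names and the warning texts are this example's own assumptions. The values in the __main__ block are the ones from Richard's proposed command line.

```python
"""Derive Samba idmap settings from mmuserauth-style options and sanity-check
the ranges. Added example; assumptions are marked in comments."""
import re
from typing import Dict, List, Tuple

Range = Tuple[int, int]

# '3000000-3500000' (whitespace around '-' tolerated, as in the mailed command)
_RANGE_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")
# 'DOMAIN(500-2000000)'
_DOMAIN_RE = re.compile(r"^\s*([^()\s;]+)\s*\(\s*(\d+)\s*-\s*(\d+)\s*\)\s*$")


def parse_range(text: str) -> Range:
    """Parse a 'low-high' value as given to --idmap-range."""
    m = _RANGE_RE.match(text)
    if not m:
        raise ValueError(f"bad range: {text!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError(f"range low > high: {text!r}")
    return low, high


def parse_unixmap_domains(text: str) -> Dict[str, Range]:
    """Parse --unixmap-domains. Assumption: ';' separates several domains
    (the thread only shows a single DOMAIN(low-high) entry)."""
    domains: Dict[str, Range] = {}
    for part in filter(None, (p.strip() for p in text.split(";"))):
        m = _DOMAIN_RE.match(part)
        if not m:
            raise ValueError(f"bad --unixmap-domains entry: {part!r}")
        domains[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return domains


def autorid_domain_slots(idmap_range: Range, rangesize: int) -> int:
    """How many whole rangesize-sized slices fit into the autorid range,
    i.e. how many distinct domains autorid could ever allocate a range for."""
    low, high = idmap_range
    return (high - low + 1) // rangesize


def overlaps(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap_config(idmap_range: Range, rangesize: int,
                       domains: Dict[str, Range]) -> List[str]:
    """Return a list of problems; an empty list means the ranges are consistent."""
    problems: List[str] = []
    if rangesize <= 0:
        problems.append("rangesize must be positive")
        return problems
    if autorid_domain_slots(idmap_range, rangesize) == 0:
        problems.append(
            f"autorid range {idmap_range[0]}-{idmap_range[1]} is smaller than one "
            f"rangesize ({rangesize}); it cannot hold a single domain range")
    names = sorted(domains)
    for name in names:
        if overlaps(domains[name], idmap_range):
            problems.append(f"{name} range overlaps the autorid default range")
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if overlaps(domains[a], domains[b]):
                problems.append(f"{a} and {b} ranges overlap")
    return problems


def render_smb_idmap(idmap_range: Range, rangesize: int,
                     domains: Dict[str, Range]) -> List[str]:
    """Emit the smb.conf idmap lines in the layout Jan-Frode quoted for
    --idmap-role master: autorid for '*', the 'ad' backend (rfc2307
    attributes) for every explicitly mapped domain."""
    lines = [
        f"idmap config * : rangesize = {rangesize}",
        f"idmap config * : range = {idmap_range[0]}-{idmap_range[1]}",
        "idmap config * : read only = no",
        "idmap:cache = no",
        "idmap config * : backend = autorid",
    ]
    for name, (low, high) in sorted(domains.items()):
        lines += [
            f"idmap config {name} : schema_mode = rfc2307",
            f"idmap config {name} : range = {low}-{high}",
            f"idmap config {name} : backend = ad",
        ]
    return lines


if __name__ == "__main__":
    # Values from Richard's proposed mmuserauth command (constructed input).
    rng = parse_range("3000000 - 3500000")
    doms = parse_unixmap_domains("DOMAIN(500 - 2000000)")
    print("\n".join(render_smb_idmap(rng, 1000000, doms)))
    for problem in check_idmap_config(rng, 1000000, doms):
        print("WARNING:", problem)
```

Run against the values in the thread, the explicit DOMAIN range (500-2000000) does not overlap the autorid range, but the autorid range itself (3000000-3500000, 500001 ids) is shorter than one --idmap-range-size of 1000000, so it has room for zero domain ranges; either widen the range or shrink the range size before relying on the default mapping for any domain not listed in --unixmap-domains.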
