After looking into this again, the source of confusion is probably the fact that there are three different authentication schemes present here:
When configuring an LDAP server for file or object authentication, the specified server, user and password are used during normal operations for querying user data. The same applies when configuring object authentication with AD; AD is treated here as an LDAP server. Configuring AD for file authentication is different in that during "mmuserauth service create" the machine account is created, and then that account is used to connect to a DC that is chosen from the DCs discovered through DNS, and not necessarily the one used for the initial configuration.

I submitted an internal request to explain this better in the mmuserauth manpage.

Regards,

Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
[email protected] || +1-520-799-2469 (T/L: 321-2469)

From: Christof Schmitt/Tucson/IBM@IBMUS
To: gpfsug main discussion list <[email protected]>
Date: 08/26/2016 09:30 AM
Subject: Re: [gpfsug-discuss] CES and mmuserauth command
Sent by: [email protected]

The --user-name option applies to both AD and LDAP authentication. In the LDAP case, this information is correct. I will try to get some clarification added for the AD case.

The same applies to the information shown in "service list". There is a common field that holds the information, and the parameter from the initial "service create" is stored there. The meaning is different for AD and LDAP: for LDAP it is the username being used to access the LDAP server, while in the AD case it was only the user initially used until the machine account was created.
Regards,

Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
[email protected] || +1-520-799-2469 (T/L: 321-2469)

From: Jan-Frode Myklebust <[email protected]>
To: gpfsug main discussion list <[email protected]>
Date: 08/26/2016 05:59 AM
Subject: Re: [gpfsug-discuss] CES and mmuserauth command
Sent by: [email protected]

On Fri, Aug 26, 2016 at 1:49 AM, Christof Schmitt <[email protected]> wrote:

> When joining the AD domain, --user-name, --password and --server are only used to initially identify and log on to the AD and to create the machine account for the cluster. Once that is done, that information is no longer used, and e.g. the account from --user-name could be deleted, the password changed or the specified DC could be removed from the domain (as long as other DCs are remaining).

That was my initial understanding of the --user-name, but when reading the man-page I get the impression that it's also used to connect to AD to do user and group lookups:

------------------------------------------------------------------------------------------------------
--user-name userName
    Specifies the user name to be used to perform operations against the authentication server. The specified user name must have sufficient permissions to read user and group attributes from the authentication server.
-------------------------------------------------------------------------------------------------------

Also it's strange that "mmuserauth service list" would list the USER_NAME if it was only something that was used at configuration time..?
-jf

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
