Hi Christoph,
This solved my issues in most areas.
Now I will probably add our Storage Management Group to local Administrators
group, this way we are able to use all strong utilities like subinacl etc,
and will be able to migrate to Spectrum Scale using robocopy with /ZB option
working properly.

For our Share-responsible Administrator we probably will add their
Management user to the 'admin Users' option of the specific share allowing
them to do whatever they need to do, knowing that some tools may work with
limitations.

Do you know if we may also add a builtin group named BackupOperators?

Regards
Willi

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of
[email protected]
Sent: Friday, 31 March 2017 13:00
To: [email protected]
Subject: gpfsug-discuss Digest, Vol 62, Issue 82

Today's Topics:

   1. Re: Spectrum Scale CES adds only Domain Admin to local
      Administrators group (Christof Schmitt)


----------------------------------------------------------------------

Message: 1
Date: Thu, 30 Mar 2017 13:18:21 -0700
From: "Christof Schmitt" <[email protected]>
To: gpfsug main discussion list <[email protected]>
Subject: Re: [gpfsug-discuss] Spectrum Scale CES adds only Domain
        Admin to local Administrators group
Message-ID: <ofa3ad3b5d.41825bbb-on072580f3.005cf921-072580f3.006f8...@notes.na.collabserv.com>
Content-Type: text/plain; charset="US-ASCII"

[email protected] wrote on 03/30/2017 07:23:40 AM:

> >-Last time I checked simply adding a normal computer object to the domain
> didn't add the account of the adding user to the local administrators group
> and CES is no exception.
>
> We have been using before a competitor Product as a NAS system. With that
> system, we were able to define virtual NAS Servers, each one joined as an
> independent object to AD. When joined, we found the 'Domain Admin' group and
> the joining user as member of local administrators group of that virtual
> server.
> Since our AD is quite big, it is structured into many OU. We as the Storage
> OU have OU admin rights, but we are not member of "Domain Admin" group.
> Looking Back, we were able by ourselves to add the required groups as needed
> to the local Administrators group of the NAS server.
> Why is this important? Since we have quite a mix of OS accessing our shares,
> some of them create exclusive access rights at the time they create profiles
> etc. At the end of the lifecycle, one needs to delete those files via the
> SMB / NFSV4 protocol, which is difficult if not having access rights. On the
> other hand, we have seen situations, where one OS corrupted the ACL and
> could not access anymore. Also this needs to be handled by us, giving us a
> hard time not being member of the administrators group. I.e. the MS tool
> subinacl does check the privileges before trying to modify ACLs, and if not
> being member of the Administrators group, not all required privileges are
> granted.

There are two parts to that in Spectrum Scale:

1) There is an option to declare a user as 'admin users'. The notion there
is that this user is mapped to root on access, thus this user can always
access files and fix access issues. The user defined here should not be
used for normal usage, this is only recommended for data migrations and to
fix access issues.

2) When joining Spectrum Scale to an Active Directory domain, the Domain
Admins group is added to the internal Administrators group (sometimes
referred to as BUILTIN\Administrators). One way to change the membership in
that group would be through the MMC on a Windows client. Initially only
Domain Admins are allowed, a member of this group would be required to add
other users or groups. Alternatively, the "net sam" interface can be used
to modify the group from root access on the protocol nodes:

/usr/lpp/mmfs/bin/net sam listmem Administrators to list the members of the
Administrators group.

/usr/lpp/mmfs/bin/net sam addmem Administrators DOMAIN\user to add a
member.

/usr/lpp/mmfs/bin/net sam delmem Administrators DOMAIN\user to remove a
member.

This is currently an untested feature and not exposed through the CLI.
If there is a need to have this exposed through the CLI or GUI, that should
be requested through an RFE so that it can feed into the planning and
prioritization for future releases.

Regards,

Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
[email protected]  ||  +1-520-799-2469    (T/L: 321-2469)
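
Added example, not part of the original thread and not IBM's code: because the mail above describes changing BUILTIN\Administrators with "net sam" outside the supported CLI, this sketch compares "net sam listmem Administrators" output with an approved list so that unplanned members stand out. The output layout (one header line, then one indented member per line), the EXAMPLE domain, the member names and the allowlist file are assumptions.

```sh
#!/bin/sh
# Added example: flag members of the CES Administrators group that are not approved.
# The net path is from the mail; output layout, names and allowlist are assumptions.
NET_CMD="${NET_CMD:-/usr/lpp/mmfs/bin/net}"

# Constructed sample of "net sam listmem Administrators" output (assumed layout).
sample_listmem() {
    cat <<'EOF'
BUILTIN\Administrators has 3 members
 EXAMPLE\Domain Admins
 EXAMPLE\storage-mgmt
 EXAMPLE\tmp-migration
EOF
}

# stdin: listmem output. stdout: one member per line, header and padding removed.
parse_members() {
    awk 'NR == 1 && / has [0-9]+ member/ { next }
         { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
         length($0) > 0 { print }'
}

# stdin: listmem output, $1: allowlist file (one DOMAIN\name per line, # comments).
# stdout: members missing from the allowlist. Names compare case-insensitively.
unexpected_members() {
    parse_members | awk -v allow="$1" '
        BEGIN {
            while ((getline line < allow) > 0) {
                if (line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/) continue
                ok[tolower(line)] = 1
            }
        }
        !(tolower($0) in ok) { print }'
}

# Returns 0 if the live group matches the allowlist, 1 on drift, 2 if net fails.
audit_administrators() {
    members=$("$NET_CMD" sam listmem Administrators) || return 2
    extra=$(printf '%s\n' "$members" | unexpected_members "$1")
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra" | sed 's/^/unexpected Administrators member: /' >&2
    return 1
}
```

On a protocol node, audit_administrators would be run as root with the path of the allowlist file as its only argument.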




------------------------------

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss


End of gpfsug-discuss Digest, Vol 62, Issue 82
**********************************************
