Hi Richard,
 
If you are setting up Protocol authentication against the Active Directory,
would you not choose to use a service account that isn't going to get deleted?
 
If you choose to use a user account of a Sys Admin who has Domain admin privileges and they leave the company and their account is deleted, you would almost certainly have issues with the Scale cluster trying to validate users' permissions and having Scale get an error from AD when the credentials that it uses are no longer valid.
 
 
Andrew Beattie
Software Defined Storage - IT Specialist
Phone: 614-2133-7927
 
 
----- Original message -----
From: "Sobey, Richard A" <r.so...@imperial.ac.uk>
Sent by: gpfsug-discuss-boun...@spectrumscale.org
To: "'gpfsug-discuss@spectrumscale.org'" <gpfsug-discuss@spectrumscale.org>
Cc:
Subject: [gpfsug-discuss] CES file authentication - bind account deleted?
Date: Tue, Sep 4, 2018 8:45 AM
 

Hi all,

 

I don’t like using long subject lines as a rule so it probably doesn’t make sense, but consider:

 

FILE access configuration : AD
PARAMETERS               VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS      true
SERVERS                  domaincontroller.ic.ac.uk
USER_NAME                joeblo...@ic.ac.uk
NETBIOS_NAME             store
IDMAP_ROLE               master
IDMAP_RANGE              10000000-299999999
IDMAP_RANGE_SIZE         1000000
UNIXMAP_DOMAINS          IC(500 - 2000000)
LDAPMAP_DOMAINS          none

 

If “joebloggs” were to leave the organization and that account were deleted from Active Directory, what is the impact on file authentication in CES?

 

Thanks

Richard

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
 
