Hello.
The user name should not matter for operations beyond domain join.
mmuserauth man page:
--user-name userName
....
In case of --type ad with
--data-access-method file, the specified username
is used to join the cluster to AD domain. It results in
creating a machine account for the cluster based on the
--netbios-name specified in the command. After
successful configuration, the cluster connects with its
machine account, and not the user used during the domain
join. So the specified username after domain join has no
role to play in communication with the AD domain
controller and can be even deleted from the AD server.
The cluster can still keep using AD for authentication
via the machine account created.
Mit freundlichen Grüßen / Kind regards
Dr. Markus Rohwedder
Spectrum Scale GUI Development
Phone: +49 7034 6430190
E-Mail: [email protected]
IBM Deutschland Research & Development
Am Weiher 24
65451 Kelsterbach
Germany
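The man-page excerpt above makes a distinction that is easy to miss when reading a `mmuserauth service list` printout: the USER_NAME shown there is the join-time credential, while the identity the cluster actually authenticates with afterwards is the computer account derived from NETBIOS_NAME (in AD that account's sAMAccountName is the NetBIOS name with a trailing `$`). The following Python is an added example, not code from the thread or from IBM Spectrum Scale: it parses a listing in the format quoted in the original question (with a constructed placeholder domain and user), names the machine account, and reports which of the two identities the file service still depends on. The account inventory passed to `assess()` is also constructed; in practice it would come from a directory query.

```python
"""Work out which AD identity a CES file-authentication setup relies on
after the domain join, from the `mmuserauth service list` output format.

Added example; parameter names come from the listing quoted in the
thread, everything else (domain, user, account inventory) is constructed.
"""

# Constructed sample listing in the format shown in the original question.
# Domain and join user are placeholders, not values from the thread.
SAMPLE_LISTING = """\
FILE access configuration : AD
PARAMETERS VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS true
SERVERS domaincontroller.example.com
USER_NAME joebloggs@EXAMPLE.COM
NETBIOS_NAME store
IDMAP_ROLE master
IDMAP_RANGE 10000000-299999999
IDMAP_RANGE_SIZE 1000000
UNIXMAP_DOMAINS IC(500 - 2000000)
LDAPMAP_DOMAINS none
"""


def parse_listing(text):
    """Return the PARAMETERS/VALUES table as a dict.

    Only lines after the 'PARAMETERS' header are considered; the first
    whitespace separates the parameter name from its (possibly
    space-containing) value, e.g. 'UNIXMAP_DOMAINS IC(500 - 2000000)'.
    """
    params = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("PARAMETERS"):
            in_table = True
            continue
        if not in_table or line.startswith("---") or not line.strip():
            continue
        key, _, value = line.partition(" ")
        params[key] = value.strip()
    return params


def machine_account_name(params):
    """The cluster's AD computer object is named after NETBIOS_NAME; its
    sAMAccountName is that name plus a trailing '$'."""
    return params["NETBIOS_NAME"].upper() + "$"


def join_user(params):
    """The join-time user, without the realm suffix."""
    return params["USER_NAME"].split("@")[0].lower()


def assess(params, existing_accounts):
    """Report which identities exist and whether authentication is at risk.

    existing_accounts: iterable of sAMAccountNames currently present in AD
    (constructed here; a real check would query the directory).
    Per the mmuserauth man page, only the machine account is used after
    the join, so the join user's presence does not affect the verdict.
    """
    accounts = {a.lower() for a in existing_accounts}
    machine = machine_account_name(params)
    user = join_user(params)
    return {
        "machine_account": machine,
        "machine_account_present": machine.lower() in accounts,
        "join_user": user,
        "join_user_present": user in accounts,
        "auth_at_risk": machine.lower() not in accounts,
    }


if __name__ == "__main__":
    cfg = parse_listing(SAMPLE_LISTING)
    # Constructed inventory: the join user is gone, the computer account remains.
    print(assess(cfg, ["STORE$", "svc_backup"]))
```

The useful output of `assess()` is the pair `machine_account_present` / `auth_at_risk`: if the computer object for `STORE$` is intact, deleting the join user changes nothing for CES; if the computer object itself is removed or disabled, that is the case that actually breaks file authentication and is worth alerting on.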
From: "Andrew Beattie" <[email protected]>
To: [email protected]
Cc: [email protected]
Date: 04.09.2018 15:18
Subject: Re: [gpfsug-discuss] CES file authentication - bind account deleted?
Sent by: [email protected]
Hi Richard,
If you are setting up Protocol authentication against the active directory,
would you not choose to use a service account that isn't going to get
deleted?
If you choose to use an user account of a Sys Admin who has Domain admin
privileges and they leave the company and their account is deleted, you
would almost certainly have issues with the Scale cluster trying to
validate users permissions and having scale get an error from AD when the
credentials that it uses are no longer valid.
Andrew Beattie
Software Defined Storage - IT Specialist
Phone: 614-2133-7927
E-mail: [email protected]
----- Original message -----
From: "Sobey, Richard A" <[email protected]>
Sent by: [email protected]
To: "'[email protected]'" <[email protected]>
Cc:
Subject: [gpfsug-discuss] CES file authentication - bind account deleted?
Date: Tue, Sep 4, 2018 8:45 AM
Hi all,
I don’t like using long subject lines as a rule so it probably doesn’t
make sense, but consider:
FILE access configuration : AD
PARAMETERS           VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS  true
SERVERS              domaincontroller.ic.ac.uk
USER_NAME            [email protected]
NETBIOS_NAME         store
IDMAP_ROLE           master
IDMAP_RANGE          10000000-299999999
IDMAP_RANGE_SIZE     1000000
UNIXMAP_DOMAINS      IC(500 - 2000000)
LDAPMAP_DOMAINS      none
If “joebloggs” was to leave the organization and that account deleted from
Active Directory, what is the impact on file authentication in CES?
Thanks
Richard
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss