Thank you Simon. I do remember reading your page a few years back, when I was researching this issue. When you mentioned Custom Auth, I assumed it to be user-defined authentication from CES. However, it looks like I need to hack it a bit to get SMB working with AD?
I did not feel comfortable hacking the SMB from the CES cluster, and thus I was trying to bring up SMB outside the CES cluster. I hack with almost everything in the cluster, but I leave GPFS and any of its configuration in the supported config, because if things break, I felt it might mess things up real bad. I wish we did not have to hack our way out of this, and IBM supported this config out of the box.

I do not understand the current requirements from CES with respect to AD or user-defined authentication, where either both SMB and NFS should be AD/LDAP authenticated or both of them user defined. I believe many places do use just ssh-key authentication for Linux machines, including cloud instances, while SMB obviously cannot be used with ssh-key authentication and has to be used with either LDAP or AD authentication. Did anyone try to raise this as a feature request?

Even if I do figure out how to hack this thing and make sure that updating CES won't mess it up badly, I think I will have to do a few things to get the SIDs and UIDs to match, as you mentioned. We do not use passwords to authenticate to LDAP and I do not want to be creating another set of passwords apart from AD, which already exists and which users authenticate to when they log in to machines. I was thinking of bringing up something like Redhat IDM that could sync with AD and get all the usernames/SIDs and password hashes. I could then enter my current LDAP uids/gids in the Redhat IDM. IDM will automatically create uids/gids for usernames that do not have them, I believe. In this way, when SMB authenticates with Redhat IDM, users can use their current AD Kerberos tickets or the same passwords and I do not have to change the passwords. It will also automatically sync with AD and create UIDs/GIDs, and thus I don't have to manually script something to create one for every person in AD. I however need to see if I could get this to work with the institutional AD, and it might not be as smooth.
So which of the below cases will IBM most probably support? :)

1. Run SMB outside the CES cluster with the above configuration.
2. Hack SMB inside the CES cluster.

Is it that running SMB outside the CES cluster with R/W has a possibility of corrupting the GPFS filesystem? We do not necessarily need HA with SMB, and so, apart from HA, what does IBM SMB do that would prevent such corruption from happening?

The reason I was expecting the usernames to be the same in LDAP and AD is because, if they are, then SMB will do uid mapping by default, i.e. SMB will automatically map Windows SIDs to LDAP uids. I would not have to bring up Redhat IDM if this were the case. But unfortunately we have many users who have different LDAP usernames from AD usernames, so I guess the practical way would be to use Redhat IDM to map Windows SIDs to LDAP uids.

I have read about mmname2uid and mmuid2name that Andrew mentioned, but it looks like it is made to work between 2 GPFS clusters with different uids, not exactly to make SMB map Windows SIDs to LDAP uids.

Regards,
Lohit

On Mar 8, 2019, 2:41 AM -0600, Simon Thompson <[email protected]>, wrote:
> Hi Lohit,
>
> Custom auth sounds like it would work.
>
> NFS uses the “system” ldap, SMB can use LDAP or AD, or you can fudge it and
> actually use both. We came at this very early in CES and I think some of this
> is better in mixed mode now, but we do something vaguely related to what you
> need.
>
> What you’d need is data in your ldap server to map windows usernames and SIDs
> to Unix IDs.
>
> So for example we have in our mmsmb config:
> idmap config * : backend ldap
> idmap config * : bind_path_group ou=SidMap,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> idmap config * : ldap_base_dn ou=SidMap,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> idmap config * : ldap_server stand-alone
> idmap config * : ldap_url ldap://localhost
> idmap config * : ldap_user_dn uid=nslcd,ou=People,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> idmap config * : range 1000-9999999
> idmap config * : rangesize 1000000
> idmap config * : read only yes
>
> You then need entries in the LDAP server, it could be a different server or
> somewhere else in the schema, but basically LDAP entries that map windows
> username/sid to underlying UID, e.g:
>
> dn: uid=USERNAME,ou=People,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> uid: USERNAME
> objectClass: top
> objectClass: posixAccount
> objectClass: account
> objectClass: shadowAccount
> loginShell: /bin/bash
> uidNumber: 605436
> shadowMax: 99999
> gidNumber: 100
> homeDirectory: /rds/homes/u/USERNAME
> cn: USERS DISPLAY NAME
> structuralObjectClass: account
> entryUUID: 85a18df0-88bd-1037-9152-418eb0c7777
> creatorsName: cn=Manager,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> createTimestamp: 20180108124516Z
> entryCSN: 20180108124516.623983Z#000000#001#000000
> modifiersName: cn=Manager,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> modifyTimestamp: 20180108124516Z
>
> dn: sambaSID=S-1-5-21-1390067357-308236825-725345543-498888,ou=SidMap,dc=rds
>  ,dc=adf,dc=bham,dc=ac,dc=uk
> objectClass: sambaIdmapEntry
> objectClass: sambaSidEntry
> sambaSID: S-1-5-21-1390067357-308236825-725345543-498888
> uidNumber: 605436
> structuralObjectClass: sambaSidEntry
> entryUUID: 85efa490-88bd-1037-9153-418eb0c9999
> creatorsName: cn=Manager,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> createTimestamp: 20180108124517Z
> entryCSN: 20180108124517.135744Z#000000#001#000000
> modifiersName: cn=Manager,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> modifyTimestamp: 20180108124517Z
>
> I don’t think SMB actually cares about the username matching, what it needs
> to be able to do is resolve the Windows SID presented to the Unix UID
> underneath, which is how it then accesses files. i.e. it doesn’t really matter
> what the username in the middle is …
>
> Supported config? No. Works for what you need? Probably ...
>
> I wrote this:
> https://www.roamingzebra.co.uk/2015/07/smb-protocol-support-with-spectrum.html
> back in 2015 about what we were doing, probably much of it stands, but you
> might want to look at proper supported mixed mode. That is our plan at some
> point.
>
> Simon
>
> From: "[email protected]" <[email protected]>
> Date: Friday, 8 March 2019 at 00:08
> To: "Simon Thompson (IT Research Support)" <[email protected]>
> Subject: Re: [gpfsug-discuss] Exporting remote GPFS mounts on a non-ces SMB
> share
>
> Thank you Simon.
>
> First issue:
> I believe what I would need is a combination of user-defined authentication
> and AD authentication.
>
> User-defined authentication to help me export NFS and have the Linux clients
> authenticate users with ssh keys.
> AD based authentication to help me export SMB with AD authentication/Kerberos
> to mount the filesystem on Windows connected to just AD.
>
> At first look, it looked like CES either supports user-defined authentication
> or AD based authentication, which would not work. We do not use Kerberos or
> LDAP passwords for accessing the HPC clusters.
>
> Second issue:
> AD username to LDAP username mapping. I could bring up another AD/LDAP server
> that has the AD usernames and LDAP uids just for SMB authentication, but I
> would need to do this for all the users in the agency.
> I will try and research whether this way is easier or the mmNametoUID.
>
>
> Regards,
> Lohit
>
> On Mar 7, 2019, 5:00 PM -0600, Simon Thompson <[email protected]>,
> wrote:
>
> >
> > custom Auth mode
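The thread's whole design rests on the `idmap config * : backend ldap` entries being consistent: with `read only yes`, Samba never allocates a mapping itself, so every Windows SID that should reach the filesystem must already resolve, in the configured `range`, to a `uidNumber` that belongs to exactly one `posixAccount`. Two SIDs sharing one `uidNumber` means two AD identities become indistinguishable on the GPFS side, and a SID pointing at a `uidNumber` nobody owns grants access as an orphan identity. The following is an added example, not code from the thread or from IBM or Samba: a small offline checker that parses an LDIF export in the same shape as Simon's entries and reports those conditions. The LDIF, the `dc=example,dc=org` DNs and the SIDs in it are constructed for the example; the `uid_range` default mirrors the `range 1000-9999999` line from the quoted mmsmb config.

```python
import re
from collections import defaultdict

# Constructed LDIF sample (not from the mailing-list post): two posixAccount
# entries and three sambaIdmapEntry entries. SID ...-1002 collides with
# ...-1001 on the same uidNumber, and ...-1003 points at a uidNumber that no
# account owns and that lies outside the idmap range.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
objectClass: top
objectClass: posixAccount
uidNumber: 605436
gidNumber: 100
homeDirectory: /home/alice

dn: uid=bob,ou=People,dc=example,dc=org
uid: bob
objectClass: top
objectClass: posixAccount
uidNumber: 605437
gidNumber: 100
homeDirectory: /home/bob

dn: sambaSID=S-1-5-21-1111111111-2222222222-3333333333-1001,ou=SidMap,dc=example
 ,dc=org
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1001
uidNumber: 605436

dn: sambaSID=S-1-5-21-1111111111-2222222222-3333333333-1002,ou=SidMap,dc=example
 ,dc=org
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1002
uidNumber: 605436

dn: sambaSID=S-1-5-21-1111111111-2222222222-3333333333-1003,ou=SidMap,dc=example
 ,dc=org
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1003
uidNumber: 999999999
"""

# Domain SID followed by an RID, the only shape a domain user/group SID takes.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-\d+$")


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attribute: [values]} dicts.

    Handles RFC 2849 line folding: a line starting with a space continues
    the previous line (the folded dn lines above rely on this)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():            # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_idmap(text, uid_range=(1000, 9999999)):
    """Cross-check sambaIdmapEntry objects against posixAccount objects.

    Returns a dict with the problem lists and a 'mapped' dict of
    SID -> login name (None when the SID resolves to no account)."""
    accounts = {}      # uidNumber -> login name
    sid_to_uid = {}    # sambaSID  -> uidNumber
    for e in parse_ldif(text):
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "posixaccount" in classes:
            accounts[int(e["uidNumber"][0])] = e["uid"][0]
        elif "sambaidmapentry" in classes:
            sid_to_uid[e["sambaSID"][0]] = int(e["uidNumber"][0])

    findings = {"bad_sid": [], "out_of_range": [], "orphan": [], "collision": []}
    lo, hi = uid_range
    by_uid = defaultdict(list)
    for sid, uid in sid_to_uid.items():
        if not SID_RE.match(sid):
            findings["bad_sid"].append(sid)
        if not lo <= uid <= hi:             # Samba would refuse this mapping
            findings["out_of_range"].append((sid, uid))
        if uid not in accounts:             # SID maps to a UID nobody owns
            findings["orphan"].append((sid, uid))
        by_uid[uid].append(sid)
    for uid, sids in by_uid.items():
        if len(sids) > 1:                   # two Windows identities, one UID
            findings["collision"].append((uid, sorted(sids)))
    findings["mapped"] = {sid: accounts.get(uid) for sid, uid in sid_to_uid.items()}
    return findings


if __name__ == "__main__":
    result = check_idmap(SAMPLE_LDIF)
    for kind in ("bad_sid", "out_of_range", "orphan", "collision"):
        for item in result[kind]:
            print(f"{kind}: {item}")
```

Against a real directory the same function can be fed the output of an `ldapsearch -LLL` over the `ou=SidMap` and `ou=People` subtrees; the value of running it before enabling the share is that a collision or orphan is a permission problem that SMB itself will never report, since from Samba's point of view the SID resolved successfully.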
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
