Well, reading the user-defined authentication documentation again. It is basically left to sysadmins to deal with authentication, and it looks like it would not be so much of a hack to customize SMB on CES nodes according to our needs. I will see if I could do this without much trouble.
Regards,
Lohit

On Mar 8, 2019, 10:42 AM -0600, [email protected], wrote:
> Thank you Simon.
>
> I do remember reading your page about few years back, when I was researching this issue.
> When you mentioned Custom Auth, I assumed it to be user-defined authentication from CES. However, looks like I need to hack it a bit to get SMB working with AD?
>
> I did not feel comfortable hacking the SMB from the CES cluster, and thus I was trying to bring up SMB outside the CES cluster. I almost hack with everything in the cluster but I leave GPFS and any of its configuration in the supported config, because if things break - I felt it might mess up things real bad.
> I wish we did not have to hack our way out of this, and IBM supported this config out of the box.
>
> I do not understand the current requirements from CES with respect to AD or user defined authentication where either both SMB and NFS should be AD/LDAP authenticated or both of them user defined.
>
> I believe many places do use just ssh-key as authentication for linux machines including the cloud instances, while SMB obviously cannot be used with ssh-key authentication and has to be used either with LDAP or AD authentication.
>
> Did anyone try to raise this as a feature request?
>
> Even if I do figure to hack this thing and make sure that updating CES won’t mess it up badly, I think I will have to do a few things to get the SIDs to UIDs to match as you mentioned.
> We do not use passwords to authenticate to LDAP and I do not want to be creating another set of passwords apart from AD which is already existing, and users authenticate to it when they login to machines.
>
> I was thinking to bring up something like Redhat IDM that could sync with AD and get all the usernames/SIDs and password hashes. I could then enter my current LDAP uids/gids in the Redhat IDM. IDM will automatically create uids/gids for usernames that do not have them, I believe.
> In this way, when SMB authenticates with Redhat IDM - users can use their current AD kerberos tickets or the same passwords and I do not have to change the passwords.
> It will also automatically sync with AD and create UIDs/GIDs and thus I don’t have to manually script something to create one for every person in AD.
> I however need to see if I could get to make this work with institutional AD and it might not be as smooth.
>
> So which of the below cases will IBM most probably support? :)
>
> 1. Run SMB outside the CES cluster with the above configuration.
> 2. Hack SMB inside the CES cluster
>
> Is it that running SMB outside the CES cluster with R/W has a possibility of corrupting the GPFS filesystem?
> We do not necessarily need HA with SMB and so apart from HA - what does IBM SMB do that would prevent such corruption from happening?
>
> The reason I was expecting the usernames to be the same in LDAP and AD is because - if they are, then SMB will do uid mapping by default, i.e. SMB will automatically map windows SIDs to ldap uids. I will not have to bring up Redhat IDM if this was the case. But unfortunately we have many users who have different ldap usernames from AD usernames - so I guess the practical way would be to use Redhat IDM to map windows SIDs to ldap uids.
>
> I have read about mmname2uid and mmuid2name that Andrew mentioned but looks like it is made to work between 2 gpfs clusters with different uids. Not exactly to make SMB map windows SIDs to ldap uids.
>
> Regards,
> Lohit
>
> On Mar 8, 2019, 2:41 AM -0600, Simon Thompson <[email protected]>, wrote:
> > Hi Lohit,
> >
> > Custom auth sounds like it would work.
> >
> > NFS uses the “system” ldap, SMB can use LDAP or AD, or you can fudge it and actually use both. We came at this very early in CES and I think some of this is better in mixed mode now, but we do something vaguely related to what you need.
> >
> > What you’d need is data in your ldap server to map windows usernames and SIDs to Unix IDs. So for example we have in our mmsmb config:
> > idmap config * : backend ldap
> > idmap config * : bind_path_group ou=SidMap,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> > idmap config * : ldap_base_dn ou=SidMap,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> > idmap config * : ldap_server stand-alone
> > idmap config * : ldap_url ldap://localhost
> > idmap config * : ldap_user_dn uid=nslcd,ou=People,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> > idmap config * : range 1000-9999999
> > idmap config * : rangesize 1000000
> > idmap config * : read only yes
> >
> > You then need entries in the LDAP server, it could be a different server or somewhere else in the schema, but basically LDAP entries that map windows username/sid to underlying UID, e.g:
> >
> > dn: uid=USERNAME,ou=People,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> > uid: USERNAME
> > objectClass: top
> > objectClass: posixAccount
> > objectClass: account
> > objectClass: shadowAccount
> > loginShell: /bin/bash
> > uidNumber: 605436
> > shadowMax: 99999
> > gidNumber: 100
> > homeDirectory: /rds/homes/u/USERNAME
> > cn: USERS DISPLAY NAME
> > structuralObjectClass: account
> > entryUUID: 85a18df0-88bd-1037-9152-418eb0c7777
> > creatorsName: cn=Manager,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> > createTimestamp: 20180108124516Z
> > entryCSN: 20180108124516.623983Z#000000#001#000000
> > modifiersName: cn=Manager,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> > modifyTimestamp: 20180108124516Z
> >
> > dn: sambaSID=S-1-5-21-1390067357-308236825-725345543-498888,ou=SidMap,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> > objectClass: sambaIdmapEntry
> > objectClass: sambaSidEntry
> > sambaSID: S-1-5-21-1390067357-308236825-725345543-498888
> > uidNumber: 605436
> > structuralObjectClass: sambaSidEntry
> > entryUUID: 85efa490-88bd-1037-9153-418eb0c9999
> > creatorsName: cn=Manager,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> > createTimestamp: 20180108124517Z
> > entryCSN: 20180108124517.135744Z#000000#001#000000
> > modifiersName: cn=Manager,dc=rds,dc=adf,dc=bham,dc=ac,dc=uk
> > modifyTimestamp: 20180108124517Z
> >
> > I don’t think SMB actually cares about the username matching, what it needs to be able to do is resolve the Windows SID presented to the Unix UID underneath which is how it then accesses files. i.e. it doesn’t really matter what the username in the middle is …
> >
> > Supported config? No. Works for what you need? Probably ...
> >
> > I wrote this: https://www.roamingzebra.co.uk/2015/07/smb-protocol-support-with-spectrum.html back in 2015 about what we were doing, probably much of it stands, but you might want to look at proper supported mixed mode. That is our plan at some point.
> >
> > Simon
> >
> > From: "[email protected]" <[email protected]>
> > Date: Friday, 8 March 2019 at 00:08
> > To: "Simon Thompson (IT Research Support)" <[email protected]>
> > Subject: Re: [gpfsug-discuss] Exporting remote GPFS mounts on a non-ces SMB share
> >
> > Thank you Simon.
> >
> > First issue:
> > I believe what I would need is a combination of user-defined authentication and AD authentication.
> >
> > User-defined authentication to help me export NFS and have the linux clients authenticate users with ssh keys.
> > AD based authentication to help me export SMB with AD authentication/kerberos to mount the filesystem on windows connected to just AD.
> >
> > At first look, it looked like CES either supports user-defined authentication or AD based authentication - which would not work. We do not use kerberos or ldap passwords for accessing the HPC clusters.
> >
> > Second issue:
> > AD username to LDAP username mapping. I could bring up another AD/LDAP server that has the AD usernames and LDAP uids just for SMB authentication but I would need to do this for all the users in the agency.
> > I will try and research if this way is easier or the mmNametoUID.
> >
> > Regards,
> > Lohit
> >
> > On Mar 7, 2019, 5:00 PM -0600, Simon Thompson <[email protected]>, wrote:
> > > custom Auth mode
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
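Simon's idmap setup resolves each Windows SID to a Unix UID through LDAP entries, and a missing or wrong mapping silently gives a user the wrong file permissions on the GPFS filesystem. The following added example (not from the thread, and not IBM or Samba code) audits a set of such entries against the idmap range quoted in that mmsmb config; the LDIF sample, the example.org DNs and the SID values are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample (not from the thread): the idmap range quoted from the mmsmb
# config, one posixAccount, one correct sambaIdmapEntry and one broken one.
IDMAP_RANGE = (1000, 9999999)
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 605436

dn: sambaSID=S-1-5-21-1-2-3-498888,ou=SidMap,dc=example,dc=org
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-1-2-3-498888
uidNumber: 605436

dn: sambaSID=S-1-5-21-1-2-3-500000,ou=SidMap,dc=example,dc=org
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-1-2-3-500000
uidNumber: 42
"""
SID_RE = re.compile(r"^S-1-5-21(-\d+){3}-\d+$")  # domain SID followed by a RID
def parse_ldif(text):
    """Minimal LDIF reader (no continuation lines or base64): -> [{attr: [values]}]."""
    entries, cur = [], defaultdict(list)
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.strip():
            attr, _, value = line.partition(":")
            cur[attr.strip()].append(value.strip())
        elif cur:
            entries.append(dict(cur))
            cur = defaultdict(list)
    return entries

def audit_idmap(ldif_text, idmap_range=IDMAP_RANGE):
    """Findings for SID->UID mappings that would give a Windows user no or the wrong Unix identity."""
    lo, hi = idmap_range
    entries = parse_ldif(ldif_text)
    accounts = {e["uidNumber"][0] for e in entries if "posixAccount" in e.get("objectClass", [])}
    uid_to_sids, findings = defaultdict(list), []
    for e in (x for x in entries if "sambaIdmapEntry" in x.get("objectClass", [])):
        sid, uid = e["sambaSID"][0], e["uidNumber"][0]
        checks = [(not SID_RE.match(sid), "malformed SID"),
                  (not lo <= int(uid) <= hi, f"uid {uid} outside idmap range {lo}-{hi}"),
                  (uid not in accounts, f"uid {uid} has no posixAccount")]
        findings += [f"{sid}: {msg}" for bad, msg in checks if bad]
        uid_to_sids[uid].append(sid)
    findings += [f"uid {u} mapped from several SIDs: {sorted(s)}"
                 for u, s in uid_to_sids.items() if len(s) > 1]
    return findings
```

Running `audit_idmap(SAMPLE_LDIF)` flags only the second sambaIdmapEntry, whose uid 42 lies outside the configured range and has no posixAccount behind it; two SIDs pointing at one uidNumber is reported separately, since it makes two Windows identities indistinguishable on the Unix side.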
