Hi,
the most likely case here is that an id mapping for the user or the
user's primary group is missing (we require both). One possible way to
troubleshoot would be issuing the queries manually:
This is from a test system, but can be easily adapted to other
environments. Everything needs to be run from a protocol node:
1) Query the user record (here: cschmit):
# /usr/lpp/mmfs/bin/net ads search -P sAMAccountName=cschmit uidNumber gidNumber objectSid primaryGroupId
Got 1 replies
primaryGroupID: 513
objectSid: S-1-5-21-2745666129-1984454212-2075974874-1120
uidNumber: 10000
Does the user have uidNumber defined? Does it fall into the specified
range? (10000-9999999 from the previous email).
2) Query the user's primary group. The SID of the group can be
constructed from the user's SID and the primaryGroupID. Replace the
last part of the user's SID with the primaryGroupID.
[root@sandrattler-vm1 ~]# /usr/lpp/mmfs/bin/net ads search -P objectSid=S-1-5-21-2745666129-1984454212-2075974874-513 gidNumber
Got 1 replies
gidNumber: 10001
Does the group have a gidNumber defined? Does it fall into the configured range?
A special case that is also supported is having the gidNumber defined
in the user's record. If that is the case, then the configuration can
be changed to --unixmap-domains with the :unix flag.
See 'man mmuserauth'
--unixmap-domains unixDomainMap
...
unix: Specifies the system to read the
primary group as set in "UNIX attributes" of a
user on the Active Directory.
For example,
--unixmap-domains
"MYDOMAIN1(20000-50000:unix);MYDOMAIN2(100000-200000:win)"
...
Regards,
Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
[email protected] || +1-520-799-2469 (T/L: 321-2469)
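The following is an added example, not IBM code and not part of Christof's message: the manual check described above carried out in Python on query output pasted from a protocol node. It assumes the records are copied from "net ads search" or ldapsearch as quoted in this thread (the sample records are constructed from that output, including the base64-encoded objectSid that ldapsearch prints for the 'walid' record further down, which lists no uidNumber), uses the 10000-9999999 range from the thread, and the function names are the example's own. It also covers the :unix special case by flagging a gidNumber that sits on the user record instead of on the group.

```python
import base64
import struct

# Added example, not IBM's or the thread's code: decode the SID, derive the
# primary group's SID from primaryGroupID, and test uidNumber/gidNumber
# against the --unixmap-domains range. Sample records are constructed.
UNIXMAP_RANGE = (10000, 9999999)  # range used in this thread

def parse_ldif(text: str) -> dict:
    """Collect 'attr: value' lines into a dict. 'attr:: value' is base64,
    which is how ldapsearch prints binary attributes such as objectSid."""
    attrs = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue  # comments, "Got 1 replies", blank lines
        key, sep, value = line.partition("::")
        if sep:
            attrs[key.strip()] = base64.b64decode(value.strip())
        else:
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
    return attrs

def sid_to_string(raw: bytes) -> str:
    """Binary SID -> 'S-1-5-21-...'. Layout: revision (1 byte), sub-authority
    count (1 byte), 48-bit big-endian identifier authority, then count
    32-bit little-endian sub-authorities; the last one is the RID."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """Primary group SID = the user's SID with its RID (last component)
    replaced by primaryGroupID, as described in the message above."""
    domain_sid = user_sid.rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, primary_group_id)

def check_idmap(user: dict, group: dict, lo: int, hi: int) -> list:
    """Reasons winbind cannot map the user; empty means both ids are usable.
    uidNumber (user) and gidNumber (primary group) must both exist and
    lie inside the configured range."""
    problems = []
    uid = user.get("uidNumber")
    if uid is None:
        problems.append("user has no uidNumber")
    elif not lo <= int(uid) <= hi:
        problems.append("uidNumber %s outside range %d-%d" % (uid, lo, hi))
    gid = group.get("gidNumber")
    if gid is None and "gidNumber" in user:
        # Special case from the message: gidNumber on the user record is
        # honoured only with the :unix flag on --unixmap-domains.
        problems.append("primary group has no gidNumber, but the user record "
                        "has gidNumber %s: consider the :unix flag on "
                        "--unixmap-domains" % user["gidNumber"])
    elif gid is None:
        problems.append("primary group has no gidNumber")
    elif not lo <= int(gid) <= hi:
        problems.append("gidNumber %s outside range %d-%d" % (gid, lo, hi))
    return problems

def diagnose(user_ldif: str, group_ldif: str, lo: int, hi: int):
    """Return (primary group SID to query next, list of problems)."""
    user = parse_ldif(user_ldif)
    sid = user["objectSid"]
    if isinstance(sid, bytes):  # base64 form from ldapsearch
        sid = sid_to_string(sid)
    group_sid = primary_group_sid(sid, int(user["primaryGroupID"]))
    return group_sid, check_idmap(user, parse_ldif(group_ldif), lo, hi)

# Constructed from the "net ads search" output quoted in the message above.
USER_RECORD = """\
Got 1 replies
primaryGroupID: 513
objectSid: S-1-5-21-2745666129-1984454212-2075974874-1120
uidNumber: 10000
"""
GROUP_RECORD = """\
Got 1 replies
gidNumber: 10001
"""
# Constructed subset of the ldapsearch record for 'walid' quoted further
# down in this thread: objectSid is base64 and no uidNumber is listed.
WALID_RECORD = """\
# Walid, Users, powerm.ma
dn: CN=Walid,CN=Users,DC=powerm,DC=ma
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAG4qBuwTv6AKWAIpcTwQAAA==
sAMAccountName: walid
"""

if __name__ == "__main__":
    for name, user, group in (("cschmit", USER_RECORD, GROUP_RECORD),
                              ("walid", WALID_RECORD, "")):
        gsid, problems = diagnose(user, group, *UNIXMAP_RANGE)
        print("%s: net ads search -P objectSid=%s gidNumber" % (name, gsid))
        print("  " + ("id mapping OK" if not problems else "; ".join(problems)))
```

Run it as a script for the two constructed records, or paste your own query output into diagnose(). Deriving the group SID in code avoids editing the wrong SID component by hand; the "net ads search" queries themselves still have to be run on a protocol node, as Christof says.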
----- Original message -----
From: "L.walid (PowerM)" <[email protected]>
Sent by: [email protected]
To: [email protected]
Cc:
Subject: [EXTERNAL] Re: [gpfsug-discuss] gpfsug-discuss Digest, Vol 88, Issue 21
Date: Mon, May 20, 2019 8:36 AM
Hi,
I managed to make the command work (basically checking /etc/resolv.conf, /etc/hosts, /etc/nsswitch.conf):

[root@scale1 committed]# mmuserauth service create --data-access-method file --type ad --servers X.X.X.X --user-name MYUSER --idmap-role master --netbios-name CESSCALE --unixmap-domains "MYDOMAIN(10000-9999999)"
Enter Active Directory User 'spectrum_scale' password:
File authentication configuration completed successfully.

[root@scale1 committed]# mmuserauth service check
Userauth file check on node: scale1
Checking nsswitch file: OK
Checking Pre-requisite Packages: OK
Checking SRV Records lookup: OK
Service 'gpfs-winbind' status: OK
Object not configured

[root@scale1 committed]# mmuserauth service check --server-reachability
Userauth file check on node: scale1
Checking nsswitch file: OK
Checking Pre-requisite Packages: OK
Checking SRV Records lookup: OK
Domain Controller status
NETLOGON connection: OK, connection to DC: xxxx
Domain join status: OK
Machine password status: OK
Service 'gpfs-winbind' status: OK
Object not configured

But unfortunately, even if all the commands seem good, I cannot use users from Active Directory as owner or to set up ACLs on SMB shares (it doesn't recognise AD users), plus the command 'id DOMAIN\USER' gives the error "cannot find user".
Any ideas?

On Mon, 20 May 2019 at 01:46, <[email protected]> wrote:
Send gpfsug-discuss mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of gpfsug-discuss digest..."
Today's Topics:
1. Re: gpfsug-discuss Digest, Vol 88, Issue 19 (Schmied, Will)
----------------------------------------------------------------------
Message: 1
Date: Mon, 20 May 2019 01:45:57 +0000
From: "Schmied, Will" <[email protected]>
To: gpfsug main discussion list <[email protected]>
Subject: Re: [gpfsug-discuss] gpfsug-discuss Digest, Vol 88, Issue 19
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
Well, not seeing anything odd about the second try (just the username only) except that your NETBIOS domain name needs to be put in place of the placeholder (DOMAIN_NETBIOS_NAME).
You can copy from a text file and then paste into the stdin when the command asks for your password. Just a way to be sure no typos are in the password entry.
Thanks,
Will
From: <[email protected]> on behalf of "L.walid (PowerM)" <[email protected]>
Reply-To: gpfsug main discussion list <[email protected]>
Date: Sunday, May 19, 2019 at 18:39
To: "[email protected]" <[email protected]>
Subject: Re: [gpfsug-discuss] gpfsug-discuss Digest, Vol 88, Issue 19
Hi,
Thanks for the feedback, I have tried the suggested command:
mmuserauth service create --data-access-method file --type ad --servers powermdomain.powerm.ma --user-name cn=walid,cn=users,dc=powerm,dc=ma --idmap-role master --netbios-name scaleces --unixmap-domains "DOMAIN_NETBIOS_NAME(10000-9999999)"
Enter Active Directory User 'cn=walid,cn=users,dc=powerm,dc=ma' password:
Invalid credentials specified for the server powermdomain.powerm.ma
mmuserauth service create: Command failed. Examine previous error messages to determine cause.
[root@scale1 ~]# mmuserauth service create --data-access-method file --type ad --servers powermdomain.powerm.ma --user-name walid --idmap-role master --netbios-name scaleces --unixmap-domains "DOMAIN_NETBIOS_NAME(10000-9999999)"
Enter Active Directory User 'walid' password:
Invalid credentials specified for the server powermdomain.powerm.ma
mmuserauth service create: Command failed. Examine previous error messages to determine cause.
I tried both the domain qualifier and the plain user in the --name parameter but I get Invalid Credentials (knowing that walid is an Administrator in Active Directory).
[root@scale1 ~]# ldapsearch -H ldap://powermdomain.powerm.ma -x -W -D "[email protected]" -b "dc=powerm,dc=ma" "(sAMAccountName=walid)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=powerm,dc=ma> with scope subtree
# filter: (sAMAccountName=walid)
# requesting: ALL
#
# Walid, Users, powerm.ma
dn: CN=Walid,CN=Users,DC=powerm,DC=ma
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Walid
sn: Largou
givenName: Walid
distinguishedName: CN=Walid,CN=Users,DC=powerm,DC=ma
instanceType: 4
whenCreated: 20190518224649.0Z
whenChanged: 20190520001645.0Z
uSNCreated: 12751
memberOf: CN=Domain Admins,CN=Users,DC=powerm,DC=ma
uSNChanged: 16404
name: Walid
objectGUID:: Le4tH38qy0SfcxaroNGPEg==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132028055547447029
lastLogoff: 0
lastLogon: 132028055940741392
pwdLastSet: 132026934129698743
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAG4qBuwTv6AKWAIpcTwQAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: walid
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=powerm,DC=ma
dSCorePropagationData: 20190518225159.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132027850050695698
# search reference
ref: ldap://ForestDnsZones.powerm.ma/DC=ForestDnsZones,DC=powerm,DC=ma
# search reference
ref: ldap://DomainDnsZones.powerm.ma/DC=DomainDnsZones,DC=powerm,DC=ma
# search reference
ref: ldap://powerm.ma/CN=Configuration,DC=powerm,DC=ma
# search result
search: 2
result: 0 Success
On Sun, 19 May 2019 at 23:31, <[email protected]> wrote:
Today's Topics:
1. Re: Active Directory Authentification (Schmied, Will)
----------------------------------------------------------------------
Message: 1
Date: Sun, 19 May 2019 23:24:15 +0000
From: "Schmied, Will" <[email protected]>
To: gpfsug main discussion list <[email protected]>
Subject: Re: [gpfsug-discuss] Active Directory Authentification
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
Hi Walid,
Without knowing any specifics of your environment, the below command is what I have used, successfully across multiple clusters at 4.2.x. The binding account you specify needs to be able to add computers to the domain.
mmuserauth service create --data-access-method file --type ad --servers some_dc.foo.bar --user-name some_ad_bind_account --idmap-role master --netbios-name some_ad_computer_name --unixmap-domains "DOMAIN_NETBIOS_NAME(10000-9999999)"
10000-9999999 is the acceptable range of UID / GID for AD accounts.
Thanks,
Will
From: <[email protected]> on behalf of "L.walid (PowerM)" <[email protected]>
Reply-To: gpfsug main discussion list <[email protected]>
Date: Sunday, May 19, 2019 at 14:30
To: "[email protected]" <[email protected]>
Subject: [gpfsug-discuss] Active Directory Authentification
Hi,
I'm planning to integrate Active Directory with our Spectrum Scale, but it seems I'm missing out something. Please note that I'm on 2 protocol nodes with only the SMB service running, Spectrum Scale 5.0.3.0 (latest version). I've tried from the GUI the two ways: connect to Active Directory, and the other to LDAP.
Connect to LDAP :
mmuserauth service create --data-access-method 'file' --type 'LDAP' --servers 'powermdomain.powerm.ma:389' --user-name 'cn=walid,cn=users,dc=powerm,dc=ma' --pwd-file 'auth_pass.txt' --netbios-name 'scaleces' --base-dn 'cn=users,dc=powerm,dc=ma'
Either failed to create a samba domain entry on LDAP server if not present or could not read the already existing samba domain entry from the LDAP server
Detailed message:smbldap_search_domain_info: Adding domain info for SCALECES failed with NT_STATUS_UNSUCCESSFUL
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
pdb backend ldapsam:"ldap://powermdomain.powerm.ma:389" did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
WARNING: Could not open passdb
File authentication configuration failed.
mmuserauth service create: Command failed. Examine previous error messages to determine cause.
Operation Failed
Connect to Active Directory :
mmuserauth service create --data-access-method 'file' --type 'AD' --servers '192.168.56.5' --user-name 'walid' --pwd-file 'auth_pass.txt' --netbios-name 'scaleces' --idmap-role 'MASTER' --ldapmap-domains 'powerm.ma(type=stand-alone:ldap_srv=192.168.56.5:range=-9000000000000000-4294967296:usr_dn=cn=users,dc=powerm,dc=ma:grp_dn=cn=users,dc=powerm,dc=ma:bind_dn=cn=walid,cn=users,dc=powerm,dc=ma:bind_dn_pwd=P@ssword)'
mmuserauth service create: Invalid parameter passed for --ldapmap-domain
mmuserauth service create: Command failed. Examine previous error messages to determine cause.
Operation Failed
--
Best regards,
Walid Largou
Senior IT Specialist
Power Maroc
Mobile : +212 621 31 98 71
Email: [email protected]
320 Bd Zertouni 6th Floor, Casablanca, Morocco
https://www.powerm.ma
This message is confidential .Its contents do not constitute a commitment by Power Maroc S.A.R.L except where provided for in a written agreement between you and Power Maroc S.A.R.L. Any authorized disclosure, use or dissemination, either whole or partial, is prohibited. If you are not the intended recipient of the message, please notify the sender immediately.
------------------------------
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
End of gpfsug-discuss Digest, Vol 88, Issue 19
**********************************************
------------------------------
End of gpfsug-discuss Digest, Vol 88, Issue 21
**********************************************
