Re: [gpfsug-discuss] Question concerning integration of CES with AD authentication system

2019-07-26 Thread Christof Schmitt
Mark,
 
to answer your questions:
 
> I see this is referring to UNIX attributes within AD, but I'm curious about mapping to attributes in LDAP.
>
> => This gets mapped to 'idmap config ... : unix_primary_group' in the
> => internal config.
>
> Does that correspond to setting the smb.conf parameter
>
> unix_primary_group = yes
 
This corresponds to the smb.conf parameter 'idmap config DOMAIN : unix_primary_group = yes'. This refers to the id mapping configuration for the specified domain. See the idmap_ad man page for the Samba documentation of this parameter.
 
> Specifically, under Spectrum Scale 5.0.2, if I run:
>
> mmuserauth service create --data-access-method file --ldapmap-domains "DOMAIN(type=stand-alone:ldap_srv=ldapserver:range=1001-65535:usr_dn=ou=People,dc=DC,dc=TLD:grp_dn=ou=Group,dc=DC,dc=TLD)" --type ad
>
> (some args removed in this example), will that map the user's primary group to
>
> the primaryGroupID supplied by AD
>   or
> the primaryGroupID LDAP field
>   or
> the gidNumber LDAP field
 
The primary group in this configuration is the primary group in Active Directory. This is stored in Active Directory in the primaryGroupID field, which refers to the RID of the primary group (the last part of the SID of the group). This id mapping method currently does not read the gidNumber of the user. In theory it would be possible to add this, similar to the 'unix_primary_group' from above, but that should be treated as a new feature, and requesting that through an RFE would be appropriate.
 
Regards,
 
Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
christof.schm...@us.ibm.com  ||  +1-520-799-2469    (T/L: 321-2469)
 
 
----- Original message -----
From: mark.berg...@uphs.upenn.edu
To: gpfsug main discussion list
Cc: christof.schm...@us.ibm.com
Subject: [EXTERNAL] Re: [gpfsug-discuss] Question concerning integration of CES with AD authentication system
Date: Thu, Jul 25, 2019 4:31 PM

In the message dated: Thu, 24 May 2018 17:07:02 -,
The pithy ruminations from Christof Schmitt on
[Re: [gpfsug-discuss] Question concerning integration of CES with AD authentication system] were:
=>

Following up on an old, old post...

=> > Basically Samba ignores the separate GID field in RFC2307bis, so one
=> > imagines the options for changing the LDAP attributes are non-existent.
=>
=> mmuserauth now has an option to use either the gid from the actual primary
=> group or the gid defined for the user. See:
=>
=> https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.0/com.ibm.spectrum.scale.v5r00.doc/bl1adm_mmuserauth.htm
=>
=> --unixmap-domains unixDomainMap
=> [...]
=>     win: Specifies the system to read the primary group set as Windows
=> primary group of a user on the Active Directory.
=>     unix: Specifies the system to read the primary group as set in "UNIX
=> attributes" of a user on the Active Directory.
=>     For example,
=>     --unixmap-domains "MYDOMAIN1(2-5:unix);MYDOMAIN2(10-20:win)"

I see this is referring to UNIX attributes within AD, but I'm curious about mapping to attributes in LDAP.

=> This gets mapped to 'idmap config ... : unix_primary_group' in the
=> internal config.

Does that correspond to setting the smb.conf parameter

unix_primary_group = yes

Specifically, under Spectrum Scale 5.0.2, if I run:

mmuserauth service create --data-access-method file --ldapmap-domains "DOMAIN(type=stand-alone:ldap_srv=ldapserver:range=1001-65535:usr_dn=ou=People,dc=DC,dc=TLD:grp_dn=ou=Group,dc=DC,dc=TLD)" --type ad

(some args removed in this example), will that map the user's primary group to

the primaryGroupID supplied by AD
  or
the primaryGroupID LDAP field
  or
the gidNumber LDAP field

or something else?

Thanks,

Mark

=>
=> Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
=> christof.schm...@us.ibm.com  ||  +1-520-799-2469    (T/L: 321-2469)
=>
 

___
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
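The resolution Christof describes above, as an added example (not code from Spectrum Scale or Samba): primaryGroupID is only a RID, the group SID is the domain SID with that RID appended, and the 'win' versus 'unix' setting of --unixmap-domains (internally 'idmap config DOMAIN : unix_primary_group') decides whether the GID comes from that group's gidNumber or from the user's own gidNumber. The domain SID, users and groups are constructed values; the attribute names are the real AD and RFC2307 ones. It also shows the case Jonathan Buzzard raises further down the thread: in 'win' mode a primary group without a gidNumber leaves the user with no passwd entry at all.

```python
"""Model of how winbind's idmap_ad backend chooses a user's primary GID.

Added example, not code from Spectrum Scale or Samba. The directory entries
and the domain SID are constructed values; attribute names (primaryGroupID,
uidNumber, gidNumber) are the real AD / RFC2307 ones.
"""
from typing import Optional

# Assumption: a single domain with this (made-up) SID.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Constructed user objects. primaryGroupID holds only the RID of the primary
# group; gidNumber is the per-user RFC2307 attribute.
USERS = {
    "alice": {"uidNumber": 11105, "primaryGroupID": 513,  "gidNumber": 5001},
    "bob":   {"uidNumber": 11106, "primaryGroupID": 1201, "gidNumber": 5002},
    "carol": {"uidNumber": 11107, "primaryGroupID": 513},  # no gidNumber set
}

# Constructed group objects keyed by full SID. 'hpc-users' has no gidNumber.
GROUPS = {
    f"{DOMAIN_SID}-513":  {"cn": "Domain Users", "gidNumber": 10513},
    f"{DOMAIN_SID}-1201": {"cn": "hpc-users"},
}


def primary_group_sid(user: dict) -> str:
    """primaryGroupID is a RID; the group's SID is the domain SID plus that RID."""
    return f"{DOMAIN_SID}-{user['primaryGroupID']}"


def primary_gid(username: str, unix_primary_group: bool) -> Optional[int]:
    """GID winbind would report for the user, or None if it cannot be resolved.

    unix_primary_group=False ('win' in --unixmap-domains): follow primaryGroupID
        to the AD primary group and use that group's gidNumber.
    unix_primary_group=True ('unix'): use the user's own gidNumber instead.
    """
    user = USERS[username]
    if unix_primary_group:
        return user.get("gidNumber")
    group = GROUPS.get(primary_group_sid(user))
    return group.get("gidNumber") if group else None


def passwd_entry(username: str, unix_primary_group: bool) -> Optional[str]:
    """Mimic 'getent passwd USER': an unresolvable GID means no entry at all."""
    gid = primary_gid(username, unix_primary_group)
    if gid is None:
        return None
    uid = USERS[username]["uidNumber"]
    return f"{username}:*:{uid}:{gid}::/home/{username}:/bin/sh"


if __name__ == "__main__":
    for mode, flag in (("win", False), ("unix", True)):
        for name in USERS:
            print(f"{mode:4} {name:6} -> {passwd_entry(name, flag)}")
```

Running it shows bob disappearing in 'win' mode (his primary group hpc-users carries no gidNumber) and carol disappearing in 'unix' mode (she has no gidNumber herself), which is why a domain should be switched between the two settings only after checking that the attribute the chosen mode reads is populated for every account that needs access.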


Re: [gpfsug-discuss] Question concerning integration of CES with AD authentication system

2019-07-25 Thread mark . bergman
In the message dated: Thu, 24 May 2018 17:07:02 -,
The pithy ruminations from Christof Schmitt on 
[Re: [gpfsug-discuss] Question concerning integration of CES with AD 
authentication system] were:
=> 

Following up on an old, old post...

=> > Basically Samba ignores the separate GID field in RFC2307bis, so one
=> > imagines the options for changing the LDAP attributes are non-existent.
=>  
=> mmuserauth now has an option to use either the gid from the actual primary
=> group or the gid defined for the user. See:
=>  
=> https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.0/
=> com.ibm.spectrum.scale.v5r00.doc/bl1adm_mmuserauth.htm
=>  
=> --unixmap-domains unixDomainMap
=> [...]
=> win: Specifies the system to read the primary group set as Windows
=> primary group of a user on the Active Directory.
=>  unix: Specifies the system to read the primary group as set in "UNIX
=> attributes" of a user on the Active Directory.  
=> For example,
=>  --unixmap-domains "MYDOMAIN1(2-5:unix);MYDOMAIN2
=> (10-20:win)"

I see this is referring to UNIX attributes within AD, but I'm curious about 
mapping to attributes in LDAP.

=> This gets mapped to 'idmap config ... : unix_primary_group' in the
=> internal config.

Does that correspond to setting the smb.conf parameter

unix_primary_group = yes




Specifically, under Spectrum Scale 5.0.2, if I run:

mmuserauth service create --data-access-method file --ldapmap-domains 
"DOMAIN(type=stand-alone:ldap_srv=ldapserver:range=1001-65535:usr_dn=ou=People,dc=DC,dc=TLD:grp_dn=ou=Group,dc=DC,dc=TLD)"
 --type ad

(some args removed in this example), will that map the user's primary group to

the primaryGroupID supplied by AD
  or
the primaryGroupID LDAP field
  or
the gidNumber LDAP field

or something else?

Thanks,

Mark


=> 
=> Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
=> christof.schm...@us.ibm.com  ||  +1-520-799-2469(T/L: 321-2469)
=>  
___
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss


Re: [gpfsug-discuss] Question concerning integration of CES with AD authentication system

2018-05-24 Thread Christof Schmitt
> My understanding, after talking to expert people here, is that I should use the RFC2307 model for ID mapping (described here: https://goo.gl/XvqHDH). The problem is
> that our ID schema is slightly different than that one described in RFC2307. In the RFC the relevant user identification fields are named "uidNumber" and "gidNumber".
> But in our AD database schema we have:
>
> # egrep 'uid_number|gid_number' /etc/sssd/sssd.conf
> ldap_user_uid_number = msSFU30UidNumber
> ldap_user_gid_number = msSFU30GidNumber
> ldap_group_gid_number = msSFU30GidNumber
>
> My question is: is it possible to configure CES to look for the custom field labels (those ones listed above) instead of the default ones officially described in rfc2307 ?
mmuserauth only supports the rfc2307 attributes for Active Directory. That is the tested and supported configuration. The attribute names from the sssd configuration look like the "old" SFU attributes are used. You could try going through "mmuserauth service create --type ad ..." and then switching the internal configuration to use the SFU attributes:
/usr/lpp/mmfs/bin/net conf setparm global 'idmap config DOMAINNAME : schema_mode' sfu
 
Then restart gpfs-winbind on all protocol nodes or use "mmces service" to stop and start SMB on all protocol nodes.
 
Note that we have not tested this configuration, so if that should be supported in a possible future release, please open an RFE.
 
Regards,
Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
christof.schm...@us.ibm.com  ||  +1-520-799-2469    (T/L: 321-2469)
 
 
----- Original message -----
From: "Dorigo Alvise (PSI)"
Sent by: gpfsug-discuss-boun...@spectrumscale.org
To: "gpfsug-discuss@spectrumscale.org"
Cc:
Subject: [gpfsug-discuss] Question concerning integration of CES with AD authentication system
Date: Thu, May 24, 2018 1:45 AM

Dear members,
at PSI I'm trying to integrate the CES service with our AD authentication system.

My understanding, after talking to expert people here, is that I should use the RFC2307 model for ID mapping (described here: https://goo.gl/XvqHDH). The problem is that our ID schema is slightly different than that one described in RFC2307. In the RFC the relevant user identification fields are named "uidNumber" and "gidNumber". But in our AD database schema we have:

# egrep 'uid_number|gid_number' /etc/sssd/sssd.conf
ldap_user_uid_number = msSFU30UidNumber
ldap_user_gid_number = msSFU30GidNumber
ldap_group_gid_number = msSFU30GidNumber

My question is: is it possible to configure CES to look for the custom field labels (those ones listed above) instead of the default ones officially described in rfc2307 ?

many thanks.
Regards,

   Alvise Dorigo
___
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
 

___
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
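What the schema_mode switch above changes, as an added example (not Spectrum Scale or Samba code): the 'net conf setparm' line stores the equivalent of 'idmap config DOMAINNAME : schema_mode = sfu' in the registry-backed smb.conf, and that selects which AD attributes idmap_ad reads for a user's uid and gid (uidNumber/gidNumber for rfc2307, msSFU30UidNumber/msSFU30GidNumber for sfu). The user objects are constructed; the attribute names per mode and the rule that the configured range acts as a filter on IDs read from AD follow the Samba idmap_ad man page. The range value 1001-65535 is taken from Mark's mmuserauth command earlier in the thread.

```python
"""Which AD attributes idmap_ad reads for each schema_mode, and how the idmap
range filters the result.

Added example, not Spectrum Scale or Samba code. The user objects are
constructed; the attribute names per mode and the 'range acts as a filter'
behaviour follow the Samba idmap_ad man page (sfu20 mode omitted).
"""
from typing import Optional, Tuple

SCHEMA_ATTRS = {
    "rfc2307": {"uid": "uidNumber",        "gid": "gidNumber"},
    "sfu":     {"uid": "msSFU30UidNumber", "gid": "msSFU30GidNumber"},
}

# Constructed AD users. 'sfuonly' is populated the way the PSI sssd.conf
# implies (SFU 3.0 attributes only); 'rfc' has RFC2307 attributes;
# 'outofrange' has an RFC2307 uidNumber above the configured range.
USERS = {
    "sfuonly":    {"msSFU30UidNumber": 2001, "msSFU30GidNumber": 3001},
    "rfc":        {"uidNumber": 2002, "gidNumber": 3002},
    "outofrange": {"uidNumber": 70000, "gidNumber": 3002},
}


class IdmapDomain:
    """One 'idmap config DOMAIN : ...' stanza as winbind would apply it."""

    def __init__(self, domain: str, schema_mode: str, low: int, high: int):
        if schema_mode not in SCHEMA_ATTRS:
            raise ValueError(f"unsupported schema_mode {schema_mode!r}")
        if low > high:
            raise ValueError("idmap range low must not exceed high")
        self.domain, self.schema_mode, self.low, self.high = domain, schema_mode, low, high

    def smb_conf(self) -> str:
        """The smb.conf lines equivalent to what 'net conf setparm' stores."""
        p = f"idmap config {self.domain} : "
        return "\n".join([
            f"{p}backend = ad",
            f"{p}schema_mode = {self.schema_mode}",
            f"{p}range = {self.low}-{self.high}",
        ])

    def in_range(self, value: int) -> bool:
        return self.low <= value <= self.high

    def map_user(self, sam: str) -> Optional[Tuple[int, int]]:
        """(uid, gid) winbind would hand out, or None if the user is unmapped.

        A None result means no UNIX identity on the protocol nodes. A schema_mode
        that does not match the attributes actually populated, and an ID outside
        the range, both look the same to the client: the lookup simply fails.
        """
        entry = USERS.get(sam)
        if entry is None:
            return None
        attrs = SCHEMA_ATTRS[self.schema_mode]
        uid, gid = entry.get(attrs["uid"]), entry.get(attrs["gid"])
        if uid is None or gid is None:
            return None
        if not (self.in_range(uid) and self.in_range(gid)):
            return None
        return uid, gid


if __name__ == "__main__":
    for mode in ("rfc2307", "sfu"):
        dom = IdmapDomain("DOMAINNAME", mode, 1001, 65535)
        print(dom.smb_conf())
        for sam in USERS:
            print(f"  {sam:10} -> {dom.map_user(sam)}")
```

With schema_mode left at rfc2307, the SFU-only user resolves to nothing, which matches the symptom that prompted the question; after switching to sfu the RFC2307-only users are the ones that stop resolving, so a directory that mixes both attribute sets needs to be checked account by account before the change is made on all protocol nodes.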


Re: [gpfsug-discuss] Question concerning integration of CES with AD authentication system

2018-05-24 Thread Christof Schmitt
> Basically Samba ignores the separate GID field in RFC2307bis, so one
> imagines the options for changing the LDAP attributes are non-existent.
 
mmuserauth now has an option to use either the gid from the actual primary group or the gid defined for the user. See:
 
https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.0/com.ibm.spectrum.scale.v5r00.doc/bl1adm_mmuserauth.htm
 
--unixmap-domains unixDomainMap
[...]
    win: Specifies the system to read the primary group set as Windows primary group of a user on the Active Directory.
    unix: Specifies the system to read the primary group as set in "UNIX attributes" of a user on the Active Directory.

For example, --unixmap-domains "MYDOMAIN1(2-5:unix);MYDOMAIN2(10-20:win)"

This gets mapped to 'idmap config ... : unix_primary_group' in the internal config.

Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
christof.schm...@us.ibm.com  ||  +1-520-799-2469    (T/L: 321-2469)
 
 
----- Original message -----
From: Jonathan Buzzard
Sent by: gpfsug-discuss-boun...@spectrumscale.org
To: gpfsug main discussion list
Cc:
Subject: Re: [gpfsug-discuss] Question concerning integration of CES with AD authentication system
Date: Thu, May 24, 2018 7:50 AM

On Thu, 2018-05-24 at 14:16 +, Skylar Thompson wrote:
> I haven't needed to change the LDAP attributes that CES uses, but I
> do see --user-id-attrib in the mmuserauth documentation.
> Unfortunately, I don't see an equivalent one for gidNumber.
>

Is it not doing the "Samba thing" where your GID is the GID of your
primary Active Directory group? This is usually "Domain Users" but not
always.

Basically Samba ignores the separate GID field in RFC2307bis, so one
imagines the options for changing the LDAP attributes are non-existent.

I know back in the day this had me stumped for a while because unless
you assign a GID number to the user's primary group then Winbind does
not return anything, aka a "getent passwd" on the user fails.

JAB.

--
Jonathan A. Buzzard Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG
___
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
 

___
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss


Re: [gpfsug-discuss] Question concerning integration of CES with AD authentication system

2018-05-24 Thread Simon Thompson (IT Research Support)
You can change them using the normal SMB commands, from the appropriate bin 
directory, whether this is supported is another matter.

We have one parameter set this way but I forgot which.

Simon

From: gpfsug-discuss-boun...@spectrumscale.org 
[gpfsug-discuss-boun...@spectrumscale.org] on behalf of Skylar Thompson 
[skyl...@uw.edu]
Sent: 24 May 2018 15:51
To: gpfsug-discuss@spectrumscale.org
Subject: Re: [gpfsug-discuss] Question concerning integration of CES with AD 
authentication system

On Thu, May 24, 2018 at 03:46:32PM +0100, Jonathan Buzzard wrote:
> On Thu, 2018-05-24 at 14:16 +, Skylar Thompson wrote:
> > I haven't needed to change the LDAP attributes that CES uses, but I
> > do see --user-id-attrib in the mmuserauth documentation.
> > Unfortunately, I don't see an equivalent one for gidNumber.
> >
>
> Is it not doing the "Samba thing" where your GID is the GID of your
> primary Active Directory group? This is usually "Domain Users" but not
> always.
>
> Basically Samba ignores the separate GID field in RFC2307bis, so one
> imagines the options for changing the LDAP attributes are non-existent.
>
> I know back in the day this had me stumped for a while because unless
> you assign a GID number to the user's primary group then Winbind does
> not return anything, aka a "getent passwd" on the user fails.

At least for us, it seems to be using the gidNumber attribute of our users.
On the back-end, of course, it is Samba, but I don't know that there are
mm* commands available for all of the tunables one can set in smb.conf.

--
-- Skylar Thompson (skyl...@u.washington.edu)
-- Genome Sciences Department, System Administrator
-- Foege Building S046, (206)-685-7354
-- University of Washington School of Medicine
___
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss


Re: [gpfsug-discuss] Question concerning integration of CES with AD authentication system

2018-05-24 Thread Skylar Thompson
On Thu, May 24, 2018 at 03:46:32PM +0100, Jonathan Buzzard wrote:
> On Thu, 2018-05-24 at 14:16 +, Skylar Thompson wrote:
> > I haven't needed to change the LDAP attributes that CES uses, but I
> > do see --user-id-attrib in the mmuserauth documentation.
> > Unfortunately, I don't see an equivalent one for gidNumber.
> > 
> 
> Is it not doing the "Samba thing" where your GID is the GID of your
> primary Active Directory group? This is usually "Domain Users" but not
> always.
> 
> Basically Samba ignores the separate GID field in RFC2307bis, so one
> imagines the options for changing the LDAP attributes are non-existent.
> 
> I know back in the day this had me stumped for a while because unless
> you assign a GID number to the user's primary group then Winbind does
> not return anything, aka a "getent passwd" on the user fails.

At least for us, it seems to be using the gidNumber attribute of our users.
On the back-end, of course, it is Samba, but I don't know that there are
mm* commands available for all of the tunables one can set in smb.conf.

-- 
-- Skylar Thompson (skyl...@u.washington.edu)
-- Genome Sciences Department, System Administrator
-- Foege Building S046, (206)-685-7354
-- University of Washington School of Medicine
___
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss


Re: [gpfsug-discuss] Question concerning integration of CES with AD authentication system

2018-05-24 Thread Jonathan Buzzard
On Thu, 2018-05-24 at 14:16 +, Skylar Thompson wrote:
> I haven't needed to change the LDAP attributes that CES uses, but I
> do see --user-id-attrib in the mmuserauth documentation.
> Unfortunately, I don't see an equivalent one for gidNumber.
> 

Is it not doing the "Samba thing" where your GID is the GID of your
primary Active Directory group? This is usually "Domain Users" but not
always.

Basically Samba ignores the separate GID field in RFC2307bis, so one
imagines the options for changing the LDAP attributes are non-existent.

I know back in the day this had me stumped for a while because unless
you assign a GID number to the user's primary group then Winbind does
not return anything, aka a "getent passwd" on the user fails.

JAB.

-- 
Jonathan A. Buzzard Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG


___
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss


Re: [gpfsug-discuss] Question concerning integration of CES with AD authentication system

2018-05-24 Thread Skylar Thompson
I haven't needed to change the LDAP attributes that CES uses, but I do see
--user-id-attrib in the mmuserauth documentation. Unfortunately, I don't
see an equivalent one for gidNumber.

On Thu, May 24, 2018 at 08:45:00AM +, Dorigo Alvise (PSI) wrote:
> Dear members,
> at PSI I'm trying to integrate the CES service with our AD authentication 
> system.
> 
> My understanding, after talking to expert people here, is that I should use 
> the RFC2307 model for ID mapping (described here: https://goo.gl/XvqHDH). The 
> problem is that our ID schema is slightly different than that one described 
> in RFC2307. In the RFC the relevant user identification fields are named 
> "uidNumber" and "gidNumber". But in our AD database schema we have:
> 
> # egrep 'uid_number|gid_number' /etc/sssd/sssd.conf
> ldap_user_uid_number = msSFU30UidNumber
> ldap_user_gid_number = msSFU30GidNumber
> ldap_group_gid_number = msSFU30GidNumber
> 
> My question is: is it possible to configure CES to look for the custom field 
> labels (those ones listed above) instead the default ones officially 
> described in rfc2307 ?
> 
> many thanks.
> Regards,
> 
>Alvise Dorigo

> ___
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss


-- 
-- Skylar Thompson (skyl...@u.washington.edu)
-- Genome Sciences Department, System Administrator
-- Foege Building S046, (206)-685-7354
-- University of Washington School of Medicine
___
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss


[gpfsug-discuss] Question concerning integration of CES with AD authentication system

2018-05-24 Thread Dorigo Alvise (PSI)
Dear members,
at PSI I'm trying to integrate the CES service with our AD authentication 
system.

My understanding, after talking to expert people here, is that I should use the 
RFC2307 model for ID mapping (described here: https://goo.gl/XvqHDH). The 
problem is that our ID schema is slightly different than that one described in 
RFC2307. In the RFC the relevant user identification fields are named 
"uidNumber" and "gidNumber". But in our AD database schema we have:

# egrep 'uid_number|gid_number' /etc/sssd/sssd.conf
ldap_user_uid_number = msSFU30UidNumber
ldap_user_gid_number = msSFU30GidNumber
ldap_group_gid_number = msSFU30GidNumber

My question is: is it possible to configure CES to look for the custom field 
labels (those ones listed above) instead the default ones officially described 
in rfc2307 ?

many thanks.
Regards,

   Alvise Dorigo
___
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss