Re: [gpfsug-discuss] CES file authentication - bind account deleted?
Ah, thanks Markus, that’s what I was looking for. Andrew, yes, the service account has been created now; I am more interested in the “what if” we didn’t change things. I suppose this is the result of ~4 years of technical debt on our part!

Thanks,
Richard

From: gpfsug-discuss-boun...@spectrumscale.org On Behalf Of Markus Rohwedder
Sent: 04 September 2018 14:41
To: gpfsug main discussion list
Cc: gpfsug-discuss-boun...@spectrumscale.org
Subject: Re: [gpfsug-discuss] CES file authentication - bind account deleted?

Hello.

The user name should not matter for operations beyond domain join.

mmuserauth man page:

--user-name userName
In case of --type ad with --data-access-method file, the specified username is used to join the cluster to AD domain. It results in creating a machine account for the cluster based on the --netbios-name specified in the command. After successful configuration, the cluster connects with its machine account, and not the user used during the domain join.

So the specified username after domain join has no role to play in communication with the AD domain controller and can even be deleted from the AD server. The cluster can still keep using AD for authentication via the machine account created.

Kind regards

Dr. Markus Rohwedder
Spectrum Scale GUI Development
Phone: +49 7034 6430190
IBM Deutschland Research & Development
E-Mail: rohwed...@de.ibm.com
Am Weiher 24
65451 Kelsterbach
Germany

From: "Andrew Beattie" <abeat...@au1.ibm.com>
To: gpfsug-discuss@spectrumscale.org
Cc: gpfsug-discuss@spectrumscale.org
Date: 04.09.2018 15:18
Subject: Re: [gpfsug-discuss] CES file authentication - bind account deleted?
Sent by: gpfsug-discuss-boun...@spectrumscale.org

Hi Richard,

If you are setting up Protocol authentication against the Active Directory, would you not choose to use a service account that isn't going to get deleted? If you choose to use a user account of a Sys Admin who has Domain admin privileges and they leave the company and their account is deleted, you would almost certainly have issues with the Scale cluster trying to validate users' permissions and having Scale get an error from AD when the credentials that it uses are no longer valid.

Andrew Beattie
Software Defined Storage - IT Specialist
Phone: 614-2133-7927
E-mail: abeat...@au1.ibm.com

- Original message -
From: "Sobey, Richard A" <r.so...@imperial.ac.uk>
Sent by: gpfsug-discuss-boun...@spectrumscale.org
To: "'gpfsug-discuss@spectrumscale.org'"
Cc:
Subject: [gpfsug-discuss] CES file authentication - bind account deleted?
Date: Tue, Sep 4, 2018 8:45 AM

Hi all,

I don’t like using long subject lines as a rule so it probably doesn’t make sense, but consider:

FILE access configuration : AD
PARAMETERS                 VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS        true
SERVERS                    domaincontroller.ic.ac.uk
USER_NAME                  joeblo...@ic.ac.uk
NETBIOS_NAME               store
IDMAP_ROLE                 master
IDMAP_RANGE                1000-2
IDMAP_RANGE_SIZE           100
UNIXMAP_DOMAINS            IC(500 - 200)
LDAPMAP_DOMAINS            none

If “joebloggs” was to leave the organization and that account was deleted from Active Directory, what is the impact on file authentication in CES?

Thanks
Richard

___
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
Re: [gpfsug-discuss] CES file authentication - bind account deleted?
Hello.

The user name should not matter for operations beyond domain join.

mmuserauth man page:

--user-name userName
In case of --type ad with --data-access-method file, the specified username is used to join the cluster to AD domain. It results in creating a machine account for the cluster based on the --netbios-name specified in the command. After successful configuration, the cluster connects with its machine account, and not the user used during the domain join.

So the specified username after domain join has no role to play in communication with the AD domain controller and can even be deleted from the AD server. The cluster can still keep using AD for authentication via the machine account created.

Kind regards

Dr. Markus Rohwedder
Spectrum Scale GUI Development
Phone: +49 7034 6430190
IBM Deutschland Research & Development
E-Mail: rohwed...@de.ibm.com
Am Weiher 24
65451 Kelsterbach
Germany
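As an added example (not code from the thread or from IBM), the following Python parses the FILE access block that `mmuserauth service list` prints, in the layout quoted in this thread, and separates the join-time credential from the AD object the cluster keeps depending on afterwards. The sample output, the example.org names and the IDMAP values are constructed; the machine-account naming rule (NETBIOS_NAME with a trailing `$`) is the standard AD convention for computer accounts, assumed here rather than taken from the thread.

```python
import re

# Constructed sample in the layout of the `mmuserauth service list` output quoted in the
# thread (hostname, user and IDMAP values are placeholders, not the poster's real values).
SAMPLE_OUTPUT = """\
FILE access configuration : AD
PARAMETERS                 VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS        true
SERVERS                    dc.example.org
USER_NAME                  joebloggs@example.org
NETBIOS_NAME               store
IDMAP_ROLE                 master
IDMAP_RANGE                10000000-299999999
IDMAP_RANGE_SIZE           1000000
UNIXMAP_DOMAINS            none
LDAPMAP_DOMAINS            none
"""

def parse_file_auth(output):
    """Return the PARAMETERS/VALUES pairs of the FILE access block as a dict."""
    params = {}
    in_block = False
    for line in output.splitlines():
        if line.startswith("FILE access configuration"):
            in_block = True
            continue
        # Skip the column header, the dashed separator and blank lines.
        if not in_block or not line.strip() or line.startswith(("PARAMETERS", "-")):
            continue
        match = re.match(r"(\S+)\s+(.*\S)\s*$", line)
        if match:
            params[match.group(1)] = match.group(2)
    return params

def dependency_report(params):
    """Separate the join-time credential (USER_NAME) from the object CES keeps using.

    Per the man page quoted in the thread, USER_NAME only performs the join; afterwards the
    cluster authenticates as the machine account created for NETBIOS_NAME, which AD names
    '<NAME>$' (assumed convention; sAMAccountName matching is case-insensitive)."""
    machine_account = params["NETBIOS_NAME"].upper() + "$"
    return {
        "join_account": params.get("USER_NAME", ""),
        "join_account_needed_after_join": False,
        "machine_account": machine_account,
        # LDAP filter a defender can run against AD to confirm the computer object exists.
        "ad_lookup_filter": "(&(objectClass=computer)(sAMAccountName=%s))" % machine_account,
    }
```

Run `dependency_report(parse_file_auth(SAMPLE_OUTPUT))` to get the join account, the machine account and a ready-made LDAP filter; on a real cluster feed it the actual `mmuserauth service list` output instead of the constructed sample.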
Re: [gpfsug-discuss] CES file authentication - bind account deleted?
Hi Richard,

If you are setting up Protocol authentication against the Active Directory, would you not choose to use a service account that isn't going to get deleted? If you choose to use a user account of a Sys Admin who has Domain admin privileges and they leave the company and their account is deleted, you would almost certainly have issues with the Scale cluster trying to validate users' permissions and having Scale get an error from AD when the credentials that it uses are no longer valid.

Andrew Beattie
Software Defined Storage - IT Specialist
Phone: 614-2133-7927
E-mail: abeat...@au1.ibm.com
Re: [gpfsug-discuss] CES file authentication - bind account deleted?
Files owned by "joebloggs" will be owned by the user's uid and gid. Assuming those ids aren't recycled, then there shouldn't be any impact on file authentication, right? It's a different matter if the ids are recycled by AD.

Kind regards,
Zong-Pei

Zong-Pei Han (BSc MSc PhD)
UK MED-BIO Data Systems Administrator
Room 126, Sir Alexander Fleming Building
South Kensington Campus
Imperial College London, SW7 2AZ