On 2017-04-13 15:09, Diego Zuccato wrote:
>
> On 12/04/2017 08:52, Janne Blomqvist wrote:
>
>> BTW, do you have some kind of trust relationship between your FreeIPA
>> domain and the AD domain, or how do you do it? I did play around with
>> using FreeIPA for our cluster as well and somehow synchronizing it with
>> the university AD domain, but in the end we managed to convince the
>> university IT to allow us to join our nodes directly to AD, so we were
>> able to skip FreeIPA entirely.
>
> What are you using to join nodes to AD?
>
> I've used samba-winbind in the past but it was very fragile, and am
> currently using PBIS-Open but it's having problems with colliding UIDs
> and GIDs (multi-domain forest with quite a lot of [100k+] users and even
> more groups).
>
We use adcli (there's an rpm package called adcli in EL7, FWIW; upstream seems to be http://cgit.freedesktop.org/realmd/adcli ). For node provisioning, adcli allows pre-creating multiple machine accounts with one command (with the help of python-hostlist you can expand hostlist syntax), and then when the node first boots the node joins AD with a one-time password (run via ansible-pull).

A minor caveat is that we have some Samba gateway nodes to give laptops and Windows workstations access to Lustre, and samba isn't happy with the domain join that adcli does, so for these we use the samba "net ads join ..." command to join them.

Not sure how any of this would work with colliding UIDs/GIDs.

-- 
Janne Blomqvist, D.Sc. (Tech.), Scientific Computing Specialist
Aalto University School of Science, PHYS & NBE
+358503841576 || janne.blomqv...@aalto.fi
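As an added illustration of the pre-create-then-join workflow described above (example code, not from the original post, from adcli or from python-hostlist): the range expander below is a small stand-in for the python-hostlist package, and the domain name, host names and one-time password are made-up values. The two `adcli` invocations are built as argv lists so they can be inspected before anything is run; `adcli preset-computer` and `adcli join` both accept `--one-time-password`.

```python
"""Expand hostlist-style node names and build the adcli commands for an
AD pre-create-then-join workflow.  Added example; the bracket expander is
a minimal stand-in for python-hostlist, and every domain, host name and
password below is a made-up value."""
import re
import secrets
import shlex

_BRACKET = re.compile(r"\[([^\]]+)\]")


def _split_top_level(spec):
    """Split on commas that are not inside [...]."""
    parts, cur, depth = [], [], 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p for p in parts if p]


def _expand_one(spec):
    """Expand the first [...] group in spec, recursing for any later groups.
    Ranges are numeric only; "01-03" keeps its zero padding, "1-10" does not."""
    m = _BRACKET.search(spec)
    if m is None:
        return [spec]
    head, body, tail = spec[: m.start()], m.group(1), spec[m.end():]
    names = []
    for part in body.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            width = len(lo) if len(lo) == len(hi) else 0
            values = [str(i).zfill(width) for i in range(int(lo), int(hi) + 1)]
        else:
            values = [part]
        for v in values:
            names.extend(_expand_one(head + v + tail))
    return names


def expand_hostlist(spec):
    """'cn[001-002],gpu[1-2]' -> ['cn001', 'cn002', 'gpu1', 'gpu2']"""
    names = []
    for piece in _split_top_level(spec):
        names.extend(_expand_one(piece))
    return names


def preset_command(domain, otp, hosts):
    """argv for the admin side: pre-create all machine accounts in one call."""
    return ["adcli", "preset-computer", f"--domain={domain}",
            f"--one-time-password={otp}", *hosts]


def join_command(domain, otp):
    """argv for the node side (e.g. run by ansible-pull on first boot).
    adcli defaults the computer name to the node's own hostname."""
    return ["adcli", "join", f"--domain={domain}", f"--one-time-password={otp}"]


def new_one_time_password():
    """Random join password; it is only valid until the node has joined."""
    return secrets.token_urlsafe(24)


if __name__ == "__main__":
    domain = "ad.example.org"                          # assumed domain
    otp = new_one_time_password()
    hosts = expand_hostlist("cn[001-004],gpu[1-2]")  # constructed hostlist
    # Printed rather than executed: preset-computer needs domain admin
    # credentials, join needs to run on the node itself.
    print(shlex.join(preset_command(domain, otp, hosts)))
    print(shlex.join(join_command(domain, otp)))
```

Two practical notes: the admin-side command has to run with domain credentials (adcli prompts for them or uses an existing Kerberos ticket), and a password given as a command-line argument is visible in the process list on that host for the duration of the command, so the one-time password should be generated per batch and retired as soon as the nodes have joined.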