Hello Ivano,
this is a bad story here, and we had the same issues two years ago. But we had a config that works. Here is what we want.
If you have an existing mmuserconfig, then you must delete it first:
1. Preparation:
mmuserauth service remove --data-access-method file
/usr/lpp/mmfs/bin/net conf delparm global 'idmap config ipa : backend'
/usr/lpp/mmfs/bin/net conf delparm global 'idmap config ipa : range'
/usr/lpp/mmfs/bin/net conf delparm global 'idmap config ipa : schema_mode'
/usr/lpp/mmfs/bin/net conf delparm global 'idmap config ipa : unix_primary_group'
Set idmap to nss:
/usr/lpp/mmfs/bin/net conf setparm global 'idmap config lan : backend' nss
/usr/lpp/mmfs/bin/net conf setparm global 'idmap config lan : range' 200000000-299999999
mmuserauth service create --data-access-method file --type ad --servers <domain> --user-name <domain-admin> --netbios-name <Service-name> --idmap-role master --enable-nfs-kerberos --unixmap-domains lan'(200-100000000: unix)' --idmap-range 200000000-299999999 --idmap-range-size 1000000
The above number should be adjusted for your side.
change nsswitch.conf:
from:
passwd: files winbind sss
group: files winbind sss
to:
passwd: files sss
group: files sss
restart some components:
mmdsh -N CesNodes systemctl restart gpfs-winbind
mmdsh -N CesNodes systemctl restart sssd
check:
mmuserauth service check
You can ignore the "Checking nsswitch file" ERROR.
This is our config with sssd and winbind active on the same machine.
Regards Renar
------------------------------
renar Grunenberg
HUK Coburg
Coburg
------------------------------
Original Message:
Sent: Tue July 02, 2024 07:54 AM
From: Ivano talamo
Subject: Authentication on CES nodes
Hi,
I have a question regarding CES nodes (aka protocol nodes).
We set up the AD authentication and, according to this documentation, the sssd service has to be stopped:
Authentication limitations
However, we still need to allow authentication to some users using their central credentials that previously was going via PAM/sssd.
I thought to configure PAM to use winbind, but the installation of samba-winbind-modules (that provides pam_winbind.so) is impossible due to conflicts with the gpfs.smb package.
So, is there any way to configure authentication via central credentials on CES?
Regards,
Ivano
------------------------------
Ivano talamo
------------------------------