Hi,

I have a question regarding CES nodes (aka protocol nodes).

We setup the AD authentication and, accordingly to this documentation, the sssd service has to be stopped:

Authentication limitations

However, we still need to allow authentication to some users using their central credentials that previously was going via PAM/sssd.

I thought to configure PAM to use winbind, but the installation of samba-winbind-modules (that provides pam_winbind.so) is impossible due to conflicts with the gpfs.smb package.

So, is there any way to configure authentication via central credentials on CES?

Regards,

Ivano

Hallo Ivano,
this is bad story here and we had two years ago the same issues. But we had a config that work. Here what we want.
If you have a existing mmuserconfig than you must delete ist first:
1. Preparation:
mmuserauth service remove --data-access-method file
/usr/lpp/mmfs/bin/net conf delparm global 'idmap config ipa : backend'
/usr/lpp/mmfs/bin/net conf delparm global 'idmap config ipa : range'
/usr/lpp/mmfs/bin/net conf delparm global 'idmap config ipa : schema_mode'
/usr/lpp/mmfs/bin/net conf delparm global 'idmap config ipa : unix_primary_group'

Set idmap to nss:
/usr/lpp/mmfs/bin/net conf setparm global 'idmap config lan : backend' nss
$ /usr/lpp/mmfs/bin/net conf setparm global 'idmap config lan : range' 200000000-299999999
mmuserauth service create --data-access-method file --type ad --servers <domain> --user-name <domain-admin> --netbios-name <Service-name> --idmap-role master --enable-nfs-kerberos --unixmap-domains lan'(200-100000000: unix)' --idmap-range 200000000-299999999 --idmap-range-size 1000000

The above number should be for your side adjusted.

change nsswitch.conf:
from: