File and Object Storage

Software-defined storage for building a global AI, HPC and analytics data platform 

  • 1.  Authentication on CES nodes

    Posted Tue July 02, 2024 10:37 AM

    Hi,

    I have a question regarding CES nodes (aka protocol nodes).

    We set up AD authentication and, according to this documentation, the sssd service has to be stopped:

    Authentication limitations

    However, we still need to allow authentication for some users using their central credentials, which previously went via PAM/sssd.

    I thought of configuring PAM to use winbind, but installing samba-winbind-modules (which provides pam_winbind.so) is impossible due to conflicts with the gpfs.smb package.

    So, is there any way to configure authentication via central credentials on CES?


    Regards,

    Ivano



    ------------------------------
    Ivano talamo
    ------------------------------


  • 2.  RE: Authentication on CES nodes

    Posted Wed July 31, 2024 01:00 AM

    Hello Ivano,
    this is a bad story here, and we had the same issues two years ago. But we had a config that works. Here is what we want.
    If you have an existing mmuserconfig, then you must delete it first:
    1. Preparation:
    mmuserauth service remove --data-access-method file
    /usr/lpp/mmfs/bin/net conf delparm global 'idmap config ipa : backend'
    /usr/lpp/mmfs/bin/net conf delparm global 'idmap config ipa : range'
    /usr/lpp/mmfs/bin/net conf delparm global 'idmap config ipa : schema_mode'
    /usr/lpp/mmfs/bin/net conf delparm global 'idmap config ipa : unix_primary_group'

    Set idmap to nss:
    /usr/lpp/mmfs/bin/net conf setparm global 'idmap config lan : backend' nss
    /usr/lpp/mmfs/bin/net conf setparm global 'idmap config lan : range' 200000000-299999999
    mmuserauth service create --data-access-method file --type ad --servers <domain> --user-name <domain-admin> --netbios-name <Service-name> --idmap-role master --enable-nfs-kerberos --unixmap-domains lan'(200-100000000: unix)' --idmap-range 200000000-299999999 --idmap-range-size 1000000

    The above numbers should be adjusted for your side.

    Change nsswitch.conf:
    from:

    passwd: files winbind sss
    group: files winbind sss
    to:
    passwd: files sss
    group: files sss

    Restart some components:
    mmdsh -N CesNodes systemctl restart gpfs-winbind
    mmdsh -N CesNodes systemctl restart sssd

    Check:
    mmuserauth service check
    You can ignore the "Checking nsswitch file" ERROR.

    This is our config with sssd and winbind active on the same machine.
    Regards Renar






    ------------------------------
    renar Grunenberg
    HUK Coburg
    Coburg
    ------------------------------
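
A pre-flight check for the settings in the reply above, as an added example that is not part of either post and not IBM's tooling: it confirms that the `passwd` and `group` lines of an nsswitch.conf list `sss` without `winbind`, and that adjusted ID ranges do not collide. The function names are hypothetical, the sample file is constructed, and it assumes the unix-mapped range and `--idmap-range` are meant to stay disjoint, as they are in the posted values.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; sample data below is constructed.

# Print the source list of one nsswitch.conf database, comments stripped.
nss_sources() {  # $1 = file, $2 = database (e.g. passwd)
    awk -v db="$2:" '{ sub(/#.*/, ""); sub(/:/, ": ") }
        $1 == db { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Succeed only if the database lists sss and does not list winbind.
nss_ok() {  # $1 = file, $2 = database
    src=" $(nss_sources "$1" "$2") "
    case "$src" in *" winbind "*) return 1 ;; esac
    case "$src" in *" sss "*) return 0 ;; esac
    return 1
}

# Succeed only if two inclusive ranges "LOW-HIGH" share no ID.
ranges_disjoint() {  # $1, $2 = LOW-HIGH
    a_lo=${1%-*}; a_hi=${1#*-}; b_lo=${2%-*}; b_hi=${2#*-}
    [ "$a_hi" -lt "$b_lo" ] || [ "$b_hi" -lt "$a_lo" ]
}

# Number of blocks of the given range size that fit in an idmap range.
idmap_slices() {  # $1 = LOW-HIGH, $2 = range size
    lo=${1%-*}; hi=${1#*-}
    echo $(( (hi - lo + 1) / $2 ))
}

# Constructed sample: the "to" state from the reply, checked from a temp file.
sample=$(mktemp)
printf 'passwd: files sss\ngroup: files sss\n' > "$sample"
for db in passwd group; do
    if nss_ok "$sample" "$db"; then echo "$db: ok"; else echo "$db: unexpected sources"; fi
done
if ranges_disjoint 200-100000000 200000000-299999999; then echo "ranges: disjoint"; fi
echo "slices: $(idmap_slices 200000000-299999999 1000000)"
rm -f "$sample"
```

To check a live node, pass `/etc/nsswitch.conf` as the file argument and substitute the ranges chosen for your own domain.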