File and Object Storage


IBM Spectrum Scale™ Authentication using Active Directory and RFC2307

By Archive User posted Fri September 01, 2017 03:35 PM

Now that we have seen how to configure IBM Spectrum Scale™ with Automatic ID Mapping for Windows-only environments, we can move on to configuring Active Directory for a mixed environment.
For a mixed environment, which comprises Windows clients as well as UNIX clients for file access, we support:
  • Active Directory with RFC2307

  • Active Directory with LDAP.

    Here RFC2307 or LDAP is used as the ID mapping server, while AD is used for authentication.

    Configuring AD-based authentication with RFC2307 ID mapping

    This configuration is useful when you plan to use pre-existing UNIX clients, or the NFS and SMB protocols, for data access together with the AFM feature of the IBM Spectrum Scale™ system. In this configuration we also support NFSv3 with Kerberos along with NFSv4 with and without Kerberos.

    Command to Configure Plain AD with RFC2307

    Issue the mmuserauth service create command as shown in the following example:

    # mmuserauth service create --type ad --data-access-method file --netbios-name specscale --user-name administrator --idmap-role master --servers myADserver --password Passw0rd --idmap-range-size 1000000 --idmap-range 10000000-299999999 --unixmap-domains 'DOMAIN1(5000-20000)'

  • --type - The type of authentication; here it is AD.

  • --data-access-method - In this case we use File.

  • --netbios-name - It should be a unique identifier on a network. The NetBIOS name is limited to 15 ASCII characters and must not contain any white space or one of the following characters: / : * ? . " ; |
    The NetBIOS name must be selected carefully. If there are name collisions across multiple IBM Spectrum Scale™ clusters, or between the AD Domain and the NetBIOS name, the configuration does not work properly.

  • --user-name - This is the user name used to perform operations against the authentication server. The user specified must have sufficient permissions to read user and group attributes from the authentication server and to create a machine account for the join between the domain and IBM Spectrum Scale™. This user does not need to be an administrator.

  • --idmap-role - If you have only a single standalone deployment, this value remains "master". If you plan to have two or more systems in an AFM relationship, the primary system is the "master" while the secondary system or DR site has the role "subordinate".
    Important: ID mappings are always created only on the "master" system. On the "subordinate" system, these ID mappings have to be imported from the "master" system.

  • --servers - The server name or the IP address of the domain controller is specified here. You can specify only a single server. Any other domains that you want to authenticate against must have a two-way trust with the server that you pass to the command.

  • --password - This is the password for the user specified in --user-name.

  • --idmap-range-size - This is the size of the bucket of UIDs and GIDs allocated from the idmap-range to each domain that authenticates successfully. For example, if --idmap-range is defined as 10000000-299999999 and the range size is defined as 1000000, each domain is assigned a bucket of 1000000 IDs, and the next domain gets the next bucket of 1000000 IDs. A total of 290 domains can be mapped. If a domain has more than 1000000 users, the next idmap-range bucket of another 1000000 IDs is assigned to it.
    Important: Choose the range size value carefully because range size cannot be changed after the first AD domain is defined on the IBM Spectrum Scale™ system.

  • --idmap-range - This is the range of values from which UIDs and GIDs are automatically generated and assigned by the system to the Active Directory users and groups.

  • --unixmap-domains - This list specifies the AD domains for which the user ID and group ID should be fetched from the AD server. This option is only valid with --type ad and --data-access-method file. The value takes this format: DOMAIN1(L1-H1)[;DOMAIN2(L2-H2)[;DOMAIN3(L3-H3)....]].
    Here L1-H1 is the low-high range for that domain within which the UIDs and GIDs exist. These values must be pre-filled appropriately in the "UNIX Attributes" tab for each user of that domain by the AD administrator. Also, each user's primary group must have a valid GID that is within the specified range.

  • Note: With this type of configuration you can also pass the flag --enable-nfs-kerberos, which enables Kerberized NFSv4-based access to exports.
    Check the man page of mmuserauth for more information on the different parameters that can be used and their details.

    If successful, the system displays the following output:

    File Authentication configuration completed successfully.

    Verify the authentication configuration by issuing the command as shown below:

    # mmuserauth service list

    The system displays the following output:

    FILE access configuration : AD
    SERVERS myADserver
    USER_NAME administrator
    IDMAP_ROLE master
    IDMAP_RANGE 10000000-299999999
    IDMAP_RANGE_SIZE 1000000

    OBJECT access not configured

    So, as you can see, the output above lists the authentication configuration details: the server used for authentication, the NetBIOS name assigned, the ID map range and range size, and the UNIX map domains and their details.
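As an added example that is not part of the original post and not code from the mmuserauth tool, the following Python script pre-checks three of the parameters described above before you run the command: the NetBIOS name rules, the DOMAIN(L-H) syntax of --unixmap-domains, and the number of domain buckets that --idmap-range and --idmap-range-size yield (290 for the values in the example). The final overlap check is my own planning assumption, not a documented constraint.

```python
import re

# Constraints quoted from the --netbios-name description above.
NETBIOS_MAX_LEN = 15
NETBIOS_FORBIDDEN = set('/:*?.";|')

def check_netbios_name(name: str) -> list:
    """Return the rule violations for a proposed --netbios-name (empty list if it passes)."""
    problems = []
    if not name.isascii():
        problems.append("contains non-ASCII characters")
    if len(name) > NETBIOS_MAX_LEN:
        problems.append(f"longer than {NETBIOS_MAX_LEN} characters")
    if any(c.isspace() for c in name):
        problems.append("contains white space")
    bad = sorted(set(name) & NETBIOS_FORBIDDEN)
    if bad:
        problems.append("contains forbidden characters: " + " ".join(bad))
    return problems

# One entry of the --unixmap-domains value: DOMAIN(L-H)
_ENTRY_RE = re.compile(r"^([^();\s]+)\((\d+)-(\d+)\)$")

def parse_unixmap_domains(spec: str) -> dict:
    """Parse 'DOMAIN1(L1-H1)[;DOMAIN2(L2-H2)...]' into {DOMAIN: (low, high)}."""
    ranges = {}
    for entry in spec.split(";"):
        m = _ENTRY_RE.match(entry.strip())
        if not m:
            raise ValueError(f"malformed --unixmap-domains entry: {entry!r}")
        dom, low, high = m.group(1).upper(), int(m.group(2)), int(m.group(3))
        if low > high:
            raise ValueError(f"{dom}: low bound {low} exceeds high bound {high}")
        if dom in ranges:
            raise ValueError(f"{dom}: domain listed more than once")
        ranges[dom] = (low, high)
    return ranges

def idmap_buckets(idmap_range: str, range_size: int) -> int:
    """Whole buckets of range_size IDs that fit in --idmap-range, i.e. how many
    domains can each receive one auto-assigned bucket."""
    low, high = (int(x) for x in idmap_range.split("-"))
    return (high - low + 1) // range_size

def unixmap_overlapping_idmap(ranges: dict, idmap_range: str) -> list:
    """Domains whose RFC2307 range intersects the auto-generated --idmap-range.
    Flagging this is my planning assumption, not a documented constraint."""
    low, high = (int(x) for x in idmap_range.split("-"))
    return sorted(d for d, (lo, hi) in ranges.items() if lo <= high and hi >= low)
```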

    Limitations of AD + RFC2307

  • We do not support migrating the internally generated user and group ID maps to an external ID mapping server. If a customer wants to move from automatic ID mapping to RFC2307, it is their responsibility to make sure the IDs are the same; otherwise access will be denied. This needs to be planned properly, so we recommend fully researching the types of clients that will access the data and choosing a suitable authentication method from the start.

  • Enabling RFC2307 for a trusted domain requires a two-way trust between the native and the trusted domains. The customer is responsible for configuring the two-way trust relationship between these domains.

  • To access the IBM Spectrum Scale™ system, users and groups must have a valid UID/GID assigned to them in AD, and the user's primary Microsoft Windows group must be assigned a valid GID.

  • Kerberized NFSv3-based access is not supported by AD as an authentication server.
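Because a user whose UID, or whose primary group's GID, is missing or outside the domain's range is denied access, here is an added audit over a constructed set of AD "UNIX Attributes" values (not the post's or IBM's code; the users, groups and the DOMAIN1(5000-20000) range are assumed sample data) that reports who would be denied before the join is done.

```python
# Constructed sample of what an AD administrator would have filled into the
# "UNIX Attributes" tab, held as Python data instead of a live LDAP query.
# The domain range is the one from the mmuserauth example: DOMAIN1(5000-20000).
DOMAIN_RANGES = {"DOMAIN1": (5000, 20000)}

# Constructed groups: name -> gidNumber (None means no GID assigned in AD).
GROUPS = {"Domain Users": 5001, "engineering": 5002,
          "legacy-app": None, "contractors": 40000}

# Constructed users: (sAMAccountName, uidNumber, primary group name).
USERS = [
    ("alice", 5100, "Domain Users"),
    ("bob", None, "Domain Users"),      # no UID in UNIX Attributes
    ("carol", 5101, "legacy-app"),      # primary group has no GID
    ("dave", 25000, "Domain Users"),    # UID outside DOMAIN1's range
    ("erin", 5102, "contractors"),      # primary group GID outside range
]

def in_range(value, bounds) -> bool:
    """True when value is set and lies within the inclusive (low, high) bounds."""
    return value is not None and bounds[0] <= value <= bounds[1]

def audit_domain(domain, users, groups, domain_ranges) -> dict:
    """Return {user: reason} for every user that would be denied access because
    the UID, or the primary group's GID, is missing or outside the domain range."""
    bounds = domain_ranges[domain]
    denied = {}
    for name, uid, pgroup in users:
        gid = groups.get(pgroup)
        if not in_range(uid, bounds):
            denied[name] = f"uidNumber {uid} not in {bounds}"
        elif not in_range(gid, bounds):
            denied[name] = f"primary group {pgroup!r} gidNumber {gid} not in {bounds}"
    return denied

if __name__ == "__main__":
    for user, reason in audit_domain("DOMAIN1", USERS, GROUPS, DOMAIN_RANGES).items():
        print(f"{user}: {reason}")
```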
