"mmadquery", a powerful tool that helps check AD settings from Spectrum Scale

By Archive User posted Mon November 11, 2019 03:23 PM

If you are looking for ways to check AD related settings like User Info, Group Info, DC info or even ID Mapping related info then this article will help you.

In Spectrum Scale we have a very useful tool, "mmadquery". Using this tool/command you can query the AD server to get the following information:
1. User Info
2. Group Info
3. DC Info
4. Trust Info
5. ID Range Info

mmadquery Tool Description

Now let's see what information you can get using this tool.

"mmadquery" queries and validates Active Directory (AD) server settings. You can use the command to list the various information or you can check for User and group Info. You can also print statistics about AD Server objects.

You can run this tool in the following three ways:
mmadquery list {user | uids | gids | groups | dc | trusts | idrange} [Options]

mmadquery check {uids | gids | idrange} [Options]

mmadquery stats {user | uids}

Help to Diagnose Issue

This tool is very useful when you want to diagnose an issue, especially one related to user authentication or access.
We urge you to use this tool to identify such issues so that you can resolve them yourself quickly.

Some of the common issues where you can use this command are:
1. You have configured authentication with AD + RFC2307 and users are not able to authenticate themselves.
Here you can check for the following:
i) Check the ID map range set for the domain.
ii) Check if the user's UID and GID are also in the same range.
iii) Check if the Primary group has a valid GID set.

Now how do you do all this from Spectrum Scale?
This is where the tool comes in handy. Just run:
# mmadquery list uids --filter="user1"

UIDS from server X.X.X.X (domain DOMAIN.COM)
User          SID                                          UID           UIDNumber
------------- -------------------------------------------- ------------- ---------
user1         S-1-5-21-733047736-3426338400-2963614976-500 user1         20021

# mmadquery list uids --filter="user1" -L

UIDS from server X.X.X.X (domain DOMAIN.COM)
User          SID                                          UID           UIDNumber GIDNumber Primary Group ID Primary Group GID
------------- -------------------------------------------- ------------- --------- --------- ---------------- -----------------
user1         S-1-5-21-733047736-3426338400-2963614976-500 user1         20021     21000     513              -

Now check whether UIDNumber and GIDNumber are correct. If they are not as expected, that could be the reason for the access or authentication failure.

2. UIDNumber and GIDNumber seem correct, but still access or authentication is failing.
In this case, check if the UIDNumber and GIDNumber are in the range that has been set for the domain. In case of AUTO IDMapping, this is taken care of automatically. However, for AD + RFC2307 or AD + LDAP where you have to manually set the UID and GID for every user, you need to check and confirm that it is indeed in the right range.

To check this, run the following:
# mmadquery list idrange --traverse-domains

IDRANGE from server X.X.X.X (domain DOMAIN.COM)
Domain IDRange
--------- -----------------
DOMAIN.COM 20000-30000

IDRANGE from server Y.Y.Y.Y (domain
Domain        IDRange
------------- ------------------
              50000-60000

Here you can see the ranges for the different trusted domains around the joined domain. Check if the UID and GID fit in the range.
If not, you will need to rectify this.
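
The checks from cases 1 and 2 can be scripted. The following is an added example, not part of the original post or of Spectrum Scale: it assumes the column layout shown in the outputs above, and the function name check_ad_ids, the sample text and user2 (with its SID) are constructed for illustration.

```bash
#!/bin/bash
# Added example: cross-check "mmadquery list uids -L" against "mmadquery list idrange".
# Both samples are constructed in the layout shown above; user2 and its SID are made up.
SAMPLE_IDRANGE='IDRANGE from server X.X.X.X (domain DOMAIN.COM)
Domain     IDRange
---------  -----------------
DOMAIN.COM 20000-30000'

SAMPLE_UIDS='UIDS from server X.X.X.X (domain DOMAIN.COM)
User  SID  UID  UIDNumber  GIDNumber  Primary Group ID  Primary Group GID
----- ---- ---- ---------- ---------- ----------------- -----------------
user1 S-1-5-21-733047736-3426338400-2963614976-500 user1 20021 21000 513 -
user2 S-1-5-21-733047736-3426338400-2963614976-1105 user2 45000 21000 513 21000'

# check_ad_ids IDRANGE_TEXT UIDS_TEXT
# Prints one line per finding (or "<user>: OK"); returns 1 if anything was flagged.
check_ad_ids() {
  printf '%s\n%s\n' "$1" "$2" | awk '
    function inrange(v, d) {
      return (v ~ /^[0-9]+$/) && (d in lo) && (v + 0 >= lo[d]) && (v + 0 <= hi[d])
    }
    # Section header: "<KIND> from server <ip> (domain <NAME>)"
    /from server/ { kind = $1; dom = $NF; sub(/\)$/, "", dom); next }
    # idrange row: "<DOMAIN> <low>-<high>"
    kind == "IDRANGE" && $2 ~ /^[0-9]+-[0-9]+$/ {
      split($2, r, "-"); lo[$1] = r[1] + 0; hi[$1] = r[2] + 0; next
    }
    # uids -L row: user, SID, UID, UIDNumber, GIDNumber, primary group RID, primary group GID
    kind == "UIDS" && $2 ~ /^S-1-/ && NF >= 7 {
      n = 0
      if (!(dom in lo)) { print $1 ": no ID range known for " dom; n++ }
      else {
        rng = lo[dom] "-" hi[dom]
        if (!inrange($4, dom)) { print $1 ": UIDNumber " $4 " outside " rng; n++ }
        if (!inrange($5, dom)) { print $1 ": GIDNumber " $5 " outside " rng; n++ }
      }
      if ($7 !~ /^[0-9]+$/) { print $1 ": primary group has no GID"; n++ }
      if (n == 0) print $1 ": OK"
      bad += n
    }
    END { exit (bad > 0) }
  '
}

check_ad_ids "$SAMPLE_IDRANGE" "$SAMPLE_UIDS" || echo "findings above need fixing in AD"
```

On a protocol node, pass the real command output instead of the samples, for example check_ad_ids "$(mmadquery list idrange --traverse-domains)" "$(mmadquery list uids -L)".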

So, in general, you can use the tool to get as much information as you need about users, groups and authentication-related settings.

3. Check if DC is UP and Running
Sometimes you may want to check if your DC is connected correctly. To do this, you can use this tool to check the DC too.
Run the following:
# mmadquery list dc

DC from server X.X.X.X (domain DOMAIN.COM)
DC Hostname
-------------- ------------------------

You can also use this tool to check whether all the settings are OK. To do so, use the command's "check" option to check users' UIDs and GIDs, with the --filter option to search for a specific user or group.

This tool can also be used to check the stats for users and UIDs.
# mmadquery stats

mmadquery stats user lists the number of users defined on the AD server, by group and with a total.
mmadquery stats uids lists the number of mapped, unmapped and total users defined on the AD server.

For more information, you can check the man page for mmadquery in the Knowledge Center.


So, now you know more about this tool and should be able to use it to diagnose your authentication and access related issues.
Feel free to comment if you have any queries and I will be glad to help answer them.