As part of the new feature added into Release 5.0.4 for
IBM™ Spectrum Scale, you can now configure authentication with AD + RFC2307 schema where the domains may have overlapping unixmap ranges
We have seen in some cases where there are two or more domains in an environment where the same users are registered in each domain. Till now domain needed to have a unique UNIXMAP Range within which users and groups are assigned the UID and GIDs respectively. Like in this case, user "John" in domain A and user "John" in Domain B are not the same, since each of them have a distinct SID and also each of them will have a distinct UID in the UNIX Attribute Field in case of RFC2307.
In case of AUTO IDmapping UID and GID generation is calculated based on the SID which is generated automatically. So, we cannot control the creation of UID and hence every time it will be a distinct UID even for same user across different domains.
To gain access across all the domains, each time new data is created, users from different domains need to be given access.
But it would be so much better if we could configure domains with overlapping IDmapping across all domains with AD+RFC2307 authentication configured.
So this way, we could map user "John" from Domain A to UID 20000 and also have user "John" from Domain B have UID as 20000.
Now each time new data is created and ACL is set for UID 20000, "John" from each domain who has UID as 20000 can access the data.
This makes the setup so much easier.
Here is how you can set it up.
Command Help:
Usage:
mmuserauth service create [-h|--help] --data-access-method {file|object} --type {ldap|local|ad|nis|userdefined} --servers [--base-dn]
{[--enable-anonymous-bind]|[--user-name] [--pwd-file]} [--enable-server-tls] [--enable-ks-ssl]
[--enable-kerberos] [--enable-nfs-kerberos]
[--user-dn] [--group-dn] [--netgroup-dn]
[--netbios-name] [--domain] [--idmap-role {master|subordinate}] [--idmap-range] [--idmap-range-size]
[--user-objectclass] [--group-objectclass]
[--user-name-attrib] [--user-id-attrib] [--user-mail-attrib] [--user-filter]
[--ks-dns-name] [--ks-admin-user] [--ks-swift-user] [--ks-ext-endpoint]
[--kerberos-server] [--kerberos-realm]
[--unixmap-domains]
[--enable-overlapping-unixmap-ranges] [--ldapmap-domains]
--enable-overlapping-unixmap-ranges is now a NEW FLAG added.
Using this flag you can indicate that the UNIXMAP ranges you will set, will have Overlapping unixmap ranges.
1. Configure Overlapping UNIXMAP Ranges with proposed flagIssue the
mmuserauth service create command as shown in the following example:
# mmuserauth service create --data-access-method file --type ad --servers myADserver --user-name adUser
--netbios-name specscale --idmap-role master
--unixmap-domains "DOMAIN1(2000-4000); DOMAIN2(2000-4000)" --enable-overlapping-unixmap-rangesCopyThe system displays this output:
Enter Active Directory User 'adUser' password:
Enabling Overlapping unixmap ranges. Make sure that UIDs and GIDs are unique in order to avoid ACLs
or/and data access issues. See man mmuserauth for further details.File authentication configuration completed successfully.
2. To check the configuration, run the # mmuserauth service list command# mmuserauth service list
FILE access configuration : AD
PARAMETERS VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS false
SERVERS "*"
USER_NAME specscale$
NETBIOS_NAME specscale
IDMAP_ROLE master
IDMAP_RANGE 10000000-299999999
IDMAP_RANGE_SIZE 1000000
UNIXMAP_DOMAINS DOMAIN1(2000-4000:win);DOMAIN2(2000-4000:win)LDAPMAP_DOMAINS none
3. Setting overlapping UNIXMAP ranges, but without proposed flagYou will see error as follows:
# mmuserauth service create --data-access-method file --type ad --servers myADserver --user-name adUser
--netbios-name specscale --idmap-role master
--unixmap-domains "SONAS(2000-4000); RIGEL(4000-6000)"Enter Active Directory User 'adUser' password:
AD Domain RIGEL range 4000-6000 overlaps with AD domain SONAS range of 2000-4000.
mmuserauth service create: Missing required parameter --enable-overlapping-unixmap-ranges to configure overlapping unixmap-domains ranges. See manpage mmuserauth for more details.mmuserauth service create: Command failed. Examine previous error messages to determine cause.
[root@c3n2 ~]#
4. Setting the flag but do not intend to set overlapping UNIXMAP rangesYou will see error like so:
# mmuserauth service create --data-access-method file --type ad --servers myADserver --user-name adUser
--netbios-name specscale --idmap-role master
--unixmap-domains "SONAS(2000-4000); RIGEL(5000-6000)" --enable-overlapping-unixmap-rangesEnter Active Directory User 'adUser' password:
mmuserauth service create: [E] Error: Missing overlapping unixmap-ranges when --enable-overlapping-unixmap-ranges option is used.mmuserauth service create: Command failed. Examine previous error messages to determine cause.
So now you know how to enable overlapping UNIXMAP ranges across multiple domains.
Do let us know if you have any queries and we will surely answer them.
You can also learn more about authentication and their types here:
IBM™ Spectrum Scale™ Authentication using Active Directory and RFC2307IBM™ Spectrum Scale™ Authentication using Active DirectoryIBM™ Spectrum Scale™ Authentication for File Access – Overview#ibm#IBMSoftwareDefinedStorage#Cloudstorage#IBMSpectrumScale#Softwaredefinedstorage#softwaredefinedstorage#spectrumscale