File and Object Storage

How to add Linux machine as Active Directory client to access IBM Spectrum Scale™?

By Archive User posted Wed April 29, 2020 08:02 AM

  
If you want to access data on IBM Spectrum Scale from your Linux client over file protocols like CIFS, read on to learn how to configure your Linux machine as a client of your Active Directory.

This article shows you how to configure the client with plain AD ID mapping. I will prepare another one for configuring RFC2307 ID mapping, which is useful for NFS file protocols and Kerberos access.

All these steps are to be done on the Client machine.

Here is some information about my setup before we get started:
1. AD server IP - 192.168.122.121
2. DNS is same - 192.168.122.121
3. Linux Client IP - 192.168.122.90
4. Cluster IP - 192.168.122.139
5. AD Domain Name - AD2012.spectrum
6. Linux Client Name - redstone
7. Spectrum Scale Clustername - specscale
8. Test users we will work with - ad2012user1, ad2012user2
9. CES IP for specscale - 192.168.122.166, 192.168.122.176 and 192.168.122.186

So, let's get started.

1. Edit the /etc/resolv.conf file to point to the correct DNS.

[root@redstone ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 9.18.76.121

2. Update the hostname of the client machine so that it is part of the domain, like so:

[root@redstone ~]# hostname
redstone.ad2012.spectrum

3. Update the /etc/hosts file to add the IP addresses of the cluster and the AD server, and the FQDN of the client itself.

# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.122.166 specscale1.AD2012.SPECTRUM
192.168.122.176 specscale2.AD2012.SPECTRUM
192.168.122.186 specscale3.AD2012.SPECTRUM

192.168.122.121 AD2012.SPECTRUM AD2012 ad2012.spectrum ad2012
192.168.122.90 redstone.AD2012.SPECTRUM redstone

Also make sure all these entries are present in DNS.

4. If the client is a newly installed OS, many packages will be missing, so make sure you install all required packages.
I am listing a few that I had to install during this configuration; they may help you too.

samba
pam-krb5
samba-client.x86_64
samba-winbind.x86_64
samba-winbind-modules.x86_64
bind-utils
net-tools
ntp


5. Update the /etc/samba/smb.conf file so that it looks like this:

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
workgroup = AD2012
security = ADS
password server = 192.168.122.121
realm = AD2012.spectrum
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
template shell = /bin/bash
idmap config * : rangesize = 1000000
idmap config * : range = 10000000-299999999
idmap config * : backend = autorid
kerberos method = secrets and keytab
cups options = raw

passdb backend = tdbsam

printing = cups
printcap name = cups
load printers = yes
cups options = raw

** Update all values according to your own setup.

6. Now start the Samba service.

service smb restart
systemctl status smb.service

If it fails, check whether any other parameter in smb.conf is set wrongly. Go through the parameters again and check that the values match your setup.

It should look like this:

[root@redstone ~]# systemctl status smb.service
● smb.service - Samba SMB Daemon
Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2020-03-18 04:12:52 CST; 9min ago
Docs: man:smbd(8)
man:samba(7)
man:smb.conf(5)
Main PID: 12423 (smbd)
Status: "smbd: ready to serve connections..."
CGroup: /system.slice/smb.service
├─12423 /usr/sbin/smbd --foreground --no-process-group
├─12425 /usr/sbin/smbd --foreground --no-process-group
├─12426 /usr/sbin/smbd --foreground --no-process-group
└─12427 /usr/sbin/smbd --foreground --no-process-group


7. Now start the winbind service.
[root@redstone ~]# service winbind restart
Redirecting to /bin/systemctl restart winbind.service

It should look like this:

[root@redstone ~]# service winbind status
Redirecting to /bin/systemctl status winbind.service
● winbind.service - Samba Winbind Daemon
Loaded: loaded (/usr/lib/systemd/system/winbind.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2020-03-18 04:29:05 CST; 3s ago
Docs: man:winbindd(8)
man:samba(7)
man:smb.conf(5)
Main PID: 12495 (winbindd)
Status: "winbindd: ready to serve connections..."
CGroup: /system.slice/winbind.service
├─12495 /usr/sbin/winbindd --foreground --no-process-group
└─12497 /usr/sbin/winbindd --foreground --no-process-group


8. Edit the /etc/nsswitch.conf file.
Make sure it looks like this, so that you can also use the id command to read the UID, GID, etc.:

passwd: winbind sss files
shadow: files sss
group: winbind sss files

Name lookups should contact winbind first. By default "files" comes first, so this needs to be changed.

9. Edit the /etc/krb5.conf file.

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log


[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = AD2012.SPECTRUM
# default_realm = EXAMPLE.COM


[realms]
AD2012.SPECTRUM = {
kdc = 9.18.76.121:88
}


# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }


[domain_realm]
.ad2012.spectrum = AD2012.SPECTRUM
ad2012.spectrum = AD2012.SPECTRUM

# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM


10. Now join the domain.
Before that, make sure you have added the client host's IP address to the DNS of the AD server.

net ads join -U administrator
Enter administrator's password:
Using short domain name -- AD2012
Joined 'REDSTONE' to dns domain 'ad2012.spectrum'

Now your client is successfully part of the AD domain.
Check with the command wbinfo -u:


[root@redstone ~]# wbinfo -u
AD2012\administrator
AD2012\guest
AD2012\krbtgt
AD2012\ad2016$
AD2012\child2012$
AD2012\ad2012user1
AD2012\rfc2012user1
AD2012\overlap1
AD2012\adminuser
AD2012\chad2012$
AD2012\adcons$
AD2012\ad2008r2$
AD2012\rfc2012user2
AD2012\ad2012user2
[root@redstone ~]#
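Before running net ads join, a small checker like the following catches the configuration slips in the files from steps 5, 8 and 9 that most often make the join or the id lookups fail. It is an added example, not from the original post; the paths default to the standard /etc locations and the checks encode only what the steps above require (security = ADS, the realm matching the Kerberos default_realm, and winbind listed first in nsswitch.conf).

```shell
#!/bin/sh
# Added sanity check (not from the original post) for the client files edited in
# steps 5, 8 and 9. It flags: security not ADS, realm missing or different from
# the Kerberos default_realm, and nsswitch.conf not consulting winbind first.
# Paths can be overridden through the environment, e.g. to check copies.
SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"
NSS_CONF="${NSS_CONF:-/etc/nsswitch.conf}"
KRB_CONF="${KRB_CONF:-/etc/krb5.conf}"

# smb_param FILE NAME: print the value of NAME from [global]. Keys are compared
# case-insensitively as plain strings, so "idmap config * : backend" works too.
smb_param() {
  awk -v key="$2" '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/ { in_global = ($0 ~ /\[global\]/); next }
    in_global && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (tolower(k) == tolower(key)) { print v; exit }
    }' "$1"
}

# nss_first_source DB FILE: print the first source listed for DB (passwd, group).
nss_first_source() {
  awk -F: -v db="$1" '$1 == db { split($2, s, " "); print s[1]; exit }' "$2"
}

# krb_default_realm FILE: print default_realm from [libdefaults], skipping comments.
krb_default_realm() {
  awk -F= '/^[ \t]*default_realm[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# check_client_config: print every problem found; return 0 only if there is none.
check_client_config() {
  status=0
  sec=$(smb_param "$SMB_CONF" security | tr '[:lower:]' '[:upper:]')
  realm=$(smb_param "$SMB_CONF" realm | tr '[:lower:]' '[:upper:]')
  krealm=$(krb_default_realm "$KRB_CONF")
  [ "$sec" = "ADS" ] || { echo "smb.conf: security must be ADS (found '$sec')"; status=1; }
  [ -n "$realm" ] || { echo "smb.conf: realm is not set"; status=1; }
  [ -n "$(smb_param "$SMB_CONF" workgroup)" ] || { echo "smb.conf: workgroup is not set"; status=1; }
  [ "$realm" = "$krealm" ] || { echo "krb5.conf: default_realm '$krealm' differs from realm '$realm'"; status=1; }
  for db in passwd group; do
    [ "$(nss_first_source "$db" "$NSS_CONF")" = "winbind" ] || { echo "nsswitch.conf: $db must list winbind first"; status=1; }
  done
  return $status
}

# Check the live files with: sh check-ad-client.sh --run
if [ "${1:-}" = "--run" ]; then check_client_config; fi
```

A non-zero exit with a printed reason means one of the three files still disagrees with the steps above; fix it and rerun before attempting the join.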


So, do try this out and get your own AD clients to access data from IBM Spectrum Scale™.
