<font face="Verdana,Arial,Helvetica,sans-serif" size="2">Generally, i would advise against changing the global logging config. That change is easily picked up by other related processes, and then causes unwanted overhead. Today, the best way to change the logging for the AD integration would be to enable it in the running winbindd processes without changing the config:<br><br>mmdsh -N CesNodes /usr/lpp/mmfs/bin/smbcontrol winbindd debug 3<br>mmdsh -N CesNodes /usr/lpp/mmfs/bin/smbcontrol winbindd debug 1<br><br>For DNS servers, the requirement would be that all configured DNS servers on the protocol nodes, return the additional information required to locate the AD Domain Controllers. If the AD DCs are also running the DNS server, then only the AD DCs should be configured as DNS servers on the protocol nodes. One thing to check: After the configuring the AD authentication through mmuserauth, this command should return the list of AD DCs (check on all protocol nodes):<br><br>dig -t SRV _kerberos._tcp.$(/usr/lpp/mmfs/bin/net conf getparm global realm)<br><span><font size="2" face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif"><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial;font-size:10.5pt"><div dir="ltr"><font face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif"><br>Regards,<br><br>Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ<br><a target="_blank" href="mailto:christof.schmitt@us.ibm.com">christof.schmitt@us.ibm.com</a> || +1-520-799-2469 (T/L: 321-2469)</font></div></div></font></span><br><br><font size="2" color="#000000" face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif"><font color="#990099"><a target="_blank" href="mailto:-----gpfsug-discuss-bounces@spectrumscale.org">-----gpfsug-discuss-bounces@spectrumscale.org</a> wrote: -----</font><div class="iNotesHistory" style="padding-left:5px;"><div style="padding-right:0px;padding-left:5px;border-left:solid black 2px;">To: gpfsug main discussion list <<a target="_blank" href="mailto:gpfsug-discuss@spectrumscale.org">gpfsug-discuss@spectrumscale.org</a>><br>From: Monty Poppe/Austin/IBM@IBMUS<br>Sent by: <a target="_blank" href="mailto:gpfsug-discuss-bounces@spectrumscale.org">gpfsug-discuss-bounces@spectrumscale.org</a><br>Date: 02/25/2016 10:02AM<br>Subject: Re: [gpfsug-discuss] Integration with Active Directory<br><br><font size="2" face="sans-serif">All CES nodes should operate consistently
across the cluster. Here are a few tips on debugging:</font><br><br><font size="2" face="Menlo-Regular">/usr/lpp/mmfs/bin/wbinfo</font><font size="2" face="sans-serif">-p to ensure winbind is running properly</font><br><font size="2" face="Menlo-Regular">/usr/lpp/mmfs/bin/wbinfo</font><font size="2" face="sans-serif">-P (capital P), to ensure winbind can communicate with AD server</font><br><font size="2" face="sans-serif">ensure the first nameserver in /etc/resolv.conf
points to your AD server (check all nodes)</font><br><font size="2" face="sans-serif">mmuserauth service check --server-reachability
for a more thorough validation that all nodes can communicate to
the authentication server</font><br><br><font size="2" face="sans-serif">If you need to look at samba logs (/var/adm/ras/log.smbd
& log.wb-<domainname>) to see what's going on, change samba log
levels issue: </font><font size="2" face="Menlo-Regular">/usr/lpp/mmfs/bin/net
conf setparm global 'log level' </font><font size="2" face="sans-serif">3.
Don't forget to set back to 0 or 1 when you are done!</font><br><br><font size="2" face="sans-serif">If you're willing to go with a later
release, AD authentication with LDAP ID mapping has been added as a feature
in the 4.2 release. (</font><a href="https://www-01.ibm.com/support/knowledgecenter/STXKQY_4.2.0/com.ibm.spectrum.scale.v4r2.adm.doc/bl1adm_adwithldap.htm?lang=en"><font size="2" color="blue" face="sans-serif">https://www-01.ibm.com/support/knowledgecenter/STXKQY_4.2.0/com.ibm.spectrum.scale.v4r2.adm.doc/bl1adm_adwithldap.htm?lang=en</font></a><font size="2" face="sans-serif">)</font><br><br><font size="2" face="sans-serif"><br>Monty Poppe<br>Spectrum Scale Test<br><a target="_blank" href="mailto:poppe@us.ibm.com">poppe@us.ibm.com</a><br>512-286-8047 T/L 363-8047</font><br><br><br><br><font size="1" color="#5f5f5f" face="sans-serif">From:
</font><font size="1" face="sans-serif">"Simon Thompson
(Research Computing - IT Services)" <<a target="_blank" href="mailto:S.J.Thompson@bham.ac.uk">S.J.Thompson@bham.ac.uk</a>></font><br><font size="1" color="#5f5f5f" face="sans-serif">To:
</font><font size="1" face="sans-serif">gpfsug main discussion
list <<a target="_blank" href="mailto:gpfsug-discuss@spectrumscale.org">gpfsug-discuss@spectrumscale.org</a>></font><br><font size="1" color="#5f5f5f" face="sans-serif">Date:
</font><font size="1" face="sans-serif">02/25/2016 07:19 AM</font><br><font size="1" color="#5f5f5f" face="sans-serif">Subject:
</font><font size="1" face="sans-serif">Re: [gpfsug-discuss]
Integration with Active Directory</font><br><font size="1" color="#5f5f5f" face="sans-serif">Sent by:
</font><font size="1" face="sans-serif"><a target="_blank" href="mailto:gpfsug-discuss-bounces@spectrumscale.org">gpfsug-discuss-bounces@spectrumscale.org</a></font><br><hr noshade=""><br><br><br><font size="2" face="Calibri">Hi Gethyn,</font><br><br><font size="2" face="Calibri">From what I recall, CTDB used underneath
is used to share the secret and only the primary named machine is joined,
but CTDB and CES should work this backend part out for you.</font><br><br><font size="2" face="Calibri">I do have a question though, do you want
to have consistent UIDs across other systems? For example if you plan to
use NFS to other *nix systems, then you probably want to think about LDAP
mapping and using custom auth (we do this as out AD doesn't contain UIDs
either).</font><br><br><font size="2" face="Calibri">Simon</font><br><br><font size="2" face="Calibri"><b>From: </b><</font><a href="mailto:gpfsug-discuss-bounces@spectrumscale.org"><font size="2" color="blue" face="Calibri"><u>gpfsug-discuss-bounces@spectrumscale.org</u></font></a><font size="2" face="Calibri">>
on behalf of "Longworth, Gethyn" <</font><a href="mailto:Gethyn.Longworth@Rolls-Royce.com"><font size="2" color="blue" face="Calibri"><u>Gethyn.Longworth@Rolls-Royce.com</u></font></a><font size="2" face="Calibri">><b><br>Reply-To: </b>"</font><a href="mailto:gpfsug-discuss@spectrumscale.org"><font size="2" color="blue" face="Calibri"><u>gpfsug-discuss@spectrumscale.org</u></font></a><font size="2" face="Calibri">"
<</font><a href="mailto:gpfsug-discuss@spectrumscale.org"><font size="2" color="blue" face="Calibri"><u>gpfsug-discuss@spectrumscale.org</u></font></a><font size="2" face="Calibri">><b><br>Date: </b>Thursday, 25 February 2016 at 10:42<b><br>To: </b>"</font><a href="mailto:gpfsug-discuss@spectrumscale.org"><font size="2" color="blue" face="Calibri"><u>gpfsug-discuss@spectrumscale.org</u></font></a><font size="2" face="Calibri">"
<</font><a href="mailto:gpfsug-discuss@spectrumscale.org"><font size="2" color="blue" face="Calibri"><u>gpfsug-discuss@spectrumscale.org</u></font></a><font size="2" face="Calibri">><b><br>Subject: </b>[gpfsug-discuss] Integration with Active Directory</font><br><br><font size="2" face="Calibri">Hi all,</font><br><font size="2" face="Calibri"> </font><br><font size="2" face="Calibri">I’m new to both GPFS and to this mailing
list, so I thought I’d introduce myself and one of the issues I am having.</font><br><font size="2" face="Calibri"> </font><br><font size="2" face="Calibri">I am a consultant to Rolls-Royce Aerospace
currently working on a large facilities project, part of my remit is to
deliver a data system. We selected GPFS (sorry Spectrum Scale…)
for this three clusters, with two of the clusters using storage provided
by Spectrum Accelerate, and the other by a pair of IBM SANs and a tape
library back up.</font><br><font size="2" face="Calibri"> </font><br><font size="2" face="Calibri">My current issue is to do with integration
into Active Directory. I’ve configured my three node test cluster
with two protocol nodes and a quorum (version 4.2.0.1 on RHEL 7.1) as the
master for an automated id mapping system (we can’t use RFC2307, as our
IT department don’t understand what this is), but the problem I’m having
is to do with domain joins. The documentation suggests that using
the CES cluster hostname to register in the domain will allow all nodes
in the cluster to share the identity mapping, but only one of my protocol
nodes will authenticate – I can run “id” on that node with a domain
account and it provides the correct answer – whereas the other will not
and denies any knowledge of the domain or user. From a GPFS point
of view, this results in a degraded CES, SMB, NFS and AUTH state. My
small amount of AD knowledge says that this is expected – a single entry
(e.g. the cluster name) can only have one SID.</font><br><font size="2" face="Calibri"> </font><br><font size="2" face="Calibri">So I guess that my question is, what have
I missed? Is there something in AD that I need to configure to make
this work? Does one of the nodes in the cluster end up as the master
and the other a subordinate? How do I configure that within the confines
of mmuserauth?</font><br><font size="2" face="Calibri"> </font><br><font size="2" face="Calibri">As I said I am a bit new to this, and am
essentially learning on the fly, so any pointers that you can provide would
be appreciated!</font><br><font size="2" face="Calibri"> </font><br><font size="2" face="Calibri">Cheers,</font><br><font size="2" face="Calibri"> </font><br><font size="1" color="#212100" face="Arial"><b>Gethyn Longworth</b></font><br><font size="1" color="#212100" face="Arial"><b>MEng CEng MIET </b>|<b>Consultant Systems Engineer</b> | </font><font size="1" color="red" face="Arial">AEROSPACE</font><br><font size="2" face="Calibri"> </font><br><font size="1" color="#008250" face="Webdings">P </font><font size="1" color="#008250" face="Arial">Please
consider the environment before printing this email</font><br><font size="2" face="Calibri"> </font><tt><font size="2" face="Courier New,Courier,monospace">_______________________________________________<br>gpfsug-discuss mailing list<br>gpfsug-discuss at spectrumscale.org<br></font></tt><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss"><tt><font size="2" face="Courier New,Courier,monospace">http://gpfsug.org/mailman/listinfo/gpfsug-discuss</font></tt></a><tt><font size="2" face="Courier New,Courier,monospace"><br></font></tt><br><br><br><div><font size="2" face="Courier New,Courier,monospace">_______________________________________________<br>gpfsug-discuss mailing list<br>gpfsug-discuss at spectrumscale.org<br><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss">http://gpfsug.org/mailman/listinfo/gpfsug-discuss</a><br></font></div></div></div></font></font><BR>