<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Webdings;
        panose-1:5 3 1 2 1 5 9 6 7 3;}
@font-face
        {font-family:Menlo-Regular;
        panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
tt
        {mso-style-priority:99;
        font-family:"Courier New";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";
        mso-fareast-language:EN-US;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Monty, Simon, Christof,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Many thanks for your help.  I found that the firewall wasn’t configured correctly – I made the assumption that the samba “service” enabled the ctdb port (4379 for the next person searching for this) as well – enabling it manually and restarting the node has resolved it.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I need to investigate the issue of consistent uids / gids between my Linux machines.  
Obviously very easy when you have full control over the AD, but as ours is a local AD (which I can control) and most of the user IDs coming over on a trust it is much more tricky.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Has anyone done an ldap set up where they are effectively adding extra user info (like uids / gids / samba info) to existing AD users without messing with the original AD?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Gethyn<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> gpfsug-discuss-bounces@spectrumscale.org [mailto:gpfsug-discuss-bounces@spectrumscale.org] <b>On Behalf Of </b>Monty Poppe<br><b>Sent:</b> 25 February 2016 17:01<br><b>To:</b> gpfsug main discussion list<br><b>Subject:</b> Re: [gpfsug-discuss] Integration with Active Directory<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>All CES nodes should operate consistently across the cluster. 
Here are a few tips on debugging:</span><br><br><span style='font-size:10.0pt;font-family:"Menlo-Regular","serif"'>/usr/lpp/mmfs/bin/wbinfo -p</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> to ensure winbind is running properly</span><br><span style='font-size:10.0pt;font-family:"Menlo-Regular","serif"'>/usr/lpp/mmfs/bin/wbinfo -P</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> (capital P), to ensure winbind can communicate with AD server</span><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>ensure the first nameserver in /etc/resolv.conf points to your AD server (check all nodes)</span><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>mmuserauth service check --server-reachability  for a more thorough validation that all nodes can communicate to the authentication server</span><br><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>If you need to look at samba logs (/var/adm/ras/log.smbd &amp; log.wb-&lt;domainname&gt;) to see what's going on, to change samba log levels issue: </span><span style='font-size:10.0pt;font-family:"Menlo-Regular","serif"'>/usr/lpp/mmfs/bin/net conf setparm global 'log level' 3</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>.  Don't forget to set back to 0 or 1 when you are done!</span><br><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>If you're willing to go with a later release, AD authentication with LDAP ID mapping has been added as a feature in the 4.2 release. 
(</span><a href="https://www-01.ibm.com/support/knowledgecenter/STXKQY_4.2.0/com.ibm.spectrum.scale.v4r2.adm.doc/bl1adm_adwithldap.htm?lang=en"><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>https://www-01.ibm.com/support/knowledgecenter/STXKQY_4.2.0/com.ibm.spectrum.scale.v4r2.adm.doc/bl1adm_adwithldap.htm?lang=en</span></a><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>)</span><br><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>Monty Poppe<br>Spectrum Scale Test<br><a href="mailto:poppe@us.ibm.com">poppe@us.ibm.com</a><br>512-286-8047 T/L 363-8047</span><br><br><br><br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>From:        </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>"Simon Thompson (Research Computing - IT Services)" <<a href="mailto:S.J.Thompson@bham.ac.uk">S.J.Thompson@bham.ac.uk</a>></span><br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>To:        </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>gpfsug main discussion list <<a href="mailto:gpfsug-discuss@spectrumscale.org">gpfsug-discuss@spectrumscale.org</a>></span><br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>Date:        </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>02/25/2016 07:19 AM</span><br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>Subject:        </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>Re: [gpfsug-discuss] Integration with Active Directory</span><br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>Sent by:        </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'><a href="mailto:gpfsug-discuss-bounces@spectrumscale.org">gpfsug-discuss-bounces@spectrumscale.org</a></span><o:p></o:p></p><div class=MsoNormal align=center style='text-align:center'><hr size=2 
width="100%" noshade style='color:#A0A0A0' align=center></div><p class=MsoNormal style='margin-bottom:12.0pt'><br><br><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>Hi Gethyn,</span><br><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>From what I recall, CTDB used underneath is used to share the secret and only the primary named machine is joined, but CTDB and CES should work this backend part out for you.</span><br><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>I do have a question though, do you want to have consistent UIDs across other systems? For example if you plan to use NFS to other *nix systems, then you probably want to think about LDAP mapping and using custom auth (we do this as our AD doesn't contain UIDs either).</span><br><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>Simon</span><br><br><b><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>From: </span></b><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>&lt;</span><a href="mailto:gpfsug-discuss-bounces@spectrumscale.org"><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>gpfsug-discuss-bounces@spectrumscale.org</span></a><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>&gt; on behalf of "Longworth, Gethyn" &lt;</span><a href="mailto:Gethyn.Longworth@Rolls-Royce.com"><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>Gethyn.Longworth@Rolls-Royce.com</span></a><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>&gt;<b><br>Reply-To: </b>"</span><a href="mailto:gpfsug-discuss@spectrumscale.org"><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>gpfsug-discuss@spectrumscale.org</span></a><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>" &lt;</span><a href="mailto:gpfsug-discuss@spectrumscale.org"><span
style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>gpfsug-discuss@spectrumscale.org</span></a><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>><b><br>Date: </b>Thursday, 25 February 2016 at 10:42<b><br>To: </b>"</span><a href="mailto:gpfsug-discuss@spectrumscale.org"><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>gpfsug-discuss@spectrumscale.org</span></a><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>" <</span><a href="mailto:gpfsug-discuss@spectrumscale.org"><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>gpfsug-discuss@spectrumscale.org</span></a><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>><b><br>Subject: </b>[gpfsug-discuss] Integration with Active Directory</span><br><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>Hi all,</span><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> </span><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>I’m new to both GPFS and to this mailing list, so I thought I’d introduce myself and one of the issues I am having.</span><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> </span><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>I am a consultant to Rolls-Royce Aerospace currently working on a large facilities project, part of my remit is to deliver a data system.  We selected GPFS (sorry Spectrum Scale…) for this three clusters, with two of the clusters using storage provided by Spectrum Accelerate, and the other by a pair of IBM SANs and a tape library back up.</span><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> </span><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>My current issue is to do with integration into Active Directory.  
I’ve configured my three node test cluster with two protocol nodes and a quorum (version 4.2.0.1 on RHEL 7.1) as the master for an automated id mapping system (we can’t use RFC2307, as our IT department don’t understand what this is), but the problem I’m having is to do with domain joins.  The documentation suggests that using the CES cluster hostname to register in the domain will allow all nodes in the cluster to share the identity mapping, but only one of my protocol nodes will authenticate – I can run “id” on that node with a domain account and it provides the correct answer – whereas the other will not and denies any knowledge of the domain or user.  From a GPFS point of view, this results in a degraded CES, SMB, NFS and AUTH state.  My small amount of AD knowledge says that this is expected – a single entry (e.g. the cluster name) can only have one SID.</span><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> </span><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>So I guess that my question is, what have I missed?  Is there something in AD that I need to configure to make this work?  Does one of the nodes in the cluster end up as the master and the other a subordinate?  
How do I configure that within the confines of mmuserauth?</span><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> </span><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>As I said I am a bit new to this, and am essentially learning on the fly, so any pointers that you can provide would be appreciated!</span><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> </span><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>Cheers,</span><br><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> </span><br><b><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#212100'>Gethyn Longworth</span></b><br><b><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#212100'>MEng CEng MIET </span></b><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#212100'>|<b>Consultant Systems Engineer</b> | </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:red'>AEROSPACE</span><o:p></o:p></p></div></body></html>