<div dir="ltr"><div><div><div><div>Sorry to see no authoritative answers yet.. I'm doing lots of CES installations, but have not quite yet gotten the full understanding of this..<br><br></div>Simple stuff first:<br><br>--servers You can only have one with AD.<br><br>--enable-kerberos shouldn't be used, as that's only for LDAP according to the documentation. Guess kerberos is implied with AD.<br><br>--idmap-role -- I've been using "master". Man-page says<br><br> ID map role of a stand‐alone or singular system deployment must be selected "master"<br><br><br></div>What the idmap options seems to be doing is configure the idmap options for Samba. Maybe best explained by: <br><br> <a href="https://wiki.samba.org/index.php/Idmap_config_ad">https://wiki.samba.org/index.php/Idmap_config_ad</a><br><br><br></div>Your suggested options will then give you the samba idmap configuration:<br><br> idmap config * : rangesize = 1000000<br> idmap config * : range = 3000000-3500000<br> idmap config * : read only = no<br> idmap:cache = no<br> idmap config * : backend = autorid<br><br> idmap config DOMAIN : schema_mode = rfc2307<br> idmap config DOMAIN : range = 500-2000000<br> idmap config DOMAIN : backend = ad<br><br></div>Most likely you want to replace DOMAIN by your AD domain name.. So the --idmap options sets some defaults, that you probably won't care about, since all your users are likely covered by the specific "idmap config DOMAIN" config.<br><div><div><br></div><div>Hope this helps somewhat, now I'll follow up with something I'm wondering myself...:<br><br></div><div>Is the netbios name just a name, without any connection to anything in AD?<br><br></div><div>Is the --user-name/--password a one-time used account that's only necessary when executing the mmuserauth command, or will it also be for communication between CES and AD while the services are running?<br><br><br><br></div><div> -jf<br></div><div><br><br><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 22, 2016 at 1:59 PM, Sobey, Richard A <span dir="ltr"><<a href="mailto:r.sobey@imperial.ac.uk" target="_blank">r.sobey@imperial.ac.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="#0563C1" vlink="#954F72" lang="EN-GB">
<div>
<p class="MsoNormal">Hi all,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">We’re just about to start testing a new CES 4.2.0 cluster and at the stage of “joining” the cluster to our AD. What’s the bare minimum we need to get going with this? My Windows guy (who is more Linux but whatever) has suggested the following:<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:#1f497d">mmuserauth service create --type ad --data-access-method file<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:#1f497d">--netbios-name store --user-name USERNAME --password
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:#1f497d">--enable-nfs-kerberos --enable-kerberos<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:#1f497d">--servers list,of,servers<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:#1f497d">--idmap-range-size 1000000 --idmap-range 3000000 - 3500000 --unixmap-domains 'DOMAIN<a href="tel:%28500%20-%202000000" value="+15002000000" target="_blank">(500 - 2000000</a>)'<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">He has also asked what the following is:<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:#1f497d">--idmap-role ???<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:#1f497d">--idmap-range-size ??<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">All our LDAP GID/UIDs are coming from a system outside of GPFS so do we leave this blank, or say master Or, now I’ve re-read and mmuserauth page, is this purely for when you have AFM relationships and one GPFS cluster (the subordinate /
the second cluster) gets its UIDs and GIDs from another GPFS cluster (the master / the first one)?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">For idmap-range-size is this essentially the highest number of users and groups you can have defined within Spectrum Scale? (I love how I’m using GPFS and SS interchangeably.. forgive me!)<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Many thanks<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Richard<u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#333333;background:white"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#333333;background:white"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#333333;background:white">Richard Sobey<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#333333">Storage Area Network (SAN) Analyst<br>
<span style="background:white">Technical Operations, ICT<br>
Imperial College London<br>
South Kensington<br>
403, City & Guilds Building<br>
London SW7 2AZ<br>
Tel: <a href="tel:%2B44%20%280%2920%207594%206915" value="+442075946915" target="_blank">+44 (0)20 7594 6915</a><br>
Email: </span></span><span><a href="mailto:r.sobey@imperial.ac.uk" target="_blank"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:blue;background:white">r.sobey@imperial.ac.uk</span></a></span><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#333333;background:white"><br>
</span><span><a href="http://www.imperial.ac.uk/admin-services/ict/" target="_blank"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:blue;background:white">http://www.imperial.ac.uk/<wbr>admin-services/ict/</span></a></span><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#333333;background:white"><u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
<br>______________________________<wbr>_________________<br>
gpfsug-discuss mailing list<br>
gpfsug-discuss at <a href="http://spectrumscale.org" rel="noreferrer" target="_blank">spectrumscale.org</a><br>
<a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss" rel="noreferrer" target="_blank">http://gpfsug.org/mailman/<wbr>listinfo/gpfsug-discuss</a><br>
<br></blockquote></div><br></div>