<html><body><p><font size="2">Hello.</font><br><br><font size="2">the user name should not matter for operations beyon domain join.</font><br><br><font size="2">mmuserauth man page:</font><br><br><font size="2">--user-name userName</font><br><font size="2"> </font><br><font size="2">....</font><br><br><font size="2"> In case of --type ad with</font><br><font size="2"> --data-access-method file, the specified username</font><br><font size="2"> is used to join the cluster to AD domain. It results in</font><br><font size="2"> creating a machine account for the cluster based on the</font><br><font size="2"> --netbios-name specified in the command. After</font><br><font size="2"> successful configuration, the cluster connects with its</font><br><font size="2"> machine account, and not the user used during the domain</font><br><font size="2"> join. So the specified username after domain join has no</font><br><font size="2"> role to play in communication with the AD domain</font><br><font size="2"> controller and can be even deleted from the AD server.</font><br><font size="2"> The cluster can still keep using AD for authentication</font><br><font size="2"> via the machine account created.<br></font><br><br><font size="2" face="Arial">Mit freundlichen Grüßen / Kind regards</font><br><br><b><font face="Arial">Dr. Markus Rohwedder</font></b><br><br><font size="1" face="Arial">Spectrum Scale GUI Development</font><table border="0" cellspacing="0" cellpadding="0"><tr valign="top"><td class="small_font" width="600" colspan="4" valign="middle"><hr width="100%" size="2" align="left" style="color:#0055AA; "></td></tr>
<tr valign="top"><td class="small_font" width="600" colspan="4" valign="middle"><img width="1" height="1" src="cid:1__=8FBB086DDFD97E078f9e8a93df938690918c8FB@" border="0" alt=""></td></tr>
<tr valign="top"><td class="inner" width="39" valign="middle"><font size="1" color="#0055AA" face="Arial">Phone:</font></td><td class="inner" width="157" valign="middle"><font size="1" color="#0055AA" face="Arial">+49 7034 6430190</font></td><td class="inner" width="246" valign="middle"><font size="1" color="#0055AA" face="Arial"> IBM Deutschland Research & Development</font></td><td width="158" rowspan="4" valign="middle"><div align="right"><img src="cid:2__=8FBB086DDFD97E078f9e8a93df938690918c8FB@" width="158" height="40" align="bottom"></div></td></tr>
<tr valign="top"><td class="inner" width="39" valign="middle"><font size="1" color="#0055AA" face="Arial">E-Mail:</font></td><td class="inner" width="157" valign="middle"><font size="1" color="#0055AA" face="Arial">rohwedder@de.ibm.com</font></td><td class="inner" width="246" valign="middle"><font size="1" color="#0055AA" face="Arial"> Am Weiher 24</font></td></tr>
<tr valign="top"><td class="inner" width="39" valign="middle"><img width="1" height="1" src="cid:1__=8FBB086DDFD97E078f9e8a93df938690918c8FB@" border="0" alt=""></td><td class="inner" width="157" valign="middle"><img width="1" height="1" src="cid:1__=8FBB086DDFD97E078f9e8a93df938690918c8FB@" border="0" alt=""></td><td class="inner" width="246" valign="middle"><font size="1" color="#0055AA" face="Arial"> 65451 Kelsterbach</font></td></tr>
<tr valign="top"><td class="inner" width="39" valign="middle"><img width="1" height="1" src="cid:1__=8FBB086DDFD97E078f9e8a93df938690918c8FB@" border="0" alt=""></td><td class="inner" width="157" valign="middle"><img width="1" height="1" src="cid:1__=8FBB086DDFD97E078f9e8a93df938690918c8FB@" border="0" alt=""></td><td class="inner" width="246" valign="middle"><font size="1" color="#0055AA" face="Arial"> Germany</font></td></tr>
<tr valign="top"><td class="small_font" width="600" colspan="4" valign="middle"><hr width="100%" size="2" align="left" style="color:#0055AA; "></td></tr>
<tr valign="top"><td class="small_font" width="600" colspan="4" valign="middle"><img width="1" height="1" src="cid:1__=8FBB086DDFD97E078f9e8a93df938690918c8FB@" border="0" alt=""></td></tr></table><br><img width="16" height="16" src="cid:3__=8FBB086DDFD97E078f9e8a93df938690918c8FB@" border="0" alt="Inactive hide details for "Andrew Beattie" ---04.09.2018 15:18:43---Hi Richard,"><font size="2" color="#424282">"Andrew Beattie" ---04.09.2018 15:18:43---Hi Richard,</font><br><br><font size="2" color="#5F5F5F">From: </font><font size="2">"Andrew Beattie" <abeattie@au1.ibm.com></font><br><font size="2" color="#5F5F5F">To: </font><font size="2">gpfsug-discuss@spectrumscale.org</font><br><font size="2" color="#5F5F5F">Cc: </font><font size="2">gpfsug-discuss@spectrumscale.org</font><br><font size="2" color="#5F5F5F">Date: </font><font size="2">04.09.2018 15:18</font><br><font size="2" color="#5F5F5F">Subject: </font><font size="2">Re: [gpfsug-discuss] CES file authentication - bind account deleted?</font><br><font size="2" color="#5F5F5F">Sent by: </font><font size="2">gpfsug-discuss-bounces@spectrumscale.org</font><br><hr width="100%" size="2" align="left" noshade style="color:#8091A5; "><br><br><br><font face="Arial">Hi Richard,</font><br><font face="Arial"> </font><br><font face="Arial">If you are setting up Protocol authentication against the active directory,</font><br><font face="Arial">would you not choose to use a service account that isn't going to get deleted?</font><br><font face="Arial"> </font><br><font face="Arial">If you choose to use an user account of a Sys Admin who has Domain admin privileges and they leave the company and their account is deleted, you would almost certainly have issues with the Scale cluster trying to validate users permissions and having scale get an error from AD when the credentials that it uses are no longer valid.</font><br><font face="Arial"> </font><br><font face="Arial"> </font><br><b><font color="#7C7C5F">Andrew Beattie</font></b><br><b><font size="2">Software Defined Storage - IT Specialist</font></b><br><b><font size="1" color="#336699">Phone: </font></b><font size="1">614-2133-7927</font><br><b><font size="1" color="#336699">E-mail: </font></b><a href="mailto:abeattie@au1.ibm.com"><u><font size="1" color="#555555">abeattie@au1.ibm.com</font></u></a><br><font face="Arial"> </font><br><font face="Arial"> </font><br><font face="Arial">----- Original message -----<br>From: "Sobey, Richard A" <r.sobey@imperial.ac.uk><br>Sent by: gpfsug-discuss-bounces@spectrumscale.org<br>To: "'gpfsug-discuss@spectrumscale.org'" <gpfsug-discuss@spectrumscale.org><br>Cc:<br>Subject: [gpfsug-discuss] CES file authentication - bind account deleted?<br>Date: Tue, Sep 4, 2018 8:45 AM<br> </font><p><font face="Arial">Hi all,</font><p><font face="Arial"> </font><p><font face="Arial">I don’t like using long subject lines as a rule so it probably doesn’t make sense, but consider:</font><p><font face="Arial"> </font><p><font face="Courier New">FILE access configuration : AD</font><p><font face="Courier New">PARAMETERS VALUES</font><p><font face="Courier New">-------------------------------------------------</font><p><font face="Courier New">ENABLE_NFS_KERBEROS true</font><p><font face="Courier New">SERVERS domaincontroller.ic.ac.uk</font><p><font face="Courier New">USER_NAME joebloggs@IC.AC.UK</font><p><font face="Courier New">NETBIOS_NAME store</font><p><font face="Courier New">IDMAP_ROLE master</font><p><font face="Courier New">IDMAP_RANGE 10000000-299999999</font><p><font face="Courier New">IDMAP_RANGE_SIZE 1000000</font><p><font face="Courier New">UNIXMAP_DOMAINS IC(500 - 2000000)</font><p><font face="Courier New">LDAPMAP_DOMAINS none</font><p><font face="Arial"> </font><p><font face="Arial">If “joebloggs” was to leave the organization and that account deleted from Active Directory, what is the impact on file authentication in CES?</font><p><font face="Arial"> </font><p><font face="Arial">Thanks</font><p><font face="Arial">Richard</font><p><tt><font size="2">_______________________________________________<br>gpfsug-discuss mailing list<br>gpfsug-discuss at spectrumscale.org</font></tt><tt><u><font size="2" color="#0000FF"><br></font></u></tt><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss" target="_blank"><tt><u><font size="2" color="#0000FF">http://gpfsug.org/mailman/listinfo/gpfsug-discuss</font></u></tt></a><br><font face="Arial"> </font><br><tt><font size="2">_______________________________________________<br>gpfsug-discuss mailing list<br>gpfsug-discuss at spectrumscale.org<br></font></tt><tt><font size="2"><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss">http://gpfsug.org/mailman/listinfo/gpfsug-discuss</a></font></tt><tt><font size="2"><br></font></tt><br><br><BR>
</body></html>