<div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:9pt" ><div dir="ltr" >Mark,</div>
<div dir="ltr" > </div>
<div dir="ltr" >to answer your questions:</div>
<div dir="ltr" > </div>
<div dir="ltr" ><div>> I see this is referring to UNIX attributes within AD, but I'm curious about mapping to attributes in LDAP.<br>><br>> => This gets mapped to 'idmap config ... : unix_primary_group' in the<br>> => internal config.<br>><br>> Does that correspond to setting the smb.conf parameter<br>><br>> unix_primary_group = yes</div>
<div> </div>
<div>This corresponds to the smb.conf parameter 'idmap config DOMAIN :<br>unix_primary_group' = yes. This refers to the id mapping configuration<br>for the specified domain. See the idmap_ad man page for the Samba<br>documentation of this parameter.</div>
<div> </div>
<div>> Specifically, under Spectrum Scale 5.0.2, if I run:<br>><br>> mmuserauth service create --data-access-method file --ldapmap-domains "DOMAIN(type=stand-alone:ldap_srv=ldapserver:range=1001-65535:usr_dn=ou=People,dc=DC,dc=TLD:grp_dn=ou=Group,dc=DC,dc=TLD)" --type ad<br>><br>> (some args removed in this example), will that map the user's primary group to<br>><br>> the primaryGroupID supplied by AD<br>> or<br>> the primaryGroupID LDAP field<br>> or<br>> the gidNumber LDAP field</div>
<div> </div>
<div>This primary group in this configuration is the primary group in<br>Active Directory. This is stored in Active Directory in the<br>primaryGroupID field that refers to the RID of the primary group (the<br>last part of the SID of the group). This id mapping method currently<br>does not read the gidNumber of the user. In theory it would be<br>possible to add this similar to the 'unix_primary_group' from above,<br>but that should be treated as a new feature and requesting that through<br>an RFE would be appropriate.</div>
<div> </div>
<div>Regards,</div></div>
<div dir="ltr" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10.5pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10.5pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10.5pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10.5pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial;font-size:10.5pt" ><div dir="ltr" ><font size="2" face="Verdana,Arial,Helvetica,sans-serif" ><font size="2" face="Verdana,Arial,Helvetica,sans-serif" ><span style="font-size:0.857em;" > </span></font></font></div>
<div dir="ltr" ><font size="2" face="Verdana,Arial,Helvetica,sans-serif" ><font size="2" face="Verdana,Arial,Helvetica,sans-serif" ><span style="font-size:0.857em;" ><span style="font-family: Verdana,Geneva,sans-serif;" >Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ<br>christof.schmitt@us.ibm.com || +1-520-799-2469 (T/L: 321-2469)</span></span></font></font></div></div></div></div></div></div></div>
<div dir="ltr" > </div>
<div dir="ltr" > </div>
<blockquote data-history-content-modified="1" dir="ltr" style="border-left:solid #aaaaaa 2px; margin-left:5px; padding-left:5px; direction:ltr; margin-right:0px" >----- Original message -----<br>From: mark.bergman@uphs.upenn.edu<br>To: gpfsug main discussion list &lt;gpfsug-discuss@spectrumscale.org&gt;<br>Cc: christof.schmitt@us.ibm.com<br>Subject: [EXTERNAL] Re: [gpfsug-discuss] Question concerning integration of CES with AD authentication system<br>Date: Thu, Jul 25, 2019 4:31 PM<br>
<div><font size="2" face="Default Monospace,Courier New,Courier,monospace" >In the message dated: Thu, 24 May 2018 17:07:02 -0000,<br>The pithy ruminations from Christof Schmitt on<br>[Re: [gpfsug-discuss] Question concerning integration of CES with AD authentication system] were:<br>=><br><br>Following up on an old, old post...<br><br>=> > Basically Samba ignores the separate GID field in RFC2307bis, so one<br>=> > imagines the options for changing the LDAP attributes are<br>=> > nonexistent.<br>=> <br>=> mmuserauth now has an option to use either the gid from the actual primary<br>=> group or the gid defined for the user. See:<br>=> <br>=> <a href="https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.0/" target="_blank" >https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.0/</a><br>=> com.ibm.spectrum.scale.v5r00.doc/bl1adm_mmuserauth.htm<br>=> <br>=> --unixmap-domains unixDomainMap<br>=> [...]<br>=> win: Specifies the system to read the primary group set as Windows<br>=> primary group of a user on the Active Directory.<br>=> unix: Specifies the system to read the primary group as set in "UNIX<br>=> attributes" of a user on the Active Directory. <br>=> For example,<br>=> --unixmap-domains "MYDOMAIN1(20000-50000:unix);MYDOMAIN2<br>=> (100000-200000:win)"<br><br>I see this is referring to UNIX attributes within AD, but I'm curious about mapping to attributes in LDAP.<br><br>=> This gets mapped to 'idmap config ... 
: unix_primary_group' in the<br>=> internal config.<br><br>Does that correspond to setting the smb.conf parameter<br><br>unix_primary_group = yes<br><br><br><br><br>Specifically, under Spectrum Scale 5.0.2, if I run:<br><br>mmuserauth service create --data-access-method file --ldapmap-domains "DOMAIN(type=stand-alone:ldap_srv=ldapserver:range=1001-65535:usr_dn=ou=People,dc=DC,dc=TLD:grp_dn=ou=Group,dc=DC,dc=TLD)" --type ad<br><br>(some args removed in this example), will that map the user's primary group to<br><br>the primaryGroupID supplied by AD<br> or<br>the primaryGroupID LDAP field<br> or<br>the gidNumber LDAP field<br><br>or something else?<br><br>Thanks,<br><br>Mark<br><br><br>=><br>=> Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ<br>=> christof.schmitt@us.ibm.com || +1-520-799-2469 (T/L: 321-2469)<br>=> </font></div></blockquote>
<div dir="ltr" > </div></div><BR>
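<div dir="ltr" >Added example, not part of the original message and not IBM or Samba code: how the primary group SID follows from a user's binary objectSid and primaryGroupID (the RID, i.e. the last part of the group SID), with gidNumber reported but not used, as the reply describes. The function names and the sample entry (domain SID, RIDs, gidNumber) are constructed for illustration.</div>

```python
import struct


def parse_sid(raw: bytes) -> str:
    """Decode a binary SID (the AD objectSid attribute) into S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """Swap the user's RID for primaryGroupID to get the primary group SID."""
    if not 0 <= primary_group_id <= 0xFFFFFFFF:
        raise ValueError("primaryGroupID is not a 32-bit RID")
    domain_sid, sep, _user_rid = user_sid.rpartition("-")
    if not sep or not domain_sid.startswith("S-1-"):
        raise ValueError("not a domain account SID: %r" % user_sid)
    return "%s-%d" % (domain_sid, primary_group_id)


def resolve_primary_group(entry: dict) -> dict:
    """Resolve the primary group from primaryGroupID only.

    gidNumber is passed through so a mismatch is visible, but it does not
    influence the result (the reply states it is not read).
    """
    user_sid = parse_sid(entry["objectSid"])
    group_sid = primary_group_sid(user_sid, int(entry["primaryGroupID"]))
    return {"user_sid": user_sid,
            "primary_group_sid": group_sid,
            "gidNumber_unused": entry.get("gidNumber")}


# Constructed sample: user RID 1105 in a made-up domain, primary group RID 513
# (Domain Users), and a gidNumber that the mapping would not consult.
SAMPLE_ENTRY = {
    "objectSid": bytes([1, 5]) + (5).to_bytes(6, "big")
                 + struct.pack("<5I", 21, 1004336348, 1177238915, 682003330, 1105),
    "primaryGroupID": "513",
    "gidNumber": "20017",
}

if __name__ == "__main__":
    print(resolve_primary_group(SAMPLE_ENTRY))
```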