<div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:9pt" ><div dir="ltr" ><div>> Project SMB shares have export ACLs (as in "mmsmb exportacl ..")<br>> limiting share access to the project's member group, in addition to the<br>> NFSv4 ACLs.<br>><br>> We also want to limit access to SMB shares to project subnets.<br>> There is no way to specify that with "mmsmb", but we have found<br>><br>> /usr/lpp/mmfs/bin/net conf setparm <share> "hosts allow" <subnet><br>><br>> to be working, at least with some limited testing: share access is<br>> actually limited to the specified subnets. The additional settings<br>> seems to be stored in CTDB under /var/lib/ctdb/persistent.<br>><br>> We assume that the "net conf setparm" method is not officially supported<br>> by IBM. Although it seems to be working, we wonder if it is a good idea<br>> to implement it. For instance, we are wondering if the additional<br>> settings will survive later ESS code upgrades, and if it will scale to<br>> thousands of SMB shares.</div>
<div> </div>
<div>Officially Scale only supports Samba options that can be set through<br>the GUI or the mmsmb CLI. Everything else set through 'net conf' has<br>not been tested and is not supported. In this specific case, this is<br>likely to work, and it should also be preserved across code upgrades,<br>but again, this is not an official support statement.</div>
<div> </div>
<div>This is also not a new request, there is also a pending RFE to make<br>this an official Scale feature:<br><a href="https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=141534">https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=141534</a></div>
<div> </div>
<div>Regards,</div></div>
<div dir="ltr" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10.5pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10.5pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10.5pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10.5pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial;font-size:10.5pt" ><div dir="ltr" > </div>
<div dir="ltr" ><span style="font-size:10pt;" ><span style="font-family:Arial,Helvetica,sans-serif;" ><strong>Christof Schmitt</strong></span></span></div>
<div dir="ltr" ><span style="font-size:10pt;" >Software Engineer</span></div>
<div dir="ltr" ><span style="font-size:10pt;" >IBM Systems, Spectrum Scale Development</span></div>
<div dir="ltr" ><span style="font-size:10pt;" ><span style="font-family:Arial,Helvetica,sans-serif;" >+1 520 799 2469</span></span></div>
<div dir="ltr" ><span style="font-size:10pt;" ><span style="font-family:Arial,Helvetica,sans-serif;" >christof.schmitt@us.ibm.com</span></span></div>
<div dir="ltr" ><span style="font-size:10pt;" ><span style="font-family:Arial,Helvetica,sans-serif;" >@chsc Twitter</span></span></div>
<div dir="ltr" > </div>
<div dir="ltr" ><span style="font-size:10pt;" >IBM</span></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
<div dir="ltr" > </div>
<div dir="ltr" > </div>
<blockquote data-history-content-modified="1" dir="ltr" style="border-left:solid #aaaaaa 2px; margin-left:5px; padding-left:5px; direction:ltr; margin-right:0px" >----- Original message -----<br>From: Helge Hauglin <helge.hauglin@usit.uio.no><br>Sent by: gpfsug-discuss-bounces@spectrumscale.org<br>To: gpfsug-discuss@spectrumscale.org<br>Cc:<br>Subject: [EXTERNAL] [gpfsug-discuss] Limiting CES SMB shares to specific subnets<br>Date: Tue, Feb 9, 2021 9:10 AM<br>
<div><font size="2" face="Default Monospace,Courier New,Courier,monospace" >Hi.<br><br>We have an ESS 5.0.4.3 cluster with a CES cluster serving files with<br>NFSv4 ACLs to NFS and SMB clients. This system is used for<br>sensitive research data, and will the next years house thousands of<br>research projects, which will have to be strictly separated. Each<br>project has its own subnet for the project linux and windows hosts.<br><br>Project directories are independent filesets in file systems, each<br>project directory has NFSv4 ACLs giving acces to only the project group.<br>Project NFS shares are limited to each project's subnet.<br><br>Project SMB shares have export ACLs (as in "mmsmb exportacl ..")<br>limiting share access to the project's member group, in addition to the<br>NFSv4 ACLs.<br><br>We also want to limit access to SMB shares to project subnets.<br>There is no way to specify that with "mmsmb", but we have found<br><br> /usr/lpp/mmfs/bin/net conf setparm <share> "hosts allow" <subnet><br><br>to be working, at least with some limited testing: share access is<br>actually limited to the specified subnets. The additional settings<br>seems to be stored in CTDB under /var/lib/ctdb/persistent.<br><br>We assume that the "net conf setparm" method is not officially supported<br>by IBM. Although it seems to be working, we wonder if it is a good idea<br>to implement it. For instance, we are wondering if the additional<br>settings will survive later ESS code upgrades, and if it will scale to<br>thousands of SMB shares.<br><br>We are considering doing the SMB subnet limiting outside CES, but that would<br>add complexity and overhead, so we are not very keen on that.<br><br>What do other IBM ESS customers do, do you have any advice for us?<br>Yea or nay?<br><br><br>Regards,<br><br>Helge Hauglin<br><br>----------------------------------------------------------------<br>Mr. Helge Hauglin, Senior Engineer<br>System administrator<br>Center for Information Technology, University of Oslo, Norway<br><br>_______________________________________________<br>gpfsug-discuss mailing list<br>gpfsug-discuss at spectrumscale.org<br><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss" target="_blank">http://gpfsug.org/mailman/listinfo/gpfsug-discuss</a> </font><br> </div></blockquote>
<div dir="ltr" > </div></div><BR>