[gpfsug-discuss] SMB support and config

Simon Thompson (Research Computing - IT Services) S.J.Thompson at bham.ac.uk
Mon Jul 6 11:09:08 BST 2015


Hi,

(sorry, lots of questions about this stuff at the moment!)

I'm currently looking at removing the sernet smb configs we had previously
and moving to IBM SMB. I've removed all the old packages and only now have
gpfs.smb installed on the systems.

I'm struggling to get the config tools to work for our environment.

We have an MS Windows AD Domain for authentication. For various reasons,
however, it doesn't hold the UIDs/GIDs, which are instead held in a different
LDAP directory.

In the past, we'd configure the Linux servers running Samba so that NSLCD
was configured to get details from the LDAP server. (e.g. getent passwd
would return the data for an AD user). The Linux boxes would also be
configured to use KRB5 authentication where users were allowed to ssh etc
in for password authentication.

So as far as Samba was concerned, it would do "security = ADS" and then
we'd also have "idmap config * : backend = tdb2"

I.e. Use Domain for authentication, but look locally for ID mapping data.

Now I can configure IBM SMB to use ADS for authentication:

mmuserauth service create  --type ad --data-access-method file
--netbios-name its-rds --user-name ADMINUSER --servers DOMAIN.ADF
--idmap-role subordinate


However I can't see any way for me to manipulate the config so that it
doesn't use autorid. Using this we end up with:

mmsmb config list | grep -i idmap
idmap config * : backend         autorid
idmap config * : range           10000000-299999999
idmap config * : rangesize       1000000
idmap config * : read only       yes
idmap:cache                      no


It also adds:

mmsmb config list | grep -i auth
auth methods                     guest sam winbind

(though I don't think that is a problem).


I also can't change the idmap using the mmsmb command (I think it would look
like this):
# mmsmb config change --option="idmap config * : backend=tdb2"
  idmap config * : backend=tdb2: [E] Unsupported smb option. More
information about smb options is availabe in the man page.



I can't see anything in the docs at:
http://www-01.ibm.com/support/knowledgecenter/#!/STXKQY_4.1.1/com.ibm.spectrum.scale.v4r11.adm.doc/bl1adm_configfileauthentication.htm

that gives me a clue how to do what I want.

I'd be happy to do some mixture of AD for authentication and LDAP for
lookups (rather than just falling back to "local" from nslcd), but I can't
see a way to do this, and "manual" seems to stop ADS authentication in
Samba.

Anyone got any suggestions?


Thanks

Simon
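
Added example, not part of the original post and not IBM's tooling: a shell check that reads the autorid settings from `mmsmb config list` style output and reports whether UIDs returned by `getent passwd` fall inside the autorid range. A UID outside the range can never be what autorid assigns to that user, so file ownership would differ between SMB and the nslcd view; a UID inside it can collide with an autorid allocation. The function names and the passwd sample are assumptions made for illustration; the idmap lines are the ones quoted in the post.

```shell
#!/bin/sh
# idmap lines as quoted in the post.
MMSMB_SAMPLE='idmap config * : backend         autorid
idmap config * : range           10000000-299999999
idmap config * : rangesize       1000000
idmap config * : read only       yes'

# Constructed getent-passwd style sample (hypothetical users and UIDs).
SAMPLE_PASSWD='alice:*:5012:500:Alice:/home/alice:/bin/bash
bob:*:10400123:500:Bob:/home/bob:/bin/bash'

# Read config text on stdin, print "low high rangesize"; fail if any is missing.
parse_autorid() {
    awk '
        /^idmap config \* : range[ \t]/     { split($NF, r, "-"); low = r[1]; high = r[2] }
        /^idmap config \* : rangesize[ \t]/ { size = $NF }
        END { if (low == "" || high == "" || size == "") exit 1
              print low, high, size }'
}

# Number of per-domain slots autorid can hand out: (high - low + 1) / rangesize.
autorid_slots() {
    echo $(( ($2 - $1 + 1) / $3 ))
}

# Read passwd-format lines on stdin; print "user uid inside|outside" for range $1..$2.
classify_uids() {
    awk -F: -v low="$1" -v high="$2" '
        $3 ~ /^[0-9]+$/ {
            where = ($3 + 0 >= low + 0 && $3 + 0 <= high + 0) ? "inside" : "outside"
            print $1, $3, where
        }'
}

# Demo on the embedded samples. On a live node, feed the functions from
# `mmsmb config list` and `getent passwd` instead.
range=$(printf '%s\n' "$MMSMB_SAMPLE" | parse_autorid) || exit 1
set -- $range
echo "autorid range $1-$2, rangesize $3, domain slots: $(autorid_slots "$1" "$2" "$3")"
printf '%s\n' "$SAMPLE_PASSWD" | classify_uids "$1" "$2"
```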




