[gpfsug-discuss] SMB support and config

Simon Thompson (Research Computing - IT Services) S.J.Thompson at bham.ac.uk
Tue Jul 7 12:39:24 BST 2015


So based on what I’m seeing ...

When you run mmstartup, the start process edits /etc/nsswitch.conf.

I’ve managed to make it work in my environment, but I had to edit the file
/usr/lpp/mmfs/bin/mmcesop to make it put ldap instead of winbind when it
starts up.

I also had to do some studious use of "net conf delparm" … Which is
probably not a good idea.

I did try using:
mmuserauth service create --type userdefined --data-access-method file


And then setting the "security = ADS" parameters by hand with "net conf"
(can’t do it with mmsmb), and a manual "net ads join", but I couldn’t get
it to authenticate clients properly. I can’t work out why just at the
moment.

But even then when mmshutdown runs, it still goes ahead and edits
/etc/nsswitch.conf

I’ve got a ticket open with IBM at the moment via our integrator to see
what they say.

But I’m not sure I like something going off and poking things like
/etc/nsswitch.conf at startup/shutdown. I can sorta see that at config
time, but when services start etc., I’m not sure I really like that idea!

Simon

On 06/07/2015 23:06, "Kallback-Rose, Kristy A" <kallbac at iu.edu> wrote:

>Just to chime in as another interested party, we do something fairly
>similar but use sssd instead of nslcd. Very interested to see how
>accommodating the IBM Samba is to local configuration needs.
>
>Best,
>Kristy
>
>On Jul 6, 2015, at 6:09 AM, Simon Thompson (Research Computing - IT
>Services) <S.J.Thompson at bham.ac.uk> wrote:
>
>> Hi,
>> 
>> (sorry, lots of questions about this stuff at the moment!)
>> 
>> I'm currently looking at removing the sernet smb configs we had
>> previously and moving to IBM SMB. I've removed all the old packages and
>> only now have gpfs.smb installed on the systems.
>> 
>> I'm struggling to get the config tools to work for our environment.
>> 
>> We have an MS Windows AD Domain for authentication. For various reasons,
>> however, it doesn't hold the UIDs/GIDs, which are instead held in a
>> different LDAP directory.
>> 
>> In the past, we'd configure the Linux servers running Samba so that
>> NSLCD was configured to get details from the LDAP server (e.g. getent
>> passwd would return the data for an AD user). The Linux boxes would also
>> be configured to use KRB5 authentication where users were allowed to ssh
>> etc. in for password authentication.
>> 
>> So as far as Samba was concerned, it would do "security = ADS" and then
>> we'd also have "idmap config * : backend = tdb2"
>> 
>> I.e. use the Domain for authentication, but look locally for ID mapping
>> data.
>> 
>> Now I can configure IBM SMB to use ADS for authentication:
>> 
>> mmuserauth service create  --type ad --data-access-method file
>> --netbios-name its-rds --user-name ADMINUSER --servers DOMAIN.ADF
>> --idmap-role subordinate
>> 
>> 
>> However I can't see any way for me to manipulate the config so that it
>> doesn't use autorid. Using this we end up with:
>> 
>> mmsmb config list | grep -i idmap
>> idmap config * : backend         autorid
>> idmap config * : range           10000000-299999999
>> idmap config * : rangesize       1000000
>> idmap config * : read only       yes
>> idmap:cache                      no
>> 
>> 
>> It also adds:
>> 
>> mmsmb config list | grep -i auth
>> auth methods                     guest sam winbind
>> 
>> (though I don't think that is a problem).
>> 
>> 
>> I also can't change the idmap using the mmsmb command (I think it would
>> look like this):
>> # mmsmb config change --option="idmap config * : backend=tdb2"
>> idmap config * : backend=tdb2: [E] Unsupported smb option. More
>> information about smb options is availabe in the man page.
>> 
>> 
>> 
>> I can't see anything in the docs at:
>> 
>> http://www-01.ibm.com/support/knowledgecenter/#!/STXKQY_4.1.1/com.ibm.spectrum.scale.v4r11.adm.doc/bl1adm_configfileauthentication.htm
>> 
>> that gives me a clue how to do what I want.
>> 
>> I'd be happy to do some mixture of AD for authentication and LDAP for
>> lookups (rather than just falling back to "local" from nslcd), but I
>> can't see a way to do this, and "manual" seems to stop ADS authentication
>> in Samba.
>> 
>> Anyone got any suggestions?
>> 
>> 
>> Thanks
>> 
>> Simon
>> 
>> 
>> _______________________________________________
>> gpfsug-discuss mailing list
>> gpfsug-discuss at gpfsug.org
>> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
>
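A small drift check that follows from the nsswitch.conf complaint in this thread, added here as an example and not code from the thread or from IBM's tooling: it reads the active passwd/group lines of an nsswitch.conf and reports whether the expected source (ldap) is still listed or whether winbind has been substituted. The two files it checks are constructed samples written to temp files; in practice you would point it at /etc/nsswitch.conf before and after mmstartup/mmshutdown.

```shell
#!/bin/sh
# Added drift check (not from the thread): does /etc/nsswitch.conf still list
# the expected source (ldap) for passwd/group, or did mmstartup/mmshutdown
# swap in winbind? File paths and contents below are constructed samples.

# nss_source_ok FILE DB WANT: 0 if DB's active line lists WANT and not winbind.
nss_source_ok() {
    conf=$1; db=$2; want=$3
    # First uncommented "db:" line; drop any trailing "# ..." comment.
    line=$(grep -E "^[[:space:]]*${db}:" "$conf" | head -n 1)
    line=${line%%#*}
    [ -n "$line" ] || { echo "no '${db}:' entry in $conf"; return 1; }
    sources=" ${line#*:} "
    case "$sources" in
        *" winbind "*) echo "$db now uses winbind: $line"; return 1 ;;
    esac
    case "$sources" in
        *" $want "*) return 0 ;;
        *) echo "$db does not use $want: $line"; return 1 ;;
    esac
}

# nss_check_all FILE [WANT]: check passwd and group together (default WANT=ldap).
nss_check_all() {
    conf=$1; want=${2:-ldap}; rc=0
    for db in passwd group; do
        nss_source_ok "$conf" "$db" "$want" || rc=1
    done
    return $rc
}

# Constructed sample: the hand-maintained file (LDAP holds the UIDs/GIDs).
GOOD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
passwd:     files ldap
group:      files ldap
shadow:     files ldap
hosts:      files dns
EOF
# Constructed sample: what the file looks like after being rewritten to winbind.
BAD_CONF=$(mktemp)
cat >"$BAD_CONF" <<'EOF'
# passwd: files ldap   <- old line left as a comment
passwd:     files winbind
group:      files winbind   # rewritten at service start
hosts:      files dns
EOF
nss_check_all "$GOOD_CONF" && echo "expected config: OK"
nss_check_all "$BAD_CONF" || echo "drift detected: nsswitch.conf was rewritten"
```

Running it on the real file from a cron job or a post-mmstartup hook gives a non-zero exit whenever the ldap source has been displaced, which is the condition the thread describes.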
