[gpfsug-discuss] SS 4.2.1 + CES NFS / SMB
Andy Parker1
andy_parker1 at uk.ibm.com
Tue Nov 15 15:34:49 GMT 2016
Thanks for the responses. Using iptrace on AIX I was able to confirm that
indeed the following is passed and cannot be matched by the AIX NFSV4
client:
SPECTRUMSCALE\testuser1@virtual1.com. This is in the response packet
sent back from the CES server to the AIX NFSV4 client.
Sent by Spectrum CES:    SPECTRUMSCALE\testuser1@virtual1.com
Expected by AIX NFSV4:   testuser1@virtual1.com
!!!!!!!! NO MATCH !!!!!!!
00000200 00000180 00000001 00000024 53504543 |...........$SPEC|
00000210 5452554d 5343414c 455c7465 73747573 |TRUMSCALE\testus|
00000220 65723140 76697274 75616c31 2e636f6d |er1@virtual1.com|
00000230 0000001f 53504543 5452554d 5343414c |....SPECTRUMSCAL|
00000240 455c7465 73744076 69727475 616c312e |E\test@virtual1.|
00000250 636f6d00 00000000 00000000 00000000 |com.............|
Out of interest I set up an AIX 7.1 NFSV4 server and AIX 7.1 NFSV4 client,
both authenticating against the AD LDAP. This worked fine. I suspect this
is because the AIX LDAP (Posix) does attribute mapping, so we only see the
UID, not DOMAIN\uid.
vi /etc/security/ldap/ldap.cfg
<extract>
# AIX-LDAP attribute map path.
userattrmappath:/etc/security/ldap/sfur2user.map
groupattrmappath:/etc/security/ldap/sfur2group.map
# grep -i uid sfur2user.map
username SEC_CHAR uid s na yes
id SEC_INT uidNumber s na yes
I wonder if Solaris 10/11 and HP-UX 11 are also not supported using NFSv4.
Does anyone know if the SpectrumScale CES (NFS/SMB) has a supported
operating systems list published? I checked here but found nothing.
http://www.ibm.com/support/knowledgecenter/STXKQY_4.2.1/com.ibm.spectrum.scale.v4r21.doc/bl1adm_authenticationlimitations.htm
# Going Forward
Initially we want to provide only NFS and SMB CesNode services, so we
based our decision to use AD + RFC2307 on this table, believing that it
would provide what we need today and future-proof us a little by
potentially allowing expansion to OBJ in the future.
http://www.ibm.com/support/knowledgecenter/STXKQY_4.2.1/com.ibm.spectrum.scale.v4r21.doc/bl1ins_authconcept.htm
NFSv4 is pretty mandatory in our design; we want to get rid of using
netgroups and NFS V3 UID/GID mapping, which has weak security.
Ideally on day one we would want NFSV4 and Kerberos to provide better
security for our clients. It's also likely that in the future corporate
security policies may ban netgroups for NFS authorization, so using NFSv4
+ Kerberos would position my department well for future changes.
Based on the table I guess I need to set up LDAP / TLS / Kerberos as the
authentication service, which will cover all bases except OBJECT.
Thanks again for everyone's comments, this was my first post and the
responses were all very welcome.
Rgds Andy
Andy Parker
Cloud & Development Platforms (C&DP)
Andy_Parker1 at uk.ibm.com
Desk: DW1B14
Tel: 37-245326 (01962-815326)
Post: MP100, IBM Hursley Park, Winchester, SO21 2JN
From: "Chetan R Kulkarni" <chetkulk at in.ibm.com>
To: gpfsug-discuss at spectrumscale.org
Date: 15/11/2016 06:01
Subject: [gpfsug-discuss] SS 4.2.1 + CES NFS / SMB
Sent by: gpfsug-discuss-bounces at spectrumscale.org
>> Summary / Question:
>> Can anybody explain why I do not see userID / Group names when viewing
>> via a NFS4 client and ideally how to fix this.
This is not supported by Spectrum Scale (i.e. NFSv4 mount/access on AIX
clients with AD+RFC2307 file authentication).
Reason being, the AIX client integrates with AD like LDAP, i.e. the AIX
client can't resolve the user in the format "DOMAIN\user".
The NFSv4 server returns the user in "DOMAIN\user" format, and as the AIX
client doesn't understand "DOMAIN\user", it translates to "nobody". Hence
you see "nobody" under the AIX NFSv4 mount.
Please note that with RHEL clients we see correct ownership under NFSv4
mounts. This is because RHEL clients integrate with AD as pure AD clients
(using winbind or SSSD), i.e. users resolve successfully in "DOMAIN\user"
format on RHEL clients.
Thanks,
Chetan.
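
An added example, not part of the original thread: it decodes the two length-prefixed (XDR) strings transcribed from the iptrace dump in the message above and flags the "DOMAIN\user" form that the reply says the AIX client cannot resolve. The function names and the name@domain-only acceptance rule are assumptions made for illustration, not AIX or Spectrum Scale code.

```python
import struct

# Bytes transcribed from the hex columns of the dump in the post, starting at
# the first length word (offset 0x208) and ending after the second string.
CAPTURE = bytes.fromhex(
    "00000024" "53504543" "5452554d" "5343414c" "455c7465" "73747573"
    "65723140" "76697274" "75616c31" "2e636f6d"
    "0000001f" "53504543" "5452554d" "5343414c"
    "455c7465" "73744076" "69727475" "616c312e" "636f6d00"
)

def read_xdr_strings(buf):
    """Decode consecutive XDR strings: 4-byte big-endian length, data, pad to 4."""
    out, pos = [], 0
    while pos + 4 <= len(buf):
        (n,) = struct.unpack_from(">I", buf, pos)
        pos += 4
        if n == 0 or pos + n > len(buf):
            break  # zero fill or truncated capture
        out.append(buf[pos:pos + n].decode("utf-8"))
        pos += (n + 3) & ~3  # skip the string and its padding
    return out

def classify(owner, local_domain):
    """Assumed model of a client that only accepts plain name@domain strings."""
    name, sep, domain = owner.rpartition("@")
    if not sep:
        return "no-domain"
    if domain.lower() != local_domain.lower():
        return "domain-mismatch"
    if "\\" in name:
        return "netbios-prefixed"  # DOMAIN\user form, shown as nobody per the thread
    return "ok"

def report(buf, local_domain):
    """Pair every decoded string with its verdict."""
    return [(s, classify(s, local_domain)) for s in read_xdr_strings(buf)]

if __name__ == "__main__":
    for s, verdict in report(CAPTURE, "virtual1.com"):
        print(f"{verdict:17} {s}")
```

Run against a capture from a client whose mount shows "nobody", a "netbios-prefixed" verdict points at the name format sent by the server rather than at a domain mismatch on the client.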