[gpfsug-discuss] SS 4.2.1 + CES NFS / SMB

Andy Parker1 andy_parker1 at uk.ibm.com
Tue Nov 15 15:34:49 GMT 2016


Thanks for the responses,  using iptrace on AIX I was able to confirm that 
indeed the following is passed and cannot be matched by the AIX NFSV4 
client. 
SPECTRUMSCALE\testuser1 at virtual1.com .  This is in the response packet 
sent back from the CES server to the AIX NFSV4 client.

Sent by Spectrum CES     SPECTRUMSCALE\testuser1 at virtual1.com
Expected by AIX NFSV4   testuser1 at virtual1.com
!!!!!!!! NO MATCH !!!!!!!

00000200     00000180 00000001 00000024 53504543     |...........$SPEC|
00000210     5452554d 5343414c 455c7465 73747573     |TRUMSCALE\testus|
00000220     65723140 76697274 75616c31 2e636f6d     |er1 at virtual1.com|
00000230     0000001f 53504543 5452554d 5343414c     |....SPECTRUMSCAL|
00000240     455c7465 73744076 69727475 616c312e     |E\test at virtual1.|
00000250     636f6d00 00000000 00000000 00000000     |com.............|

Out of interest I setup an AIX 7.1 NFSV4  Server and AIX 7.1 NFSV4 client 
both authenticating against the AD LDAP.  This worked
fine.  I suspect this is because the AIX LDAP (Posix) does attribute 
mapping so we only see the UID not DOMAIN\uid ..

vi /etc/security/ldap/ldap.cfg
<extract>
# AIX-LDAP attribute map path.
userattrmappath:/etc/security/ldap/sfur2user.map
groupattrmappath:/etc/security/ldap/sfur2group.map

# grep -i uid sfur2user.map 
username        SEC_CHAR        uid                     s       na yes
id              SEC_INT         uidNumber               s       na yes

I wonder if Solaris 10/11 and HP-UX 11 are also not supported using NFSv4. 
 Does anyone know if the SpectrumScale CES (NFS/SMB) has a supported
operating systems list published.  I checked here but nothing found.

http://www.ibm.com/support/knowledgecenter/STXKQY_4.2.1/com.ibm.spectrum.scale.v4r21.doc/bl1adm_authenticationlimitations.htm

# Going Forward

Initially we want to provide only NFS and SMB CesNode services.  So we 
based our decision to use AD + RFC2307 
based on this table, believing that it would provide what we need today 
and future proof us a little by potentially allowing
expansion to OBJ in the future. 

http://www.ibm.com/support/knowledgecenter/STXKQY_4.2.1/com.ibm.spectrum.scale.v4r21.doc/bl1ins_authconcept.htm

NFSv4 is pretty mandatory in our design, we want to get rid of using 
Netgroup's and NFS V3 UID/GID mapping which as weak security.
Ideally on day one we would want NFSV4 and Kerberos to provide better 
security for our clients.  Its also likely that in the future corporate
security policies may ban netgroup's for NFS authorization so using NFSv4 
+ kerberos would position my department well for future changes.

Based on the table I guess I need to setup LDAP / TLS / Kerberos as the 
authentication service which will cover all bases expect OBJECT.

Thanks again for everyone's comments, this was my first post and the 
responses were all very welcome.

Rgds Andy


 Andy Parker
Cloud & Development Platforms (C&DP) 



Andy_Parker1 at uk.ibm.com
Desk: DW1B14 




Tel: 37-245326 (01962-815326)
Post: MP100, IBM Hursley Park, Winchester, SO21 2JN






From:   "Chetan R Kulkarni" <chetkulk at in.ibm.com>
To:     gpfsug-discuss at spectrumscale.org
Date:   15/11/2016 06:01
Subject:        [gpfsug-discuss]  SS 4.2.1 + CES NFS / SMB
Sent by:        gpfsug-discuss-bounces at spectrumscale.org



>> Summary / Question:
>> Can anybody explain why I do not see userID / Group names when  viewing 

>> via a NFS4 client and ideally how to fix this.

This is not supported by Spectrum Scale (i.e. NFSv4 mount/access on AIX 
clients with AD+RFC2307 file authentication). 

Reason being AIX client integrates with AD like LDAP i.e. AIX client can't 
resolve the user in format "DOMAIN\user".
NFSv4 server returns user in "DOMAIN\user" format and as AIX client 
doesn't understand "DOMAIN\user"; it translates to "nobody". Hence you see 
"nobody" under AIX NFSv4 mount.

Please note that; with RHEL clients we see correct ownership under NFSv4 
mounts. This is because RHEL clients integrate with AD as pure AD client 
(using winbind or SSSD) i.e. users resolve successfully in "DOMAIN\user" 
format on RHEL clients.

Thanks,
Chetan._______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss



Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 
741598. 
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20161115/9a90e35a/attachment-0002.htm>


More information about the gpfsug-discuss mailing list