[gpfsug-discuss] CES and mmuserauth command
Christof Schmitt
christof.schmitt at us.ibm.com
Fri Sep 2 19:20:45 BST 2016
After looking into this again, the source of confusion is probably from
the fact that there are three different authentication schemes present
here:
When configuring an LDAP server for file or object authentication, the
specified server, user and password are used during normal operations for
querying user data. The same applies to configuring object authentication
with AD; AD is here treated as an LDAP server.
Configuring AD for file authentication is different in that during the
"mmuserauth service create", the machine account is created, and then that
account is used to connect to a DC that is chosen from the DCs discovered
through DNS and not necessarily the one used for the initial
configuration.
I submitted an internal request to explain this better in the mmuserauth
manpage.
Regards,
Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
christof.schmitt at us.ibm.com || +1-520-799-2469 (T/L: 321-2469)
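As an added illustration of the distinction drawn in the message above (this is example code, not from the list or from IBM), here is a small Python script that reads "mmuserauth service list" output and reports, per access method, whether the listed USER_NAME is a live bind credential (LDAP, or AD used for object access) or only the account used once at join time (AD for file access). The output layout, host names and account names in SAMPLE_LISTING are constructed for the example; the real command's formatting may differ.

```python
import re
from typing import Dict, List

# Constructed sample of "mmuserauth service list" output. The exact layout of
# the real command is an assumption for this example; only the USER_NAME field
# and the file/object vs. AD/LDAP split come from the thread.
SAMPLE_LISTING = """\
FILE access configuration : AD
PARAMETERS               VALUES
-------------------------------------------------
SERVERS                  dc1.example.internal
USER_NAME                svc-cesjoin
NETBIOS_NAME             CESCLUSTER
-------------------------------------------------

OBJECT access configuration : LDAP
PARAMETERS               VALUES
-------------------------------------------------
SERVERS                  ldap.example.internal
USER_NAME                cn=ces-bind,dc=example,dc=internal
BASE_DN                  dc=example,dc=internal
-------------------------------------------------
"""

_HEADER = re.compile(r"^(FILE|OBJECT) access configuration\s*:\s*(\S+)\s*$")
_PARAM = re.compile(r"^([A-Z_]+)\s{2,}(\S.*?)\s*$")


def parse_service_list(text: str) -> Dict[str, Dict[str, str]]:
    """Split the listing into one parameter map per access method (FILE/OBJECT).

    The authentication type from the section header is stored under AUTH_TYPE.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            current = m.group(1)
            sections[current] = {"AUTH_TYPE": m.group(2).upper()}
            continue
        m = _PARAM.match(line)
        # Skip the column-title row; separator rows never match the key pattern.
        if m and current is not None and m.group(1) != "PARAMETERS":
            sections[current][m.group(1)] = m.group(2)
    return sections


def credential_role(access: str, auth_type: str) -> str:
    """Rule from the thread: only file authentication against AD replaces the
    configured user with a machine account after "service create"; every other
    combination keeps using USER_NAME and its password for lookups."""
    if access == "FILE" and auth_type == "AD":
        return "join-time only"
    return "live bind credential"


def classify(text: str) -> List[Dict[str, str]]:
    """Return one record per access method describing what USER_NAME means there."""
    records = []
    for access, params in parse_service_list(text).items():
        role = credential_role(access, params["AUTH_TYPE"])
        if role == "join-time only":
            note = ("used only to create the machine account; the account may be "
                    "removed and the listed DC retired, the machine account is "
                    "the credential to protect")
        else:
            note = ("user and password are used for every lookup during normal "
                    "operation; treat as a long-lived, least-privilege service account")
        records.append({
            "access": access,
            "auth_type": params["AUTH_TYPE"],
            "user_name": params.get("USER_NAME", ""),
            "role": role,
            "note": note,
        })
    return records


if __name__ == "__main__":
    for r in classify(SAMPLE_LISTING):
        print(f"{r['access']:6} {r['auth_type']:4} {r['user_name']:35} {r['role']}")
        print(f"       {r['note']}")
```

Running the script on the sample prints two lines per access method: the FILE/AD entry is reported as "join-time only" and the OBJECT/LDAP entry as "live bind credential". Feeding it the real command's output would need the regexes adjusted to the actual layout.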
From: Christof Schmitt/Tucson/IBM at IBMUS
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date: 08/26/2016 09:30 AM
Subject: Re: [gpfsug-discuss] CES and mmuserauth command
Sent by: gpfsug-discuss-bounces at spectrumscale.org
The --user-name option applies to both AD and LDAP authentication. In the
LDAP case, this information is correct. I will try to get some
clarification added for the AD case.
The same applies to the information shown in "service list". There is a
common field that holds the information and the parameter from the initial
"service create" is stored there. The meaning is different for AD and
LDAP: For LDAP it is the username being used to access the LDAP server,
while in the AD case it was only the user initially used until the machine
account was created.
Regards,
Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
christof.schmitt at us.ibm.com || +1-520-799-2469 (T/L: 321-2469)
From: Jan-Frode Myklebust <janfrode at tanso.net>
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date: 08/26/2016 05:59 AM
Subject: Re: [gpfsug-discuss] CES and mmuserauth command
Sent by: gpfsug-discuss-bounces at spectrumscale.org
On Fri, Aug 26, 2016 at 1:49 AM, Christof Schmitt <
christof.schmitt at us.ibm.com> wrote:
When joining the AD domain, --user-name, --password and --server are only
used to initially identify and logon to the AD and to create the machine
account for the cluster. Once that is done, that information is no longer
used, and e.g. the account from --user-name could be deleted, the password
changed or the specified DC could be removed from the domain (as long as
other DCs are remaining).
That was my initial understanding of the --user-name, but when reading the
man-page I get the impression that it's also used to connect to AD to
do user and group lookups:
------------------------------------------------------------------------------------------------------
--user-name userName
    Specifies the user name to be used to perform operations
    against the authentication server. The specified user
    name must have sufficient permissions to read user and
    group attributes from the authentication server.
------------------------------------------------------------------------------------------------------
Also it's strange that "mmuserauth service list" would list the USER_NAME
if it was only something that was used at configuration time?
-jf
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss