[gpfsug-discuss] CES and mmuserauth command

Christof Schmitt christof.schmitt at us.ibm.com
Fri Sep 2 19:20:45 BST 2016


After looking into this again, the source of confusion is probably from 
the fact that there are three different authentication schemes present 
here:

When configuring an LDAP server for file or object authentication, then the 
specified server, user and password are used during normal operations for 
querying user data. The same applies for configuring object authentication 
with AD; AD is here treated as an LDAP server.

Configuring AD for file authentication is different in that during the 
"mmuserauth service create", the machine account is created, and then that 
account is used to connect to a DC that is chosen from the DCs discovered 
through DNS and not necessarily the one used for the initial 
configuration.

I submitted an internal request to explain this better in the mmuserauth 
manpage.

Regards,

Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469    (T/L: 321-2469)



From:   Christof Schmitt/Tucson/IBM at IBMUS
To:     gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date:   08/26/2016 09:30 AM
Subject:        Re: [gpfsug-discuss] CES and mmuserauth command
Sent by:        gpfsug-discuss-bounces at spectrumscale.org



The --user-name option applies to both, AD and LDAP authentication. In the 
LDAP case, this information is correct. I will try to get some 
clarification added for the AD case.

The same applies to the information shown in "service list". There is a 
common field that holds the information and the parameter from the initial 
"service create" is stored there. The meaning is different for AD and 
LDAP: For LDAP it is the username being used to access the LDAP server, 
while in the AD case it was only the user initially used until the machine 
account was created.

Regards,

Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469    (T/L: 321-2469)



From:   Jan-Frode Myklebust <janfrode at tanso.net>
To:     gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date:   08/26/2016 05:59 AM
Subject:        Re: [gpfsug-discuss] CES and mmuserauth command
Sent by:        gpfsug-discuss-bounces at spectrumscale.org




On Fri, Aug 26, 2016 at 1:49 AM, Christof Schmitt <
christof.schmitt at us.ibm.com> wrote:

When joining the AD domain, --user-name, --password and --server are only
used to initially identify and logon to the AD and to create the machine
account for the cluster. Once that is done, that information is no longer
used, and e.g. the account from --user-name could be deleted, the password
changed or the specified DC could be removed from the domain (as long as
other DCs are remaining).


That was my initial understanding of the --user-name, but when reading the 
man-page I get the impression that it's also used to connect to AD to 
do user and group lookups:

------------------------------------------------------------------------------------------------------
--user-name userName
         Specifies the user name to be used to perform operations
         against the authentication server. The specified user
         name must have sufficient permissions to read user and
         group attributes from the authentication server. 
-------------------------------------------------------------------------------------------------------

Also it's strange that "mmuserauth service list" would list the USER_NAME 
if it was only something that was used at configuration time..?



  -jf

_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss