[gpfsug-discuss] SMB and AD authentication
Yaron Daniel
YARD at il.ibm.com
Mon Feb 27 20:04:09 GMT 2017
Hi
What does the command return when you run it on the protocols nodes:
#id 'DOM\user'
Please follow these steps:
https://www.ibm.com/support/knowledgecenter/en/STXKQY_4.2.0/ibmspectrumscale42_content.html
SA23-1452-06
05/2016
IBM Spectrum Scale V4.2: Administration and Programming Reference
Page - 135
Creating SMB share
Use the following information to create an SMB share:
1. Create the directory to be exported through SMB:
mmcrfileset fs01 fileset --inode-space=new
mmlinkfileset fs01 fileset -J /gpfs/fs01/fileset
mkdir /gpfs/fs01/fileset/smb
Note: IBM recommends an independent fileset for SMB shares.
Create a new independent fileset with these commands:
mmcrfileset fs01 fileset --inode-space=new
mmlinkfileset fs01 fileset -J /gpfs/fs01/fileset
If the directory to be exported does not exist, create the directory first
by running the following command:
mkdir /gpfs/fs01/fileset/smb
2. The recommended approach for managing access to the SMB share is to
manage the ACLs from a Windows client machine. To change the ACLs from a
Windows client, change the owner of the share folder to a user ID that
will be used to make the ACL changes by running the following command:
chown "DOMAIN\smbadmin" /gpfs/fs01/fileset/smb
3. Create the actual SMB share on the existing directory:
mmsmb export add smbexport /gpfs/fs01/fileset/smb
Additional options can be set during share creation. For the documentation
of all supported options, see "mmsmb command" on page 663.
4. Verify that the share has been created:
mmsmb export list
5. Access the share from a Windows client using the user ID that has been
previously made the owner of the folder.
6. Right-click the folder in the Windows Explorer, open the Security tab,
click Advanced, and modify the Access Control List as required.
Note: An SMB share can only be created when the ACL setting of the
underlying file system is -k nfsv4. In all other cases, mmsmb export
create will fail with an error.
See "Authorizing protocol users" on page 200 for details and limitations
Regards
Yaron Daniel
Server, Storage and Data Services - Team Leader
Global Technology Services
IBM Israel
94 Em Ha'Moshavot Rd, Petach Tiqva, 49527, Israel
Phone: +972-3-916-5672
Fax: +972-3-916-5672
Mobile: +972-52-8395593
e-mail: yard at il.ibm.com
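The check below is an added example, not part of the original message or of IBM's documentation. It compares step 2 of the quoted procedure with the kind of output posted in this thread by reading `mmsmb export list` and `ls -l` text and reporting whether the export directory is owned by an AD account. The function names are hypothetical, the sample input is constructed from the thread, and it assumes AD owners are displayed in `DOMAIN\user` form.

```shell
#!/bin/sh
# Helpers take captured command output as text, so they also work offline.

# Print the path column for export $1 from `mmsmb export list` output (stdin).
export_path() {
    awk -v name="$1" '$1 == name { print $2; found = 1 } END { exit !found }'
}

# Print the owner field of the `ls -l` entry named $1 (listing on stdin).
entry_owner() {
    awk -v name="$1" '$NF == name { print $3; found = 1 } END { exit !found }'
}

# Step 2 expects the share folder to be owned by an AD account.
# Assumption: such owners are displayed as DOMAIN\user. Returns 0 if so.
owner_is_domain_user() {
    case "$1" in
        *\\*) return 0 ;;
        *)    return 1 ;;
    esac
}

# $1 export name, $2 `mmsmb export list` output, $3 `ls -l` of parent dir.
# Returns 0 = owned by AD user, 1 = local owner, 2 = export/path not found.
check_export() {
    path=$(printf '%s\n' "$2" | export_path "$1") \
        || { echo "error: export $1 not listed"; return 2; }
    owner=$(printf '%s\n' "$3" | entry_owner "${path##*/}") \
        || { echo "error: ${path##*/} not in listing"; return 2; }
    if owner_is_domain_user "$owner"; then
        echo "ok: $path is owned by $owner"
    else
        echo "warn: $path is owned by local user $owner (step 2 chown not applied)"
        return 1
    fi
}

# Constructed sample input, copied from the output shown in this thread.
SAMPLE_EXPORTS='export path browseable guest ok smb encrypt
share2 /gpfs/fs1/sales yes no auto'
SAMPLE_LS='total 0
drwxrwxrwx 2 root root 4096 Feb 25 12:33 sales'

check_export share2 "$SAMPLE_EXPORTS" "$SAMPLE_LS" || true
```

On a protocol node the two text arguments would come from `mmsmb export list` and `ls -l` of the export's parent directory.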
From: "Mark.Bush at siriuscom.com" <Mark.Bush at siriuscom.com>
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date: 02/27/2017 09:50 PM
Subject: Re: [gpfsug-discuss] SMB and AD authentication
Sent by: gpfsug-discuss-bounces at spectrumscale.org
[root@n1 ~]# mmsmb export list share2
export   path              browseable   guest ok   smb encrypt
share2   /gpfs/fs1/sales   yes          no         auto
[root@n1 ~]# ls -l /gpfs/fs1
total 0
drwxrwxrwx 2 root root 4096 Feb 25 12:33 sales
From: <gpfsug-discuss-bounces at spectrumscale.org> on behalf of Yaron Daniel
<YARD at il.ibm.com>
Reply-To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date: Monday, February 27, 2017 at 1:46 PM
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Subject: Re: [gpfsug-discuss] SMB and AD authentication
Hi
Can you show the share config + ls -l on the share Fileset/Directory from
the protocols nodes?
Regards
Yaron Daniel
From: "Mark.Bush at siriuscom.com" <Mark.Bush at siriuscom.com>
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date: 02/27/2017 09:41 PM
Subject: [gpfsug-discuss] SMB and AD authentication
Sent by: gpfsug-discuss-bounces at spectrumscale.org
For some reason, I just can't seem to get this to work. I have configured
my protocol nodes to authenticate to AD using the following:
mmuserauth service create --type ad --data-access-method file --servers 192.168.88.3 --user-name administrator --netbios-name scale --idmap-role master --password ********* --idmap-range-size 1000000 --idmap-range 10000000-299999999 --enable-nfs-kerberos --unixmap-domains 'sirius(10000-20000)'
All goes well, I see the nodes in AD and all of the wbinfo commands show
good (id Sirius\\administrator doesn't work though), but when I try to
mount an SMB share (after doing all the necessary mmsmb export stuff) I
get permission denied. I'm curious if I missed a step (followed the docs
pretty much to the letter). I'm trying Administrator, mark.bush, and a
dummy aduser I created. None seem to gain access to the share.
Protocol gurus help! Any ideas are appreciated.
Mark R. Bush| Storage Architect
Mobile: 210-237-8415
Twitter: @bushmr| LinkedIn: /markreedbush
10100 Reunion Place, Suite 500, San Antonio, TX 78216
www.siriuscom.com|mark.bush at siriuscom.com
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss