[gpfsug-discuss] SMB and AD authentication

Yaron Daniel YARD at il.ibm.com
Mon Feb 27 20:04:09 GMT 2017 

Hi

What does the command return when you run it on the protocols nodes:
#id 'DOM\user'

Please follow this steps:

https://www.ibm.com/support/knowledgecenter/en/STXKQY_4.2.0/ibmspectrumscale42_content.html


SA23-1452-06
05/2016

IBM Spectrum Scale V4.2: Administration and Programming Reference

Page - 135
Creating SMB share
Use the following information to create an SMB share:
1. Create the directory to be exported through SMB:
mmcrfileset fs01 fileset --inode-space=new
mmlinkfileset fs01 fileset -J /gpfs/fs01/fileset
mkdir /gpfs/fs01/fileset/smb
Note: IBM recommends an independent fileset for SMB shares.
Create a new independent fileset with these commands:
mmcrfileset fs01 fileset --inode-space=new
mmlinkfileset fs01 fileset -J /gpfs/fs01/fileset
If the directory to be exported does not exist, create the directory first 
by running the following
command:
mkdir /gpfs/fs01/fileset/smb"
2. The recommended approach for managing access to the SMB share is to 
manage the ACLs from a
Windows client machine. To change the ACLs from a Windows client, change 
the owner of the share
folder to a user ID that will be used to make the ACL changes by running 
the following command:
chown ?DOMAIN\smbadmin? /gpfs/fs01/fileset/smb
3. Create the actual SMB share on the existing directory:
mmsmb export add smbexport /gpfs/fs01/fileset/smb
Additional options can be set during share creation. For the documentation 
of all supported options,
see ?mmsmb command? on page 663.
4. Verify that the share has been created:
mmsmb export list
5. Access the share from a Windows client using the user ID that has been 
previously made the owner
of the folder.
6. Right-click the folder in the Windows Explorer, open the Security tab, 
click Advanced, and modify
the Access Control List as required.
Note: An SMB share can only be created when the ACL setting of the 
underlying file system is -k
nfsv4. In all other cases, mmsmb export create will fail with an error.
See ?Authorizing protocol users? on page 200 for details and limitations

 
Regards
 


 
 
Yaron Daniel
 94 Em Ha'Moshavot Rd

Server, Storage and Data Services - Team Leader  
 Petach Tiqva, 49527
Global Technology Services
 Israel
Phone:
+972-3-916-5672
 
 
Fax:
+972-3-916-5672
 
 
Mobile:
+972-52-8395593
 
 
e-mail:
yard at il.ibm.com
 
 
IBM Israel
 
 
 
 

 



From:   "Mark.Bush at siriuscom.com" <Mark.Bush at siriuscom.com>
To:     gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date:   02/27/2017 09:50 PM
Subject:        Re: [gpfsug-discuss] SMB and AD authentication
Sent by:        gpfsug-discuss-bounces at spectrumscale.org



[root at n1 ~]# mmsmb export list share2
 
export   path              browseable   guest ok   smb encrypt
share2   /gpfs/fs1/sales   yes          no         auto
 
[root at n1 ~]# ls -l /gpfs/fs1
total 0
drwxrwxrwx 2 root root 4096 Feb 25 12:33 sales
 
 
From: <gpfsug-discuss-bounces at spectrumscale.org> on behalf of Yaron Daniel 
<YARD at il.ibm.com>
Reply-To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date: Monday, February 27, 2017 at 1:46 PM
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Subject: Re: [gpfsug-discuss] SMB and AD authentication
 
Hi

Can you show the share config + ls -l on the share Fileset/Directory from 
the protocols nodes ?

  
Regards
 


 
 
Yaron Daniel
 94 Em Ha'Moshavot Rd

Server, Storage and Data Services- Team Leader 
 Petach Tiqva, 49527
Global Technology Services
 Israel
Phone:
+972-3-916-5672
 
 
Fax:
+972-3-916-5672
 
 
Mobile:
+972-52-8395593
 
 
e-mail:
yard at il.ibm.com
 
 
IBM Israel
 
 
 
 
 
 



From:        "Mark.Bush at siriuscom.com" <Mark.Bush at siriuscom.com>
To:        gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date:        02/27/2017 09:41 PM
Subject:        [gpfsug-discuss] SMB and AD authentication
Sent by:        gpfsug-discuss-bounces at spectrumscale.org




For some reason, I just can?t seem to get this to work.  I have configured 
my protocol nodes to authenticate to AD using the following 
 
mmuserauth service create --type ad --data-access-method file --servers 
192.168.88.3 --user-name administrator --netbios-name scale --idmap-role 
master --password ********* --idmap-range-size 1000000 --idmap-range 
10000000-299999999 --enable-nfs-kerberos --unixmap-domains 
'sirius(10000-20000)'
 
 
All goes well, I see the nodes in AD and all of the wbinfo commands show 
good (id Sirius\\administrator doesn?t work though), but when I try to 
mount an SMB share (after doing all the necessary mmsmb export stuff) I 
get permission denied.  I?m curious if I missed a step (followed the docs 
pretty much to the letter).  I?m trying Administrator, mark.bush, and a 
dummy aduser I created.  None seem to gain access to the share. 
 
Protocol gurus help!  Any ideas are appreciated.
 
 

Mark R. Bush| Storage Architect
Mobile: 210-237-8415 
Twitter: @bushmr| LinkedIn: /markreedbush
10100 Reunion Place, Suite 500, San Antonio, TX 78216
www.siriuscom.com|mark.bush at siriuscom.com
  
This message (including any attachments) is intended only for the use of 
the individual or entity to which it is addressed and may contain 
information that is non-public, proprietary, privileged, confidential, and 
exempt from disclosure under applicable law. If you are not the intended 
recipient, you are hereby notified that any use, dissemination, 
distribution, or copying of this communication is strictly prohibited. 
This message may be viewed by parties at Sirius Computer Solutions other 
than those named in the message header. This message does not contain an 
official representation of Sirius Computer Solutions. If you have received 
this communication in error, notify Sirius Computer Solutions immediately 
and (i) destroy this message if a facsimile or (ii) delete this message 
immediately if this is an electronic communication. Thank you. 
Sirius Computer Solutions _______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
 _______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20170227/546afbc2/attachment-0002.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 1851 bytes
Desc: not available
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20170227/546afbc2/attachment-0004.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 1852 bytes
Desc: not available
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20170227/546afbc2/attachment-0005.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 8746 bytes
Desc: not available
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20170227/546afbc2/attachment-0002.png>

More information about the gpfsug-discuss mailing list