[gpfsug-discuss] Spectrum Scale CES adds only Domain Admin to local

Engeli Willi (ID SD) willi.engeli at id.ethz.ch
Fri Mar 31 12:46:02 BST 2017


Hi Christoph,
This solved my issues in most areas.
Now I will probably add our Storage Management Group to local Administrators
group, this way we are able to use all strong utilities like subinacl etc,
and will be able to migrate to Spectrum Scale using robocopy with /ZB option
working properly.

For our Share-responsible Administrator we probably will add their
Management user to the 'admin Users' option of the specific share allowing
them to do whatever they need to do, knowing that some tools may work with
limitations.

Do you know if we may also add a builtin group named BackupOperators?

Regards
Willi

-----Original Message-----
From: gpfsug-discuss-bounces at spectrumscale.org
[mailto:gpfsug-discuss-bounces at spectrumscale.org] On behalf of
gpfsug-discuss-request at spectrumscale.org
Sent: Friday, 31 March 2017 13:00
To: gpfsug-discuss at spectrumscale.org
Subject: gpfsug-discuss Digest, Vol 62, Issue 82


Message: 1
Date: Thu, 30 Mar 2017 13:18:21 -0700
From: "Christof Schmitt" <christof.schmitt at us.ibm.com>
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Subject: Re: [gpfsug-discuss] Spectrum Scale CES adds only Domain
	Admin to local Administrators group
Message-ID: <OFA3AD3B5D.41825BBB-ON072580F3.005CF921-072580F3.006F8B12 at notes.na.collabserv.com>
Content-Type: text/plain; charset="US-ASCII"

willi.engeli at id.ethz.ch wrote on 03/30/2017 07:23:40 AM:

> >-Last time I checked simply adding a normal computer object to the
> domain didn't add the account of the adding user to the local
> administrators group and CES is no exception.
> 
> We have been using before a competitor Product as a NAS system. With
> that system, we were able to define virtual NAS Servers, each one joined
> as an independent object to AD. When joined, we found the 'Domain Admin'
> group and the joining user as member of local administrators group of
> that virtual server.
> Since our AD is quite big, it is structured into many OU. We as the
> Storage OU have OU admin rights, but we are not member of "Domain Admin"
> group.
> Looking back, we were able by ourselves to add the required groups as
> needed to the local Administrators group of the NAS server.
> Why is this important? Since we have quite a mix of OS accessing our
> shares, some of them create exclusive access rights at the time they
> create profiles etc. At the end of the lifecycle, one needs to delete
> those files via the SMB / NFSV4 protocol, which is difficult if not
> having access rights.
> On the other hand, we have seen situations, where one OS corrupted the
> ACL and could not access anymore. Also this needs to be handled by us,
> giving us a hard time not being member of the administrators group. I.e.
> the MS tool subinacl does check the privileges before trying to modify
> ACLs, and if not being member of the Administrators group, not all
> required privileges are granted.

There are two parts to that in Spectrum Scale:

1) There is an option to declare a user as 'admin users'. The notion there
is that this user is mapped to root on access, thus this user can always
access files and fix access issues. The user defined here should not be
used for normal usage; this is only recommended for data migrations and to
fix access issues.

2) When joining Spectrum Scale to an Active Directory domain, the Domain
Admins group is added to the internal Administrators group (sometimes
referred to as BUILTIN\Administrators). One way to change the membership in
that group would be through the MMC on a Windows client. Initially only
Domain Admins are allowed; a member of this group would be required to add
other users or groups. Alternatively, the "net sam" interface can be used
to modify the group from root access on the protocol nodes:

/usr/lpp/mmfs/bin/net sam listmem Administrators
    to list the members of the Administrators group.

/usr/lpp/mmfs/bin/net sam addmem Administrators DOMAIN\user
    to add a member.

/usr/lpp/mmfs/bin/net sam delmem Administrators DOMAIN\user
    to remove a member.

This is currently an untested feature and not exposed through the CLI.
If there is a need to have this exposed through the CLI or GUI, that should
be requested through an RFE so that it can feed into the planning and
prioritization for future releases.

Regards,

Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469    (T/L: 321-2469)
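Because membership of BUILTIN\Administrators on the protocol nodes can be changed both from the MMC and via "net sam", it is worth auditing it for drift. The following POSIX shell check is an added example, not code from this thread or from IBM; the "net sam listmem" output format (a summary line, then one member per line with a leading space), the EXAMPLE domain and the allow-list are assumptions.

```shell
#!/bin/sh
# Added example: audit the members of BUILTIN\Administrators on a CES
# protocol node against an allow-list and report drift. The "net sam
# listmem" output format (summary line, then one member per line with a
# leading space) is assumed from Samba; verify it against your own nodes.
NET=/usr/lpp/mmfs/bin/net

# Constructed sample of "net sam listmem Administrators" output.
SAMPLE_LISTMEM='BUILTIN\Administrators has 3 members
 EXAMPLE\Domain Admins
 EXAMPLE\storage-mgmt
 EXAMPLE\jdoe'

# Hypothetical allow-list: the principals that should be members.
EXPECTED='EXAMPLE\Domain Admins
EXAMPLE\storage-mgmt'

# Print only the member lines (those starting with a space), stripped.
parse_members() {
    printf '%s\n' "$1" | sed -n 's/^ \{1,\}//p'
}

# Print every member in listmem output $1 that is not an exact line of
# allow-list $2 (fixed-string, whole-line match). Empty output = no drift.
unexpected_members() {
    parse_members "$1" | while IFS= read -r m; do
        printf '%s\n' "$2" | grep -qxF -- "$m" || printf '%s\n' "$m"
    done
}

# Use the live command when run on a protocol node, else the sample.
if [ -x "$NET" ]; then
    listmem_out=$("$NET" sam listmem Administrators)
else
    listmem_out=$SAMPLE_LISTMEM
fi

drift=$(unexpected_members "$listmem_out" "$EXPECTED")
if [ -n "$drift" ]; then
    printf 'Unexpected members of BUILTIN\\Administrators:\n'
    printf '%s\n' "$drift" | sed 's/^/  /'
else
    printf '%s\n' 'BUILTIN\Administrators membership matches the allow-list'
fi
```

Run on each protocol node (membership is kept per SAM database), and review any reported principal against a change record before removing it with "net sam delmem".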
