[gpfsug-discuss] Spectrum Scale CES adds only Domain Admin to local Administrators group

Sobey, Richard A r.sobey at imperial.ac.uk
Thu Mar 30 15:50:13 BST 2017


Did your AD team perchance define a group policy on the OU such that any object placed into that OU inherited a specific set of local administrators? That's the only way I can think that your NAS ended up with the calling user in the local admin group. 

I understand where you're coming from - we do not manage AD ourselves but we do not want Domain Admins to have administrator control of our CES nodes. So once it was joined to AD (with their help) I simply removed Domain Admins and added the storage team DL in its place.

But back to the original question, I'm afraid I do not know how to make CES add a specific user to its local administrator group.

Richard

-----Original Message-----
From: gpfsug-discuss-bounces at spectrumscale.org [mailto:gpfsug-discuss-bounces at spectrumscale.org] On Behalf Of Engeli Willi (ID SD)
Sent: 30 March 2017 15:24
To: gpfsug-discuss at spectrumscale.org
Subject: [gpfsug-discuss] Spectrum Scale CES adds only Domain Admin to local Administrators group

> Last time I checked simply adding a normal computer object to the domain didn't add the account of the adding user to the local administrators group and CES is no exception.

We were previously using a competitor's product as a NAS system. With that system, we were able to define virtual NAS servers, each one joined as an independent object to AD. When joined, we found the 'Domain Admin' group and the joining user as members of the local administrators group of that virtual server.
Since our AD is quite big, it is structured into many OUs. We as the Storage OU have OU admin rights, but we are not members of the "Domain Admin" group.
Looking back, we were able by ourselves to add the required groups as needed to the local Administrators group of the NAS server.
Why is this important? Since we have quite a mix of OSes accessing our shares, some of them create exclusive access rights at the time they create profiles etc. At the end of the lifecycle, one needs to delete those files via the SMB / NFSv4 protocol, which is difficult without access rights. On the other hand, we have seen situations where one OS corrupted the ACL and could not access the files anymore. This also needs to be handled by us, giving us a hard time when not being members of the administrators group. For example, the MS tool subinacl checks the privileges before trying to modify ACLs, and if you are not a member of the Administrators group, not all required privileges are granted.

> Is it a political reason why you cannot ask your Domain Admin team to add you to the admin group for your CES cluster object? From there you can manage it yourself.

Yes and no. We have a clear boundary where we need to be able to manage the AD objects, and for security reasons it seems to make sense not to use Domain Admin accounts for this kind of work (statement of our AD group).

So much for the situation; did I miss something?

Willi

-----Original Message-----
From: gpfsug-discuss-bounces at spectrumscale.org
[mailto:gpfsug-discuss-bounces at spectrumscale.org] On Behalf Of gpfsug-discuss-request at spectrumscale.org
Sent: Thursday, 30 March 2017 16:02
To: gpfsug-discuss at spectrumscale.org
Subject: gpfsug-discuss Digest, Vol 62, Issue 77



Today's Topics:

   1. Spectrum Scale CES adds only Domain Admin to local
      Administrators group (Engeli  Willi (ID SD))
   2. Re: Spectrum Scale CES adds only Domain Admin to local
      Administrators group (Sobey, Richard A)
   3. Re: Spectrum Scale CES adds only Domain Admin to local
      Administrators group (Laurence Horrocks-Barlow)


----------------------------------------------------------------------

Message: 1
Date: Thu, 30 Mar 2017 13:29:26 +0000
From: "Engeli  Willi (ID SD)" <willi.engeli at id.ethz.ch>
To: "gpfsug-discuss at spectrumscale.org"
	<gpfsug-discuss at spectrumscale.org>
Subject: [gpfsug-discuss] Spectrum Scale CES adds only Domain Admin to
	local Administrators group
Message-ID:
	<D13CE1B679C6DC45A6A0DD4C2F8159F93E4AE1DB at MBX216.d.ethz.ch>
Content-Type: text/plain; charset="us-ascii"

Hi everybody,

In our organization, the management of AD is strictly separated from management of storage. Since we install Spectrum Scale with protocol SMB and NFS support, we need to join the systems to AD, and have at least the joining user added as well to the local administrators group.

Any idea of how to achieve this? Asking our Domain Admin is not the correct method to add other groups, this needs to be in our hands.

Regards Willi


------------------------------

Message: 2
Date: Thu, 30 Mar 2017 13:53:15 +0000
From: "Sobey, Richard A" <r.sobey at imperial.ac.uk>
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Subject: Re: [gpfsug-discuss] Spectrum Scale CES adds only Domain
	Admin to local Administrators group
Message-ID: <AMSPR06MB4057F08111EDB6EE5584F3EDF340 at AMSPR06MB405.eurprd06.prod.outlook.com>
Content-Type: text/plain; charset="us-ascii"

Last time I checked simply adding a normal computer object to the domain didn't add the account of the adding user to the local administrators group and CES is no exception.

Is it a political reason why you cannot ask your Domain Admin team to add you to the admin group for your CES cluster object? From there you can manage it yourself.

Richard


------------------------------

Message: 3
Date: Thu, 30 Mar 2017 15:02:19 +0100
From: Laurence Horrocks-Barlow <laurence at qsplace.co.uk>
To: gpfsug-discuss at spectrumscale.org
Subject: Re: [gpfsug-discuss] Spectrum Scale CES adds only Domain
	Admin to local Administrators group
Message-ID: <2329870e-00f8-258c-187d-feec9589df93 at qsplace.co.uk>
Content-Type: text/plain; charset="windows-1252"; Format="flowed"

Hi Willi,

Could you just expand on your issue?

Are you requiring CES to bind to AD to allow authenticated users to access your NFS/SMB shares, but you also require the ability to add additional groups to these users on the CES system?

Or are you trying to use your own account that can join the domain as a local admin on a CES node?

-- Lauz


------------------------------
