[gpfsug-discuss] Spectrum Scale CES adds only Domain Admin to local Administrators group

Christof Schmitt christof.schmitt at us.ibm.com
Thu Mar 30 21:18:21 BST 2017


willi.engeli at id.ethz.ch wrote on 03/30/2017 07:23:40 AM:

> > Last time I checked simply adding a normal computer object to the domain
> > didn't add the account of the adding user to the local administrators group
> > and CES is no exception.
> 
> We have been using a competitor's product as a NAS system before. With that
> system, we were able to define virtual NAS servers, each one joined as an
> independent object to AD. When joined, we found the 'Domain Admin' group and
> the joining user as members of the local administrators group of that virtual
> server.
> Since our AD is quite big, it is structured into many OUs. We as the Storage
> OU have OU admin rights, but we are not members of the "Domain Admin" group.
> Looking back, we were able by ourselves to add the required groups as needed
> to the local Administrators group of the NAS server.
> Why is this important? Since we have quite a mix of OSes accessing our shares,
> some of them create exclusive access rights at the time they create profiles
> etc. At the end of the lifecycle, one needs to delete those files via the
> SMB / NFSv4 protocol, which is difficult if not having access rights. On the
> other hand, we have seen situations where one OS corrupted the ACL and
> could not access it anymore. Also this needs to be handled by us, giving us a
> hard time not being members of the administrators group. I.e. the MS tool
> subinacl does check the privileges before trying to modify ACLs, and if not
> being a member of the Administrators group, not all required privileges are
> granted.

There are two parts to that in Spectrum Scale:

1) There is an option to declare a user as 'admin users'. The notion
 there is that this user is mapped to root on access, thus this user
 can always access files and fix access issues. The user defined here
 should not be used for normal usage, this is only recommended for
 data migrations and to fix access issues.

2) When joining Spectrum Scale to an Active Directory domain, the
 Domain Admins group is added to the internal Administrators group
 (sometimes referred to as BUILTIN\Administrators). One way to change
 the membership in that group would be through the MMC on a Windows
 client. Initially only Domain Admins are allowed; a member of this
 group would be required to add other users or groups. Alternatively,
 the "net sam" interface can be used to modify the group from root
 access on the protocol nodes:

/usr/lpp/mmfs/bin/net sam listmem Administrators
to list the members of the Administrators groups.

/usr/lpp/mmfs/bin/net sam addmem Administrators DOMAIN\user
to add a member.

/usr/lpp/mmfs/bin/net sam delmem Administrators DOMAIN\user
to remove a member

This is currently an untested feature and not exposed through the CLI.
If there is a need to have this exposed through the CLI or GUI,
that should be requested through a RFE so that it can feed into
the planning and prioritization for future releases.

Regards,

Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469    (T/L: 321-2469)
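An added example, not part of Christof's reply and not IBM or Samba code: a small POSIX shell wrapper around the three "net sam" commands above that makes membership changes to the internal Administrators group idempotent, so it can be re-run from config management without adding a principal twice or failing on a removal that already happened. It assumes the "net sam listmem" output format of upstream Samba (a header line "DOM\group has N members" followed by one space-indented "DOMAIN\name" line per member); the NET and GROUP variables and the function names are this example's own. It is meant to be run as root on a CES protocol node.

```shell
#!/bin/sh
# Added example (not from the original post, IBM or Samba): idempotent
# management of BUILTIN\Administrators membership on a CES protocol node
# through "net sam". Run as root on a protocol node.
#
# Assumed "net sam listmem" output (upstream Samba format):
#   BUILTIN\Administrators has 1 members
#    DOMAIN\Domain Admins
# NET can be overridden (e.g. to a mock) for dry runs; the default is the
# Spectrum Scale bundled binary named in the post.
NET="${NET:-/usr/lpp/mmfs/bin/net}"
GROUP="${GROUP:-Administrators}"

# Current members, one "DOMAIN\name" per line. The header line carries no
# leading space, so the sed address keeps only the member lines.
list_members() {
    "$NET" sam listmem "$GROUP" | sed -n 's/^ //p'
}

# Exit 0 if "$1" (e.g. 'DOMAIN\storage-admins') is already a member.
# -F treats the backslash literally, -x requires a whole-line match.
is_member() {
    list_members | grep -Fxq -- "$1"
}

# Add "$1" only if it is absent. Prefer a narrow AD group (the storage OU's
# admin group) over individual user accounts: membership here is what lets
# a principal fix ACLs over SMB without the root-mapped 'admin users' option.
ensure_member() {
    if is_member "$1"; then
        echo "already a member of $GROUP: $1"
        return 0
    fi
    "$NET" sam addmem "$GROUP" "$1"
}

# Remove "$1" only if it is present.
ensure_absent() {
    is_member "$1" || { echo "not a member of $GROUP: $1"; return 0; }
    "$NET" sam delmem "$GROUP" "$1"
}

# Example invocation, e.g. from a node bootstrap script (hypothetical group name):
#   ensure_member 'DOMAIN\storage-admins'
#   list_members
```

Point NET at a mock script to rehearse the change before touching a protocol node, and keep the two mechanisms in the reply separate: this script manages group membership (part 2), while the 'admin users' option (part 1) maps a user to root on access and should stay reserved for migrations and one-off ACL repairs.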
