[gpfsug-discuss] Spectrum Scale CES , SAMBA and AD keytab integration with userdefined authentication

valleru at cbio.mskcc.org valleru at cbio.mskcc.org
Thu May 3 20:14:57 BST 2018


Hello All,

I am trying to export a single remote filesystem over NFS/SMB using GPFS CES (GPFS 5.0.0.2 and CentOS 7).

We need NFS exports to be accessible on client nodes that use public key authentication and LDAP authorization. I already have this working with a previous CES setup on user-defined authentication, where users can just log in to the client nodes and access NFS mounts.

However, I will also need SAMBA exports for the same GPFS filesystem with AD/Kerberos authentication.
Previously, we used to have a working SAMBA export for a local filesystem with SSSD and AD integration with SAMBA, as mentioned in the below solution from Red Hat.
https://access.redhat.com/solutions/2221561
We find the above a cleaner solution with respect to AD and Samba integration compared to Centrify or winbind.

I understand that GPFS does offer AD authentication; however, I believe I cannot use the same since NFS will need user-defined authentication and SAMBA will need AD authentication.

I have thus been trying to use user-defined authentication.
I tried to edit smb.cnf from GPFS (with a bit of help from this blog, written by Simon: https://www.roamingzebra.co.uk/2015/07/smb-protocol-support-with-spectrum.html)

/usr/lpp/mmfs/bin/net conf list

realm = xxxx
workgroup = xxxx
security = ads
kerberos method = secrets and key tab
idmap config * : backend = tdb
template homedir = /home/%U
dedicated keytab file = /etc/krb5.keytab

I had joined the node to AD with realmd and I do get relevant AD info when I try:
/usr/lpp/mmfs/bin/net ads info

However, when I try to display the keytab or add principals to the keytab, it just does not work.
/usr/lpp/mmfs/bin/net ads keytab list  -> does not show the keys present in /etc/krb5.keytab.
/usr/lpp/mmfs/bin/net ads keytab add cifs -> does not add the keys to the /etc/krb5.keytab

As per the Samba documentation, these two parameters should help Samba automatically find the keytab file.
kerberos method = secrets and key tab
dedicated keytab file = /etc/krb5.keytab

I have not yet tried to see if a SAMBA export is working with AD authentication, but I am afraid it might not work.

Has anyone tried the AD integration with SSSD/SAMBA for GPFS? Any suggestions on how to debug the above would be really helpful.

Thanks,
Lohit
