[gpfsug-discuss] gpfsug-discuss Digest, Vol 76, Issue 71

Dorigo Alvise (PSI) alvise.dorigo at psi.ch
Wed May 23 08:42:59 BST 2018


Oops, sorry! Wrong window!
Please remove it...
Sorry.

   Alvise Dorigo
________________________________________
From: Dorigo Alvise (PSI)
Sent: Wednesday, May 23, 2018 9:41 AM
To: gpfsug main discussion list
Subject: RE: [gpfsug-discuss] gpfsug-discuss Digest, Vol 76, Issue 71

Hi Felix,
yes please, configure jumbo frames for both ports.
And yes, I'll check the cable (I used an old one, without any 25G label).

thanks,

   A
________________________________________
From: gpfsug-discuss-bounces at spectrumscale.org [gpfsug-discuss-bounces at spectrumscale.org] on behalf of hopii at interia.pl [hopii at interia.pl]
Sent: Tuesday, May 22, 2018 9:43 PM
To: gpfsug-discuss at spectrumscale.org
Subject: Re: [gpfsug-discuss] gpfsug-discuss Digest, Vol 76, Issue 71

Thank you for the reply.

Because I didn't know what to do anymore, I was just playing with different options, including 'security = ADS'.

Anyway, the problem is solved. I'm not sure if it was a bug, but
the CentOS 7.4 client couldn't connect to the Spectrum Scale node on RH 7.5, resulting in the errors provided before.

After upgrading the client from CentOS 7.4 to the latest CentOS 7.5, without any changes to the configuration, SMB with Kerberos works perfectly fine.

Thank you again,
d.


From: gpfsug-discuss-request at spectrumscale.org
To: gpfsug-discuss at spectrumscale.org;
Sent: 1:06 Saturday 2018-05-19
Subject: gpfsug-discuss Digest, Vol 76, Issue 71

> Send gpfsug-discuss mailing list submissions to
>       gpfsug-discuss at spectrumscale.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>       http://gpfsug.org/mailman/listinfo/gpfsug-discuss
> or, via email, send a message with subject or body 'help' to
>       gpfsug-discuss-request at spectrumscale.org
>
> You can reach the person managing the list at
>       gpfsug-discuss-owner at spectrumscale.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of gpfsug-discuss digest..."
>
>
> Today's Topics:
>
>    1. Spectrum Scale CES , SAMBA,     LDAP kerberos authentication
>       issue (hopii at interia.pl)
>    2. Re: Spectrum Scale CES , SAMBA, LDAP kerberos authentication
>       issue (Christof Schmitt)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 18 May 2018 20:53:57 +0200
> From: hopii at interia.pl
> To: gpfsug-discuss at spectrumscale.org
> Subject: [gpfsug-discuss] Spectrum Scale CES , SAMBA, LDAP kerberos
>       authentication issue
> Message-ID:
> Content-Type: text/plain; charset="UTF-8"
>
> Hi there,
>
> I'm just learning, trying to configure Spectrum Scale SMB file authentication using LDAP (IPA) with Kerberos, and have been struggling with it for a couple of days, without success.
>
> Users on the Spectrum cluster and the client machine are authenticated properly, so LDAP should be fine.
> NFS mount with Kerberos works with no issues as well.
>
> But I have run out of ideas on how to configure SMB using LDAP with Kerberos.
>
> I could have messed up the netbios names, as I am not sure which one to use: from the cluster node or from the protocol node, exactly which one.
> But the error message seems to point to the keytab file, which is present on both the server and client nodes.
>
> I ran into a similar post, dated a few days ago, so I'm not the only one.
> https://www.mail-archive.com/gpfsug-discuss@spectrumscale.org/msg03919.html
>
>
> Below is my configuration and error message, and I'd appreciate any hints or help.
>
> Thank you,
> d.
>
>
>
> Error message from /var/adm/ras/log.smbd:
>
> [2018/05/18 13:51:58.853681,  3] ../auth/gensec/gensec_start.c:918(gensec_register)
>   GENSEC backend 'ntlmssp_resume_ccache' registered
> [2018/05/18 13:51:58.859984,  0] ../source3/librpc/crypto/gse.c:586(gse_init_server)
>   smb_gss_krb5_import_cred failed with [Unspecified GSS failure.  Minor code may provide more information: Keytab MEMORY:cifs_srv_keytab is nonexistent or empty]
> [2018/05/18 13:51:58.860151,  1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
>   Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>
>
>
> Cluster nodes:
> spectrum1.example.com RedHat 7.4
> spectrum2.example.com RedHat 7.4
> spectrum3.example.com RedHat 7.4
>
> Protocol nodes:
> labs1.example.com
> lasb2.example.com
> labs3.example.com
>
>
> ssipa.example.com     Centos 7.5
>
>
>
> Spectrum Scale server:
>
> [root at spectrum1 security]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 host/labs1.example.com at example.com
>    1 host/labs1.example.com at example.com
>    1 host/labs2.example.com at example.com
>    1 host/labs2.example.com at example.com
>    1 host/labs3.example.com at example.com
>    1 host/labs3.example.com at example.com
>    1 nfs/labs1.example.com at example.com
>    1 nfs/labs1.example.com at example.com
>    1 nfs/labs2.example.com at example.com
>    1 nfs/labs2.example.com at example.com
>    1 nfs/labs3.example.com at example.com
>    1 nfs/labs3.example.com at example.com
>    1 cifs/labs1.example.com at example.com
>    1 cifs/labs1.example.com at example.com
>    1 cifs/labs2.example.com at example.com
>    1 cifs/labs2.example.com at example.com
>    1 cifs/labs3.example.com at example.com
>    1 cifs/labs3.example.com at example.com
>
>
>
>
> [root at spectrum1 security]# net conf list
> [global]
>       disable netbios = yes
>       disable spoolss = yes
>       printcap cache time = 0
>       fileid:algorithm = fsname
>       fileid:fstype allow = gpfs
>       syncops:onmeta = no
>       preferred master = no
>       client NTLMv2 auth = yes
>       kernel oplocks = no
>       level2 oplocks = yes
>       debug hires timestamp = yes
>       max log size = 100000
>       host msdfs = yes
>       notify:inotify = yes
>       wide links = no
>       log writeable files on exit = yes
>       ctdb locktime warn threshold = 5000
>       auth methods = guest sam winbind
>       smbd:backgroundqueue = False
>       read only = no
>       use sendfile = no
>       strict locking = auto
>       posix locking = no
>       large readwrite = yes
>       aio read size = 1
>       aio write size = 1
>       force unknown acl user = yes
>       store dos attributes = yes
>       map readonly = yes
>       map archive = yes
>       map system = yes
>       map hidden = yes
>       ea support = yes
>       groupdb:backend = tdb
>       winbind:online check timeout = 30
>       winbind max domain connections = 5
>       winbind max clients = 10000
>       dmapi support = no
>       unix extensions = no
>       socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPCNT=4 TCP_KEEPIDLE=240 TCP_KEEPINTVL=15
>       strict allocate = yes
>       tdbsam:map builtin = no
>       aio_pthread:aio open = yes
>       dfree cache time = 100
>       change notify = yes
>       max open files = 20000
>       time_audit:timeout = 5000
>       gencache:stabilize_count = 10000
>       server min protocol = SMB2_02
>       server max protocol = SMB3_02
>       vfs objects = shadow_copy2 syncops gpfs fileid time_audit
>       smbd profiling level = on
>       log level = 1
>       logging = syslog at 0 file
>       smbd exit on ip drop = yes
>       durable handles = no
>       ctdb:smbxsrv_open_global.tdb = false
>       mangled names = illegal
>       include system krb5 conf = no
>       smbd:async search ask sharemode = yes
>       gpfs:sharemodes = yes
>       gpfs:leases = yes
>       gpfs:dfreequota = yes
>       gpfs:prealloc = yes
>       gpfs:hsm = yes
>       gpfs:winattr = yes
>       gpfs:merge_writeappend = no
>       fruit:metadata = stream
>       fruit:nfs_aces = no
>       fruit:veto_appledouble = no
>       readdir_attr:aapl_max_access = false
>       shadow:snapdir = .snapshots
>       shadow:fixinodes = yes
>       shadow:snapdirseverywhere = yes
>       shadow:sort = desc
>       nfs4:mode = simple
>       nfs4:chown = yes
>       nfs4:acedup = merge
>       add share command = /usr/lpp/mmfs/bin/mmcesmmccrexport
>       change share command = /usr/lpp/mmfs/bin/mmcesmmcchexport
>       delete share command = /usr/lpp/mmfs/bin/mmcesmmcdelexport
>       server string = IBM NAS
>       client use spnego = yes
>       kerberos method = system keytab
>       ldap admin dn = cn=Directory Manager
>       ldap ssl = start tls
>       ldap suffix = dc=example,dc=com
>       netbios name = spectrum1
>       passdb backend = ldapsam:"ldap://ssipa.example.com"
>       realm = example.com
>       security = ADS
>       dedicated keytab file = /etc/krb5.keytab
>       password server = ssipa.example.com
>       idmap:cache = no
>       idmap config * : read only = no
>       idmap config * : backend = autorid
>       idmap config * : range = 10000000-299999999
>       idmap config * : rangesize = 1000000
>       workgroup = labs1
>       ntlm auth = yes
>
> [share1]
>       path = /ibm/gpfs1/labs1
>       guest ok = no
>       browseable = yes
>       comment = jas share
>       smb encrypt = disabled
>
>
> [root at spectrum1 ~]# mmsmb export list
> export   path               browseable   guest ok   smb encrypt
> share1   /ibm/gpfs1/labs1   yes          no         disabled
>
>
>
> userauth command:
> mmuserauth service create --type ldap --data-access-method file --servers ssipa.example.com --base-dn dc=example,dc=com --user-name 'cn=Directory Manager' --netbios-name labs1 --enable-server-tls --enable-kerberos --kerberos-server ssipa.example.com --kerberos-realm example.com
>
>
> [root at spectrum1 ~]# mmuserauth service list
> FILE access configuration : LDAP
> PARAMETERS               VALUES
> -------------------------------------------------
> ENABLE_SERVER_TLS        true
> ENABLE_KERBEROS          true
> USER_NAME                cn=Directory Manager
> SERVERS                  ssipa.example.com
> NETBIOS_NAME             spectrum1
> BASE_DN                  dc=example,dc=com
> USER_DN                  none
> GROUP_DN                 none
> NETGROUP_DN              none
> USER_OBJECTCLASS         posixAccount
> GROUP_OBJECTCLASS        posixGroup
> USER_NAME_ATTRIB         cn
> USER_ID_ATTRIB           uid
> KERBEROS_SERVER          ssipa.example.com
> KERBEROS_REALM           example.com
>
> OBJECT access not configured
> PARAMETERS               VALUES
> -------------------------------------------------
>
> net ads keytab list -> does not show any keys
>
>
> LDAP user information was updated with Samba attributes according to the documentation:
> https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.0/com.ibm.spectrum.scale.v5r00.doc/bl1adm_updateldapsmb.htm
>
>
> [root at spectrum1 ~]# pdbedit -L -v
> Can't find include file /var/mmfs/ces/smb.conf.0.0.0.0
> Can't find include file /var/mmfs/ces/smb.conf.internal.0.0.0.0
> No builtin backend found, trying to load plugin
> Module 'ldapsam' loaded
> db_open_ctdb: opened database 'g_lock.tdb' with dbid 0x4d2a432b
> db_open_ctdb: opened database 'secrets.tdb' with dbid 0x7132c184
> smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SPECTRUM1))]
> StartTLS issued: using a TLS connection
> smbldap_open_connection: connection opened
> ldap_connect_system: successful connection to the LDAP server
> smbldap_search_paged: base => [dc=example,dc=com], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1000]
> smbldap_search_paged: search was successful
> init_sam_from_ldap: Entry found for user: jas
> ---------------
> Unix username:        jas
> NT username:          jas
> Account Flags:        [U          ]
> User SID:             S-1-5-21-2394233691-157776895-1049088601-1281201008
> Forcing Primary Group to 'Domain Users' for jas
> Primary Group SID:    S-1-5-21-2394233691-157776895-1049088601-513
> Full Name:            jas jas
> Home Directory:       \\spectrum1\jas
> HomeDir Drive:
> Logon Script:
> Profile Path:         \\spectrum1\jas\profile
> Domain:               SPECTRUM1
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          never
> Kickoff time:         never
> Password last set:    Thu, 17 May 2018 14:08:01 EDT
> Password can change:  Thu, 17 May 2018 14:08:01 EDT
> Password must change: never
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
>
>
> Client keytab file:
> [root at test ~]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 host/test.example.com at example.com
>    1 host/test.example.com at example.com
>
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 18 May 2018 23:05:56 +0000
> From: "Christof Schmitt"
> To: gpfsug-discuss at spectrumscale.org
> Subject: Re: [gpfsug-discuss] Spectrum Scale CES , SAMBA, LDAP
>       kerberos authentication issue
> Message-ID:
>
>
> Content-Type: text/plain; charset="us-ascii"
>
> An HTML attachment was scrubbed...
> URL:
>
> ------------------------------
>
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
>
>
> End of gpfsug-discuss Digest, Vol 76, Issue 71
> **********************************************
>

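As an added diagnostic (not code from this thread, from IBM, or from Samba), the following Python script cross-checks two of the outputs pasted above: it parses `klist -k` and the `[global]` section of `net conf list`, and reports whether the dedicated keytab holds a `cifs/` principal whose short host name matches `netbios name` and whose realm matches `realm` exactly. It assumes the SMB service needs such an entry; the thread itself does not state a root cause, and the constructed sample reproduces the pasted values (netbios name `spectrum1`, keytab keys for `labs1`/`labs2`).

```python
import re

# Constructed sample, abbreviated from the thread's klist -k and net conf list
# output. Real klist prints '@' where the list archive shows ' at '.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   1 host/labs1.example.com@example.com
   1 nfs/labs1.example.com@example.com
   1 cifs/labs1.example.com@example.com
   1 cifs/labs2.example.com@example.com
"""
SMB_CONF = """\
[global]
      kerberos method = system keytab
      dedicated keytab file = /etc/krb5.keytab
      netbios name = spectrum1
      realm = example.com
"""

PRINCIPAL_RE = re.compile(r"^\s*\d+\s+(\S+)/(\S+)@(\S+)\s*$")

def parse_keytab_listing(text):
    """Return (service, host, realm) tuples for each principal in klist -k output."""
    return [m.groups() for m in map(PRINCIPAL_RE.match, text.splitlines()) if m]

def parse_smb_globals(text):
    """Return {parameter: value} for 'key = value' lines of a net conf list dump."""
    params = {}
    for line in text.splitlines():
        if "=" in line and not line.strip().startswith("["):
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params

def check_cifs_principal(keytab_text, smb_conf_text):
    """Assumption: SMB needs cifs/<host>@REALM where <host>'s short name equals
    'netbios name' (case-insensitive) and REALM equals 'realm' exactly, since
    Kerberos realm names are case-sensitive."""
    conf = parse_smb_globals(smb_conf_text)
    netbios, realm = conf.get("netbios name", "").lower(), conf.get("realm", "")
    cifs_hosts = sorted({h for s, h, r in parse_keytab_listing(keytab_text)
                         if s == "cifs" and r == realm})
    matching = [h for h in cifs_hosts if h.split(".")[0].lower() == netbios]
    return {"netbios_name": netbios, "realm": realm,
            "cifs_hosts_in_realm": cifs_hosts, "matching": matching,
            "ok": bool(matching)}

if __name__ == "__main__":
    print(check_cifs_principal(KLIST_OUTPUT, SMB_CONF))
```

On the pasted values the check reports no match, because the keytab carries `cifs/labs*` keys while `netbios name` is `spectrum1`; with `netbios name = labs1` the same keytab passes.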
