[gpfsug-discuss] ssh authentication on CES nodes

Ott Oopkaup ott.oopkaup at ut.ee
Tue Jul 23 14:23:11 BST 2024


Hi all,

While not strictly by-the-book, we have run SSSD alongside gpfs-winbind 
for ~7 years now. Might be a case of running the protocol nodes on RHEL 
exclusively, but we have never had any issues. Might help that our LDAP 
and AD are kept in sync as best as possible so any conflicts will still 
resolve to the same values.

Even further, thanks to some old legacy documentation I recently moved 
from regular gpfs-winbind (that was basically connected using net ads 
join) to actual mmuserauth and AD. In my mind, having even SSSD 
installed would already cause the library conflicts. Obviously, there 
are more than 2 ways to skin this particular cat, and for a really dirty 
fix you could map the admin users locally with the same UIDs etc.

Best,

Ott Oopkaup
University of Tartu, High Performance Computing Centre
Systems Administrator

On 7/23/24 2:29 PM, Jonathan Buzzard wrote:
> On Tue, 2024-07-23 at 10:11 +0000, Paul Ward wrote:
>> Hi Ivano,
>>   
>> I am curious about this line of your message:
>> “For us that's quite annoying, since we can't login with our
>> personal/central accounts and then sudo.”
>>   
>> We only allow administrator access to the GPFS cluster via the EMS
>> nodes. We will be restricting them to MFA based access.
>> We then navigate to all other nodes from one of them.
>>
>>
> My guess would be that administrators log onto the cluster using their
> personal/central accounts and then use sudo to issue administrative
> commands. This creates a log of who issued what commands at what time.
> Useful when you have more than one administrator and provides a level
> of tracking.
>
> Though personally I think using your "personal" everyday account for
> this is suboptimal. Best practice would suggest having a separate
> personal administrator account. So for example in a previous life my
> normal everyday account was njab14, no different than anyone else's
> account, but I had a separate administrator account, which was
> sjab14. That could do things like sudo, had rights in the AD, etc. etc.
>
> You can also do things like create groups of users that can log onto
> things that normal users can't.
>
>
> JAB.
>
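The thread's point that running SSSD next to gpfs-winbind only works if both sources resolve every account to the same UID/GID suggests a consistency check. The script below is an added example, not code from the thread or from IBM; it parses passwd(5)-format output from two NSS sources (on a real node, assumed to come from `getent passwd -s sss` and `getent passwd -s winbind`) and reports accounts whose IDs disagree, plus UIDs that map to more than one user name across the two sources. The inputs here are constructed sample lines.

```python
"""Compare identity lookups from two NSS sources (e.g. SSSD and gpfs-winbind)
and report conflicts an admin would want to know about before relying on
both at once. Added example; input lines below are constructed samples."""
from typing import Dict, List, Set, Tuple

# Constructed sample output in passwd(5) format: name:x:uid:gid:gecos:home:shell
SSSD_OUTPUT = """\
alice:*:10001:10001:Alice Admin:/home/alice:/bin/bash
bob:*:10002:10002:Bob:/home/bob:/bin/bash
carol:*:10003:10005:Carol:/home/carol:/bin/bash
"""
WINBIND_OUTPUT = """\
alice:*:10001:10001:Alice Admin:/home/alice:/bin/bash
bob:*:20002:10002:Bob:/home/bob:/bin/bash
carol:*:10003:10003:Carol:/home/carol:/bin/bash
dave:*:10001:10001:Dave:/home/dave:/bin/bash
"""


def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """Map user name -> (uid, gid); blank or malformed lines are skipped."""
    entries: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line.strip() or len(fields) < 4:
            continue
        entries[fields[0]] = (int(fields[2]), int(fields[3]))
    return entries


def find_conflicts(a: Dict[str, Tuple[int, int]],
                   b: Dict[str, Tuple[int, int]]) -> List[str]:
    """Return one description per conflict between the two sources."""
    problems: List[str] = []
    # Same user name, different numeric identity: sudo/ACL checks would differ
    for name in sorted(set(a) & set(b)):
        if a[name] != b[name]:
            problems.append(f"{name}: {a[name]} vs {b[name]}")
    # Same UID owned by different names (within or across sources):
    # file ownership on the GPFS filesystem becomes ambiguous
    owners: Dict[int, Set[str]] = {}
    for source in (a, b):
        for name, (uid, _gid) in source.items():
            owners.setdefault(uid, set()).add(name)
    for uid in sorted(owners):
        if len(owners[uid]) > 1:
            problems.append(f"uid {uid} -> {', '.join(sorted(owners[uid]))}")
    return problems


if __name__ == "__main__":
    for problem in find_conflicts(parse_passwd(SSSD_OUTPUT),
                                  parse_passwd(WINBIND_OUTPUT)):
        print(problem)
```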