The document discusses IBM Spectrum Scale protocol authentication. It provides an overview of configuring file protocol authentication with Active Directory using RFC2307 ID mapping. It also discusses configuring object protocol authentication with a local user database. The authentication configuration is managed using the mmuserauth service command, which allows creating, listing, checking, and removing authentication configurations for file and object access protocols.
1. User Group
2017
IBM Spectrum Scale 4.2.3
Protocol Authentication
Sandeep Patil
STSM, IBM Master Inventor
Kaustubh Katruwar
Spectrum Scale Auth Development
Shradha Thakare
Spectrum Scale Dev
2. Please note
IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
3. Acknowledgement – Spectrum Scale Development Team
• Deepak Ghuge
• Ingo Meents
• Christof Schmitt
• Smita Raut
• Varun Mittal
• Bill Owen
• Sanjay Gandhi
• Brian Nelson
• Simon Lorenz
• Gautam Shah
• John Lewars
• Chetan Kulkarni
4. Authentication for Protocols - Basics
What is authentication?
• The objective of authentication is to verify the claimed identity
of users and components before access to the protected resource.
• Usually it is done by having the user enter a valid user name and
valid password before access is granted.
Authentication In IBM Spectrum Scale Protocol
• Ensures authenticated access to data exported by protocols
(NFS/SMB/Object)
• To enable read and write access to directories and files for users over the protocols exported by IBM Spectrum Scale, you must configure user authentication on the system.
• Only one user authentication method, and only one instance of
that method, can be supported in a single cluster.
• The following authentication services can be configured with the IBM
Spectrum Scale™ system for file protocol access:
• Microsoft Active Directory (AD)
• Lightweight Directory Access Protocol (LDAP)
• Network Information Service (NIS) for NFS client access
• User defined
5. Identification - Basics
• The objective of identification is to identify users and infrastructure components; it is the basis of authorization. Identification methods include unique user IDs (different persons use different user IDs).
• Other methods include keys and fingerprints (such as a public SSH key) and digital certificates (such as the certificate of a web server).
User names and user IDs (UIDs):
• UNIX system and UNIX based appliances use user names and user identifiers (UID) to represent users of the system.
• When a user logs on to a UNIX system, the operating systems looks up their UID and then uses this UID for further
representation of the user.
Group names and Group IDs (GIDs)
• UNIX systems use groups to maintain sets of users which have the same permissions to access certain system
resources.
• Similar to user names and UIDs, a UNIX system also maintains group names and group identifiers (GIDs).
• A UNIX user might be a member of one or more groups, where one group is the primary or default group.
• UNIX groups are not nested: They contain users only but not other groups.
SID
• Windows and SMB client systems reference all operating system entities as resources. For example, users, groups,
computers, and so on.
• Each resource is represented by a security identifier (SID).
• Resource names and SIDs are stored locally in the Windows registry or in an external directory service such as Active
Directory or LDAP.
Directory Services
User names, UIDs, and the mapping of user names to UIDs along with Group Names, GIDs and their mapping are stored
locally in the /etc/passwd file. Or, they can be stored on an external directory service such as Microsoft Active Directory,
Services for Unix (SFU), Lightweight Directory Access Protocol (LDAP), or Network Information Service (NIS).
Examples:
User Name: Penguin, UID: 9823
Group Name: Penguin_Group, GID: 5000
User Name: Windows_User1, SID: S-1-5-21-917267712-1342860078-1792151419-500
6. UID/GID/SID mapping in IBM Spectrum Scale
• IBM Spectrum Scale stores all user data on Spectrum Scale file systems, which use UIDs and
GIDs for access control.
• For SMB access, IBM Spectrum Scale needs to map SIDs to UIDs and GIDs to enforce
access control. SIDs effectively are 128 bit values while GIDs and UIDs are limited to 32bit, so
a 1:1 mapping is not possible.
• NFS clients send the UID and GID of a user who requests access to a file.
• IBM Spectrum Scale uses the access control mechanism by comparing the received UID and
GID with the UIDs and GIDs stored in GPFS.
• The UIDs and GIDs used by the NFS clients must match the UIDs and GIDs stored inside
Spectrum Scale file system.
• When SMB clients running Windows connect to IBM Spectrum Scale configured with plain AD, the system first contacts Active Directory to check the user name and password combination. The automatically created UID/GID is then stored locally (in the idmap database) on IBM Spectrum Scale. The ID mapping between SID and UID is created the first time a user logs in; after that it is picked up directly from the database. In case of mixed access from Windows and UNIX, Active Directory with RFC 2307 or with LDAP is to be used.
7. ID Mapping methods in IBM Spectrum Scale required for NFS & SMB multiprotocol access
The following methods are used to map Windows SID to UNIX UID and GID:
• External ID mapping methods
• A UID or GID of a user or group is created and stored in an external server.
• The external server administrator is responsible for creating or populating the UID/GID for the
user/group in their respective servers.
• The IBM Spectrum Scale system supports the following servers for external ID mapping:
• LDAP server, where the UID or GID is stored in a dedicated field in the user or group object on
the LDAP server.
• AD server with RFC2307 schema extension defined. The UID or GID of a user or group that
is defined in AD server is stored in a dedicated field of the user or group object.
• Internal ID mapping method
• Automatic ID mapping when AD-based authentication is used.
• Automatic ID mapping method uses a reserved ID range to allocate ID based on the following logic.
• A user or group in AD is identified by SID, which includes a component that is called RID.
Whenever a user or group from an AD domain accesses IBM Spectrum Scale™, a range is
allocated per AD domain. UID or GID is then allocated depending upon this range and the RID
of the user/group.
• For example, S-1-5-21-3922795712-4076380459-2191511802-1304 breaks down as:
• S – the string is a SID
• 1 – Revision level
• 5 – Identifier authority value
• 21-3922795712-4076380459-2191511802 – Domain or local computer identifier
• 1304 – Relative ID (RID)
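The automatic ID-map logic above, as an added example (not IBM's code): a Python model that parses a SID into the components listed, allocates one range per AD domain out of IDMAP_RANGE/IDMAP_RANGE_SIZE (the values shown in the mmuserauth service list illustration on slide 18), and derives the UID/GID as range base plus RID. The class and function names are this example's own, and the allocation order is a simplified assumption; winbind's real autorid backend differs in details such as RIDs larger than the range size.

```python
"""Model of the automatic (internal) ID-map logic: parse a SID into its
components, allocate one ID range per AD domain, and derive the UID/GID
from the range base plus the RID."""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    domain: str   # sub-authorities except the last, e.g. "21-3922795712-4076380459-2191511802"
    rid: int      # relative ID, the last sub-authority


def parse_sid(text: str) -> Sid:
    """Split 'S-1-5-21-...-1304' into revision, authority, domain identifier and RID."""
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {text!r}")
    try:
        numbers = [int(p) for p in parts[1:]]
    except ValueError:
        raise ValueError(f"non-numeric SID component in {text!r}") from None
    revision, authority, subs = numbers[0], numbers[1], numbers[2:]
    return Sid(revision, authority, "-".join(parts[3:-1]), subs[-1])


class AutoRidMapper:
    """Simplified model (assumption) of automatic ID mapping: the first time a
    domain is seen it gets the next free range, and every later lookup for
    that domain reuses the stored range, mirroring the idmap database."""

    def __init__(self, idmap_range: str, range_size: int):
        low, high = (int(v) for v in idmap_range.split("-"))
        self.low, self.high, self.size = low, high, range_size
        self.ranges: Dict[str, int] = {}   # domain identifier -> range index

    def range_base(self, domain: str) -> int:
        """Allocate (once) and return the first ID of the domain's range."""
        if domain not in self.ranges:
            index = len(self.ranges)
            if self.low + (index + 1) * self.size - 1 > self.high:
                raise RuntimeError("IDMAP_RANGE exhausted: no free range for a new domain")
            self.ranges[domain] = index
        return self.low + self.ranges[domain] * self.size

    def map_sid(self, text: str) -> int:
        """Return the UID or GID this model derives for the SID."""
        sid = parse_sid(text)
        if sid.rid >= self.size:
            raise ValueError(f"RID {sid.rid} does not fit IDMAP_RANGE_SIZE {self.size}")
        return self.range_base(sid.domain) + sid.rid


if __name__ == "__main__":
    # IDMAP_RANGE / IDMAP_RANGE_SIZE as shown in the 'mmuserauth service list' example.
    mapper = AutoRidMapper("10000000-299999999", 1000000)
    for sid in ("S-1-5-21-3922795712-4076380459-2191511802-1304",
                "S-1-5-21-917267712-1342860078-1792151419-500"):
        print(sid, "->", mapper.map_sid(sid))
```

Two users from different domains with the same RID land in different ranges, which is why a per-domain range rather than a plain 1:1 SID-to-UID mapping is needed.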
8. IBM Spectrum Scale File Authentication Flow
• Authentication for NFS/SMB involves user credential validation and user identity management, which defines ownership of data and is the foundation for ACLs on NFS and SMB.
The following steps are involved in the user authentication
for file access:
1. User tries to connect to the IBM Spectrum
Scale™ system by using their credentials.
2. The IBM Spectrum Scale™ system contacts the
authentication server to validate the user.
3. The IBM Spectrum Scale™ system contacts the ID
map server that provides UIDs and GIDs of the user
and user group to verify the identity of the user.
4. If the user credentials are valid, the user gains access
to the system.
9. IBM Spectrum Scale Object Authentication Flow
Auth Flow
1. The user raises the access request to get access to
the object data.
2. The keystone server communicates with the
authentication server such as AD, LDAP, or a local
database. The keystone server interacts with the
authentication server for authentication,
authorization, and service end-point management.
3. If the user details are valid, the keystone server
interacts with the local database to determine the
user roles and issues a token to grant access to the
user.
4. The OpenStack identity service offers token-based
authentication for object access. When user
credentials are validated, the identity service issues
an authentication token, which the user provides in
subsequent requests. That is, the access request
also includes the token that is granted in step 3. The
token is an alphanumeric string of text that is used to
access OpenStack APIs and resources.
5. The authenticated user contacts the object storage
to access the data that is stored in it.
6. The object storage grants permission to the user to
work on the data based on the associated project ID
and user role.
10. Authentication Design Points For Spectrum Scale Protocols
• Well defined and consumable authentication management interfaces for FILE (NFS, SMB) and OBJECT to ensure uniformity.
• Allow flexibility to configure Object and FILE with different authentication scheme to ensure wider
coverage of customer deployment.
• Ability to auto-suggest to help enforce common authentication scheme across FILE (SMB/NFS) and
OBJECT on the same cluster , when AD/LDAP is being used by either of them.
• Provide a "User Defined" auth mode which allows customers to define the authentication setup the way they desire. The IBM Spectrum Scale Auth CLI is not functional in this mode.
• For FILE, support all required authentication schemes as supported in legacy NAS Systems to
ensure migration.
• For OBJECT, support authentication of Swift with Keystone backed by AD, LDAP or a database (PostgreSQL only). The authorization required by object is stored only in the database.
• Enhanced Problem Determination – Extract more of “Where is the exact problem/Is it related to
authentication” kind of authentication logs in FTDC for faster problem determination.
11. Authentication + ID map Schemes: Support Matrix for File Protocols (NFS / SMB)
Configuring Authentication with AD
Configuring Authentication with NIS
Configuring Authentication with LDAP
12. Authentication Schemes: Support Matrix for Object
Configuring Authentication with AD
Configuring Authentication with LDAP
Configuring Authentication with Local
13. Authentication Schemes: For Unified File and Object
What is Unified File and Object ?
• Unified File and Object allows accessing objects using file interfaces (SMB/NFS/POSIX) and accessing files using object interfaces (REST). This helps legacy applications designed for file to seamlessly start integrating into the object world.
• It allows cloud data which is in form of objects to be accessed using
files using application designed to process files.
• Multi protocol access for file and object in the same namespace allows
supporting and hosting data oceans of different types with multiple access
options.
Configuring Authentication for Unified File and Object
Only the following authentication mechanisms are supported when common
User ID is expected between File and Object Interface:
• Object configured with AD and File with the same AD where the
user/group ID is available on AD+RFC 2307
• Object configured with LDAP and File with the same LDAP where the
user/group ID is available on LDAP
Objects data accessed via file interface
File data accessed via object interface
14. Unified File and Object: Flexible Identity Management Modes
Supports two identity management modes; administrators can choose based on their need and use-case.
Local_ID mode:
• Object created by Object interface will be owned by the internal "swift" user.
• Application processing the object data from the file interface will need the required file ACL to access the data.
• Object authentication setup is independent of the File authentication setup.
• Suitable when auth schemes for file and object are different and unified access is for applications.
Unified_ID mode:
• Object created from the Object interface should be owned by the user doing the Object PUT (i.e. the FILE will be owned by the UID/GID of the user).
• Users from Object and File are expected to use common auth and come from the same directory service (only AD+RFC 2307 or LDAP).
• Owner of the object will own and have access to the data from the file interface.
• Suitable for unified file and object access for end users. Leverage common ILM policies for file and object data based on data ownership.
15. Spectrum Scale Protocol Authentication: High Level Overview
(Diagram) Spectrum Scale protocol nodes run Linux with winbind, ypbind, SSSD, Keystone and Postgres. A common protocol Auth CLI fronts two auth configure CLIs, one for Keystone and one for File. External auth servers: AD, LDAP, NIS, MIT KDC.
Users with AD/LDAP credentials should be able to access FILE as well as Object.
16. IBM Spectrum Scale Authentication: The “mmuserauth” Command
# mmuserauth service <option>
• This command suite manages the authentication configuration of file and object access
protocols.
• The configuration allows protocol access methods to authenticate users who need to
access data that is stored on the system over these protocols.
• The different commands in the # mmuserauth service suite are:
• mmuserauth service create - Configures authentication for file and object
access protocols.
• mmuserauth service list - Displays the details of the authentication method
that is configured for both file and object access protocols.
• mmuserauth service check - Verifies the authentication method configuration
details for file and object access protocols. Validates the connectivity to the
configured authentication servers. It also supports corrections to the configuration
details on the erroneously configured protocol nodes.
• mmuserauth service remove - Removes the authentication method
configuration of file and object access protocols and ID maps if any.
17. IBM Spectrum Scale Authentication: Life Cycle
The life cycle of the authentication configuration, as shown in the slide's flow diagram:
1. Enable the required protocols. For Object, when the protocol is being enabled the admin is prompted whether to use an external keystone or to host the internal keystone, and keystone initialization is done accordingly.
2. Configure File and Object auth ("mmuserauth service create"). Based on the auth type, the command updates the respective config files and restarts the services. Object and File auth config have to be done separately because of semantic differences.
3. Check the auth config across the cluster ("mmuserauth service check"): checks whether the authentication is consistent across the cluster (protocol nodes), with an option for rectification (optional).
4. List the configuration ("mmuserauth service list"): lists the File and Object auth config (separately).
5. Start the protocols. Export creation for NFS/SMB is allowed only when auth is configured; Object IO is allowed.
6. Cleanup authentication ("mmuserauth service remove").
7. Disable the protocols.
Note: For Object, when the protocol is enabled it is automatically configured with keystone with local auth (if internal keystone was selected). mmuserauth service create is required only if you want to configure object with AD/LDAP; this is unlike FILE, where there is no local auth.
18. Illustration: File Protocol Authentication with AD + RFC2307 ID mapping
1. Run the command as shown in the example below:
# mmuserauth service create --type ad --data-access-method file --netbios-name ess --user-name administrator --idmap-role master --servers myADserver --password Passw0rd --idmap-range-size 1000000 --idmap-range 10000000-299999999 --unixmap-domains 'DOMAIN(5000-20000)'
2. Verify the authentication configuration:
# mmuserauth service list
3. The system displays the following output:
FILE access configuration : AD
PARAMETERS VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS false
SERVERS myADserver
USER_NAME administrator
NETBIOS_NAME ess
IDMAP_ROLE master
IDMAP_RANGE 10000000-299999999
IDMAP_RANGE_SIZE 1000000
UNIXMAP_DOMAINS DOMAIN(5000-20000)
LDAPMAP_DOMAINS none
OBJECT access not configured
PARAMETERS VALUES
-------------------------------------------------
4. Verify the user name resolution, and that the IDs on the system are pulled from the RFC2307 attributes (uidNumber/gidNumber) on the AD server:
# id 'DOMAIN\administrator'
uid=10002(DOMAIN\administrator) gid=10000(DOMAIN\domain users) groups=10000(DOMAIN\domain users)
Note: The specified domain controller myADserver is only relevant for joining the domain. After that step the configured DCs for the domain are queried from DNS and an available one is chosen automatically.
The user account administrator is likewise only used for joining the domain and creating or updating the machine account. After that, the protocol nodes use the machine account to access AD.
19. Illustration: Object Protocol Authentication with Local
1. Run the command as shown in the example below:
# mmuserauth service create --data-access-method object --type local --ks-dns-name c40bbc2xn3 --ks-admin-user admin --ks-admin-pwd Passw0rd
2. Verify the authentication configuration:
# mmuserauth service list
3. The system displays the following output:
FILE access not configured
PARAMETERS VALUES
-------------------------------------------------
OBJECT access configuration : LOCAL
PARAMETERS VALUES
-------------------------------------------------
ENABLE_KS_SSL false
ENABLE_KS_CASIGNING false
KS_ADMIN_USER admin
20. Basic Authentication Problem Determination CLI
# mmuserauth service check
1. This command can help determine issues in authentication.
2. It verifies the authentication method configuration details for file and object access protocols.
3. It validates the connectivity to the configured authentication servers.
4. It also supports corrections to the configuration details on erroneously configured protocol nodes.
5. Without the --server-reachability parameter, the command only validates whether the authentication configuration files are consistent across the protocol nodes.
6. Use --server-reachability to check that the external authentication server is reachable from each protocol node.
7. The --rectify (-r) option cannot fix server reachability errors. Specifying it together with --server-reachability fixes only erroneous config files and service-related errors.
8. To check whether the authentication configuration is consistent across the cluster and the required services are enabled and running, and to correct any inconsistencies found, issue this command:
# mmuserauth service check --data-access-method file --nodes cesNodes --rectify
The system displays output similar to this:
Userauth file check on node: dgnode3
Checking SSSD_CONF: OK
LDAP server status
LDAP server 192.0.2.18 : OK
Service 'sssd' status: OK
Userauth file check on node: dgnode2
dgnode2: not CES node. Ignoring...
9. To run the same consistency check without correcting the situation, omit --rectify:
# mmuserauth service check --data-access-method file --nodes cesNodes
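The check output above is easy to eyeball on one node but not across a whole CES cluster from a cron job. The script below is an added example, not code from the deck or from IBM: it parses captured mmuserauth service check output, lists every non-OK check per node, and separates server reachability failures (which --rectify cannot fix) from config-file and service failures (which --rectify may fix). The sample output is constructed; the deck shows only OK results, so the status text "FAILED" for a failing check, and the heuristic that a check line containing "server" is a reachability check, are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not IBM's code): triage the output of
#   mmuserauth service check --data-access-method file --nodes cesNodes --server-reachability
# so a cron job or deployment step fails fast and says whether --rectify can help.
# The sample is constructed; "FAILED" as the non-OK status text is an assumption.

CHECK_OUTPUT=$(cat <<'EOF'
Userauth file check on node: dgnode3
Checking SSSD_CONF: OK
LDAP server status
LDAP server 192.0.2.18 : OK
Service 'sssd' status: OK
Userauth file check on node: dgnode4
Checking SSSD_CONF: FAILED
LDAP server status
LDAP server 192.0.2.18 : FAILED
Service 'sssd' status: OK
Userauth file check on node: dgnode2
dgnode2: not CES node. Ignoring...
EOF
)

# failed_checks < check-output  ->  "node<TAB>check<TAB>class" per non-OK line.
# class is "reachability" for server status lines (--rectify cannot fix those)
# and "config" for config-file and service lines (--rectify may fix those).
failed_checks() {
  awk -F': *' '
    /^Userauth .* check on node: / { node = $NF; next }   # start of a node section
    /not CES node/                 { next }               # node skipped by the command
    NF >= 2 && $NF != "OK" {
      name = $1; sub(/[ \t]+$/, "", name)                 # drop trailing blank before ":"
      class = (name ~ /server/) ? "reachability" : "config"
      print node "\t" name "\t" class
    }'
}

# triage < check-output: print failures and advice; return 1 if anything failed.
triage() {
  failures=$(failed_checks)
  if [ -z "$failures" ]; then
    echo "all authentication checks OK"
    return 0
  fi
  printf '%s\n' "$failures"
  if printf '%s\n' "$failures" | grep -q 'reachability$'; then
    echo "server reachability failures: fix DNS/network/firewall; --rectify will not help"
  fi
  if printf '%s\n' "$failures" | grep -q 'config$'; then
    echo "config/service failures: rerun the check with --rectify"
  fi
  return 1
}

if printf '%s\n' "$CHECK_OUTPUT" | triage; then
  echo "RESULT: consistent and reachable on all CES nodes"
else
  echo "RESULT: authentication configuration needs attention"
fi
```

In production, replace the constructed CHECK_OUTPUT with the live command (`mmuserauth service check --data-access-method file --nodes cesNodes --server-reachability | triage`) and alert on a non-zero exit; keep --rectify out of the unattended run and only apply it once the failures are confirmed to be config or service errors.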
22. Common Issues
• Issue: NFS users on UNIX clients are unable to access data because plain AD (automatic ID mapping) does not support UNIX clients: the UIDs and GIDs that IBM Spectrum Scale generates do not match the UIDs and GIDs used on the UNIX clients.
• How to debug this issue:
• Check the UID or GID of the user or group, respectively, on Windows that has access to the file.
• Check the UID or GID of the UNIX user that is denied access.
• Typically, the UID and GID will not be the same. In this case access is denied, and this is the expected behavior.
• The UIDs and GIDs of users on the UNIX clients are typically small values (for example, less than 1024) compared to the UIDs and GIDs automatically created by IBM Spectrum Scale, which fall inside IDMAP_RANGE (10000000 and above in the examples here).
• Conclusion: If you have UNIX users who want to access data, plain AD is not the correct authentication method. You should implement AD + RFC 2307 or AD + LDAP.
• How to correct this issue:
• The only way is to clean up the authentication configuration by running the mmuserauth service remove command.
• Use the --idmapdelete option to delete the ID mapping that was created.
• Re-run the configuration command after choosing the correct method for your environment.
• Remember that existing data will be inaccessible because its ACLs carry the older UIDs and GIDs.
• Best practice that should be followed:
• Collect all the information about which clients need access to the data. Based on that, decide on the best solution for your environment, which is typically AD + RFC 2307 or AD + LDAP.
Problem Determination Guide
23. Common Issues
• Issue: Users from another domain cannot access data even after plain AD is configured successfully.
• How to debug this issue:
• If data is inaccessible, first check whether the user that is trying to access it has sufficient ACLs. If not, provide the ACLs and try again. Make sure that users from the other domain are added in the format "DOMAIN_NAME\username" so that they are resolved successfully.
• If the ACLs are sufficient and the data is still inaccessible, check whether the UID and GID for that user are resolvable. Use the following command to check whether the user or group has a UID or GID assigned:
# mmadquery list uids --filter=<username>
UIDS from server 9.122.122.27 (domain NASDOMAIN.COM)
#
(An empty result, as above, means no UID could be resolved for the user.)
• Check that the UID/GID are in the range specified. If not, correct them in the case of RFC2307 or LDAP ID mapping.
• If the command throws an error, check the trust direction between that domain and the configured domain.
• Conclusion:
• Winbind internally uses the machine account for user and group attribute lookups. If the machine account has insufficient privileges to read these attributes, IBM Spectrum Scale cannot read the user and group information and hence cannot create the UID and GID that are essential for access to the system.
• This requires explicit read permission for the IBM Spectrum Scale machine account to read the user attributes.
• How to correct this issue:
• Delegate control for the IBM Spectrum Scale computer account (object type Computers) to "Read all user information".
• To do this, delegate control for the machine account to read user attributes as follows:
• In the Active Directory console tree, right-click the domain, select Delegate Control, click Next, click Add, and select the object type Computers. In the object name field, enter the IBM Spectrum Scale system's machine account (the account created with the NetBIOS name under the Computers container). Click Next, and select Delegate the following common tasks. From the displayed list, select Read all user information. Click Next, and then click Finish. If you have multiple IBM Spectrum Scale systems, you can create a group in Active Directory, add each IBM Spectrum Scale system machine account to that group, and delegate control to that group.
• Best practice that should be followed:
• Check and confirm that the IBM Spectrum Scale computer account can read all user information. Provide explicit permission to read the user attributes by delegating control for the IBM Spectrum Scale computer account to read all user information if it is not already set.
24. Common Issues
• Issue: AD successfully configured, yet some users cannot access data because the UID value is outside the configured range.
• How to debug this issue:
• If data is inaccessible, first check whether the user that is trying to access it has sufficient ACLs. If not, provide the ACLs and try again. Make sure that users from the other domain are added in the format "DOMAIN_NAME\username" so that they are resolved successfully.
• If the ACLs are sufficient and the data is still inaccessible, check whether the UID and GID for that user are resolvable. Use the following command to check whether the user or group has a UID or GID assigned:
# mmadquery list uids --filter=shradha
Password:
UIDS from server 9.122.122.27 (domain NASDOMAIN.COM)
User SID UID UIDNumber
--------- --------------------------------------------- ------- ---------
shradha n S-1-5-21-733047736-3426338400-2963614976-1218 shradha 30000
#
• Check that the UIDNumber/GID are in the range specified. Look for the parameter "UNIXMAP_DOMAINS DOMAIN(5000-20000)" in the output of mmuserauth service list.
• As seen in the example, the UIDNumber (30000) is higher than the range (5000-20000). That is the reason for the access failure. You may need to change the range if all UIDs/GIDs in the range are used up.
• Conclusion:
• The UID/GID of every user and group must fall within the range specified for its domain in the mmuserauth service create command (the UNIXMAP_DOMAINS range in the RFC2307 case). It is important to consider future expansion and anticipate that the number of users and groups will grow.
• How to correct this issue:
• The only way to correct this issue is to provide a range that is large enough to anticipate future growth in the number of users and groups. However, this cannot be done directly on an existing setup, especially for automatic ID mapping.
• Run the mmuserauth service remove command to clean up the authentication that was configured previously, with the --idmapdelete option so that all UIDs and GIDs that were previously created are deleted.
• Decide on the new range size that will be feasible and rerun the mmuserauth service create command.
• Best practice that should be followed:
• Size the ID ranges generously up front, because changing them later requires removing and recreating the authentication configuration and the ID maps, which leaves existing data with the old UIDs and GIDs in its ACLs inaccessible.
25. Common Issues
• Issue: AD + RFC 2307 successfully configured, yet some users cannot access data: the primary group in Active Directory does not have a valid GID set.
• How to debug this issue:
• If data is inaccessible, first check whether the user that is trying to access it has sufficient ACLs. If not, provide the ACLs and try again. Make sure that users from the other domain are added in the format "DOMAIN_NAME\username" so that they are resolved successfully.
• If the ACLs are sufficient and the data is still inaccessible, check whether the UID and GID for that user are resolvable. Use the following command to check whether the user or group has a UID or GID assigned:
# mmadquery list uids --filter=shradha
Password:
UIDS from server 9.122.122.27 (domain NASDOMAIN.COM)
User SID UID UIDNumber
--------- --------------------------------------------- ------- ---------
shradha n S-1-5-21-733047736-3426338400-2963614976-1218 shradha 20000
#
• If the UIDNumber is within range, check whether the user's primary group in Active Directory has a valid GID value set. This GID must also be in the range.
• Conclusion:
• Access for those users and groups is denied if the UID or GID is not set correctly.
• In the case of RFC2307, if a user's primary group in Active Directory has a missing GID, access is denied for that user.
• How to correct this issue:
• For the affected user, check its primary group in Active Directory.
• Check that the group has a valid GID set. If not, update it in the UNIX Attributes for that group.
• Best practice that should be followed:
• It is mandatory that the user's UID and the GID of the user's primary group in Active Directory are set correctly. The best practice is to verify this before trying to store or access data.
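The two preceding issues (UID outside the UNIXMAP_DOMAINS range, and a primary group without a GID) are both caught by comparing what AD returns against what mmuserauth service list says the range is. The script below is an added example, not code from the deck or from IBM, that does exactly that offline from captured output: it extracts the range for a domain from the list output, flags every row of mmadquery list uids whose uidNumber is missing or outside the range, and checks the primary gid in an id output line. All sample output is constructed. Two assumptions beyond what the deck shows: several domains in UNIXMAP_DOMAINS are taken to be separated by ";" as in the --unixmap-domains argument, and a user without a uidNumber attribute is taken to produce a row with no numeric last column.

```shell
#!/usr/bin/env bash
# Added example (not IBM's code): check RFC2307 IDs against the UNIXMAP_DOMAINS
# range offline, from captured command output, before users hit "access denied".
# Every sample below is constructed for this example.

# Constructed `mmuserauth service list` output (file section only).
LIST_OUTPUT=$(cat <<'EOF'
FILE access configuration : AD
PARAMETERS VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS false
SERVERS myADserver
USER_NAME administrator
NETBIOS_NAME ess
IDMAP_ROLE master
IDMAP_RANGE 10000000-299999999
IDMAP_RANGE_SIZE 1000000
UNIXMAP_DOMAINS DOMAIN(5000-20000)
LDAPMAP_DOMAINS none
EOF
)

# Constructed `mmadquery list uids` output. The last column is uidNumber from
# AD; "bob" has none (assumption: mmadquery then prints no value in that cell).
UIDS_OUTPUT=$(cat <<'EOF'
UIDS from server 9.122.122.27 (domain NASDOMAIN.COM)
User SID UID UIDNumber
--------- --------------------------------------------- ------- ---------
shradha n S-1-5-21-733047736-3426338400-2963614976-1218 shradha 30000
alice n S-1-5-21-733047736-3426338400-2963614976-1301 alice 6001
bob n S-1-5-21-733047736-3426338400-2963614976-1302 bob
EOF
)

# Constructed `id 'DOMAIN\administrator'` output on a protocol node.
ID_OUTPUT='uid=10002(DOMAIN\administrator) gid=10000(DOMAIN\domain users) groups=10000(DOMAIN\domain users)'

# unixmap_range DOMAIN < list-output  ->  "lo hi"
# UNIXMAP_DOMAINS holds NAME(lo-hi) entries; several domains are assumed to be
# separated by ';' as in the --unixmap-domains argument.
unixmap_range() {
  awk -v dom="$1" '
    $1 == "UNIXMAP_DOMAINS" {
      n = split($2, entries, ";")
      for (i = 1; i <= n; i++) {
        if (index(entries[i], dom "(") == 1) {
          s = substr(entries[i], length(dom) + 2)   # strip "DOMAIN("
          sub(/\)$/, "", s)                         # strip trailing ")"
          split(s, r, "-")
          print r[1], r[2]
          exit
        }
      }
    }'
}

# bad_uids lo hi < mmadquery-output  ->  "user<TAB>reason" per problem user.
# Table rows start after the dashed separator; user is the first field and
# uidNumber the last. A non-numeric last field means no uidNumber was set.
bad_uids() {
  awk -v lo="$1" -v hi="$2" '
    /^-+ / { body = 1; next }
    !body  { next }
    $NF !~ /^[0-9]+$/ { print $1 "\tno uidNumber set in AD"; next }
    $NF + 0 < lo + 0 || $NF + 0 > hi + 0 {
      print $1 "\tuidNumber " $NF " outside " lo "-" hi
    }'
}

# primary_gid_check lo hi < id-output  ->  one-line verdict.
# With RFC2307, a user whose primary group has no gidNumber is denied access.
primary_gid_check() {
  awk -v lo="$1" -v hi="$2" '
    {
      if (match($0, /gid=[0-9]+/)) {
        g = substr($0, RSTART + 4, RLENGTH - 4)
        if (g + 0 < lo + 0 || g + 0 > hi + 0)
          print "primary gid " g " outside " lo "-" hi
        else
          print "primary gid " g " ok"
      } else {
        print "no primary gid resolved: check the gidNumber of the primary group in AD"
      }
    }'
}

main() {
  set -- $(printf '%s\n' "$LIST_OUTPUT" | unixmap_range DOMAIN)
  lo=$1; hi=$2
  echo "UNIXMAP_DOMAINS range for DOMAIN: $lo-$hi"
  printf '%s\n' "$UIDS_OUTPUT" | bad_uids "$lo" "$hi"
  printf '%s\n' "$ID_OUTPUT" | primary_gid_check "$lo" "$hi"
}
main
```

Run against live output by piping mmuserauth service list, mmadquery list uids and id into the three functions; anything bad_uids prints is a user who will be denied access regardless of ACLs, and the fix is in AD (set or move the uidNumber/gidNumber) or, if the range itself is exhausted, the remove-and-recreate procedure described above.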
26. Illustration: File Protocol Authentication With Automatic ID Mapping
1. Run the command as shown in the example below:
# mmuserauth service create --type ad --data-access-method file --netbios-name ess --user-name administrator --idmap-role master --servers myADserver --password Passw0rd --idmap-range-size 1000000 --idmap-range 10000000-299999999
2. Verify the authentication configuration:
# mmuserauth service list
3. The system displays the following output:
FILE access configuration : AD
PARAMETERS VALUES
---------------------------------------
ENABLE_NFS_KERBEROS false
SERVERS myADserver
USER_NAME administrator
NETBIOS_NAME ess
IDMAP_ROLE master
IDMAP_RANGE 10000000-299999999
IDMAP_RANGE_SIZE 1000000
UNIXMAP_DOMAINS none
LDAPMAP_DOMAINS none
OBJECT access not configured
PARAMETERS VALUES
---------------------------------------
4. Issue the following command to check the authentication details:
# mmuserauth service check --data-access-method file --nodes dgnode3 --server-reachability
5. The system displays the following output:
Userauth file check on node: dgnode3
Checking nsswitch file: OK
AD servers status
NETLOGON connection: OK
Domain join status: OK
Machine password status: OK
Service 'gpfs-winbind' status: OK
Object not configured
6. Verify the user resolution on the system (the IDs are allocated automatically from IDMAP_RANGE):
# id "DOMAIN\user1"
uid=12001172(DOMAIN\user1) gid=12001174(DOMAIN\group1) groups=12001174(DOMAIN\group1),12001172(DOMAIN\user1),12000513(DOMAIN\domain users),11000545(BUILTIN\users)
Administration commands for Authentication
27. Illustration: File Protocol Authentication with AD + LDAP ID mapping
1. Run the command as shown in the example below:
# mmuserauth service create --data-access-method file --type ad --servers myADserver --user-name administrator --password Passw0rd --netbios-name specscale --idmap-role master --ldapmap-domains "DOMAIN1(type=stand-alone:range=1000-100000:ldap_srv=myLDAPserver:usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,dc=com:bind_dn=cn=manager,dc=example,dc=com:bind_dn_pwd=password)"
2. Verify the authentication configuration:
# mmuserauth service list
3. The system displays the following output:
FILE access configuration : AD
PARAMETERS VALUES
-------------------------------------------------
ENABLE_NFS_KERBEROS false
SERVERS myADserver
USER_NAME administrator
NETBIOS_NAME specscale
IDMAP_ROLE master
IDMAP_RANGE 10000000-299999999
IDMAP_RANGE_SIZE 1000000
UNIXMAP_DOMAINS none
LDAPMAP_DOMAINS DOMAIN1(type=stand-alone:range=1000-100000:ldap_srv=myLDAPserver:usr_dn=ou=People,dc=example,dc=com:grp_dn=ou=Groups,dc=example,dc=com:bind_dn=cn=manager,dc=example,dc=com)
4. Verify the user name resolution on the system. Confirm that the IDs shown are the ones pulled from the LDAP server configured in --ldapmap-domains (note that the bind password is not echoed in the list output):
# id 'DOMAIN\administrator'
uid=10002(DOMAIN\administrator) gid=10000(DOMAIN\domain users) groups=10000(DOMAIN\domain users)
28. Illustration: File Protocol Authentication with LDAP
1. Run the command as shown in the example below:
# mmuserauth service create --type ldap --data-access-method file --servers 192.0.2.18 --base-dn dc=example,dc=com --user-name cn=manager,dc=example,dc=com --password secret --netbios-name ess
2. Verify the authentication configuration:
# mmuserauth service list
3. The system displays the following output:
FILE access configuration : LDAP
PARAMETERS VALUES
-----------------------------------------
ENABLE_SERVER_TLS false
ENABLE_KERBEROS false
USER_NAME cn=manager,dc=example,dc=com
SERVERS 192.0.2.18
NETBIOS_NAME ess
BASE_DN dc=example,dc=com
USER_DN none
GROUP_DN none
NETGROUP_DN none
USER_OBJECTCLASS posixAccount
GROUP_OBJECTCLASS posixGroup
USER_NAME_ATTRIB cn
USER_ID_ATTRIB uid
KERBEROS_SERVER none
KERBEROS_REALM none
OBJECT access not configured
PARAMETERS VALUES
-----------------------------------------
Note: with ENABLE_SERVER_TLS false, the bind as cn=manager and every lookup travel over plain LDAP; enable TLS to the LDAP server for production use.
4. Issue the following command to check the authentication details, including reachability of the LDAP server from each protocol node:
# mmuserauth service check --server-reachability
5. The system displays output similar to this (the sample shows the Object section of the check on a node where Object access is also configured against LDAP):
Userauth object check on node: vmnode2
Checking keystone.conf: OK
Checking wsgi-keystone.conf: OK
Checking /etc/keystone/ssl/certs/signing_cert.pem: OK
Checking /etc/keystone/ssl/private/signing_key.pem: OK
Checking /etc/keystone/ssl/certs/signing_cacert.pem: OK
LDAP servers status
LDAP server 9.118.37.234 : OK
Service 'httpd' status: OK
29. File Access Limitations in Authentication
1. AD based Authentication
a) No support is provided for migrating the internally generated user and group ID maps to an external ID mapping server.
b) This configuration can be used in a predominantly SMB only setup, where NFS users are not already present in the environment.
2. AD with RFC2307
a) Enabling RFC2307 for a trusted domain requires a two-way trust between the native and the trusted domains. The mmuserauth service
create command does not check the two-way trust between the native domain and the RFC2307 domain.
b) To access the IBM Spectrum Scale™ system, users and groups must have a valid UID/GID assigned to them in AD. Therefore, the user's
primary Microsoft Windows group must be assigned with a valid GID.
3. LDAP-based authentication
a) If multiple LDAP servers are specified during configuration, at any point in time, only one LDAP server is used.
b) Users with the same user name from different organizational units under the specified baseDN in the LDAP server are denied access to
SMB shares irrespective of the LDAP user suffix and LDAP group suffix values configured on the system.
c) LDAP referrals are not supported.
d) ACL management through windows clients is not supported.
e) Only LDAP servers that implement RFC2307 schema are supported.
4. General Limitations
a) When the SMB service is stopped on a protocol node, with any AD-based authentication method, the NFS-based access is also affected on
that protocol node.
b) Authentication configuration commands restart the IBM Spectrum Scale™ protocol services such as SMB and NFS.
c) For file data access, switching or migrating from one authentication method to another is not supported, because it might lead to loss of
access to the data on the system.
d) The IBM Spectrum Scale™ system does not support authentication servers (AD, LDAP, and NIS) that are running on virtual machines that
are stored on an SMB or NFS export.
e) The length of a user name or a group name of the users and group of users who need to access the data cannot be more than 32
characters.
f) The NFSV4 clients must be configured with the same authentication and ID mapping server as the IBM Spectrum Scale™ system.
g) To use NFSV4 ID mapping, you must set the NFS ID map domain on the IBM Spectrum Scale™ protocol nodes and you must configure the
same NFS ID map domain on every NFS client.
h) NetBIOS names longer than 15 characters are not supported.