IBM Spectrum Scale Authentication for Protocols

User Group
2017
IBM Spectrum Scale 4.2.3
Protocol Authentication
Sandeep Patil
STSM, IBM Master Inventor
Kaustubh Katruwar
Spectrum Scale Auth Development
Shradha Thakare
Spectrum Scale Dev

Please note
IBM’s statements regarding its plans, directions, and intent
are subject to change or withdrawal without notice at IBM’s
sole discretion.
Information regarding potential future products is intended
to outline our general product direction and it should not be
relied on in making a purchasing decision.
The information mentioned regarding potential future
products is not a commitment, promise, or legal obligation
to deliver
any material, code or functionality. Information about
potential future products may not be incorporated into any
contract.
The development, release, and timing of any future features
or functionality described for our products remains at our
sole discretion.
Performance is based on measurements and projections
using standard IBM benchmarks in a
controlled environment. The actual throughput or
performance that any user will experience will vary
depending upon many factors, including considerations
such as the amount of multiprogramming in
the user’s job stream, the I/O configuration, the storage
configuration, and the workload processed. Therefore, no
assurance can be given that an individual user will achieve
results similar to those stated here.

Acknowledgement – Spectrum Scale Development Team
• Deepak Ghuge
• Ingo Meents
• Christof Schmitt
• Smita Raut
• Varun Mittal
• Bill Owen
• Sanjay Gandhi
• Brian Nelson
• Simon Lorenz
• Gautam Shah
• John Lewars
• Chetan Kulkarni

Authentication for Protocols - Basics
What is authentication?
• The objective of authentication is to verify the claimed identity
of users and components before access to the protected resource.
• Usually it is done by having the user enter a valid user name and
valid password before access is granted.
Authentication In IBM Spectrum Scale Protocol
• Ensures authenticated access to data exported by protocols
(NFS/SMB/Object)
• To enable read and write access to directories and files for the
users exported by IBM Spectrum Scale protocols , you must
configure user authentication on the system.
• Only one user authentication method, and only one instance of
that method, can be supported in a single cluster.
• The following authentication services can be configured with the IBM
Spectrum Scale™ system for file protocol access:
• Microsoft Active Directory (AD)
• Lightweight Directory Access Protocol (LDAP)
• Network Information Service (NIS) for NFS client access
• User defined

Identification - Basics
• The objective of identification is to identify users and infrastructure components which is basis of Authorization.
Identification methods include unique user IDs (such as different persons use different user IDs).
• Other methods include keys and finger prints (such as a public ssh key) and digital certificates (such as a certificate of
the web server).
User names and user IDs (UIDs):
• UNIX system and UNIX based appliances use user names and user identifiers (UID) to represent users of the system.
• When a user logs on to a UNIX system, the operating systems looks up their UID and then uses this UID for further
representation of the user.
Group names and Group IDs (GIDs)
• UNIX systems use groups to maintain sets of users which have the same permissions to access certain system
resources.
• Similar to user names and UIDs, a UNIX system also maintains group names and group identifiers (GIDs).
• A UNIX user might be a member of one or more groups, where one group is the primary or default group.
• UNIX groups are not nested: They contain users only but not other groups.
SID
• Windows and SMB client systems reference all operating system entities as resources. For example, users, groups,
computers, and so on.
• Each resource is represented by a security identifier (SID).
• Resource names and SIDs are stored locally in the Windows registry or in an external directory service such as Active
Directory or LDAP.
Directory Services
User names, UIDs, and the mapping of user names to UIDs along with Group Names, GIDs and their mapping are stored
locally in the /etc/passwd file. Or, they can be stored on an external directory service such as Microsoft Active Directory,
Services for Unix (SFU), Lightweight Directory Access Protocol (LDAP), or Network Information Service (NIS).
User Name: Penguin
UID: 9823
User Name: Penguin_Group
GID: 5000
User Name: Windows_User1
SID: S-1-5-21-917267712-1342860078-1792151419-500

UID/GID/SID mapping in IBM Spectrum Scale
• IBM Spectrum Scale stores all user data on Spectrum Scale file systems, which use UIDs and
GIDs for access control.
• For SMB access, IBM Spectrum Scale needs to map SIDs to UIDs and GIDs to enforce
access control. SIDs effectively are 128 bit values while GIDs and UIDs are limited to 32bit, so
a 1:1 mapping is not possible.
• NFS clients send the UID and GID of a user who requests access to a file.
• IBM Spectrum Scale uses the access control mechanism by comparing the received UID and
GID with the UIDs and GIDs stored in GPFS.
• The UIDs and GIDs used by the NFS clients must match the UIDs and GIDs stored inside
Spectrum Scale file system.
• When SMB clients using Windows connect to IBM Spectrum Scale configured with plain AD, it
first contacts the Active Directory to check for username and password combination. The auto
UID/GID created is then stored locally (in the idmap database) on IBM Spectrum Scale. For the
first time a user logs in, the ID mapping between SID and UID is created. After that, it is directly
picked up from the database. In case of mixed access from Windows and UNIX, Active Directory
with RFC 2307 or with LDAP is to be be used.

ID Mapping methods in IBM Spectrum Scale Required For NFS & SMB
Multiprotocol Access
The following methods are used to map Windows SID to UNIX UID and GID:
• External ID mapping methods
• A UID or GID of a user or group is created and stored in an external server.
• The external server administrator is responsible for creating or populating the UID/GID for the
user/group in their respective servers.
• The IBM Spectrum Scale system supports the following servers for external ID mapping:
• LDAP server, where the UID or GID is stored in a dedicated field in the user or group object on
the LDAP server.
• AD server with RFC2307 schema extension defined. The UID or GID of a user or group that
is defined in AD server is stored in a dedicated field of the user or group object.
• Internal ID mapping method
• Automatic ID mapping when AD-based authentication is used.
• Automatic ID mapping method uses a reserved ID range to allocate ID based on the following logic.
• A user or group in AD is identified by SID, which includes a component that is called RID.
Whenever a user or group from an AD domain accesses IBM Spectrum Scale™, a range is
allocated per AD domain. UID or GID is then allocated depending upon this range and the RID
of the user/group.
• For Example: S-1-5-21-3922795712-4076380459-2191511802-1304. Here:
• S – String is SID
• 1 – Revision Level
• 5 – Identifier Authority Value
• 21-3922795712-4076380459-2191511802 – Domain or Local Computer Identifier
• 1304 – Relative ID (RID)

IBM Spectrum Scale File Authentication Flow
• Authentication for NFS/SMB involves user credential validation and user identity management
which helps define ownership of data and is the foundational base for ACL for NFS and SMB
The following steps are involved in the user authentication
for file access:
1. User tries to connect to the IBM Spectrum
Scale™ system by using their credentials.
2. The IBM Spectrum Scale™ system contacts the
authentication server to validate the user.
3. The IBM Spectrum Scale™ system contacts the ID
map server that provides UIDs and GIDs of the user
and user group to verify the identity of the user.
4. If the user credentials are valid, the user gains access
to the system.

IBM Spectrum Scale Object Authentication Flow
Auth Flow
1. The user raises the access request to get access to
the object data.
2. The keystone server communicates with the
authentication server such as AD, LDAP, or a local
database. The keystone server interacts with the
authentication server for authentication,
authorization, and service end-point management.
3. If the user details are valid, the keystone server
interacts with the local database to determine the
user roles and issues a token to grant access to the
user.
4. The OpenStack identity service offers token-based
authentication for object access. When user
credentials are validated, the identity service issues
an authentication token, which the user provides in
subsequent requests. That is, the access request
also includes the token that is granted in step 3. The
token is an alphanumeric string of text that is used to
access OpenStack APIs and resources.
5. The authenticated user contacts the object storage
to access the data that is stored in it.
6. The object storage grants permission to the user to
work on the data based on the associated project ID
and user role.

Authentication Design Points For Spectrum Scale Protocols
• Well defined & consumable authentication management interfaces for FILE (NFS,SMB) and
OBJECT to ensure uniformness.
• Allow flexibility to configure Object and FILE with different authentication scheme to ensure wider
coverage of customer deployment.
• Ability to auto-suggest to help enforce common authentication scheme across FILE (SMB/NFS) and
OBJECT on the same cluster , when AD/LDAP is being used by either of them.
• Provide a "User Defined" auth mode to provide flexibility which allows customers to define authentication
setup the way they desire. IBM Spectrum Scale Auth CLI become dysfunctional in this mode.
• For FILE, support all required authentication schemes as supported in legacy NAS Systems to
ensure migration.
• For OBJECT support authentication of Swift with Keystone backed with AD, LDAP and database
(Posgress only). The authorization required by object will be stored only in database.
• Enhanced Problem Determination – Extract more of “Where is the exact problem/Is it related to
authentication” kind of authentication logs in FTDC for faster problem determination.

Authentication + ID map Schemes : Support Matrix for File Protocols
(NFS / SMB)
Configuring Authentication with AD Configuring Authentication with NIS
Configuring Authentication with LDAP

Authentication Schemes: Support Matrix for Object
Configuring Authentication with AD
Configuring Authentication with LDAP
Configuring Authentication with Local

Authentication Schemes: For Unified File and Object
What is Unified File and Object ?
• Unified File and Object allows accessing object using file interfaces
(SMB/NFS/POSIX) and accessing file using object interfaces (REST)
helps legacy applications designed for file to seamlessly start integrating
into the object world.
• It allows cloud data which is in form of objects to be accessed using
files using application designed to process files.
• Multi protocol access for file and object in the same namespace allows
supporting and hosting data oceans of different types with multiple access
options.
Configuring Authentication for Unified File and
Object
Only the following authentication mechanisms are supported when common
User ID is expected between File and Object Interface:
• Object configured with AD and File with the same AD where the
user/group ID is available on AD+RFC 2307
• Object configured with LDAP and File with the same LDAP where the
user/group ID is available on LDAP
Objects data accessed via file interface
File data accessed via object interface

Unified File and Object : Flexible Identity Management Modes
 Support’s Two Identity Management Modes
 Administrators can choose based on their need and use-case
Local_ID Unified_ID
Identity Management Modes
Object created by Object interface
will be owned by internal “swift” user
Application processing the object data
from file interface will need the required
file ACL to access the data.
Object authentication setup is
independent of File
Authentication setup
Object created from Object interface should be
owned by the user doing the Object PUT (i.e
FILE will be owned by UID/GID of the user)
Users from Object and File are expected to be
common auth and coming from same directory
service (only AD+RFC 2307 or LDAP)
Owner of the object will own and have
access to the data from file interface.
Suitable for unified file and object access for end
users. Leverage common ILM policies for file
and object data based on data ownership
Suitable when auth schemes for file and
object are different and unified access is for
applications

Spectrum Scale Protocol Authentication : High Level Overview
Linux
Keystone
Spectrum Scale Protocol Nodes
winbind ypbind SSSD
Posgress
AD LDAP NISMIT KDC
Users with AD/LDAP credential should be able to access FILE as well as Object
Auth configure CLI
For Keystone
Auth configure CLI
For File
Auth CLI
Common protocol Auth CLI
External
Auth Servers

IBM Spectrum Scale Authentication: The “mmuserauth” Command
# mmuserauth service <option>
• This command suite manages the authentication configuration of file and object access
protocols.
• The configuration allows protocol access methods to authenticate users who need to
access data that is stored on the system over these protocols.
• The different commands in the # mmuserauth service suite are:
• mmuserauth service create - Configures authentication for file and object
access protocols.
• mmuserauth service list - Displays the details of the authentication method
that is configured for both file and object access protocols.
• mmuserauth service check - Verifies the authentication method configuration
details for file and object access protocols. Validates the connectivity to the
configured authentication servers. It also supports corrections to the configuration
details on the erroneously configured protocol nodes.
• mmuserauth service remove - Removes the authentication method
configuration of file and object access protocols and ID maps if any.

Configure File and Object Auth
“mmuserauth service create”
Based on Auth type
- update the respective config
files
- restart the services
Check Auth config across the cluster
“mmuserauth service check”
Enable Required Protocols
List Configuration
(mmuserauth service list)
List File and Object
Auth config (separately)
Check if the
authentication is
consistent across the
cluster (protocol nodes)
with an option for
rectification (optional)
•Allow Export Creation for
NFS/SMB only when auth configured
•Allow Object IO
Cleanup authentication
(mmuserauth service remove)
Start the protocols
For Object, when it is being enabled admin will
be prompted if he wants to use external keystone
or host internal keystone and likewise it will do keystone
initialization
Object and File auth config
have to be done separately
because of semantic
differences
Note: For Object when the protocol is enabled it is automatically configured with keystone with local auth (if internal keystone was selected).
mmuserauth service create is required only if you want to configure object with AD/LDAP - this is unlike FILE where there is no local auth.
Disable Protocols
IBM Spectrum Scale Authentication: Life Cycle

Illustration : File Protocol Authentication with AD + RFC2307 ID
mapping
3. The system displays the following output:
FILE access configuration : AD
PARAMETERS VALUES
--------------------------------------------
-----
ENABLE_NFS_KERBEROS false
SERVERS myADserver
USER_NAME administrator
NETBIOS_NAME ess
IDMAP_ROLE master
IDMAP_RANGE 10000000-299999999
IDMAP_RANGE_SIZE 1000000
UNIXMAP_DOMAINS DOMAIN(5000-20000)
LDAPMAP_DOMAINS none
OBJECT access not configured
PARAMETERS VALUES
4. Verify the user name resolution and that ID
on the system are pulled from RFC2307
attributes on the AD server.
# id DOMAINadministrator
uid=10002(DOMAINadministrator)
gid=10000(DOMAINdomain users)
groups=10000(DOMAINdomain users
1. Run the command as shown in example below:
# mmuserauth service create
--type ad --data-access-method file
--netbios-name ess
--user-name administrator
--idmap-role master --servers myADserver
--password Passw0rd
--idmap-range-size 1000000
--idmap-range
10000000-299999999
--unixmap-domains 'DOMAIN(5000-20000)’
2. Verify the authentication configuration
# mmuserauth service list
Note: The specified domain controller myADserver is only relevant for joining the
domain. After that step the configured DCs for the domain are queried from DNS and an
available one is automatically chosen.
The user account administrator is also only used for joining the domain and creating
or updating the machine account. After that, the protocol nodes use the machine account
to access AD.

Illustration : Object Protocol Authentication with Local
FILE access not configured
PARAMETERS VALUES
--------------------------------------------
OBJECT access configuration : LOCAL
PARAMETERS VALUES
--------------------------------------------
ENABLE_KS_SSL false
ENABLE_KS_CASIGNING false
KS_ADMIN_USER admin
4. Verify the user name resolution and that ID
on the system are pulled from RFC2307
attributes on the AD server.
# mmuserauth service create --data-access-
method object --type local --ks-dns-name
c40bbc2xn3 --ks-admin-user admin --ks-
admin-pwd Passw0rd

Basic Authentication Problem Determination CLI
# mmuserauth service check
1. This command can help determine any issues in authentication.
2. The above command verifies the authentication method configuration details for file and object access protocols.
3. The command validates the connectivity to the configured authentication servers.
4. It also supports corrections to the configuration details on the erroneously configured protocol nodes.
5. Without the parameter, --server-reachability, the command only validates whether the authentication configuration files are
consistent across the protocol nodes.
6. Use this flag to ensure if the external authentication server is reachable by each protocol node.
7. The --rectify or -r option cannot fix server reachability errors. Specifying that option with --server-reachability may fix the
erroneous config files and service-related errors only.
8. To check whether the authentication configuration is consistent across the cluster and the required services are enabled and running,
issue this command:
# mmuserauth service check --data-access-method file --nodes cesNodes --rectify
The system displays output similar to this:
Userauth file check on node: dgnode3
Checking SSSD_CONF: OK
LDAP server status
LDAP server 192.0.2.18 : OK
Service 'sssd' status: OK
dgnode2: not CES node. Ignoring...
9. To check whether the file authentication configuration is consistent across the cluster and the required services are enabled and running,
and if you do not want to correct the situation, issue this command:
# mmuserauth service check --data-access-method file --nodes cesNodes --rectify

Common Issues
• Issue: NFS users on UNIX clients are unable to access data because plain AD does not support Unix clients.
• How to debug this issue:
• Check for the UID or GID for the user or group, respectively, on Windows which has access to the file.
• Check the UID or GID for the UNIX user which is denied access.
• Typically, the UID and GID will not be the same. In this case, access is denied and this is expected behavior.
• The UID and GID for users on the Unix clients is typically a smaller value like less than 1024 as compared to the UID
or GID automatically created by IBM Spectrum Scale ™.
• Conclusion: If you have Unix users who want to access data, plain AD is not the correct authentication. You
should implement AD + RFC 2307 or AD + LDAP.
• How to correct this issue:
• The only way to do this is to clean up authentication by running the mmuserauth service remove command.
command.
• Use the --idmapDelete option to delete the id mapping that was created.
• Re-run the configuration command after choosing the correct method for your environment.
• Remember that data will be inaccessible because it will have ACLs with an older UID and GID.
• Best practice that should be followed:
• Have all the information about what clients need access to data. Based on RFC 2307client data access, decide upon
the best solution for you environment, which is typically AD + RFC 2307 or AD + LDAP.
Problem Determination Guide

Common Issues
• Issue: Users from another domain cannot access data even after plain AD is configured successfully.
• If data is inaccessible, the first thing you need to check is if the user that is trying to access it has sufficient ACLs. If not, provide
the ACLs and try again. Make sure that users from the other domain are added in the format “DOMAIN_NAMEusername” so
that it is resolved successfully.
• If ACLs are sufficient, and data is still inaccessible, check if the UID and GID for that user is resolvable. Use the following
command to check if the user or group has a UID or GID assigned.
Run the command:
# mmadquery list uids --filter=<username>
UIDS from server 9.122.122.27 (domain NASDOMAIN.COM)
#
• Check that the UID/GID are in the range specified. If not, correct the same in case of RFC2307 or LDAP ID mapping.
• If command throws an error then check for the trust direction between the said Domain and configured domain.
• Conclusion:
• Winbind internally uses the machine account for user or group attribute lookup. If 'machine account' has insufficient privileges to
read these attributes, IBM Spectrum Scale will not be able to read user and group information and hence will be unable to create
the UID and GID that is essential to access the system.
• This will require explicit read permissions for the IBM Spectrum Scale system machine account to read the user attributes.
• To rectify this issue, you need to 'Delegate Control' for the IBM Spectrum Scale computer account[object type] - to 'Read all user
information‘
• To do this, delegate control for the machine account to read user attributes as follows:
• In the Active Directory console tree, right-click the domain, select Delegate Control, click Next, click Add, and select the object
type Computers. In the object name field, enter the IBM Spectrum Scale system's machine account (the account created with
the netBIOS name under the Computers container). Click Next, and select Delegate the following common tasks. From the
displayed list, select Read all user information. Click Next, and then click Finish. If you have multiple IBM Spectrum Scale™
systems, you can create a group in Active Directory, add each IBM Spectrum Scale system machine account to that group, and
delegate control to that group.
• It is recommended that you check and confirm that the IBM Spectrum Scale computer account can read all user information.
Provide explicit permissions to read the user attributes by delegating control for the IBM Spectrum Scale™ computer account to
read all user information if not already set.

Common Issues
• Issue: AD successfully configured, yet some users cannot access data because the UID value is out of the Range set
Run the command:
# mmadquery list uids --filter=shradha
Password:
User SID UID UIDNumber
--------- --------------------------------------------- ------- ---------
shradha n S-1-5-21-733047736-3426338400-2963614976-1218 shradha 30000
#
• Check that the UIDNumber/GID are in the range specified. Check for parameter “UNIXMAP_DOMAINS
DOMAIN(5000-20000)” in the output of command mmuserauth service list.
• As seen in example, the UIDNumber is higher than range. That is the reason for access failure. You may need to change Range
if all UID/GID are used up in the range.
• Conclusion:
• UID/GID for all users and groups must always be less than the rangesize specified in the mmuserauth service create
command. Its important to consider expansion in the future, and anticipate that number of users and groups will grow.
• The only way to correct this issue is to provide a range size that is high enough to anticipate future expansion of the number of
users and groups. However, this cannot be done directly on the setup especially for Automatic ID Mapping.
• You will need to run the mmuserauth service remove command to cleanup authorizations that were configured previously.
Rerun the command with the --idMapDelete option so that all UIDs and GIDs that were previously created are deleted.
• Decide on the new range size that will be feasible and rerun the mmuserauth service create command.
• It is recommended that you check and confirm that the IBM Spectrum Scale computer account can read all user information.
Provide explicit permissions to read the user attributes by delegating control for the IBM Spectrum Scale™ computer account to
read all user information if not already set.

Common Issues
• Issue: AD + RFC 2307 successfully configured, yet some users cannot access data – Primary group in Active Directory
does not have valid GID set.
Run the command:
# mmadquery list uids --filter=shradha
Password:
User SID UID UIDNumber
--------- --------------------------------------------- ------- ---------
shradha n S-1-5-21-733047736-3426338400-2963614976-1218 shradha 20000
#
• If UIDNumber is within range, check if the user’s Primary group in Active directory has a valid GID value Set. This GID should
also be in the range.
• Conclusion:
• Access for those users and groups will be denied if UID or GID are not set correctly.
• In case of RFC2307, if a user’s Primary group in Active Directory has a missing GID, access is denied for the respective user.
• For that corresponding user, check for its Primary group in Active Directory.
• Check that the Group has a valid GID set. If not, update it in the Unix Attributes for that group.
• It is mandatory that the user’s UID and Primary Group in Active Directory are correctly set. The best practice is to verify these
steps are followed before trying to store data or access data.

Illustration: File Protocol Authentication With Automatic ID Mapping
# mmuserauth service create --type ad --
data-access-method file --netbios-name ess
--user-name administrator --idmap-role
master --servers myADserver --password
Passw0rd --idmap-range-size 1000000 --
idmap-range 10000000-299999999
PARAMETERS VALUES
---------------------------------------
SERVERS myADserver
NETBIOS_NAME ess
IDMAP_ROLE master
IDMAP_RANGE 10000000-299999999
UNIXMAP_DOMAINS none
LDAPMAP_DOMAINS none
PARAMETERS VALUES
---------------------------------------
1. Issue following command to check the
authentication details
# mmuserauth service check --type file --
nodes dgnode3 --server-reachability
Checking nsswitch file: OK
AD servers status
NETLOGON connection: OK
Domain join status: OK
Machine password status: OK
Service 'gpfs-winbind' status: OK
Object not configured
3. Verify the user resolution on the system:
# id "DOMAINuser1“
uid=12001172(DOMAINuser1)
gid=12001174(DOMAINgroup1) groups=12001174
(DOMAINgroup1),12001172(DOMAINuser1),1200
0513(DOMAINdomain users),
11000545(BUILTINusers)
Administration commands for Authentication

PARAMETERS VALUES
-----------------------------------------------
--
SERVERS myADserver
NETBIOS_NAME specscale
IDMAP_ROLE master
IDMAP_RANGE 10000000-299999999
UNIXMAP_DOMAINS none
LDAPMAP_DOMAINS DOMAIN1(type=stand-alone:
range=1000-100000:
ldap_srv=myLDAPserver:usr_dn=ou=People,dc=examp
le,dc=com:
grp_dn=ou=Groups,dc=example,dc=com:bind_dn=cn-
manager,dc=example,dc=com)
4. Verify the user name resolution on the
system. Confirm that the resolution is showing
IDs that are pulled from LDAP attributes on
the AD server.
Illustration of File Protocol Authentication with AD + LDAP ID
mapping
# mmuserauth service create
--data-access-method file --type
ad --servers myADserver --user-name
administrator --password Passw0rd
--netbios-name specscale
--idmap-role master
--ldapmap-domains "DOMAIN1(type=stand-
alone:range=1000-
100000:ldap_srv=myLDAPserver:usr_dn=ou=Peop
le,dc=example,dc=com:
grp_dn=ou=Groups,dc=example,dc=com:bind_dn=
cn=manager,dc=example,dc=com:bind_dn_pwd=pa
ssword)“

Illustration of File Protocol Authentication with LDAP
# mmuserauth service create --type ldap
--data-access-method file --servers
192.0.2.18 --base-dn dc=example,dc=com -
-user-name cn=manager,dc=example,dc=com
--password secret --netbios-name ess
PARAMETERS VALUES
-----------------------------------------
ENABLE_SERVER_TLS false
ENABLE_KERBEROS false
USER_NAME
cn=manager,dc=example,dc=com
SERVERS 192.0.2.18
NETBIOS_NAME ess
BASE_DN dc=example,dc=com
USER_DN none
GROUP_DN none
NETGROUP_DN none
USER_OBJECTCLASS posixAccount
GROUP_OBJECTCLASS posixGroup
USER_NAME_ATTRIB cn
USER_ID_ATTRIB uid
KERBEROS_SERVER none
KERBEROS_REALM none
PARAMETERS VALUES
3. Issue following command to check the
authentication details
# mmuserauth service check --server-
reachability
4. The system displays output similar to this:
Userauth object check on node: vmnode2
Checking keystone.conf: OK
Checking wsgi-keystone.conf: OK
Checking
/etc/keystone/ssl/certs/signing_cert.pem: OK
Checking
/etc/keystone/ssl/private/signing_key.pem: OK
Checking
/etc/keystone/ssl/certs/signing_cacert.pem: OK
LDAP servers status
LDAP server 9.118.37.234 : OK
Service 'httpd' status: OK

File Access Limitations in Authentication
1. AD based Authentication
a) No support is provided for migrating the internally generated user and group ID maps to an external ID mapping server.
b) This configuration can be used in a predominantly SMB only setup, where NFS users are not already present in the environment.
2. AD with RFC2307
a) Enabling RFC2307 for a trusted domain requires a two-way trust between the native and the trusted domains. The mmuserauth service
create command does not check the two-way trust between the native domain and the RFC2307 domain.
b) To access the IBM Spectrum Scale™ system, users and groups must have a valid UID/GID assigned to them in AD. Therefore, the user's
primary Microsoft Windows group must be assigned with a valid GID.
3. LDAP-based authentication
a) If multiple LDAP servers are specified during configuration, at any point in time, only one LDAP server is used.
b) Users with the same user name from different organizational units under the specified baseDN in the LDAP server are denied access to
SMB shares irrespective of the LDAP user suffix and LDAP group suffix values configured on the system.
c) LDAP referrals are not supported.
d) ACL management through windows clients is not supported.
e) Only LDAP servers that implement RFC2307 schema are supported.
4. General Limitations
a) When the SMB service is stopped on a protocol node, with any AD-based authentication method, the NFS-based access is also affected on
that protocol node.
b) Authentication configuration commands restart the IBM Spectrum Scale™ protocol services such as SMB and NFS.
c) For file data access, switching or migrating from one authentication method to another is not supported, because it might lead to loss of
access to the data on the system.
d) The IBM Spectrum Scale™ system does not support authentication servers (AD, LDAP, and NIS) that are running on virtual machines that
are stored on an SMB or NFS export.
e) The length of a user name or a group name of the users and group of users who need to access the data cannot be more than 32
characters.
f) The NFSV4 clients must be configured with the same authentication and ID mapping server as the IBM Spectrum Scale™ system.
g) To use NFSV4 ID mapping, you must set the NFS ID map domain on the IBM Spectrum Scale™ protocol nodes and you must configure the
same NFS ID map domain on every NFS client.
h) Netbios name length greater than 15 characters.

IBM Spectrum Scale Authentication for Protocols

More Related Content

What's hot

Similar to IBM Spectrum Scale Authentication for Protocols

More from Sandeep Patil

Recently uploaded

IBM Spectrum Scale Authentication for Protocols