Continuing the series of blog posts on authentication, this post looks at how to configure IBM Spectrum Scale™ authentication with Active Directory.
Configuring IBM Spectrum Scale™ Authentication using Active Directory
You can configure authentication using Active Directory (AD) to enable read and write access to files and directories. AD-based authentication can be configured with one of the following ID mapping methods: automatic ID mapping, RFC2307 ID mapping, or LDAP ID mapping.
This post covers AD + automatic ID mapping in detail, including the command used to configure it. As a recap, the Authentication Support Matrix shows which protocols are supported with AD for each of the ID mapping methods.
I highly recommend that you study the matrix thoroughly during the planning phase so that you choose the right authentication method for the protocols you will use, not just today but in the future as well. Migration from one authentication method to another is not supported, and cleaning up the authentication configuration in order to reconfigure it may lead to loss of data access. Once authentication is configured, it needs to remain the same for the life of the system.
So, if you ever plan to use mixed protocols, plan for it now and configure authentication accordingly.
Active Directory with Automatic ID Mapping
In this case, Active Directory is used as the authentication server, while the UID and GID of each user and group are stored within the IBM Spectrum Scale™ system. The UIDs and GIDs are generated automatically. For more information on how the IDs are generated, refer to the article “IBM Spectrum Scale™ Authentication for File Access – Overview”.
AD + automatic ID mapping is used when you have ONLY SMB access and do not use multiprotocol access. This is usually a good choice when you have ONLY Windows clients in your environment.
If you later decide to add NFS clients or NFS access, you will NOT be able to switch to RFC2307 or LDAP ID mapping. It is not as simple as cleaning up the authentication configuration and reconfiguring AD + RFC2307 or AD + LDAP: the UIDs and GIDs that automatic ID mapping generated for users and groups need to match the users' UIDs and groups' GIDs on UNIX for access to keep working, and there is no guarantee that they do.
Command to Configure Plain AD with Automatic ID Mapping
Issue the mmuserauth service create command as shown in the following example:
# mmuserauth service create --type ad --data-access-method file --netbios-name specscale --user-name administrator --idmap-role master --servers myADserver --password Passw0rd --idmap-range-size 1000000 --idmap-range 10000000-299999999
Note that passing the AD password on the command line leaves it in the shell history and visible in the process list while the command runs; omit --password so that the command prompts for it instead (check the mmuserauth man page for your release).
The NetBIOS name must be selected carefully. If there are name collisions across multiple IBM Spectrum Scale™ clusters, or between the AD domain and the NetBIOS name, the configuration does not work properly.
Important: ID mappings are created only on the system whose ID map role is “master”. On a “subordinate” system, the ID mappings have to be imported from the “master” system.
Important: Choose the range size value carefully, because the range size cannot be changed after the first AD domain is defined on the IBM Spectrum Scale™ system.
Check the mmuserauth man page for the full list of parameters and their details.
If successful, the system displays the following output:
File Authentication configuration completed successfully.
Verify the authentication configuration by issuing the command as shown below:
# mmuserauth service list
The system displays the following output:
FILE access configuration : AD
OBJECT access not configured
The full listing shows the authentication configuration details: the server used for authentication, the NetBIOS name assigned, the ID map range and range size, and the ID map role of the system.
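Because the range size and the NetBIOS name cannot be changed once the first AD domain is defined, it pays to check them before running mmuserauth. The following POSIX shell script is an added example written for this post, not part of IBM Spectrum Scale™ or its documentation. It validates the NetBIOS name and the ID map range used in the command above, reports how many AD domains the range can hold (the range length divided by the range size, which is 290 for the values shown), and prints the resulting mmuserauth command with --password left out. The AD domain short name MYDOMAIN is illustrative, and the assumption that omitting --password makes the command prompt for the password should be confirmed against the mmuserauth man page of your release.

```shell
#!/bin/sh
# Pre-flight checks for an AD + automatic ID mapping configuration.
# Constructed example: this script is not part of IBM Spectrum Scale and does
# not call mmuserauth itself; it only validates the parameters that cannot be
# changed after the first AD domain is defined.

# Print how many AD domains fit in the ID map range with the given range size.
# Usage: idmap_domain_capacity RANGE_SIZE START-END
idmap_domain_capacity() {
    size=$1
    start=${2%-*}
    end=${2#*-}
    echo $(( (end - start + 1) / size ))
}

# Validate the NetBIOS name: 1-15 characters, letters, digits and hyphens only,
# and not the same as the AD domain's short name (a collision breaks the setup).
# Usage: check_netbios_name NAME AD_DOMAIN_SHORTNAME   (returns 0 when valid)
check_netbios_name() {
    name=$1
    domain=$2
    case "$name" in
        ''|*[!A-Za-z0-9-]*) echo "netbios: empty or invalid characters" >&2; return 1 ;;
    esac
    if [ ${#name} -gt 15 ]; then
        echo "netbios: longer than 15 characters" >&2; return 1
    fi
    if [ "$(printf %s "$name" | tr A-Z a-z)" = "$(printf %s "$domain" | tr A-Z a-z)" ]; then
        echo "netbios: collides with the AD domain short name" >&2; return 1
    fi
    return 0
}

# Validate that the range is well formed and holds at least MIN_DOMAINS domains.
# Usage: check_idmap_range RANGE_SIZE START-END MIN_DOMAINS   (returns 0 when valid)
check_idmap_range() {
    size=$1
    start=${2%-*}
    end=${2#*-}
    min=$3
    for n in "$size" "$start" "$end"; do
        case "$n" in
            ''|*[!0-9]*) echo "range: '$n' is not a positive integer" >&2; return 1 ;;
        esac
    done
    if [ "$start" -ge "$end" ]; then
        echo "range: start must be below end" >&2; return 1
    fi
    if [ "$size" -gt $((end - start + 1)) ]; then
        echo "range: range size is larger than the whole range" >&2; return 1
    fi
    cap=$(( (end - start + 1) / size ))
    if [ "$cap" -lt "$min" ]; then
        echo "range: only $cap domains fit, $min required" >&2; return 1
    fi
    return 0
}

# Assemble the mmuserauth command (printed, not executed) once the checks pass.
# --password is deliberately omitted so the command can prompt for it instead
# of leaving the AD credential in shell history (assumption: see man page).
# Usage: build_mmuserauth_cmd NETBIOS AD_DOMAIN RANGE_SIZE START-END SERVERS USER
build_mmuserauth_cmd() {
    netbios=$1; domain=$2; size=$3; range=$4; servers=$5; user=$6
    check_netbios_name "$netbios" "$domain" || return 1
    check_idmap_range "$size" "$range" 1 || return 1
    printf 'mmuserauth service create --type ad --data-access-method file --netbios-name %s --user-name %s --idmap-role master --servers %s --idmap-range-size %s --idmap-range %s\n' \
        "$netbios" "$user" "$servers" "$size" "$range"
}

# Values from the example command in this post; MYDOMAIN is a constructed AD short name.
echo "domains that fit: $(idmap_domain_capacity 1000000 10000000-299999999)"
build_mmuserauth_cmd specscale MYDOMAIN 1000000 10000000-299999999 myADserver administrator
```

Run the script on the cluster node where you intend to issue mmuserauth, with the real AD short name in place of MYDOMAIN; if any check fails the command is not printed, and the message on stderr says which parameter to revisit.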
FAQ on AD Based Authentication with Automatic ID Mapping:
Check out the article, “10 Frequently asked Questions on configuring Authentication using AD + AUTO ID mapping on IBM Spectrum Scale™.” for list of commonly asked questions and their answers.