Lets look at some of the Important and yet common questions regarding configuration of Authentication with Plain AD and Automatic ID Mapping. This is mainly for FILE access using CES Protocols.
1. Will NFS be supported with Plain AD setup and AUTO ID Map?
>> No, with Plain AD Setup, NFS access is not supported. However this does not mean you cannot create shares. You can if the NFS service is enabled. However, you will not be able to provide access to both Unix users and Windows users.
2. Can Authentication be changed later if we plan to bring in NFS clients or Unix users?
>> This is a very important question. Regarding modifying Authentication from what I have seen in past, many assume that its OK to add additional RFC2307 or LDAP along with Auto ID Mapping later since the MATRIX does show that AD + RFC2307 or AD + LDAP is a valid configuration. However, the answer to this question is WE DO NOT SUPPORT MODIFYING AUTHENTICATION that has been once setup especially after data has been created or migrated. Hence, its VERY IMPORTANT that you consider all scenarios, foresee whether you need to add UNIX clients, take into consideration the growth of company and hence number of users and groups which means decide on the right range for the AUTO IDMaps and RFC2307/LDAP Ranges. Yes, we have different schemes for Authentication and ID Mapping that we support. But once chosen you need to stick to it. Hence, before migrating data, you can test different methods and choose the one that fits in your environment.
3. Can ID Map range size and range be changed once authentication is configured with AD + Automatic ID Mapping?
>> You can only change the higher value of the ID Map range to increase the number of ranges or allow more no. of domains. You cannot change the range size once the ID Map has been generated. Hence, its advised to plan correctly for the no. of users and groups considering the future growth in the company.
4. Can the details of users and groups on the AD Server be checked from IBM Spectrum Scale™?
>> Yes, Indeed! You can now check different attributes of Users, Groups and Domain from the IBM Spectrum Scale™ system using the tool “mmadquery” which was developed to query the AD server for such details. Currently the tool only works for AD environment and not NIS or LDAP.
5. Is there any specific setting to be done on the AD server for successful configuration with IBM Spectrum Scale™?
>> No, there is no specific setting or changes that needs to be done on the AD server. Any user that can create a machine account on the Server, read trust information and machine accounts if already created before hand, can be used for configuring authentication. The user need not be an administrator user.
6. Are users from trusted domains able to authenticate and access data on IBM Spectrum Scale?
>> Yes, if all the other domains are in TWO WAY trust with the domain you have configured IBM Spectrum Scale™, all those users from the trusted domains will be able to authenticate and access data successfully provided they are authorised and have the required ACLs.
7. What happens if the UID or GID value exceeds the range configured?
>> If for example, the range provided is 3000000-5000000 and range size is 99999, it means only 99999 users are eligible to access the system. The first range that will get assigned is from 3000000-3099999. If there are more than 99999 users in the domain, the next bucket range is used, so the IDs will be generated from, 3100000-3199999. Now maximum of 20 domains are only supported with 99999 capacity for each. Hence, its important to consider growth of company and in turn the number of Users and Groups that will access the system.The same logic goes for AD + RFC2037, AD+LDAP and LDAP Ranges.
8. What if the AD server with which Authentication is configured is DOWN? Will access be affected?
>> The AD Server details that is provided during the configuration of authentication is only used to communicate with the server and create the Machine Account. Once authentication is successfully configured, all communication to the Domain Controller happens via the DNS. The DNS is queried for the IP address of the closest DC and is then communicated. Hence, its important that there are multiple DCs serving the same domain for high availability.
9. Should authentication configured on IBM Spectrum Scale™ be cleaned up and reconfigured with new DC details in case the AD server that was used for configuration is to be removed from domain and new DC is to be added?
>> You need not make any changes on the IBM Spectrum Scale™ in case you want to remove any DC or add any new DC. This is to be take care of only on the AD side, externally to our system.
As mentioned earlier, The AD Server details that is provided during the configuration of authentication is only used to communicate with the server and create the Machine Account. Once authentication is successfully configured, all communication to the Domain Controller happens via the DNS. The DNS is queried for the IP address of the closest DC and is then communicated. Make sure the DNS is updated with the new DC details and old DC details are removed.
10. Can a DR System be configured with Plain AD + Automatic ID Mapping? How can the same ID Mappings be generated on the DR site for AUTO ID Mapping setup?
>> In this case we need to configure the Primary System as “Master” and the DR site as “Subordinate”. Once we have configured AUTO ID Mapping or Plain AD on the Master, we must export the ID Mappings using the commands available. On the DR Site we then import the ID Mappings. After this, we can copy data from Master to Subordinate.
When NEW Users are added on Master, its OK to not copy on the subordinate. This is because subordinate system now has the details of ID Mappings. It can calculate and generate the Same Deterministic ID Map as on the Master. The only time you will need to re-export the ID Maps from Master is when there is a NEW Domain trusting the domain configured. Once the ID Maps are exported into subordinate, it will automatically generate deterministic ID Maps in future.
Important Note: It is the responsibility of the System Admin to export the ID Maps on the subordinate the first time and whenever a new Domain is in the environment.
Hope this was helpful. Let me know if you have any more queries.
You can check out “IBM Spectrum Scale™ Authentication using Active Directory” for more details on Authentication using Active Directory.