Now that we have seen how to configure IBM Spectrum Scale™ with Automatic ID Mapping for a Windows-only environment, we can move on to configuring Active Directory for a mixed environment.
For a mixed environment that comprises Windows clients as well as UNIX clients for FILE access, we support:
Here RFC2307 and LDAP are used as the ID Mapping server while AD is used for authentication.
Configuring AD-based authentication with RFC2307 ID mapping
This configuration is useful when you plan to use any pre-existing UNIX client, or the NFS and SMB protocols, for data access with the AFM feature of the IBM Spectrum Scale™ system. In this configuration we also support NFSv3 with Kerberos, along with NFSv4 with and without Kerberos.
Command to Configure Plain AD with RFC2307
Issue the mmuserauth service create command as shown in the following example:
# mmuserauth service create --type ad --data-access-method file --netbios-name specscale --user-name administrator --idmap-role master --servers myADserver --password Passw0rd --idmap-range-size 1000000 --idmap-range 10000000-299999999 --unixmap-domains 'DOMAIN1(5000-20000)'
The NetBIOS name must be selected carefully. If there are name collisions across multiple IBM Spectrum Scale™ clusters, or between the AD Domain and the NetBIOS name, the configuration does not work properly.
Important: ID Mappings are always created only on the “master” system. On the “subordinate” system, these ID Mappings have to be imported from the “master” system.
Important: Choose the range size value carefully because range size cannot be changed after the first AD domain is defined on the IBM Spectrum Scale™ system.
Here L1-H1 is the low-high range for that domain (5000-20000 for DOMAIN1 in the command above) between which the UID and GID exist. The AD Administrator needs to pre-fill appropriate values into the “UNIX Attributes” tab for each user in that domain. Also, each user's primary group must have a valid GID that is also in the specified range.
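The range requirement above can be checked before the command is run. The following is an added example, not part of the original article or of IBM's tooling: it parses the --unixmap-domains value from the command on this page and flags users whose RFC2307 attributes fall outside it. The user records are constructed sample data, the function names are hypothetical, and treating the range bounds as inclusive is an assumption.

```python
import re

# Value copied from the mmuserauth command on this page.
UNIXMAP_DOMAINS = "DOMAIN1(5000-20000)"

# Constructed sample data. gidNumber is the GID of the user's primary group.
USERS = [
    {"domain": "DOMAIN1", "name": "alice", "uidNumber": 5001, "gidNumber": 5100},
    {"domain": "DOMAIN1", "name": "bob", "uidNumber": 1200, "gidNumber": 5100},    # UID below L1
    {"domain": "DOMAIN1", "name": "dave", "uidNumber": 5004, "gidNumber": 20001},  # GID above H1
    {"domain": "DOMAIN1", "name": "erin", "uidNumber": None, "gidNumber": 5100},   # UNIX Attributes empty
]


def parse_unixmap(spec):
    """Return {domain: (low, high)} from a DOMAIN(L-H) specification."""
    ranges = {}
    for name, low, high in re.findall(r"([^\s();]+)\((\d+)-(\d+)\)", spec):
        low, high = int(low), int(high)
        if low > high:
            raise ValueError(f"{name}: low bound {low} exceeds high bound {high}")
        ranges[name] = (low, high)
    if not ranges:
        raise ValueError(f"no DOMAIN(L-H) entry found in {spec!r}")
    return ranges


def audit(users, spec):
    """Return (user, problem) pairs, in input order, for IDs the range does not cover."""
    ranges = parse_unixmap(spec)
    findings = []
    for u in users:
        if u["domain"] not in ranges:
            findings.append((u["name"], "domain has no --unixmap-domains entry"))
            continue
        low, high = ranges[u["domain"]]
        for attr in ("uidNumber", "gidNumber"):
            value = u[attr]
            if value is None:
                findings.append((u["name"], f"{attr} not set"))
            elif not low <= value <= high:  # inclusive bounds are an assumption
                findings.append((u["name"], f"{attr} {value} outside {low}-{high}"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(USERS, UNIXMAP_DOMAINS):
        print(f"{name}: {problem}")
```

In practice the user records would come from an export of the uidNumber and gidNumber attributes in AD rather than from an inline list.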
Note: With this type of configuration you can also pass the --enable-nfs-kerberos flag, which enables Kerberized NFSv4-based access to exports.
Check the mmuserauth man page for more information on the different parameters that can be used and their details.
If successful, the system displays the following output:
File Authentication configuration completed successfully.
Verify the authentication configuration by issuing the command as shown below:
# mmuserauth service list
The system displays the following output:
FILE access configuration : AD
OBJECT access not configured
As you can see, the output above lists the authentication configuration details, such as the server used for authentication and the NetBIOS name assigned, as well as the ID map range and range size along with the UNIX map domains and their details.