Security and Authentication

What is Active Directory and why RFC2307?

To enable read and write access to directories and files for the users on the IBM Spectrum Scale system, you must configure user authentication on the system. Only one user authentication method, and only one instance of that method, can be supported.

The following authentication services can be configured with the IBM Spectrum Scale system for file protocol access:

  • Microsoft Active Directory (AD)
  • Lightweight Directory Access Protocol (LDAP)
  • Network Information Service (NIS) for NFS client access
  • User defined

Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks and is included in most Windows Server operating systems as a set of processes and services. An AD domain controller authenticates and authorizes all users and computers in a Windows domain network: it assigns and enforces security policies for all computers and installs or updates software.

ID mapping

The authentication of the user or groups of users is also associated with the identification of their unique identifiers. To support data access to Microsoft Windows clients (SMB protocol) and to allow interoperability, that is, to share data among UNIX and Windows clients (SMB and NFS protocols), the IBM Spectrum Scale system must map Windows SID to UNIX UID/GID. This process is referred to as ID mapping and the map is referred to as ID map. The ID mapping can be done either internally in the IBM Spectrum Scale system or in an external authentication server.

External ID mapping methods:
  • RFC2307 when AD-based authentication is used
  • LDAP when LDAP-based authentication is used
Internal ID mapping method:
  • Automatic ID mapping when AD-based authentication is used

External ID mapping

A UID or GID of a user or group is created and stored in an external server such as Microsoft Active Directory, an NIS server, or an LDAP server. External ID mapping is useful when the user UID or group GID already exists in the environment. For example, if an NFS client user with UID and GID 100 already exists in the environment, and you want a certain share to be accessed by both SMB and NFS clients, you can use an external ID mapping server, assign UID/GID 100 to the SMB user, and thus allow both the SMB and the NFS client to access the same data under the same identity.

Note: The external server administrator is responsible for creating or populating the UID/GID for the user/group in their respective servers.

The IBM Spectrum Scale supports the following servers for external ID mapping:

LDAP server, where the UID or GID is stored in a dedicated field in the user or group object on the LDAP server.

AD server with RFC2307 schema extension defined. The UID or GID of a user or group that is defined in AD server is stored in a dedicated field of the user or group object.

Internal ID mapping

The UID or GID of a user or group is created automatically by the IBM Spectrum Scale system and stored in its internal repositories.
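The two mapping rules above (external RFC2307 ids for domains listed in --unixmap-domains, automatically allocated ids from --idmap-range for everything else) are easy to misconfigure so that two different Windows identities land on the same UNIX id. The following is an added example, not IBM code and not the actual winbind implementation: it models the decision in Python using the values shown later on this page (idmap-range 10000000-299999999, range size 1000000, unixmap-domains 'specscale(10000-20000)'), rejects an RFC2307 id that lies outside the declared domain range, and flags a unixmap range that overlaps the automatic pool. The ';' separator between several domains and the sequential allocation scheme for automatic ids are simplifying assumptions.

```python
import re
from dataclasses import dataclass

# Assumed syntax, modeled on the page's value 'specscale(10000-20000)';
# the ';' separator between several domains is an assumption.
UNIXMAP_ENTRY = re.compile(r"\s*([^()\s;]+)\((\d+)-(\d+)\)\s*")


def parse_unixmap_domains(spec: str) -> dict:
    """Parse 'dom1(lo-hi);dom2(lo-hi)' into {domain: (lo, hi)}, domain lower-cased."""
    result = {}
    for item in spec.split(";"):
        if not item.strip():
            continue
        m = UNIXMAP_ENTRY.fullmatch(item)
        if not m:
            raise ValueError(f"bad --unixmap-domains entry: {item!r}")
        dom, lo, hi = m.group(1).lower(), int(m.group(2)), int(m.group(3))
        if lo > hi:
            raise ValueError(f"empty range for domain {dom}: {lo}-{hi}")
        result[dom] = (lo, hi)
    return result


@dataclass
class IdmapConfig:
    idmap_range: tuple        # --idmap-range: pool for automatically mapped domains
    idmap_range_size: int     # --idmap-range-size: slice handed to each such domain
    unixmap_domains: dict     # parsed --unixmap-domains: RFC2307 ranges per domain


def validate(cfg: IdmapConfig) -> list:
    """Return a list of configuration problems; an empty list means consistent."""
    problems = []
    lo, hi = cfg.idmap_range
    if lo > hi:
        problems.append("idmap-range is empty")
    if hi - lo + 1 < cfg.idmap_range_size:
        problems.append("idmap-range is smaller than one idmap-range-size slice")
    # An RFC2307 range that overlaps the automatic pool lets two different
    # Windows identities resolve to the same UNIX id on the file system.
    for dom, (dlo, dhi) in cfg.unixmap_domains.items():
        if dlo <= hi and lo <= dhi:
            problems.append(f"unixmap range for {dom} overlaps idmap-range")
    return problems


class IdMapper:
    """Map (domain, SID) to a UNIX id under the external-or-internal rule."""

    def __init__(self, cfg: IdmapConfig):
        problems = validate(cfg)
        if problems:
            raise ValueError("; ".join(problems))
        self.cfg = cfg
        self.auto_ids = {}                 # SID -> id: the "internal repository"
        self.next_auto = cfg.idmap_range[0]

    def map_sid(self, domain: str, sid: str, rfc2307_id=None) -> int:
        dom = domain.lower()
        if dom in self.cfg.unixmap_domains:
            # External mapping: the id must come from AD (uidNumber/gidNumber)
            # and must lie inside the range the administrator declared.
            lo, hi = self.cfg.unixmap_domains[dom]
            if rfc2307_id is None:
                raise LookupError(f"{domain}\\{sid}: no RFC2307 id in AD, access denied")
            if not lo <= rfc2307_id <= hi:
                raise ValueError(f"{domain}\\{sid}: RFC2307 id {rfc2307_id} outside {lo}-{hi}")
            return rfc2307_id
        # Internal mapping (simplified sequential allocation, an assumption):
        # allocate once and remember it so the SID always gets the same id.
        if sid not in self.auto_ids:
            if self.next_auto > self.cfg.idmap_range[1]:
                raise RuntimeError("idmap-range exhausted")
            self.auto_ids[sid] = self.next_auto
            self.next_auto += 1
        return self.auto_ids[sid]


# Constructed configuration using the values shown on this page.
PAGE_CONFIG = IdmapConfig(
    idmap_range=(10000000, 299999999),
    idmap_range_size=1000000,
    unixmap_domains=parse_unixmap_domains("specscale(10000-20000)"),
)

if __name__ == "__main__":
    mapper = IdMapper(PAGE_CONFIG)
    # SPECSCALE is RFC2307-mapped: uidNumber 10001 is taken from AD unchanged.
    print(mapper.map_sid("SPECSCALE", "S-1-5-21-1-2-3-1105", rfc2307_id=10001))
    # BUILTIN is not in unixmap-domains, so it receives an automatic id.
    print(mapper.map_sid("BUILTIN", "S-1-5-32-545"))
```

The SIDs in the usage section are constructed. The useful check for a deployment is validate(): run it over the values you intend to pass to mmuserauth service create before the domain join, because a SPECSCALE user whose uidNumber was set outside 10000-20000 is refused here rather than silently colliding with an automatically allocated id.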

'mmuserauth service create' man page:
  Usage:
  mmuserauth service create [-h|--help] --data-access-method {file|object} --type {ldap|local|ad|nis|userdefined} --servers [--base-dn]
    {[--enable-anonymous-bind]|[--user-name] [--password]} [--enable-server-tls] [--enable-ks-ssl]
    [--enable-kerberos] [--enable-nfs-kerberos] [--enable-ks-casigning]
    [--user-dn] [--group-dn] [--netgroup-dn]
    [--netbios-name] [--domain] [--idmap-role {master|subordinate}] [--idmap-range] [--idmap-range-size]
    [--user-objectclass] [--group-objectclass]
    [--user-name-attrib] [--user-id-attrib] [--user-mail-attrib] [--user-filter]
    [--ks-dns-name] [--ks-admin-user] [--ks-admin-pwd] [--ks-swift-user] [--ks-swift-pwd] [--ks-ext-endpoint]
    [--kerberos-server] [--kerberos-realm]
    [--unixmap-domains]

Setting AD with RFC2307 authentication for Spectrum Scale using installer

1) Obtain the IBM Spectrum Scale build, which is a self-extracting package consisting of the following components:
  Installation Toolkit & license
  GPFS
  NFS (Ganesha)
  SMB (Samba)
  Object (Swift and Keystone)
  Performance monitoring tool (ZIMON)

2) Downloading and unpacking the software
Obtain from your IBM customer advocate the IBM Spectrum Scale self-extracting package:
  For SystemX systems:
      Spectrum_Scale_install-4.1.1.0_x86_64-linux_standard_bvt_GSD
  For Power systems:
      Spectrum_Scale_install-4.1.1.0_ppc64-linux_standard_bvt_GSD
The self-extracting package should be placed on the node that will run the installation toolkit.

3) Accepting the license in text-only mode
The --text-only flag is useful for viewing and accepting the license agreement if there is no available GUI.
  X86 example:
      ./Spectrum_Scale_install-4.1.1-0_x86_64-linux_standard_bvt_GSD --text-only
  Pseries example:
      ./Spectrum_Scale_install-4.1.1-0_ppc64-linux_standard_bvt_GSD --text-only

4) Completion of self-extracting package
Once the license has been accepted the packages will, by default, be extracted to: /usr/lpp/mmfs/4.1.1/

5) Use the installation toolkit to install GPFS following the procedure supplied with self-extracting package. A detailed GPFS installation procedure is beyond the scope of this document.

6) Deploy NFS and SMB protocol using installation toolkit.
On installer node:
  [root@sbnode1 installer]# cd /usr/lpp/mmfs/4.1.1/
  [root@sbnode1 4.1.1]# ./spectrumscale enable nfs
  [root@sbnode1 4.1.1]# ./spectrumscale enable smb

7) Run the following command to see the authentication options you can choose for --data-access-method file:
  [root@sbnode1 installer]# ./spectrumscale auth file -h
  usage: spectrumscale auth file [-h] {ldap,ad,nis,none}
  positional arguments:
    {ldap,ad,nis,none} The type of File authentication to configure
  optional arguments:
    -h, --help show this help message and exit

8) Configuring AD with RFC2307 authentication using installation toolkit.
Run the following command to configure AD with RFC2307 authentication for IBM Spectrum Scale.
  [root@sbnode1 installer]# ./spectrumscale auth file ad
  [ INFO ] A configuration template has been created at configuration/authconfig.txt. Please open this file in the text editor of your choice and complete the template.
Would you like to open this file now? [Y/n]: y

A template file will automatically open. Fill out this template. Save the file and close it. The settings will automatically be loaded for the install toolkit. For more details refer to the man page for mmcesuserauthcrservice.

Template before adding AD with RFC2307 authentication details:
Template after adding AD with RFC2307 authentication details:

9) Now deploy the Spectrum Scale protocol stack on your defined environment:
  [root@sbnode1 installer]# ./spectrumscale deploy
  Note: Make sure all the required dependencies (sssd, ypbind, openldap-clients) are installed on all the protocol nodes before deploy.

10) Test AD with RFC2307 authentication service after deploy on IBM Spectrum Scale system.
  [root@sbnode1 installer]# mmuserauth service list
  FILE access configuration : AD
  PARAMETERS   VALUES
  -------------------------------------------------
  SERVERS   9.118.37.186
  USER_NAME   administrator
  NETBIOS_NAME   vmnode
  IDMAP_ROLE   master
  IDMAP_RANGE   10000000-299999999
  IDMAP_RANGE_SIZE   1000000
  UNIXMAP_DOMAINS   specscale(10000-20000)
  -------------------------------------------------

Setting AD with RFC2307 authentication for Spectrum Scale using CLI

1) [root@sbnode3 ~]# mmuserauth service create --type ad --data-access-method file --servers 9.118.37.186 --user-name administrator --netbios-name vmnode --idmap-role master --password Passw0rd --idmap-range-size 1000000 --idmap-range 10000000-299999999 --unixmap-domains 'specscale(10000-20000)'
File authentication configuration completed successfully.

2) Test AD with RFC2307 authentication service after deploy on IBM Spectrum Scale system.
  [root@sbnode1 installer]# mmuserauth service list
  FILE access configuration : AD
  PARAMETERS   VALUES
  -------------------------------------------------
  SERVERS    9.118.37.186
  USER_NAME   administrator
  NETBIOS_NAME   vmnode
  IDMAP_ROLE    master
  IDMAP_RANGE   10000000-299999999
  IDMAP_RANGE_SIZE   1000000
  UNIXMAP_DOMAINS   specscale(10000-20000)
  -------------------------------------------------

NFS and SMB testing for AD with RFC2307 based authentication for Spectrum Scale

1) Configured IBM Spectrum Scale system with AD with RFC2307 authentication.
  [root@sbnode1 installer]# mmuserauth service list
  FILE access configuration : AD
  PARAMETERS   VALUES
  -------------------------------------------------
  SERVERS   9.118.37.186
  USER_NAME   administrator
  NETBIOS_NAME   vmnode
  IDMAP_ROLE   master
  IDMAP_RANGE   10000000-299999999
  IDMAP_RANGE_SIZE   1000000
  UNIXMAP_DOMAINS   specscale(10000-20000)
  -------------------------------------------------

  [root@sbnode3 ~]# mmuserauth service check --server-reachability -N all --type file
  sbnode1: not CES node. Ignoring...
  sbnode2: not CES node. Ignoring...
  Userauth file check on node: sbnode3
    AD servers status
      NETLOGON connection: OK
      Domain join status: OK
      Machine password status: OK
    Service 'winbindd' status: OK
  Userauth file check on node: sbnode4
    AD servers status
      NETLOGON connection: OK
      Domain join status: OK
      Machine password status: OK
    Service 'winbindd' status: OK
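The check above is the one you want to run again after every protocol-node addition, domain controller change or machine-password rotation, and a regression in it (a lost domain join, a stale machine password, winbindd down) is what turns into "access denied" for SMB users. The following is an added example, not IBM code: a small Python parser for the output format shown above that groups the per-node results and returns every check whose status is not OK, so the output of mmuserauth service check can be fed into a monitoring job. The sample output is constructed after the transcript above; the FAILED status on sbnode4 is invented to exercise the failure path, and the assumption is that the real tool keeps the "name: status" line layout shown on this page.

```python
import re
from collections import OrderedDict

# Constructed sample modeled on the page's transcript. The FAILED value on
# sbnode4 is invented here to show how a regression is reported.
SAMPLE_CHECK_OUTPUT = """\
sbnode1: not CES node. Ignoring...
sbnode2: not CES node. Ignoring...
Userauth file check on node: sbnode3
  AD servers status
    NETLOGON connection: OK
    Domain join status: OK
    Machine password status: OK
  Service 'winbindd' status: OK
Userauth file check on node: sbnode4
  AD servers status
    NETLOGON connection: OK
    Domain join status: OK
    Machine password status: FAILED
  Service 'winbindd' status: OK
"""

NODE_LINE = re.compile(r"^Userauth file check on node:\s*(\S+)")
SKIPPED_LINE = re.compile(r"^(\S+): not CES node\. Ignoring")
CHECK_LINE = re.compile(r"^\s*(.+?):\s*(\S+)\s*$")


def parse_userauth_check(text: str):
    """Return ({node: {check name: status}}, [nodes skipped as non-CES])."""
    nodes, skipped, current = OrderedDict(), [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SKIPPED_LINE.match(line)
        if m:
            skipped.append(m.group(1))
            continue
        m = NODE_LINE.match(line)
        if m:
            current = m.group(1)
            nodes[current] = OrderedDict()
            continue
        m = CHECK_LINE.match(line)
        if m and current is not None:
            nodes[current][m.group(1).strip()] = m.group(2)
        # Lines without a 'name: status' pair (e.g. 'AD servers status') are
        # group headers and carry no result of their own.
    return nodes, skipped


def failing_checks(nodes) -> list:
    """List (node, check, status) for every check that did not report OK."""
    return [(node, check, status)
            for node, checks in nodes.items()
            for check, status in checks.items()
            if status != "OK"]


def cluster_auth_healthy(text: str) -> bool:
    """True only if at least one CES node was checked and nothing failed."""
    nodes, _ = parse_userauth_check(text)
    return bool(nodes) and not failing_checks(nodes)


if __name__ == "__main__":
    parsed, ignored = parse_userauth_check(SAMPLE_CHECK_OUTPUT)
    print("skipped (not CES):", ignored)
    for node, check, status in failing_checks(parsed):
        print(f"{node}: {check} -> {status}")
    print("healthy:", cluster_auth_healthy(SAMPLE_CHECK_OUTPUT))
```

In practice you would pipe the live command output into parse_userauth_check and alert on a non-empty failing_checks() result; cluster_auth_healthy() deliberately returns False when no CES node was checked at all, since an empty result is a monitoring gap rather than a healthy cluster.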

Listing Users:
  [root@sbnode3 ~]# wbinfo -u | grep 'specscaleuser'
    SPECSCALE\specscaleuser1_grp1
    SPECSCALE\specscaleuser2_grp1
    SPECSCALE\specscaleuser1_grp2
    SPECSCALE\specscaleuser2_grp2
    SPECSCALE\specscaleuser1_grp3
    SPECSCALE\specscaleuser2_grp3

Listing Groups:
  [root@sbnode3 ~]# wbinfo -g | grep 'specscalegroup'
    SPECSCALE\specscalegroup1
    SPECSCALE\specscalegroup2
    SPECSCALE\specscalegroup3
    SPECSCALE\specscalegroup4
    SPECSCALE\specscalegroup5

  [root@sbnode3 ~]# id SPECSCALE\\specscaleuser1_grp1
    uid=10001(SPECSCALE\specscaleuser1_grp1) gid=10001(SPECSCALE\domain users) groups=10001(SPECSCALE\domain users),10002(SPECSCALE\specscalegroup1),10000001(BUILTIN\users)

2) Checked the IP/name resolution before creating an export.
  [root@sbnode3 ~]# cat /etc/resolv.conf
  nameserver 9.118.37.186

3) Now create a new NFS export and a new SMB export, with the same path or different paths.
  Note: We used the same path in this example to demonstrate the multi-protocol test scenario.
  [root@sbnode3 gpfs0]# mmnfs export add /ibm/gpfs0/multi_protocol_share --client \*\(ACCESS_TYPE=RW,SQUASH=no_root_squash\)

  [root@sbnode3 gpfs0]# mmnfs export list
  Path Delegations Clients
  --------------------------------------------------------
  /ibm/gpfs0/multi_protocol_share none *

  [root@sbnode3 gpfs0]# mmsmb export add multi_protocol_share /ibm/gpfs0/multi_protocol_share

  [root@sbnode3 gpfs0]# mmsmb export list
  [command]   /usr/lpp/mmfs/bin/mmcessmblsexport
  [verb]   list
  [options]
  export   path   guest ok
  multi_protocol_share   /ibm/gpfs0/multi_protocol_share   no
  Warning:
    Unused options suppressed in display:
    "browseable"

4) Tried to mount the NFS export from a Linux client configured against the same AD server with RFC2307.
  [root@ADClientNode mnt]# mount -t nfs -o vers=4 10.0.100.135:/ibm/gpfs0/multi_protocol_share /mnt/multi_protocol
  [root@ADClientNode mnt]# cd /mnt/multi_protocol
  [root@ADClientNode multi_protocol]# mkdir 1
  [root@ADClientNode multi_protocol]# ls
  1

5) Tried to mount the SMB export from a Windows client.
  C:\Users\IBM_ADMIN> net use z: \\10.0.100.135\multi_protocol_share /USER:SPECSCALE\specscaleuser1_grp1 Passw0rd

6) Now perform IO using NFS and SMB mounts on the same share.

Note: For authentication type AD+RFC2307, multi-protocol access (that is, accessing the same share over more than one protocol) is supported only between NFSv4 and SMB. NFSv3 and SMB access to the same export is not supported in an AD with RFC2307 configuration.

"These are my personal views and do not necessarily reflect that of my employer"