Spectrum Scale - Security and Authentication

What is NIS?

Source: ( http://searchnetworking.techtarget.com/definition/NIS )

NIS (Network Information System) is a network naming and administration system for smaller networks that was developed by Sun Microsystems. NIS+ is a later version that provides additional security and other facilities. Using NIS, each host client or server computer in the system has knowledge about the entire system. A user at any host can get access to files or applications on any host in the network with a single user identification and password. NIS is similar to the Internet's domain name system (DNS) but somewhat simpler and designed for a smaller network. It's intended for use on local area networks.

NIS uses the client/server model and the Remote Procedure Call (RPC) interface for communication between hosts. NIS consists of a server, a library of client programs, and some administrative tools. NIS is often used with the Network File System (NFS). NIS is a UNIX-based program.

Although Sun and others offer proprietary versions, most NIS code has been released into the public domain and there are freeware versions available. NIS was originally called Yellow Pages but because someone already had a trademark by that name, it was changed to Network Information System. It is still sometimes referred to by the initials: "YP".

Source: ( https://en.wikipedia.org/wiki/Network_Information_Service )

To enable end-user read and write access to directories and files on the IBM Spectrum Scale system, you must configure the IBM Spectrum Scale environment for end-user authentication. Only one user authentication method can be supported for each --data-access-method (file|object), and only one instance of that method, at any given time.

One method to determine what access a user should be granted on IBM Spectrum Scale is to communicate with a remote server running Network Information Service (NIS) software. The NIS software provides information about NetGroup membership, and may optionally provide information about User ID Mapping. NetGroups are based on a server, not a user. The NIS server contains a list of NetGroups and the servers that are part of each NetGroup. When a server attempts to access the IBM Spectrum Scale system, the NIS NetGroup support is used to determine if the server should be granted access. The IBM Spectrum Scale system supports netgroups using an NIS database, and only for the purpose of grouping hosts to restrict access to NFS file systems exported by the IBM Spectrum Scale system. You can define a netgroup host in one of the following formats:
     -> By name. For example, myhost
     -> By fully qualified domain name. For example, myhost.mydom.com
Because NFS inherently works with host names for netgroups, using IP addresses in netgroup definitions is not recommended.

Note: The host name in the netgroup definition must have both forward and reverse DNS lookup configured, so that the IBM Spectrum Scale system can resolve both the host name and the host IP address, with which the mount service is requested on the IBM Spectrum Scale system. Otherwise, a mount request fails with an access denied error. There is no IBM Spectrum Scale CLI command to verify how the IBM Spectrum Scale system resolves a netgroup reference.
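Because there is no CLI command for this, the forward and reverse lookups can be checked per netgroup host before the export is created. The script below is an added example, not IBM code and not part of the original procedure; the function names, the RESOLVE hook, the status words and the rule that a reverse name must match the netgroup entry exactly are assumptions of this example.

```shell
#!/bin/sh
# Added example (not IBM code): pre-flight check of netgroup hosts.
# RESOLVE is a hypothetical hook so the lookup can be stubbed offline.
RESOLVE=${RESOLVE:-getent hosts}

# Print the host field of each (host,user,domain) triple, one per line.
# An empty host field is a wildcard that matches every host: print "*".
netgroup_hosts() {
    printf '%s\n' "$1" | tr '()' '\n\n' |
        sed -n 's/^ *\([^, ]*\) *,.*$/\1/p' | sed 's/^$/*/'
}

# Print one status word for a single host entry.
check_host() {
    host=$1
    case $host in
        '*') echo WILDCARD; return 0 ;;      # export open to any host
        -) echo MATCHES_NONE; return 0 ;;    # "-" matches no host
        *[!0-9.]*) ;;                        # has a non-digit, non-dot: a name
        *) echo IP_LITERAL; return 0 ;;      # IPv4 literal, not recommended
    esac
    # Forward lookup: first address for the name.
    ip=$($RESOLVE "$host" | awk 'NR == 1 { print $1 }')
    [ -n "$ip" ] || { echo NO_FORWARD; return 0; }
    # Reverse lookup: every name returned for that address.
    names=$($RESOLVE "$ip" | awk 'NR == 1 { for (i = 2; i <= NF; i++) print $i }')
    [ -n "$names" ] || { echo NO_REVERSE; return 0; }
    for n in $names; do
        if [ "$n" = "$host" ]; then echo OK; return 0; fi
    done
    echo REVERSE_MISMATCH
}

# Report every host found in one line of `getent netgroup` output.
audit_netgroup() {
    netgroup_hosts "$1" | while IFS= read -r h; do
        printf '%-20s %s\n' "$h" "$(check_host "$h")"
    done
}

# Usage (script file name is hypothetical): sh check_netgroup.sh netgroupHostNames
[ $# -eq 0 ] || audit_netgroup "$(getent netgroup "$1")"
```

Any status other than OK for a host that is expected to mount points to the access denied case described in the note; WILDCARD and IP_LITERAL entries deserve a review of the netgroup definition itself.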

'mmuserauth service create' man page:
  mmuserauth service create [-h|--help] --data-access-method {file|object} --type {ldap|local|ad|nis|userdefined} --servers [--base-dn]
    {[--enable-anonymous-bind]|[--user-name] [--password]} [--enable-server-tls] [--enable-ks-ssl]
    [--enable-kerberos] [--enable-nfs-kerberos] [--enable-ks-casigning]
    [--user-dn] [--group-dn] [--netgroup-dn]
    [--netbios-name] [--domain] [--idmap-role {master|subordinate}] [--idmap-range] [--idmap-range-size]
    [--user-objectclass] [--group-objectclass]
    [--user-name-attrib] [--user-id-attrib] [--user-mail-attrib] [--user-filter]
    [--ks-dns-name] [--ks-admin-user] [--ks-admin-pwd] [--ks-swift-user] [--ks-swift-pwd] [--ks-ext-endpoint]
    [--kerberos-server] [--kerberos-realm]

Setting NIS authentication for Spectrum Scale using installer

1) Obtain the IBM Spectrum Scale build, which is a self-extracting package consisting of the following components:
  Installation Toolkit & license
  NFS (Ganesha)
  SMB (Samba)
  Object (Swift and Keystone)
  Performance monitoring tool (ZIMON)

2) Downloading and unpacking the software
Obtain from your IBM customer advocate the IBM Spectrum Scale self-extracting package:
  For SystemX systems:
  For Power systems:
The self-extracting package should be placed on the node that will run the installation toolkit.

3) Accepting the license in text-only mode
The --text-only flag is useful for viewing and accepting the license agreement if there is no available GUI.
  X86 example:
     ./Spectrum_Scale_install-4.1.1-0_x86_64-linux_standard_bvt_GSD --text-only
  Pseries example:
     ./Spectrum_Scale_install-4.1.1-0_ppc64-linux_standard_bvt_GSD --text-only

4) Completion of self-extracting package
Once the license has been accepted the packages will, by default, be extracted to: /usr/lpp/mmfs/4.1.1/

5) Use the installation toolkit to install GPFS, following the procedure supplied with the self-extracting package. A detailed GPFS installation procedure is beyond the scope of this document.

6) Deploy the NFS protocol using the installation toolkit.
On installer node:
  [root@cknode1 installer]# cd /usr/lpp/mmfs/4.1.1/
  [root@cknode1 4.1.1]# ./spectrumscale enable nfs

7) Run the following command with the authentication options you choose for --data-access-method file:
  [root@cknode1 installer]# ./spectrumscale auth file -h
     usage: spectrumscale auth file [-h] {ldap,ad,nis,none}
     positional arguments:
     {ldap,ad,nis,none} The type of File authentication to configure
     optional arguments:
     -h, --help show this help message and exit

8) Configuring NIS authentication using the installation toolkit.
Run the following command to configure NIS authentication for IBM Spectrum Scale.
  [root@cknode1 installer]# ./spectrumscale auth file nis
  [ INFO ] A configuration template has been created at configuration/authconfig.txt. Please open this file in the text editor of your choice and complete the template.
  Would you like to open this file now? [Y/n]: y

  A template file will automatically open. Fill out this template. Save the file and close it. The settings will automatically be loaded for the install toolkit. For more details refer to the man page for mmcesuserauthcrservice.

Template before adding NIS server details:
Template after adding NIS server details:
Save the changes and close the template.

9) Now deploy the Spectrum Scale protocol stack on your defined environment:
  [root@cknode1 installer]# ./spectrumscale deploy
Note: Make sure all the required dependencies (sssd, ypbind, openldap-clients) are installed on all the protocol nodes before running deploy.

10) Test the NIS authentication service on the IBM Spectrum Scale system after deploy.
  [root@cknode1 installer]# mmuserauth service list
  FILE access configuration : NIS
  DOMAIN   punenis3

Setting NIS authentication for Spectrum Scale using CLI

1) [root@cknode3 ~]# mmuserauth service create --type nis --data-access-method file --servers --domain punenis3
File authentication configuration completed successfully.

2) Test the NIS authentication service on the IBM Spectrum Scale system after deploy.
  [root@cknode1 installer]# mmuserauth service list
  FILE access configuration : NIS
  DOMAIN    punenis3

NFS and Netgroups testing for NIS based authentication for Spectrum Scale

1) Configured the IBM Spectrum Scale system with NIS authentication, with the NIS server containing netgroups.
  [root@cknode1 installer]# mmuserauth service list
  FILE access configuration : NIS
  DOMAIN    punenis3

  [root@cknode3 ~]# ypcat -k netgroup
  netgroupHostNames (testnode1,,) (sbnode1,,)

  [root@cknode3 ~]# getent netgroup netgroupHostNames
  netgroupHostNames (testnode1,,) (sbnode1,,)

2) Checked the IP/name resolution before creating an export.
  [root@cknode3 ~]# ping sbnode1
  PING dgnode1 ( 56(84) bytes of data.
  64 bytes from sbnode1 ( icmp_seq=1 ttl=64 time=0.627 ms

  [root@spnode3 ~]# ping
  PING ( 56(84) bytes of data.
  64 bytes from icmp_seq=1 ttl=64 time=1.26 ms

3) Created a new export with a netgroup containing hostnames.
  [root@cknode3 ~]# mmnfs export add /ibm/gpfs0/valid_netgroup_hostname --client @netgroupHostNames\(ACCESS_TYPE=RW,SQUASH=no_root_squash\)
  [root@cknode3 ~]# mmnfs export list
  Path    Delegations Clients
  /ibm/gpfs0/valid_netgroup_hostname none   @netgroupHostNames

4) Tried to mount the export from a client whose hostname is in the netgroup and resolves correctly.
  [root@sbnode1 ~]# mount -o vers=4 /mnt/valid_netgroup_hostname/
  [root@sbnode1 ~]# cd /mnt/valid_netgroup_hostname/
  [root@sbnode1 valid_netgroup_hostname]# ls
  [root@sbnode1 valid_netgroup_hostname]# ls
  1 2

5) Tried to mount the export from a client whose hostname is not in the netgroup. The mount is not allowed; the server reports "No such file or directory".
  [root@sbnode2 ~]# mkdir /mnt/valid_netgroup_hostname/
  [root@sbnode2 ~]# mount -o vers=4 /mnt/valid_netgroup_hostname/
  mount.nfs: mounting failed, reason given by server: No such file or directory

"These are my personal views and do not necessarily reflect that of my employer"