Authentication limitations
Consider the following authentication limitations when you configure and manage the IBM Spectrum® Scale system:
Object access limitations
- Only a single AD server is used. If the configured AD server is down, Keystone authentication fails.
- Multiple AD domains are not supported.
- Only Windows 2008 R2 and later are supported.
- Authentication is supported only for read access to the AD server. You cannot create a new user, or modify or delete an existing user, from the IBM Storage Scale system. Only the AD server administrator can do these tasks.
- Only a single LDAP server is used. If the configured LDAP server is down, Keystone authentication fails.
- Only LDAP servers compatible with LDAP RFC 4511 are supported.
- Authentication is supported only for read access to the LDAP server. You cannot create a new user, or modify or delete an existing user, from the IBM Storage Scale system. Only the LDAP server administrator can do these tasks.
File access limitations
AD based authentication
NFS with server-side group lookup and Active Directory authentication is supported only for Kerberized NFS access. The reason is that the group membership of a user can be obtained on a CES node only after that user has authenticated on that node. With SMB, each new session is authenticated initially, which is sufficient to provide that information. With NFS, only Kerberized access can reliably provide the required information when you are using Active Directory.
- No support is provided for migrating the internally generated user and group ID maps to an external ID-mapping server. If data is stored on the IBM Storage Scale system with AD and automatic ID mapping, adding RFC2307 later requires that the UIDs and GIDs used internally by the IBM Storage Scale system match the UIDs and GIDs that are stored in RFC2307. Matching is not possible if conflicting UIDs and GIDs are already stored in RFC2307. To avoid potential conflicts, configure the IBM Storage Scale system with AD and RFC2307 from the beginning.
- Although AD with automatic ID mapping can be used to have the same ID maps between systems that are in an AFM relationship, this configuration is not a complete replacement for RFC2307. It can be used in a predominantly SMB-only setup, where NFS users are not already present in the environment. If NFS users already exist in the customer environment and these users intend to access the data together with SMB users, then RFC2307 is mandatory.
- When AD-based authentication is used, SMB protocol access is Kerberized by default. Access the system by using the NetBIOS name that is specified in the command.
- Enabling RFC2307 for a trusted domain requires a two-way trust between the native and the trusted domains.
- To access the IBM Storage Scale system, users and groups must have a valid UID/GID assigned to them in AD. For user access, the Windows group membership is evaluated on the IBM Storage Scale system. Hence, a user's primary group is taken to be the Microsoft Windows primary group and not the UNIX primary group that is listed on the UNIX Attributes tab in the user's properties. Therefore, the user's primary Microsoft Windows group must be assigned a valid GID.
- The mmuserauth service create command does not check the two-way trust between the native domain and the RFC2307 domain that is required for ID-mapping services to function properly. The customer is responsible for configuring the two-way trust relationship between these domains, and for assigning UIDs to users and GIDs to groups. The command does not return an error if a UID or GID is not assigned.
System Security Services Daemon (SSSD) must not be running on CES nodes when AD-based authentication is used. AD-based authentication uses the Samba winbind process, and enabling SSSD while winbind is running on CES nodes might create a library conflict. This conflict might affect SSSD, IBM Storage Scale authentication, or both.
LDAP-based authentication
- Users with the same username in different organizational units under the specified baseDN in the LDAP server are denied access to SMB shares, irrespective of the LDAP user suffix and LDAP group suffix values configured on the system.
- If multiple LDAP servers are specified during configuration, only one LDAP server is used at any point in time.
- LDAP referrals are not supported.
- ACL management through Windows clients is not supported.
- Only LDAP servers that implement the RFC2307 schema are supported. IBM Storage Scale protocol LDAP authentication is verified and tested against the Linux OpenLDAP server. Other LDAP servers such as FreeIPA and Red Hat IdM might work but are not certified with IBM Storage Scale.
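The AD and LDAP sections above leave the directory-side preconditions to the administrator: every user and group that accesses data needs a valid UID and GID (the mmuserauth service create command does not report a missing one), user and group names are limited to 32 characters, and the same username in two organizational units under the baseDN is denied SMB access. The following Python script is an added example, not IBM's code. It audits an LDIF export (for example from ldapsearch or ldifde) for those conditions before authentication is configured. The sample LDIF is constructed, the parse_ldif and audit helpers are hypothetical, and the assumption that account names live in uid/cn (RFC2307) or sAMAccountName (AD) is mine.

```python
from collections import defaultdict

MAX_NAME_LEN = 32  # limit on user and group names for data access, as stated on this page

# Constructed sample LDIF (RFC2307 style): two users named alice in different
# OUs, a user without uidNumber, an over-long user name, and a group without gidNumber.
SAMPLE_LDIF = """\
dn: uid=alice,ou=engineering,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 10001
gidNumber: 5000

dn: uid=alice,ou=sales,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 10002
gidNumber: 5000

dn: uid=bob,ou=engineering,dc=example,dc=com
objectClass: posixAccount
uid: bob
gidNumber: 5000

dn: uid=averyveryverylongusernamethatexceedsthelimit,ou=sales,dc=example,dc=com
objectClass: posixAccount
uid: averyveryverylongusernamethatexceedsthelimit
uidNumber: 10003
gidNumber: 5000

dn: cn=contractors,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: contractors
"""


def parse_ldif(text):
    """Minimal LDIF reader (folded lines handled, base64 '::' values not): list of {attr: [values]}."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None and last_attr is not None:
            current[last_attr][-1] += raw[1:]  # RFC 2849 folded continuation line
            continue
        line = raw.rstrip()
        if not line or line.startswith("#"):  # blank line ends an entry
            if current is not None:
                entries.append(current)
            current, last_attr = None, None
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        last_attr = attr.strip().lower()
        current[last_attr].append(value.strip())
    if current is not None:
        entries.append(current)
    return entries


def audit(entries, base_dn):
    """Return (problem, dn) pairs for entries under base_dn that would break protocol access."""
    findings = []
    names = defaultdict(list)  # account name -> DNs that carry it
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        if not dn.lower().endswith(base_dn.lower()):
            continue
        classes = {c.lower() for c in entry.get("objectclass", [])}
        is_user = bool(classes & {"posixaccount", "user"})   # OpenLDAP or AD user
        is_group = bool(classes & {"posixgroup", "group"})   # OpenLDAP or AD group
        if not (is_user or is_group):
            continue
        # AD exports carry sAMAccountName; RFC2307 exports use uid (users) / cn (groups)
        name = (entry.get("samaccountname") or entry.get("uid") or entry.get("cn") or [""])[0]
        if len(name) > MAX_NAME_LEN:
            findings.append(("name_too_long", dn))
        if is_user:
            names[name].append(dn)
            if "uidnumber" not in entry:
                findings.append(("missing_uidNumber", dn))
            if "gidnumber" not in entry:
                findings.append(("missing_gidNumber", dn))
        elif "gidnumber" not in entry:
            findings.append(("group_missing_gidNumber", dn))
    for name, dns in names.items():
        if len(dns) > 1:  # same username in two OUs: denied SMB access
            findings.extend(("duplicate_name", dn) for dn in dns)
    return findings


if __name__ == "__main__":
    for problem, dn in audit(parse_ldif(SAMPLE_LDIF), "dc=example,dc=com"):
        print(f"{problem:25} {dn}")
```

Run it against an export taken under the same baseDN that you pass to mmuserauth service create; an empty findings list is the condition under which the limitations above do not bite. Group entries are checked only for gidNumber, because the page places the responsibility for assigning GIDs with the customer and states that the configuration command stays silent about missing ones.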
NIS-based authentication
- NIS configuration with an IPv6 address is not supported.
- NIS authentication is not supported for RHEL 9.
General limitations for file access
- When the SMB service is stopped on a protocol node, with any AD-based authentication method, the NFS-based access is also affected on that protocol node.
- When Microsoft Active Directory (AD) is used as an authentication system, the IBM Storage Scale system supports only the NetBIOS logon name for authentication and not the User Principal Name (UPN). Active Directory replaces some of the special characters that are used in the UPN with the underscore character (hexadecimal value 0x5F) in the related NetBIOS logon name of the user. For the complete list of the special characters that are replaced in the NetBIOS logon name, see the Microsoft Active Directory documentation. Follow these steps to locate the NetBIOS logon name for an Active Directory domain user:
  - From the Windows Start menu, select .
  - Right-click the Active Directory domain user for which you require the NetBIOS logon name.
  - Open the user's properties, select the tab that shows the User logon name (pre-Windows 2000) field, and check its value.
- Authentication configuration commands restart the IBM Storage Scale protocol services such as SMB and NFS. The protocol services resume a few seconds after an authentication configuration command completes.
- For file data access, switching or migrating from one authentication method to another is not supported because it might lead to loss of access to the data on the system.
- The IBM Storage Scale system does not support authentication servers (AD, LDAP, and NIS) that run on virtual machines whose storage is on an SMB or NFS export. The IBM Storage Scale system requires the authentication server to be running while you configure authentication and while the server handles connection requests over the protocols. The hypervisor cannot boot the authentication server until the protocols are configured for authentication and the exports are ready to serve data, but the protocols cannot be configured without the authentication server, so the dependency is circular.
- The user names and group names of the users and groups that need to access the data cannot be longer than 32 characters.
- NFSv4 clients must be configured with the same authentication and ID-mapping server as the IBM Storage Scale system. The IBM Storage Scale system does not support an NFSv4 client that is configured with different authentication and ID-mapping servers.
- AIX® clients follow a different methodology to integrate with AD. Therefore, NFSv4-based access from AIX clients to IBM Storage Scale is not supported when CES services are configured for AD or variations of AD-based authentication schemes.
- Based on the hardware platform that the protocol nodes are configured on, consider the group ID resolution in relation to the limitation that is described in the IBM Storage Scale FAQ. For more information, see IBM Storage Scale FAQs.
- With the AD-based authentication scheme, the following considerations apply to configuring an NFS server to look up group membership information for an accessing NFS user:
  - The server-side group lookup function, which is enabled by setting the MANAGE_GIDS flag in the NFS configuration, works only after the user makes a valid authentication connection over CIFS.
  - You must make a valid authentication connection to the protocol node that serves the public IP from which the NFS export is to be mounted.
  - If the group membership of the user changes on the AD server, you must make a new valid CIFS connection to the protocol node that serves the public IP from which the NFS export is to be mounted. This new connection makes the change visible on that protocol node of the CES cluster.
  - It is a good practice to make a valid authentication connection over CIFS to all the protocol nodes that participate in group membership evaluations, so that membership is evaluated uniformly on all the protocol nodes of the CES cluster.
- To use NFSv4 ID mapping, you must set the NFS ID map domain on the IBM Storage Scale protocol nodes, and you must configure the same NFS ID map domain on every NFS client. The following example demonstrates how to configure NFSv4 ID mapping.
  - Issue the mmnfs config list command.
    The system displays the following output, which shows that the ID map domain is not set:
    Idmapd Configuration
    ====================
    ====================
  - Enter the following command to set the NFS ID map domain:
    # mmnfs config change IDMAPD_DOMAIN=MY_IDMAP_DOMAIN
  - Issue the mmnfs config list command to verify that the ID map domain is set.
    The system displays this output:
    Idmapd Configuration
    =======================
    DOMAIN: MY_IDMAP_DOMAIN
    =======================
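As an added check for the NFSv4 ID-mapping procedure above (example code, not IBM's), the following Python helper parses the Idmapd Configuration section that mmnfs config list prints and compares its DOMAIN value against the Domain key in the [General] section of each client's /etc/idmapd.conf. The captured server output and the three client configurations are constructed samples, and the helper names are hypothetical.

```python
import re

# Constructed sample: the Idmapd Configuration section as 'mmnfs config list' prints
# it after IDMAPD_DOMAIN has been set (layout follows the example on this page).
SERVER_OUTPUT = """\
Idmapd Configuration
=======================
DOMAIN: MY_IDMAP_DOMAIN
=======================
"""

# Constructed /etc/idmapd.conf contents for three NFS clients, keyed by hostname.
CLIENT_CONFS = {
    "client1": "[General]\nVerbosity = 0\nDomain = MY_IDMAP_DOMAIN\n\n[Mapping]\nNobody-User = nobody\n",
    "client2": "[General]\nVerbosity = 0\nDomain = OTHER_DOMAIN\n",
    "client3": "[General]\nVerbosity = 0\n",  # Domain not set: client falls back to its DNS domain
}


def server_idmap_domain(output):
    """Return the DOMAIN value from the Idmapd Configuration section, or None if it is unset."""
    match = re.search(r"^DOMAIN:\s*(\S+)\s*$", output, re.MULTILINE)
    return match.group(1) if match else None


def client_idmap_domain(conf):
    """Return the Domain key from the [General] section of an idmapd.conf, or None."""
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "general" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "domain":
                return value
    return None


def check_clients(server_output, client_confs):
    """Map each client hostname to 'ok', 'mismatch', 'unset', or 'server_unset'."""
    wanted = server_idmap_domain(server_output)
    report = {}
    for host, conf in client_confs.items():
        if wanted is None:
            report[host] = "server_unset"  # IDMAPD_DOMAIN never set on the CES nodes
            continue
        got = client_idmap_domain(conf)
        if got is None:
            report[host] = "unset"
        elif got == wanted:
            report[host] = "ok"
        else:
            report[host] = "mismatch"
    return report


if __name__ == "__main__":
    for host, status in check_clients(SERVER_OUTPUT, CLIENT_CONFS).items():
        print(f"{host}: {status}")
```

Feed it the real mmnfs config list output and each client's /etc/idmapd.conf. A client reported as mismatch or unset has a different ID map domain from the protocol nodes, and the usual symptom is that NFSv4 owner and group names on the mount resolve to nobody instead of the expected user.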