Hi all,

While not strictly by-the-book, we have run SSSD alongside gpfs-winbind
for ~7 years now. Might be a case of running the protocol nodes on RHEL
exclusively, but we have never had any issues. Might help that our LDAP
and AD are kept in sync as best as possible so any conflicts will still
resolve to the same values.

Even further, thanks to some old legacy documentation I recently moved
from regular gpfs-winbind (that was basically connected using net ads
join) to actual mmuserauth and AD. In my mind, having even SSSD
installed would already cause the library conflicts. Obviously, there
are more than 2 ways to skin this particular cat and for a really dirty
fix you could map the admin users locally with the same UIDs etc.

Best,
Ott Oopkaup
University of Tartu, High Performance Computing Centre
Systems Administrator

On 7/23/24 2:29 PM, Jonathan Buzzard wrote:
> On Tue, 2024-07-23 at 10:11 +0000, Paul Ward wrote:
> > Hi Ivano,
> >
> > I am curious about this line of your message:
> >
> > “For us that's quite annoying, since we can't login with our
> > personal/central accounts and then sudo.”
> >
> > We only allow administrator access to the GPFS cluster via the EMS
> > nodes. We will be restricting them to MFA based access.
> > We then navigate to all other nodes from one of them.
>
> My guess would be that administrators log onto the cluster using their
> personal/central accounts and then use sudo to issue administrative
> commands. This creates a log of who issued what commands at what time.
> Useful when you have more than one administrator and provides a level
> of tracking.
>
> Though personally I think using your "personal" everyday account for
> this is suboptimal. Best practice would suggest having a separate
> personal administrator account. So for example in a previous life my
> normal everyday account was njab14, no different than anyone else's
> account, but I had a separate administrator account, sjab14.
> That could do things like sudo, had rights in the AD, etc.
> You can also do things like create groups of users that can log onto
> things that normal users can't.
>
> JAB.