On 04/11/2017 11:58 PM, Christopher Samuel wrote:
On 11/04/17 16:05, Lachlan Musicman wrote:

Our auth actually backs onto an Active Directory domain
You have my sympathies. That caused us no end of headaches when we tried
that on a cluster I help out on and in the end we gave up and fell back
to running our own LDAP to make things reliable again.

+1 for running your own LDAP.

I would seriously look at a cluster toolkit for running nodes,
especially if it supports making a single image that your compute nodes
then netboot.  That way you know everything is consistent.

Best of luck,
Chris

+1 for Active Directory bashing. My cluster uses AD for authentication, storing UID/GID, and all group management. It has been painful to deal with. Just yesterday updating to CentOS 7.3 somehow caused nearly all of my compute nodes to "unjoin" that domain. Fun!


Another quick note: Keep in mind what you will do when you have an appliance (e.g. VM that you have no shell access to or a storage array) which needs to map UIDs and GIDs. Copying /etc/passwd won't be an option here. I hit this problem when I needed ACL support over NFS on a NetApp. That forced me to move to NFSv4 which forced me to connect that NetApp to the domain (or find some other way to map IDs - e.g. use NetApp's API/SDK to script adding users and groups locally).
