Robert, I will back up what Lachlan said. I set up a new HPC facility for the University of Greenwich in the UK, which uses sssd to authenticate against a campus AD. One thing to remember - campus wide you have everyone in the AD. SO do the following:
a) create a new group called 'HPC-users'and restrict the logins to HPC-users only (and maybe HPC-admins also!) b) you can automate the creation of home directories using a PAM plugin on Redhat See https://access.redhat.com/discussions/903523 I recommend against the oddjob version of pam_mkhomedir - ti did nto behave too well, and the 'normal' version worked just fine. Also you might want an /etc/profile.d script which wil create areas on your scratch/parallel storage for users when they first log in Where I work as the moment we use nslcd rather than sssd. I Was told there was an issue with sssd, but I forget what it was exactly. One tip with sssd, I found that when initially working with it I had to do a wipe of the cache and a forced reload. The documentation is there on how to do that. Do not be afraid to do this - the procedure sounds scary but works perfectly well. sssd caches things quite aggressively so you might have to restart it to get the 'ground truth' sometimes. sssd also has a very odd behaviour when you have a very large number of groups (probably as MIT has) It creates a huge sparse file for groups (or something similar). The file looks scarily big - but being sparse of course it is not really. Just a quirk of how it works I gather, sont let my comment put you off. On 28 December 2017 at 08:40, Nick Evans <nick.c.ev...@gmail.com> wrote: > Hi Robert, > > We are currently running our HPC, servers and desktops with storage needs > serviced by an Isilon. We have CIFS and NFS capabilities both of which use > the AD for authentication. > > Currently our cluster is Centos 6.8 NFS and SSH authenticating off of the > AD using SSSD. We also have a number of Centos 7.4 machines that are > mapping NFS with AD auth from SSSD. > > The only thing to watch is the Isilon has the Lookup UID setting by > default set to off so you can quite quickly run into the NFS 16 group limit > but other than that ours has be rock solid. > > Nick > > On 28 December 2017 at 11:54, Lachlan Musicman <data...@gmail.com> wrote: > >> On 28 December 2017 at 13:41, Robert Taylor <r...@wi.mit.edu> wrote: >> >>> Hi cluster gurus. I want to pick the your collective brains. >>> Right now, where I work, we have and isilon, and netapp, which we use >>> for our small 250core compute cluster. >>> >>> We have NIS for authentication and automount maps on the cluster side, >>> and AD for authentication on the windows side, and LDAP for yet for other >>> things to authenticate against. >>> The storage is connected to both nis and AD, and does it's best to match >>> the two sides up. >>> We have had some odd issues with authentication as of late with sources >>> getting out of sync, which has brought up the discussion for consolidating >>> down to a single source of truth, which would be AD. RFC2307 talks about >>> stuffing NIS data into LDAP/AD, and there are commercial products such as >>> centrify that can do it. >>> >>> Does anyone run an entirely AD authentication environment with their >>> compute cluster >>> authenticating against it and using it for automount maps and such? >>> Can you tell me what were your reasons for going that way, and any snags >>> that you hit on the way? >>> >> >> >> Robert, >> >> We were asked/tasked with this a couple of years ago. >> >> It took almost two years of shaking out the issues, but FreeIPA/SSSD in a >> one-way trust with AD has worked excellently for 18 months. Our SLURM >> cluster is on CentOS 7.4, and we needed to use the COPR version of SSSD >> (1.16.x) rather than the version in the repos (1.15.x) but otherwise is >> fine. Would absolutely recommend. >> >> Note that a lot of the issues we saw were directly related to our AD, >> rather than any problems with FreeIPA and SSSD. For example for a long time >> our AD login names had spaces in them (! would not recommend), and the age >> and size of the AD instance also lead to a few issues. Nothing that >> couldn't be worked around. The devs and community are excellent at >> responding to requests for help. It's a RedHat product. so if you have a >> subscription it would be even easier. >> >> >> Cheers >> L. >> >> ------ >> "The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic >> civics is the insistence that we cannot ignore the truth, nor should we >> panic about it. It is a shared consciousness that our institutions have >> failed and our ecosystem is collapsing, yet we are still here — and we are >> creative agents who can shape our destinies. Apocalyptic civics is the >> conviction that the only way out is through, and the only way through is >> together. " >> >> *Greg Bloom* @greggish https://twitter.com/greggish/s >> tatus/873177525903609857 >> >> >> _______________________________________________ >> Beowulf mailing list, Beowulf@beowulf.org sponsored by Penguin Computing >> To change your subscription (digest mode or unsubscribe) visit >> http://www.beowulf.org/mailman/listinfo/beowulf >> >> > > _______________________________________________ > Beowulf mailing list, Beowulf@beowulf.org sponsored by Penguin Computing > To change your subscription (digest mode or unsubscribe) visit > http://www.beowulf.org/mailman/listinfo/beowulf > >
_______________________________________________ Beowulf mailing list, Beowulf@beowulf.org sponsored by Penguin Computing To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf
