[Beowulf] Cluster Authentication (LDAP,NIS,AD)

Skylar Thompson skylar.thompson at gmail.com
Fri Dec 29 05:32:02 PST 2017


It's a mechanism for having the automounter process run an executable as
part of the mount process. The executable takes in the map key as its
sole argument (i.e. /net/foo/bar would produce bar as an argument) and
then will print the mount parameters over STDOUT. We use a Python script
with a YAML configuration file (easy to edit and validate) but it can be
any executable type.

I don't know that this is available for amd, but it is for autofs.

Skylar

On 12/28/2017 12:47 PM, John Hearns via Beowulf wrote:
> Skylar, I admit my ignorance. What is a program map?
> Where I work now extensively uses automounter maps for bind mounts.
> I may well learn something useful here.
> 
> On 28 December 2017 at 15:28, Skylar Thompson <skylar.thompson at gmail.com> wrote:
> 
>     We are an AD shop, with users, groups, and automounter maps (for a short
>     while longer at least[1]) in the directory. I think once you get to
>     around schema level 2003R2 you'll be using RFC2307bis (biggest
>     difference from RFC2307 is that it supports nested groups) which is
>     basically what modern Linux distributions will be expecting. I can't
>     think of any serious problems we've had with it, though I work on the
>     UNIX side so for me it really does just look like an LDAP/Krb5 server.
> 
>     I'm not a fan of Microsoft in general, but AD is one of the few products
>     that they've actually gotten right. In particular, the replication just
>     works --- in the 11 years we've been running AD, I can't think of a
>     single time our domain servers got out of sync.
> 
>     [1] For automounter maps, we're in the process of moving from LDAP to
>     program maps. Due to some internal complexities, we need to support
>     multiple definitions for a single mount point, which is easiest to
>     accomplish with a client-side program map.
> 
>     Skylar
> 
>     On 12/27/2017 08:41 PM, Robert Taylor wrote:
>     > Hi cluster gurus. I want to pick your collective brains.
>     > Right now, where I work, we have an Isilon, and NetApp, which we use
>     > for our small 250-core compute cluster.
>     >
>     > We have NIS for authentication and automount maps on the cluster side,
>     > and AD for authentication on the Windows side, and LDAP for yet
>     > other things to authenticate against.
>     > The storage is connected to both NIS and AD, and does its best to match
>     > the two sides up.
>     > We have had some odd issues with authentication as of late with sources
>     > getting out of sync, which has brought up the discussion for
>     > consolidating down to a single source of truth, which would be AD.
>     > RFC2307 talks about stuffing NIS data into LDAP/AD, and there are
>     > commercial products such as Centrify that can do it.
>     >
>     > Does anyone run an entirely AD authentication environment with their
>     > compute cluster
>     > authenticating against it and using it for automount maps and such?
>     > Can you tell me what were your reasons for going that way, and any snags
>     > that you hit on the way?
>     >
>     > We've just started looking at it, so I'm on the beginning of this road.
>     >
>     > Any responses are appreciated.
>     >
>     > Thanks.
>     >
>     > rgt
>     >
>     >
>     > _______________________________________________
>     > Beowulf mailing list, Beowulf at beowulf.org
>     <mailto:Beowulf at beowulf.org> sponsored by Penguin Computing
>     > To change your subscription (digest mode or unsubscribe) visit
>     http://www.beowulf.org/mailman/listinfo/beowulf
>     <http://www.beowulf.org/mailman/listinfo/beowulf>
>     >
> 
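
A sketch of the autofs program map described in the reply at the top of this message, added here as an example and not the poster's actual script. The configuration is inlined as a dict in place of the YAML file so it runs without PyYAML; the server names, the option sets, and choosing between several definitions by client hostname are assumptions, since the thread does not say how a definition is selected.

```python
#!/usr/bin/env python3
"""autofs program map sketch: map key arrives in argv[1], map entry goes to stdout."""
import fnmatch
import re
import socket
import sys

# Constructed sample data standing in for the YAML configuration file.
# A key may carry several definitions; the first one whose host pattern
# matches this client is used.
CONFIG = {
    "bar": [
        {"hosts": "gpu*", "options": "rw,nosuid,nodev,vers=4", "location": "nas-fast.example.org:/export/bar"},
        {"hosts": "*", "options": "ro,nosuid,nodev", "location": "nas1.example.org:/export/bar"},
    ],
}

# The key is whatever path component a local user touched, so it is untrusted input.
KEY_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
FIELD_RE = re.compile(r"[A-Za-z0-9._:/=,-]+")  # no whitespace or quoting in emitted fields


def lookup(key, hostname, config=CONFIG):
    """Return the map entry for key on this host, or None when there is none."""
    if not KEY_RE.fullmatch(key):
        return None
    for definition in config.get(key, []):
        if fnmatch.fnmatchcase(hostname, definition["hosts"]):
            opts, loc = definition["options"], definition["location"]
            if not (FIELD_RE.fullmatch(opts) and FIELD_RE.fullmatch(loc)):
                return None  # refuse to emit a malformed entry from a bad config edit
            return f"-fstype=nfs,{opts} {loc}"
    return None


def main(argv):
    if len(argv) != 2:
        return 1
    entry = lookup(argv[1], socket.gethostname().split(".")[0])
    if entry is None:
        return 1  # no output and a non-zero exit: the lookup fails
    print(entry)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With a master map entry pointing /net/foo at this executable, a lookup of /net/foo/bar calls it with `bar` as the argument.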


