Isilon SSH authentication for active directory users
Hi
Does anyone have any experience with enabling admin users to connect to Isilon with their AD accounts?
Would it be possible to combine this with RBAC and have root access?
I am currently looking into letting some of the personnel have access to the system through SSH so they can do simple tasks such as creating/deleting folders/files, but limiting any Isilon configuration command sets.
jimgossett
October 10th, 2013 16:00
Dilbert:
This is absolutely possible in OneFS 7.0 and later, although which commands will be available to be delegated to users will vary depending upon the version of OneFS you are using. (The ability to create/modify data on /ifs, like you are looking for, should be available in any OneFS 7 version.)
This would require the creation of a new role (none of the default roles cover this sort of case), something like:
# isi auth role create ifs-only
# isi auth role modify ifs-only --add-priv=ISI_PRIV_LOGIN_SSH --add-priv=ISI_PRIV_NS_IFS_ACCESS --add-group=DOMAIN\\Domain\ Admins
(Disclaimer: This is an attempt to point you in the right direction -- I haven't validated that these are all the privileges you would need to accomplish what you are trying to do.)
Jim
arott
October 14th, 2013 00:00
Hi
That worked fine, but I was not able to log on using either PuTTY or the web GUI when adding the ISI_PRIV_LOGIN_PAPI privilege.
Is there an additional step when dealing with AD accounts and authentication?
jimgossett
October 14th, 2013 10:00
ISI_PRIV_LOGIN_PAPI shouldn't be required for PuTTY login -- assuming you are connecting via SSH, that's ISI_PRIV_LOGIN_SSH. (If you are connecting via the serial console, that's ISI_PRIV_LOGIN_CONSOLE.)
There aren't really any additional steps you should be needing with AD accounts; the only real "trick" is that the "\" character and spaces in user/group names both need to be escaped in some situations. (I believe the \ character doesn't need to be escaped during login.)
You can find out what privileges the system believes a given user has by using the
# isi auth mapping token --user=DOMAIN\\username
command... that will list a number of things about a user, including the UID and SID that apply to the user, the primary and supplemental groups the user belongs to, and the privileges that are granted to that user.
In your case, the next step would be to look at the token of one of the users in question and make sure it contains the privileges we think it should.
Jim
arott
October 15th, 2013 05:00
If I'm not mistaken, it seems I need to implement some way of mapping AD users to Isilon.
I only get "failed to map user 'domain\username': Unknown active directory domain" when trying to run the token command.
antonio_prayor
October 15th, 2013 12:00
You need to join the cluster to your domain if you haven't already. It's pretty straightforward from the GUI. From the command line you use:
# isi auth ads create [domain] [admin username]
Then it will prompt you for the password. There are a ton of extra parameters that are easier to look at through the GUI, though.
Check to make sure you're connected:
# isi auth ads list
Run the commands like Jim said above:
isi auth roles create --name=ifsonly
isi auth roles modify --role=ifsonly --add-priv="ISI_ ... " --add-group=[domain]\\"domain admins"
Then you can check on anyone in the group (or just a user if you wanted to go on a per-user basis):
isi auth mapping token --user=[domain]\\[user]
Try this command as well to make sure you see your users:
# isi auth users list --domain=[domain]
If that doesn't work, then you might have some AD problems.
When I connect via SSH I usually lead with the domain for the username. I've never tried it without:
[domain]\[user], then the password
This works for me.
Hope this helps.
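Putting Jim's role definition and antonio_prayor's procedure together, here is an added shell script that is not from this thread and not Isilon's own tooling. It creates a role carrying only ISI_PRIV_LOGIN_SSH and ISI_PRIV_NS_IFS_ACCESS, attaches one AD group, and then asks the cluster (via `isi auth mapping token`) what it actually grants a member, so the "data access but no configuration" intent is checked rather than assumed. The `isi auth ads list`, `isi auth roles create/modify` and `isi auth mapping token` syntax follows the posts above; `isi auth roles view` for the existence check is my assumption, and the forbidden-privilege list is a constructed example. Verify every command against the CLI reference for your OneFS version, and point `ISI` at a stub for a dry run.

```shell
#!/bin/sh
# Added example, not code from the thread: set up a least-privilege OneFS role
# for one AD group (SSH login + /ifs data access, no configuration privileges)
# and verify the cluster's own view of a member's privileges afterwards.
# CLI syntax follows the thread (isi auth roles / mapping token / ads list);
# "isi auth roles view" for the existence check is an assumption. Verify all of
# it against the CLI reference for your OneFS version before running it.

ISI="${ISI:-isi}"   # override with a stub (ISI=fake_isi) for a dry run

# Privileges the thread identifies for "log in over SSH and work on /ifs".
REQUIRED_PRIVS="ISI_PRIV_LOGIN_SSH ISI_PRIV_NS_IFS_ACCESS"
# Privileges this role must NOT hand out (constructed list; adjust to policy).
# These two are the web-UI and serial-console logins mentioned in the thread.
FORBIDDEN_PRIVS="ISI_PRIV_LOGIN_PAPI ISI_PRIV_LOGIN_CONSOLE"

# Build the DOMAIN\Name form. A single backslash reaches the command because
# printf turns '\\' into one; spaces in a group name survive because callers
# always pass the result as one double-quoted argument.
ad_principal() {
    printf '%s\\%s' "$1" "$2"
}

# "Unknown active directory domain" (as seen in the thread) usually means the
# cluster is not joined to that domain yet; check before touching roles.
domain_joined() {
    "$ISI" auth ads list | grep -qi -- "$1"
}

# Create the role if it is missing, then attach the privileges and the group.
create_ifs_role() {
    role="$1"; domain="$2"; group="$3"
    if ! "$ISI" auth roles view "$role" >/dev/null 2>&1; then
        "$ISI" auth roles create "$role"
    fi
    for priv in $REQUIRED_PRIVS; do
        "$ISI" auth roles modify "$role" --add-priv="$priv"
    done
    "$ISI" auth roles modify "$role" --add-group="$(ad_principal "$domain" "$group")"
}

# Ask the cluster which privileges it actually grants a member and compare that
# with the intent: every required privilege present, no forbidden one present.
check_user_token() {
    domain="$1"; user="$2"
    token="$("$ISI" auth mapping token --user="$(ad_principal "$domain" "$user")")" || return 1
    for priv in $REQUIRED_PRIVS; do
        printf '%s\n' "$token" | grep -qw -- "$priv" || { echo "missing $priv" >&2; return 1; }
    done
    for priv in $FORBIDDEN_PRIVS; do
        if printf '%s\n' "$token" | grep -qw -- "$priv"; then
            echo "unexpected $priv" >&2; return 1
        fi
    done
    return 0
}

# Usage: sh grant_ifs_role.sh DOMAIN "Group Name" [role-name] [user-to-verify]
main() {
    domain="$1"; group="$2"; role="${3:-ifs-only}"; user="$4"
    domain_joined "$domain" || { echo "cluster is not joined to $domain" >&2; return 1; }
    create_ifs_role "$role" "$domain" "$group"
    [ -z "$user" ] || check_user_token "$domain" "$user"
}

if [ $# -ge 2 ]; then
    main "$@"
fi
```

The token check is the part worth keeping even if you create the role by hand: it is the same `isi auth mapping token` step Jim recommends, turned into a pass/fail test you can rerun after any role or AD-group change to confirm the group still gets exactly the two privileges and nothing that opens the web UI or console.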
arott
October 29th, 2013 07:00
Finally found the issue. The option for ignoring trusted domains was enabled on the AD configuration page for some reason.
It worked perfectly after turning this off.
yogad
November 29th, 2014 15:00
Hi Dilbert, while you are having issues logging in to the cluster through the CLI, is it just that the user can't log in to the cluster through the CLI but can through the GUI?
I am on OneFS 7103, where AD users can log in to the cluster using their AD credentials but can't log in through SSH, trying with the below-mentioned formats:
\\username
\username