If you intend to verify configuration on AD server or run basic checks against AD server from IBM Spectrum Scale node, then mmadquery is handy utility.
mmadquery is also helpful when IBM Spectrum Scale is configured with AD RFC2307 file authentication and you want to ensure your AD users are populated with the required attributes (uidNumber, primaryGroupID, gidNumber) properly. If these attributes have out of range values, then you hit user resolution issue leading to access failures from file protocol services e.g. NFS, SMB. With mmadquery output you’ll come to know about such out of range users – then you can take corrective action of updating valid values for attributes to resolve protocol access issues.
Following is the quick summary of what mmadquery utility helps achieve :
- find out domain controllers served by a domain
- find out trust relationships.
- list the users and groups defined on AD server, their uids and gids
- get the group memberships for a user
- find out total number of users per group
- list the id range configured on local node
- report warning about the users falling outside locally defined range
- and so on…
Lets run through few examples to demonstrate the capability of mmadquery utility.
I’ve picked up following AD server IPs and domains to put across the point:
- AD server ip – 192.168.122.193, domain – ADDOMAIN.COM
- AD server ip – 192.168.122.151, domain – GANESHA.DEV.NET
- AD server ip – 192.168.122.152, domain – RAMA.HUMAN.NET
- Please note that we need an AD user having enough permissions to query user / group information from Active directory (e.g. examples below use AD user aduser1). Not necessarily an administrator user required here.
- AD server ip is passed to –servers option, domain to –domain option and AD query user (e.g. aduser1) to –user option of mmadquery.
1. find out domain controllers served by a domain.
$ mmadquery list dc --server 192.168.122.193 --domain ADDOMAIN.COM --user aduser1 -L
Password:
DC from server 192.168.122.193 (domain ADDOMAIN.COM)
DC Hostname Operating System
————————————————————————————————-WIN8-12UP WIN8-12Up.addomain.com Windows Server 2012 R2 Standard
WIN2K16 win2k16.addomain.com Windows Server 2016 Datacenter
$ mmadquery list dc --server 192.168.122.151 --domain GANESHA.DEV.NET --user aduser1 --pwd-file /tmp/pwdfile -L
DC from server 192.168.122.151 (domain GANESHA.DEV.NET)
DC Hostname Operating System
WIN16SERVERVM1 win16servervm1.GANESHA.DEV.NET Windows Server 2016 Standard
2. Find out the trusts set up on AD server.
$ mmadquery list trusts --server 192.168.122.151 --domain GANESHA.DEV.NET --user aduser1 --pwd-file /tmp/pwdfile
TRUSTS from server 192.168.122.151 (domain GANESHA.DEV.NET)
Domain Trust Type
RAMA.HUMAN.NET Forest Transitive bi-directional
3. Find out what is the id range configured on local node against an AD server.
$ mmadquery list idrange --server 192.168.122.151 --domain GANESHA.DEV.NET --user aduser1 --pwd-file /tmp/pwdfile
IDRANGE from server 192.168.122.151 (domain GANESHA.DEV.NET)
Domain IDRange
GANESHA.DEV.NET 9000-30000
4. Find out the id range configured on local node for trusted domains. Also print the output in parsable format with the help of mmadquery -Y option. (Here assumption is that user aduser1 is present on all trusted domains.)
$ mmadquery list idrange --server 192.168.122.151 --domain GANESHA.DEV.NET --user aduser1 --pwd-file /tmp/pwdfile --traverse-domains -Y
mmadquery:idrange:HEADER:version:reserved:reserved:domain:domain:idRange:
mmadquery:idrange:0:1:::Default:GANESHA.DEV.NET:9000-30000:
mmadquery:idrange:0:1:::Default:RAMA.HUMAN.NET:40000-50000:
5. Find out the groups defined on AD server
$ mmadquery list groups --server 192.168.122.151 --domain GANESHA.DEV.NET --user aduser1 --pwd-file /tmp/pwdfile -Y
mmadquery:groups:HEADER:version:reserved:reserved:group:
mmadquery:groups:0:1:::Domain Computers:
mmadquery:groups:0:1:::Domain Controllers:
...
mmadquery:groups:0:1:::ganeshaGr1:
mmadquery:groups:0:1:::group20k:
mmadquery:groups:0:1:::ganeshagr2:
6. Find out the groups with their GIDNumber.
$ mmadquery list gids --server 192.168.122.151 --domain GANESHA.DEV.NET --user aduser1 --pwd-file /tmp/pwdfile -Y
mmadquery:gids:HEADER:version:reserved:reserved:group:sid:gidNumber:
mmadquery:gids:0:1:::Domain Computers:S-1-5-21-3530651294-1835310728-4022169620-515::
mmadquery:gids:0:1:::Domain Controllers:S-1-5-21-3530651294-1835310728-4022169620-516::
...
mmadquery:gids:0:1:::ganeshaGr1:S-1-5-21-3530651294-1835310728-4022169620-1103:10001:
mmadquery:gids:0:1:::group20k:S-1-5-21-3530651294-1835310728-4022169620-1109:20000:
mmadquery:gids:0:1:::ganeshagr2:S-1-5-21-3530651294-1835310728-4022169620-1120:10002:
7. Find out the users defined on AD server.
$ mmadquery list user --server 192.168.122.151 --domain GANESHA.DEV.NET --user aduser1 --pwd-file /tmp/pwdfile -Y
mmadquery:user:HEADER:version:reserved:reserved:user:
mmadquery:user:0:1:::Administrator:
mmadquery:user:0:1:::Guest:
mmadquery:user:0:1:::DefaultAccount:
mmadquery:user:0:1:::krbtgt:
mmadquery:user:0:1:::ganeshaUsr1:
mmadquery:user:0:1:::RAMA$:
mmadquery:user:0:1:::user20k:
mmadquery:user:0:1:::testuser1:
mmadquery:user:0:1:::ganeshausr2:
mmadquery:user:0:1:::testuser2:
mmadquery:user:0:1:::aduser1:
mmadquery:user:0:1:::aduser2:
8. Find out the users with their UIDNumber.
$ mmadquery list uids --server 192.168.122.151 --domain GANESHA.DEV.NET --user aduser1 --pwd-file /tmp/pwdfile -Y
mmadquery:uids:HEADER:version:reserved:reserved:user:sid:uid:uidNumber:
mmadquery:uids:0:1:::Administrator:S-1-5-21-3530651294-1835310728-4022169620-500:::
mmadquery:uids:0:1:::Guest:S-1-5-21-3530651294-1835310728-4022169620-501:::
mmadquery:uids:0:1:::DefaultAccount:S-1-5-21-3530651294-1835310728-4022169620-503:::
mmadquery:uids:0:1:::krbtgt:S-1-5-21-3530651294-1835310728-4022169620-502:::
mmadquery:uids:0:1:::ganeshaUsr1:S-1-5-21-3530651294-1835310728-4022169620-1104::11001:
mmadquery:uids:0:1:::RAMA$:S-1-5-21-3530651294-1835310728-4022169620-1108:::
mmadquery:uids:0:1:::user20k:S-1-5-21-3530651294-1835310728-4022169620-1110::20000:
mmadquery:uids:0:1:::testuser1:S-1-5-21-3530651294-1835310728-4022169620-1115::13001:
mmadquery:uids:0:1:::ganeshausr2:S-1-5-21-3530651294-1835310728-4022169620-1116::11002:
mmadquery:uids:0:1:::testuser2:S-1-5-21-3530651294-1835310728-4022169620-1117::13002:
mmadquery:uids:0:1:::aduser1:S-1-5-21-3530651294-1835310728-4022169620-1118::15001:
mmadquery:uids:0:1:::aduser2:S-1-5-21-3530651294-1835310728-4022169620-1119::15002:
9. Find out group list of each user (i.e. user and groups to which that user belongs to).
$ mmadquery list user --server 192.168.122.151 --domain GANESHA.DEV.NET --user aduser1 --pwd-file /tmp/pwdfile -L -Y
mmadquery:user_long:HEADER:version:reserved:reserved:user:groups:
mmadquery:user_long:0:1:::Administrator:Group Policy Creator Owners,Domain Admins,Enterprise Admins,Schema Admins,Administrators:
mmadquery:user_long:0:1:::Guest:Guests:
mmadquery:user_long:0:1:::DefaultAccount:System Managed Accounts Group:
mmadquery:user_long:0:1:::krbtgt:Denied RODC Password Replication Group:
mmadquery:user_long:0:1:::ganeshaUsr1:ganeshagr2,group20k,Domain Users:
mmadquery:user_long:0:1:::RAMA$::
mmadquery:user_long:0:1:::user20k:Domain Users:
mmadquery:user_long:0:1:::testuser1:Domain Users:
mmadquery:user_long:0:1:::ganeshausr2:Domain Users:
mmadquery:user_long:0:1:::testuser2::
mmadquery:user_long:0:1:::aduser1:group20k,Domain Users:
mmadquery:user_long:0:1:::aduser2:Domain Users:
10. Find out the users with their uid and gid details.
If values for UIDNumber, GIDNumber and Primary Group GID are out of range, then you face access issues via NFS/SMB. This topic needs an explanation and is covered under another blog.
$ mmadquery list uids --server 192.168.122.151 --domain GANESHA.DEV.NET --user aduser1 --pwd-file /tmp/pwdfile -L -Y
mmadquery:uids_long:HEADER:version:reserved:reserved:user:sid:uid:uidNumber:gidNumber:primaryGroupId:primaryGroupGid:
mmadquery:uids_long:0:1:::Administrator:S-1-5-21-3530651294-1835310728-4022169620-500::::513::
mmadquery:uids_long:0:1:::Guest:S-1-5-21-3530651294-1835310728-4022169620-501::::514::
mmadquery:uids_long:0:1:::DefaultAccount:S-1-5-21-3530651294-1835310728-4022169620-503::::513::
mmadquery:uids_long:0:1:::krbtgt:S-1-5-21-3530651294-1835310728-4022169620-502::::513::
mmadquery:uids_long:0:1:::ganeshaUsr1:S-1-5-21-3530651294-1835310728-4022169620-1104::11001:10001:1103:10001:
mmadquery:uids_long:0:1:::RAMA$:S-1-5-21-3530651294-1835310728-4022169620-1108::::513::
mmadquery:uids_long:0:1:::user20k:S-1-5-21-3530651294-1835310728-4022169620-1110::20000:20000:1109:20000:
mmadquery:uids_long:0:1:::testuser1:S-1-5-21-3530651294-1835310728-4022169620-1115::13001::1103:10001:
mmadquery:uids_long:0:1:::ganeshausr2:S-1-5-21-3530651294-1835310728-4022169620-1116::11002:20000:1103:10001:
mmadquery:uids_long:0:1:::testuser2:S-1-5-21-3530651294-1835310728-4022169620-1117::13002:20000:513::
mmadquery:uids_long:0:1:::aduser1:S-1-5-21-3530651294-1835310728-4022169620-1118::15001::1103:10001:
mmadquery:uids_long:0:1:::aduser2:S-1-5-21-3530651294-1835310728-4022169620-1119::15002::1103:10001:
11. Find out the total number of users per group
$ mmadquery stats user --server 192.168.122.151 --domain GANESHA.DEV.NET --user aduser1 --pwd-file /tmp/pwdfile -Y
mmadquery:user_stats:HEADER:version:reserved:reserved:group:count:
mmadquery:user_stats:0:1:::TOTAL:12:
mmadquery:user_stats:0:1:::Group Policy Creator Owners:1:
mmadquery:user_stats:0:1:::Domain Admins:1:
mmadquery:user_stats:0:1:::Enterprise Admins:1:
mmadquery:user_stats:0:1:::Schema Admins:1:
mmadquery:user_stats:0:1:::Administrators:1:
mmadquery:user_stats:0:1:::Guests:1:
mmadquery:user_stats:0:1:::System Managed Accounts Group:1:
mmadquery:user_stats:0:1:::Denied RODC Password Replication Group:1:
mmadquery:user_stats:0:1:::ganeshagr2:1:
mmadquery:user_stats:0:1:::group20k:2:
mmadquery:user_stats:0:1:::Domain Users:6:
12. Find out the total number of mapped/un-mapped/total users on local node.
$ mmadquery stats uids --server 192.168.122.151 --domain GANESHA.DEV.NET --user aduser1 --pwd-file /tmp/pwdfile --traverse-domains -Y
mmadquery:uids_stats:HEADER:version:reserved:reserved:domain:group:count:
mmadquery:uids_stats:0:1:::GANESHA.DEV.NET:TOTAL:12:
mmadquery:uids_stats:0:1:::GANESHA.DEV.NET:MAPPED:7:
mmadquery:uids_stats:0:1:::GANESHA.DEV.NET:UN-MAPPED:5:
mmadquery:uids_stats:0:1:::RAMA.HUMAN.NET:TOTAL:6:
mmadquery:uids_stats:0:1:::RAMA.HUMAN.NET:MAPPED:2:
mmadquery:uids_stats:0:1:::RAMA.HUMAN.NET:UN-MAPPED:4:
13. Find out uid of AD user falls within locally defined id mapping range or not.
If user’s uid is outside locally defined id range, then mmadquery reports WARNING message e.g. “WARNING: UID of user ‘ganeshaUsr1’ outside id mapping range 10000000-299999999 for domain ‘GANESHA.DEV.NET’.”
If user’s uid is within locally defined id range, then mmadquery reports “OK, no problems found.”.
$ mmadquery check uids --server 192.168.122.152 --domain RAMA.HUMAN.NET --user Administrator --pwd-file /tmp/pwdfile -Y
mmadquery:uids:HEADER:version:reserved:reserved:user:sid:uid:uidNumber:
mmadquery:uids:0:1:::Administrator:S-1-5-21-2161741167-2001596563-2425738677-500:::
mmadquery:uids:0:1:::Guest:S-1-5-21-2161741167-2001596563-2425738677-501:::
mmadquery:uids:0:1:::krbtgt:S-1-5-21-2161741167-2001596563-2425738677-502:::
mmadquery:uids:0:1:::ramaUsr1:S-1-5-21-2161741167-2001596563-2425738677-1106::21001:
mmadquery:uids:0:1:::GANESHA$:S-1-5-21-2161741167-2001596563-2425738677-1107:::
mmadquery:uids:0:1:::user20k:S-1-5-21-2161741167-2001596563-2425738677-1109::20000:
mmadquery:check_results:HEADER:version:reserved:reserved:message_enc:
mmadquery:check_results:0:1:::OK, no problems found.:
An example of user’s uid/gid falls outside range, such users reported with warning as below:
$ mmadquery check uids --server 192.168.122.151 --domain GANESHA.DEV.NET --user Administrator --pwd-file /tmp/pwdfile
UIDS from server 192.168.122.151 (domain GANESHA.DEV.NET)
User SID UID UIDNumber
-------------------------------------------------------------------------
Administrator S-1-5-21-3530651294-1835310728-4022169620-500 - -
Guest S-1-5-21-3530651294-1835310728-4022169620-501 - -
DefaultAccount S-1-5-21-3530651294-1835310728-4022169620-503 - -
krbtgt S-1-5-21-3530651294-1835310728-4022169620-502 - -
ganeshaUsr1 S-1-5-21-3530651294-1835310728-4022169620-1104 - 11001
RAMA$ S-1-5-21-3530651294-1835310728-4022169620-1108 - -
user20k S-1-5-21-3530651294-1835310728-4022169620-1110 - 20000
testuser1 S-1-5-21-3530651294-1835310728-4022169620-1115 - 13001
ganeshausr2 S-1-5-21-3530651294-1835310728-4022169620-1116 - 11002
testuser2 S-1-5-21-3530651294-1835310728-4022169620-1117 - 13002
aduser1 S-1-5-21-3530651294-1835310728-4022169620-1118 - 15001
aduser2 S-1-5-21-3530651294-1835310728-4022169620-1119 - 15002
WARNING: UID of user 'ganeshaUsr1' outside id mapping range 10000000-299999999 for domain 'GANESHA.DEV.NET'.
WARNING: UID of user 'user20k' outside id mapping range 10000000-299999999 for domain 'GANESHA.DEV.NET'.
WARNING: UID of user 'testuser1' outside id mapping range 10000000-299999999 for domain 'GANESHA.DEV.NET'.
WARNING: UID of user 'ganeshausr2' outside id mapping range 10000000-299999999 for domain 'GANESHA.DEV.NET'.
WARNING: UID of user 'testuser2' outside id mapping range 10000000-299999999 for domain 'GANESHA.DEV.NET'.
WARNING: UID of user 'aduser1' outside id mapping range 10000000-299999999 for domain 'GANESHA.DEV.NET'.
WARNING: UID of user 'aduser2' outside id mapping range 10000000-299999999 for domain 'GANESHA.DEV.NET'.
crk10.wordpress.com 