This page is a reference for manually configuring a system to use PACE's CEDAR storage. It only covers systems using SSSD, not nslcd.
Configure SSSD
- Open a new file /etc/sssd/conf.d/02_pace_cedar_sssd.conf. If not using conf.d snippets, continue in the sssd.conf file.
- Insert the following lines:
[sssd]
config_file_version = 2
domains = gatech.edu,gted-ldap,gted-files
services = nss, pam
timeout = 60

[domain/gted-ldap]
id_provider = ldap
auth_provider = ldap
ldap_id_use_start_tls = false
ldap_tls_reqcert = never
cache_credentials = false
ldap_uri = ldaps://r.gted.gatech.edu:636
ldap_default_bind_dn = uid=pace-gted-read1,ou=Local Accounts,dc=gted,dc=gatech,dc=edu
ldap_default_authtok = !!!!REPLACE ME!!!!
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_search_base = ou=gtaccounts,ou=departments,dc=gted,dc=gatech,dc=edu
ldap_group_search_base = ou=gtaccounts,ou=Departments,dc=gted,dc=gatech,dc=edu
entry_cache_timeout = 900
enumerate = false
ldap_referrals = false
ldap_user_gecos = displayName
debug_level = 1
timeout = 60

[domain/gted-files]
id_provider = files
auth_provider = ldap
ldap_id_use_start_tls = false
ldap_tls_reqcert = never
cache_credentials = false
ldap_uri = ldaps://r.gted.gatech.edu:636
ldap_default_bind_dn = uid=pace-gted-read1,ou=Local Accounts,dc=gted,dc=gatech,dc=edu
ldap_default_authtok = !!!!REPLACE ME!!!!
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_search_base = ou=gtaccounts,ou=departments,dc=gted,dc=gatech,dc=edu
ldap_group_search_base = ou=gtaccounts,ou=Departments,dc=gted,dc=gatech,dc=edu
entry_cache_timeout = 300
enumerate = false
ldap_referrals = false
ldap_user_gecos = displayName
debug_level = 1
timeout = 60
- Replace the "!!!!REPLACE ME!!!!" values with the "PACE GTED read-only account" password available in KeePass under Root/LDAP
- Save & quit
- Ensure the configuration file is readable and writable by root only (it contains the bind password):
chmod 600 <file> && chown root:root <file>
- Verify that the configuration is valid with
sssctl config-check
- Restart sssd with
systemctl restart sssd
- You can test whether NSS is now resolving PACE groups by running getent group, e.g.:
getent -s sss group pace-cs-d-coc_tso-0
- If you don't see the groups, delete or comment out any "ignore_group_members = True" lines in the sssd configuration. Please note that setting this to False will NOT have the intended effect. Remove the line from the configuration entirely.
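The checks in the steps above (placeholder password replaced, no ignore_group_members line at all, file locked down to root) can be run as a quick lint before sssctl config-check and the restart. This is an added example, not a PACE script; the sample snippet it writes is constructed and deliberately left in the half-edited state the steps warn about.

```shell
# check_sssd_snippet FILE: prints findings, returns the number of hard failures (0 = clean)
check_sssd_snippet() {
  f="$1"; fails=0
  # 1. the bind password placeholder from the template must be gone
  if grep -q 'REPLACE ME' "$f"; then
    echo "FAIL: ldap_default_authtok still holds the placeholder"; fails=$((fails+1))
  fi
  # 2. ignore_group_members must not appear at all; "= False" does not help, the line has to go
  if grep -Eiq '^[[:space:]]*ignore_group_members[[:space:]]*=' "$f"; then
    echo "FAIL: ignore_group_members present; delete the line"; fails=$((fails+1))
  fi
  # 3. the file carries a bind password: mode 0600, owned by root
  mode=$(stat -c '%a' "$f")
  if [ "$mode" != "600" ]; then
    echo "FAIL: mode is $mode, expected 600"; fails=$((fails+1))
  fi
  if [ "$(stat -c '%u' "$f")" != "0" ]; then
    echo "WARN: not owned by root (uid $(stat -c '%u' "$f"))"
  fi
  # 4. informational: the template disables LDAPS server certificate verification
  if grep -Eiq '^[[:space:]]*ldap_tls_reqcert[[:space:]]*=[[:space:]]*never' "$f"; then
    echo "WARN: ldap_tls_reqcert = never; the server certificate is not verified"
  fi
  return "$fails"
}

# write_sample FILE: constructed snippet mimicking a template that was not fully edited
write_sample() {
  cat > "$1" <<'EOF'
[domain/gted-ldap]
id_provider = ldap
ldap_uri = ldaps://r.gted.gatech.edu:636
ldap_tls_reqcert = never
ldap_default_authtok = !!!!REPLACE ME!!!!
ignore_group_members = True
EOF
}

sample=$(mktemp)
write_sample "$sample"
chmod 644 "$sample"
n=0; check_sssd_snippet "$sample" || n=$?
echo "$n hard failure(s) in $sample"
rm -f "$sample"
```

Run it against the real snippet with `check_sssd_snippet /etc/sssd/conf.d/02_pace_cedar_sssd.conf`; a non-zero return means fix the listed items before restarting sssd.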
Mounting the Share
- Identify where the share will be mounted or create a new directory
- If emulating PACE storage, CEDAR shares are located at:
/storage/cedar/cedar0/<share name>
- You must mount the share using sudo or root; however, the root account will not be able to navigate into the share. Use your standard account to navigate the mounted share.
- PACE's instruction for mounting CEDAR can be found in KB0042714
- Note: if you copy & paste from the KB article and get an odd error message (e.g., "command not found"), it is because the characters that were pasted in are not ordinary spaces. Delete those "spaces" and retype them as regular spaces.
NFS3 (current best method)
sudo mount -t nfs -o vers=3,rsize=32768,wsize=32768,noacl,noatime,tcp,nosuid,soft cedar.nas.gatech.edu:/cedar0/<share name> <mount location>
- e.g.,
sudo mount -t nfs -o vers=3,rsize=32768,wsize=32768,noacl,noatime,tcp,nosuid,soft cedar.nas.gatech.edu:/cedar0/cedard-coc_tso-0 /storage/cedar/cedar0/cedard-coc_tso-0
NFS4
sudo mount -t nfs4 -o vers=4.1,sec=sys,noresvport,rsize=32768,wsize=32768,noatime,tcp,nosuid,soft cedar.nas.gatech.edu:/cedar0/<share name> <mount location>
- e.g.,
sudo mount -t nfs4 -o vers=4.1,sec=sys,noresvport,rsize=32768,wsize=32768,noatime,tcp,nosuid,soft cedar.nas.gatech.edu:/cedar0/cedard-coc_tso-0 /storage/cedar/cedar0/cedard-coc_tso-0
- If using NFS4, you will notice that the files in a share are owned by 'nobody:nobody'. This is because of how NFS4 handles ID mapping. When viewed elsewhere (e.g., on PACE resources), the files will have the right ownership and permissions, and you can read/write files as expected.