[Samba] Samba HA issue
John Du
jjohndu at gmail.com
Wed Aug 5 16:41:50 MDT 2009
David Markey wrote:
> Yup, unfortunately rights granted using net sam/rpc and usrmgr are saved
> locally in a TDB file (account_policy); this should probably be in LDAP. I
> suppose it should be possible to rsync the tdb file.
>
>
> On Wed, 5 Aug 2009 17:10:54 -0500, David Christensen
> <David.Christensen at viveli.com> wrote:
>
>> John Du wrote:
>>
>>> David Christensen wrote:
>>>
>>> Liutauras Adomaitis wrote:
>>>
>>>
>>> On Tue, Aug 4, 2009 at 7:39 PM, David Christensen
>>> <David.Christensen at viveli.com> wrote:
>>>
>>>
>>> With samba configured for high availability using heartbeat, I am not
>>> able to join new computers to the domain after a fail over. If I fail
>>> back to the "main" samba instance I can join the computer to the domain.
>>>
>>> However With samba in a fail over state and running on the backup PDC
>>> users can still authenticate and gain access to their shares.
>>>
>>> I have the two instances of samba configured nearly identical except for
>>> having them pointed to the instance of ldap that is running on the
>>> server itself (which is being replicated). Is there something else,
>>> some tdb file etc, that needs to be shared between the two instances of
>>> samba so a fail over appears identical to the ldap backend?
>>>
>>> Thanks.
>>>
>>>
>>> If you are running a PDC+BDC configuration with an LDAP backend with
>>> replication, then you must have master-to-master replication. In case
>>> of master-slave replication you cannot write to the slave while your
>>> master is not accessible. Usually the slave has a redirection to the master for
>>> write operations. The slave is read-only and that's why you can authenticate
>>> to the BDC, but cannot join new machines to the domain.
>>> This may be your case.
>>>
>>> Liutauras
>>>
>>>
>>>
>>> Liutauras,
>>>
>>> I have ldap using master-master replication so writing to either ldap
>>> instance is no problem. In addition I have both instances of samba
>>> configured as PDCs (the smb.conf file is identical on both PDCs except
>>> for two things, the ldap each talks to and the host name of the PDC
>>> itself; not using the netbios parameter), however only one of them is
>>> running at a time. The issue occurs when the 2nd PDC comes online.
>>> Based on the ldap logs, the query I am seeing from the 2nd PDC in a
>>> failed-over state is not the same query that the "primary" PDC does when
>>> I add a new computer successfully. I never see the lookup for the admin
>>> user who has the right to add a computer, along with other missing
>>> search strings.
>>>
>>> Is there some SID or some other serial number etc. that the 2nd PDC is
>>> lacking that is causing this symptom? Why would a query from a near
>>> identical instance of samba to the same ldap DB be so different?
>>>
>>>
>>> I had the same problem with samba 3.0.28 on rhel 4. I fixed my problem
>>> by issuing "net rpc grant .." commands on the backup PDC. I never
>>> understood why it behaved that way but those commands worked for me. I
>>> thought those rights were in the LDAP database but it seemed that those
>>> rights are stored on the individual servers somehow.
>>>
>>>
>>>
>>>
>> John,
>>
>> Not familiar with net rpc grant; where is that invoked or added?
>>
These commands are documented at
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html.
>
>
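The thread's diagnosis (grants live in each server's local account_policy.tdb, not in LDAP) and John's fix (re-issuing the grants on the backup PDC) suggest a check worth automating. The script below is an added example, not code from the thread or from Samba: it compares saved output of `net rpc rights list accounts` from the two PDCs and prints the `net rpc rights grant` commands the backup is missing. The listing format (account name, then one privilege per line, blank line between records) and the names BACKUP_HOST and ADMIN_USER are assumptions.

```shell
# Added example: find privileges the backup Samba PDC lacks compared with
# the primary. Rights granted with "net rpc rights grant" are stored in each
# server's local account_policy.tdb rather than in LDAP, so a backup without
# the same grants cannot add machine accounts after a failover.
# Assumed input format ("net rpc rights list accounts"): account name line,
# then one privilege per line, records separated by blank lines.

# Reduce one listing to sorted "account|privilege" lines.
rights_pairs() {
    awk 'NF == 0    { acct = ""; next }
         acct == "" { acct = $0; next }
                    { print acct "|" $1 }' "$1" | sort
}

# Print pairs present in the primary listing ($1) but absent from
# the backup listing ($2).
missing_rights() {
    { rights_pairs "$2" | sed 's/^/B /'; rights_pairs "$1" | sed 's/^/P /'; } |
        awk '{ key = substr($0, 3) }
             $1 == "B"      { have[key] = 1; next }
             !(key in have) { print key }'
}

# Emit the "net rpc rights grant" commands that would bring the backup in
# line. They are printed for review, not run; BACKUP_HOST and ADMIN_USER
# are placeholders.
grant_commands() {
    missing_rights "$1" "$2" | while IFS='|' read -r acct priv; do
        printf 'net rpc rights grant "%s" %s -S %s -U %s\n' \
            "$acct" "$priv" "${BACKUP_HOST:-backup-pdc}" "${ADMIN_USER:-root}"
    done
}

# Constructed sample listings standing in for the two servers' output.
write_sample_listings() {
    cat > "$1" <<'EOF'
BUILTIN\Account Operators
SeMachineAccountPrivilege

DOMAIN\Domain Admins
SeMachineAccountPrivilege
SeAddUsersPrivilege
EOF
    cat > "$2" <<'EOF'
BUILTIN\Account Operators
SeMachineAccountPrivilege

DOMAIN\Domain Admins
SeAddUsersPrivilege
EOF
}
```

On a real pair of servers, save `net rpc rights list accounts -S <host> -U <admin>` from each PDC to a file and pass those two files to grant_commands.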