[Samba] Samba HA issue

David Christensen David.Christensen at viveli.com
Wed Aug 5 17:41:42 MDT 2009



David Markey wrote:
> Yup, unfortunately rights granted using net sam/rpc and usrmgr are saved
> locally in a TDB file (account_policy); this should probably be in LDAP. I
> suppose it should be possible to rsync the tdb file.
> 
> 
> On Wed, 5 Aug 2009 17:10:54 -0500, David Christensen
> <David.Christensen at viveli.com> wrote:
> John Du wrote:
>>>> David Christensen wrote:
>>>>
>>>> Liutauras Adomaitis wrote:
>>>>
>>>>
>>>> On Tue, Aug 4, 2009 at 7:39 PM, David
>>>>
>>>> Christensen <David.Christensen at viveli.com>
>>>> wrote:
>>>>
>>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> With samba configured for high availability using heartbeat, I am not
>>>> able to join new computers to the domain after a fail over.  If I fail
>>>> back to the "main" samba instance I can join the computer to the domain.
>>>>
>>>> However With samba in a fail over state and running on the backup PDC
>>>> users can still authenticate and gain access to their shares.
>>>>
>>>> I have the two instances of samba configured nearly identical except for
>>>> having them pointed to the instance of ldap that is running on the
>>>> server itself (which is being replicated).  Is there something else,
>>>> some tdb file etc,  that needs to be shared between the two instances of
>>>> samba so a fail over appears identical to the ldap backend?
>>>>
>>>> Thanks.
>>>>
>>>>
>>>> If you are running a PDC+BDC configuration with an LDAP backend with
>>>> replication, then you must have master-to-master replication. In case
>>>> of master-slave replication you cannot write to the slave while your
>>>> master is not accessible. Usually the slave has a redirection to the master for
>>>> write operations. The slave is read-only and that's why you can authenticate
>>>> to the BDC, but cannot join new machines to the domain.
>>>> This may be your case.
>>>>
>>>> Liutauras
>>>>
>>>>
>>>>
>>>> Liutauras,
>>>>
>>>> I have ldap using master-master replication so writing to either ldap
>>>> instance is no problem.  In addition I have both instances of samba
>>>> configured as PDCs (the smb.conf file is identical on both PDCs except
>>>> for two things, the ldap each talks to and the host name of the PDC
>>>> itself; not using the netbios parameter), however only one of them is
>>>> running at a time.  The issue occurs when the 2nd PDC comes online.
>>>> Based on the ldap logs the query I am seeing from the 2nd PDC in a
>>>> failed over state is not the same query that the "primary" PDC does when
>>>> I add a new computer successfully.  I never see the lookup for the admin
>>>> user who has the right to add a computer, along with other missing
>>>> search strings.
>>>>
>>>> Is there some SID or some other serial number etc. that the 2nd PDC is
>>>> lacking that is causing this symptom?  Why would a query from a near
>>>> identical instance of samba to the same ldap DB be so different?
>>>>
>>>>
>>>> I had the same problem with samba 3.0.28 on rhel 4.  I fixed my problem
>>>> by issuing "net rpc grant .." commands on the backup PDC.  I never
>>>> understood why it behaved that way but those commands worked for me.  I
>>>> thought those rights were in the LDAP database but it seemed that those
>>>> rights are stored on the individual servers somehow.
>>>>
>>>>
>>>>
> John,
> 
> Not familiar with net rpc grant, where is it invoked or added?
David,

I did a diff between the two account_policy files on either instance of
samba and they are identical.  Is this the only file where server rights
are stored?
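A check for the question raised in this thread (whether the backup PDC holds the same locally stored rights as the primary), added here as an example and not taken from the thread or from the Samba project: it takes the output of `net rpc rights list accounts` captured on each node and reports grants the backup lacks. The output line format is assumed from memory, and the two sample dumps are constructed.

```shell
# Compare privilege grants captured on two PDC nodes. Inputs are files holding
# `net rpc rights list accounts` output; assumed format: an account line, one
# privilege per line, a blank line between accounts, "No privileges assigned"
# for accounts without grants. C locale keeps sort and comm ordering identical.
export LC_ALL=C

# Turn one dump into sorted "ACCOUNT<TAB>PRIVILEGE" records.
normalize_rights() {
    awk '
        /^[ \t]*$/                      { account = ""; next }
        account == ""                   { account = $0; next }
        $0 != "No privileges assigned"  { print account "\t" $0 }
    ' "$1" | sort
}

# Print every grant present in the primary dump but absent from the backup
# dump. Empty output means the two nodes agree.
missing_on_backup() {
    primary_norm=$(mktemp); backup_norm=$(mktemp)
    normalize_rights "$1" > "$primary_norm"
    normalize_rights "$2" > "$backup_norm"
    comm -23 "$primary_norm" "$backup_norm"
    rm -f "$primary_norm" "$backup_norm"
}

# Constructed sample dumps (not captured from the poster's servers): the backup
# node lacks the "Domain Admins" SeMachineAccountPrivilege grant, the right
# needed to create machine accounts when a computer joins the domain.
PRIMARY_DUMP=$(mktemp); BACKUP_DUMP=$(mktemp)
cat > "$PRIMARY_DUMP" <<'EOF'
BUILTIN\Administrators
SeMachineAccountPrivilege
SeAddUsersPrivilege

EXAMPLE\Domain Admins
SeMachineAccountPrivilege

BUILTIN\Print Operators
No privileges assigned
EOF
cat > "$BACKUP_DUMP" <<'EOF'
BUILTIN\Administrators
SeMachineAccountPrivilege
SeAddUsersPrivilege

EXAMPLE\Domain Admins
No privileges assigned
EOF

missing_on_backup "$PRIMARY_DUMP" "$BACKUP_DUMP"
# prints: EXAMPLE\Domain Admins<TAB>SeMachineAccountPrivilege
```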

