[Samba] Samba HA issue
David Christensen
David.Christensen at viveli.com
Wed Aug 5 17:41:42 MDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
David Markey wrote:
> Yup unfortunately rights granted using net sam/rpc and usrmgr are saved
> locally in a TDB file(account_policy), this should probably be in LDAP, i
> suppose it sould be possible to rsync the tdb file.
>
>
> On Wed, 5 Aug 2009 17:10:54 -0500, David Christensen
> <David.Christensen at viveli.com> wrote:
> John Du wrote:
>>>> David Christensen wrote:
>>>>
>>>> Liutauras Adomaitis wrote:
>>>>
>>>>
>>>> On Tue, Aug 4, 2009 at 7:39 PM, David
>>>>
>> Christensen<David.Christensen at viveli.com><mailto:David.Christensen at viveli.com>
>>>> wrote:
>>>>
>>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> With samba configured for high availability using heartbeat, I am not
>>>> able to join new computers to the domain after a fail over. If I fail
>>>> back to the "main" samba instance I can join the computer to the domain.
>>>>
>>>> However With samba in a fail over state and running on the backup PDC
>>>> users can still authenticate and gain access to their shares.
>>>>
>>>> I have the two instances of samba configured nearly identical except for
>>>> having them pointed to the instance of ldap that is running on the
>>>> server itself (which is being replicated). Is there something else,
>>>> some tdb file etc, that needs to be shared between the two instances of
>>>> samba so a fail over appears identical to the ldap backend?
>>>>
>>>> Thanks.
>>>>
>>>>
>>>> If you are running PDC+BDC configuration with LDAP backend with
>>>> replication, then you must have master to master replication. In case
>>>> of master - slave replication you canot write ot slave while your
>>>> muster is not accessible. Usual slave has a redirection to master for
>>>> write operations. Slave is readonly and thats why you can authenticate
>>>> to BDC, but cannot join new machines to the domain.
>>>> This may be your case
>>>>
>>>> Liutauras
>>>>
>>>>
>>>>
>>>> Liutauras,
>>>>
>>>> I have ldap using master-master replication so writing to either ldap
>>>> instance is no problem. In addition I have both instances of samba
>>>> configured as PDC's (the smb.conf file is identical on both PDC's except
>>>> for two things, the ldap each talks to and the host name of the PDC
>>>> itself; not using the netbios parameter), however only one of them is
>>>> running at a time. The issue occurs when the 2nd PDC comes online.
>>>> Based on the ldap logs the query I am seeing from the 2nd PDC in a
>>>> failed over state is not the same query that the "primary" PDC does when
>>>> I add a new computer successfuly. I never see the lookup for the admin
>>>> user who has the right to add a computer, along with other missing
>>>> search strings.
>>>>
>>>> Is there some SID or some other serial number etc. that the 2nd PDC is
>>>> lacking that is causing this symptom? Why would a query from a near
>>>> identical instance of samba to the same ldap DB be so different?
>>>>
>>>>
>>>> I had the same problem with samba 3.0.28 on rhel 4. I fixed my problem
>>>> by issuing "net rpc grant .." commands on the backup PDC. I never
>>>> understood why it behaved that way but those commands worked for me. I
>>>> thought those rights were in the LDAP database but it seemed that those
>>>> rights are stored on the individual servers somehow.
>>>>
>>>>
>>>>
> John,
>
> Not familiar with net rpc grant, where is the invoked or added?
David,
I did a diff between the two account_policy files on either instance of
samba and they are identical. Is this the only file where server rights
are stored?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkp6GLYACgkQ5B+8XEnAvqtsWACbBtwRsTEalBLedSuyx2TcZUNm
wWYAnjZr8kE0iLZWeUtJa3rrNntLiV5b
=qYik
-----END PGP SIGNATURE-----
More information about the samba
mailing list