[Samba] Samba HA issue

David Christensen David.Christensen at viveli.com
Thu Aug 6 11:53:58 MDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Christensen wrote:
> David Markey wrote:
>> Yup, unfortunately rights granted using net sam/rpc and usrmgr are saved
>> locally in a TDB file (account_policy); this should probably be in LDAP. I
>> suppose it should be possible to rsync the tdb file.
> 
> 
>> On Wed, 5 Aug 2009 17:10:54 -0500, David Christensen
>> <David.Christensen at viveli.com> wrote:
>> John Du wrote:
>>>>> David Christensen wrote:
>>>>>
>>>>> Liutauras Adomaitis wrote:
>>>>>
>>>>>
>>>>> On Tue, Aug 4, 2009 at 7:39 PM, David Christensen
>>>>> <David.Christensen at viveli.com> wrote:
>>>>>
>>>>>
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> With samba configured for high availability using heartbeat, I am not
>>>>> able to join new computers to the domain after a fail over.  If I fail
>>>>> back to the "main" samba instance I can join the computer to the domain.
>>>>>
>>>>> However With samba in a fail over state and running on the backup PDC
>>>>> users can still authenticate and gain access to their shares.
>>>>>
>>>>> I have the two instances of samba configured nearly identically except for
>>>>> having them pointed to the instance of ldap that is running on the
>>>>> server itself (which is being replicated).  Is there something else,
>>>>> some tdb file etc,  that needs to be shared between the two instances of
>>>>> samba so a fail over appears identical to the ldap backend?
>>>>>
>>>>> Thanks.
>>>>>
>>>>>
>>>>> If you are running a PDC+BDC configuration with an LDAP backend with
>>>>> replication, then you must have master-to-master replication. In case
>>>>> of master-slave replication you cannot write to the slave while your
>>>>> master is not accessible. Usually the slave has a redirection to the master for
>>>>> write operations. The slave is read-only and that's why you can authenticate
>>>>> to the BDC, but cannot join new machines to the domain.
>>>>> This may be your case.
>>>>>
>>>>> Liutauras
>>>>>
>>>>>
>>>>>
>>>>> Liutauras,
>>>>>
>>>>> I have ldap using master-master replication so writing to either ldap
>>>>> instance is no problem.  In addition I have both instances of samba
>>>>> configured as PDCs (the smb.conf file is identical on both PDCs except
>>>>> for two things, the ldap each talks to and the host name of the PDC
>>>>> itself; not using the netbios parameter), however only one of them is
>>>>> running at a time.  The issue occurs when the 2nd PDC comes online.
>>>>> Based on the ldap logs the query I am seeing from the 2nd PDC in a
>>>>> failed over state is not the same query that the "primary" PDC does when
>>>>> I add a new computer successfully.  I never see the lookup for the admin
>>>>> user who has the right to add a computer, along with other missing
>>>>> search strings.
>>>>>
>>>>> Is there some SID or some other serial number etc. that the 2nd PDC is
>>>>> lacking that is causing this symptom?  Why would a query from a near
>>>>> identical instance of samba to the same ldap DB be so different?
>>>>>
>>>>>
>>>>> I had the same problem with samba 3.0.28 on rhel 4.  I fixed my problem
>>>>> by issuing "net rpc grant .." commands on the backup PDC.  I never
>>>>> understood why it behaved that way but those commands worked for me.  I
>>>>> thought those rights were in the LDAP database but it seemed that those
>>>>> rights are stored on the individual servers somehow.
>>>>>
>>>>>
>>>>>
>> John,
> 
>> Not familiar with net rpc grant; where is that invoked or added?
> David,
> 
> I did a diff between the two account_policy files on either instance of
> samba and they are identical.  Is this the only file where server rights
> are stored?
I ran the net rpc grant rights on the offending server; however, the issue
remains.

I am using samba 3.2.11. Is there any documentation on how to set up a
second PDC for disaster recovery purposes and grant it the same rights
to add computers as the primary?  Based on the ldap queries the issue
does look to be privilege related, but I am at a loss, being a samba
newbie.  How and where does the hostname affect queries for the same
domain?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkp7GLYACgkQ5B+8XEnAvqudFwCfeaVnTv1Nui08s19nKrG3DOBT
JggAn2LdTldCNaHPpmajPQ9Mk5/s07uL
=Gee2
-----END PGP SIGNATURE-----
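
The thread says that rights granted with net rpc/net sam live locally in account_policy.tdb, and the original poster diffed the two files byte-for-byte. The script below is an added example, not code from the thread or from the Samba project: it compares the PRIV_<SID> records of two `tdbdump account_policy.tdb` outputs and decodes each SID's rights by name, so a missing or partial grant on the failover node shows up as a readable line. Three things are assumptions and are marked as such in the code: the record format tdbdump prints, the "PRIV_" key prefix Samba 3 uses, and the bit layout of the SE_PRIV mask; the two dumps and the domain SID are constructed sample input.

```python
"""Compare the locally stored privilege grants (PRIV_<SID> records of
account_policy.tdb) of two Samba 3 domain controllers.
Added example; assumptions are marked ASSUMPTION below."""
import re
import struct
from typing import Dict, List, Tuple

# ASSUMPTION: bits of word 0 of Samba 3's SE_PRIV mask (privileges.h).
# Check against the header of the Samba version you actually run.
PRIV_BITS = {
    0x01: "SeMachineAccountPrivilege",
    0x02: "SePrintOperatorPrivilege",
    0x04: "SeAddUsersPrivilege",
    0x08: "SeDiskOperatorPrivilege",
    0x10: "SeRemoteShutdownPrivilege",
    0x20: "SeBackupPrivilege",
    0x40: "SeRestorePrivilege",
    0x80: "SeTakeOwnershipPrivilege",
}

# ASSUMPTION: tdbdump prints each record as
#   {  /  key(N) = "..."  /  data(N) = "..."  /  }
# with non-printable bytes, '"' and '\' escaped as \XX (two hex digits).
_RECORD = re.compile(
    r'\{\s*key\((\d+)\)\s*=\s*"((?:[^"\\]|\\.)*)"\s*'
    r'data\((\d+)\)\s*=\s*"((?:[^"\\]|\\.)*)"\s*\}',
    re.S,
)
_ESC = re.compile(r"\\([0-9A-Fa-f]{2})")


def _unescape(s: str) -> bytes:
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)), s).encode("latin-1")


def parse_tdbdump(text: str) -> Dict[bytes, bytes]:
    """{key: data} from tdbdump output. Declared lengths are checked so a
    dump mangled in transit (line-wrapped mail, lost escapes) is rejected."""
    records: Dict[bytes, bytes] = {}
    for klen, k, dlen, d in _RECORD.findall(text):
        key, data = _unescape(k), _unescape(d)
        if len(key) != int(klen) or len(data) != int(dlen):
            raise ValueError(f"length mismatch in record {k!r}; dump is mangled")
        records[key] = data
    return records


def decode_privmask(data: bytes) -> List[str]:
    """ASSUMPTION: value is an SE_PRIV mask of four little-endian uint32
    words; only word 0 carries the bits in PRIV_BITS."""
    if len(data) != 16:
        raise ValueError(f"unexpected privilege mask length {len(data)}")
    words = struct.unpack("<4I", data)
    names = [name for bit, name in sorted(PRIV_BITS.items()) if words[0] & bit]
    if words[0] & ~0xFF or any(words[1:]):
        names.append("<unknown bits>")
    return names


def privileges(records: Dict[bytes, bytes]) -> Dict[str, List[str]]:
    """SID -> rights, from every record keyed PRIV_<SID> (ASSUMPTION: prefix)."""
    return {key[5:].decode("ascii"): decode_privmask(data)
            for key, data in records.items() if key.startswith(b"PRIV_")}


def diff_privileges(dump_a: str, dump_b: str) -> List[Tuple[str, List[str], List[str]]]:
    """(sid, rights on A, rights on B) for every SID whose rights differ.
    Records are compared, not file bytes: two tdb files can differ in
    free-list and hash layout while holding exactly the same grants."""
    pa = privileges(parse_tdbdump(dump_a))
    pb = privileges(parse_tdbdump(dump_b))
    return [(sid, pa.get(sid, []), pb.get(sid, []))
            for sid in sorted(set(pa) | set(pb))
            if pa.get(sid, []) != pb.get(sid, [])]


# Constructed sample dumps (no real server): the primary granted rights to
# Domain Admins (RID 512) and Administrator (RID 500); the failover node
# holds only a partial grant for Administrator and nothing for RID 512.
PRIMARY_DUMP = r"""
{
key(19) = "min password length"
data(4) = "\05\00\00\00"
}
{
key(49) = "PRIV_S-1-5-21-1004336348-1177238915-682003330-512"
data(16) = "\01\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
}
{
key(49) = "PRIV_S-1-5-21-1004336348-1177238915-682003330-500"
data(16) = "\05\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
}
"""

FAILOVER_DUMP = r"""
{
key(49) = "PRIV_S-1-5-21-1004336348-1177238915-682003330-500"
data(16) = "\01\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
}
"""

if __name__ == "__main__":
    for sid, on_a, on_b in diff_privileges(PRIMARY_DUMP, FAILOVER_DUMP):
        print(f"{sid}\n  primary : {on_a or '-'}\n  failover: {on_b or '-'}")
```

Run `tdbdump account_policy.tdb` on each node (the file sits in Samba's lock or private directory, which varies by build) and feed the two outputs to `diff_privileges`; `net rpc rights list accounts` against the running server gives the same information from the other side. Note that account_policy.tdb is not the only local state a second PDC needs: in Samba 3 the LDAP admin DN password set with `smbpasswd -w` and the domain SID live in secrets.tdb, so a node without them will bind to LDAP and answer requests differently from the primary even with an identical smb.conf.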

