[Samba] CTDB + Samba + Winbind + ActiveDirectory

Michael Adam obnox at samba.org
Thu Jan 8 11:18:41 GMT 2009

Hi Tim,

sorry, I somehow lost track of our earlier mail thread(s)...

tim clusters wrote:
> Hi All,
> Are there any special CTDB/SMB configuration settings/dependencies to manage
> Winbind across CTDB managed servers authenticating via Active
> Directory(AD)? An example would be Samba's IDMAP backend for Winbind: RID
> vs. AD or tag Winbind to a primary CTDB node and point other nodes to
> authenticate from AD via proxy primary CTDB node?

You need to have compiled samba with the configure option
"--with-cluster-support". Without this, none of the things below
will work!

All nodes should be able to authenticate and provide idmappings themselves.

The nodes keep a local cache of the id mappings, but for instance
the idmap_tdb2 database is distributed via ctdb to all nodes
(idmap backend = tdb2), so there is no need to proxy anything
over one node. There is no such thing as a primary ctdb node.
Only one node at a time is data master (has the authoritative
copy of the tdb data) but this changes as nodes try to write to a
tdb file.

To have samba+winbind working correctly you need to put winbind
into your /etc/nsswitch.conf file (this has nothing to do with ctdb
and applies to non-clustered setups as well), e.g.:
    passdb: files winbind
    group: files winbind

Now let's look at your configs and possible ways to diagnose your

> /etc/sysconfig/ctdb on all nodes is as follows:
> CTDB_RECOVERY_LOCK=/mnt/gpfs/CTDB/recovery.lck
> CTDB_PUBLIC_ADDRESSES=/etc/ctdb/public_addresses
> CTDB_NODES=/etc/ctdb/nodes

looks good.

> I had asked this before, but I have a strange scenario where Windows node is
> able to mount only from one of the CTDB-managed SMB servers. The NetBIOS
> name is same on all the nodes and "net ads join" is issued only from one of
> the CTDB nodes. Any guidance to resolve this would be greatly appreciated.

* What version of samba did you use?

  The 3.3.0 prerelease-tarball or (a checkout of the v3-3-test
  branch) should be ok for cluster use, as should be the v3-2-ctdb
  branch. Plain 3.2.0 lacks some features.

* CTDB should be up and running on all nodes when you do the join!

  (Or else you might have created the join data only in local
   non-clustered fallback copies of the tdbs, depending on the
   precise samba version...)

  Verify that ctdb is running ok by issuing "ctdb status".

* Please verify that all nodes are correctly joined to AD by
  running (e.g.) "onnode all net ads testjoin" and (after winbind
  has been started on all nodes) "onnode all wbinfo -t".

* Restart winbind and smb services after the join.

* Your samba config looks basically ok.

  The only strange thing is the idmap ranges:
  the global range and the TESTDOMAIN range overlap in a strange way.
  You might want to try with only the global (default) idmap
  config first.

  You might want to add "interfaces = eth2 lo" and
  "bind interfaces only = yes" to prevent samba from listening
  on the internal network (as configured in the /etc/ctdb/nodes file).

* After you verified that all nodes are joined with "wbinfo -t",
  you should verify that winbindd is working correctly with
  some wbinfo commands (on all nodes)

  - authentication:  wbinfo -a TESTDOMAIN+user%password

  raw id/name mapping:

  - name-to-sid:     wbinfo -n TESTDOMAIN+user
                     wbinfo -n TESTDOMAIN+group
  - sid-to-name:     wbinfo -s SID
  - sid-to-uid:      wbinfo -S USERSID
  - uid-to-sid:      wbinfo -U UID
  - sid-to-gid:      wbinfo -Y GROUPSID
  - gid-to-sid:      wbinfo -G GID


  - users:  wbinfo -u
  - groups: wbinfo -g


  - user info:   wbinfo --user-info=user
                 wbinfo --uid-info=UID
  - group info:  wbinfo --group-info=group

  direct nssinfo tests with unix commands:

  - getent passwd <username>
  - getent passwd <uid>
  - getent passwd
  - getent group <groupname>
  - getent group <gid>
  - getent group
  - id <username>

  These should all work.
  If the nss related things don't work, verify that your
  /etc/nsswitch.conf file contains winbind in passdb and group.

  Also verify that they still work after flushing the idmap cache
  with "net cache flush".

* Next you can try connecting to samba shares.

  You should be able to connect to any of the public ip addresses
  you configured in your public addresses file.
  If you have the same set of public ip addresses configured on
  all nodes, you can check with "ctdb ip" which node has been
  assigned which public ip addresses by ctdbd.

  Note that with your ctdb settings above (CTDB_PUBLIC_ADDRESSES and
  CTDB_PUBLIC_INTERFACE) you have configured ctdb to do ip
  takeover: ctdbd will configure the public interface/addresses
  for you and switch ips to other nodes when one node becomes

  You can test connectivity with smbclient:

  smbclient //some_public_ip/global-share -UTESTDOMAIN+user%password

  This should work for all public addresses.

  If this does not work, please send me a debug level 10 output
  of the smbclient command and a level 10 log of smbd on the
  corresponding machine.

  You can also test the loopback address on each node.
  (onnode <nodenum> smbclient // -U...)

  Then test with windows clients, with the explorer and with
  "net use". At any point where this fails, we would need
  level 10 server logs of the failing connection.

I hope this gives you a new start in sorting out the problem.

Cheers - Michael

> [global]
>         workgroup = TESTDOMAIN
>         realm = TESTDOMAIN.LOCAL
>         netbios name = CTDB-HEAD
>         security = ADS
>         auth methods = winbind, sam
>         password server =
>         passdb backend = tdbsam
>         log level = 10 winbind:10 auth:10 passdb:10
>         log file = /var/log/samba/log.%m
>         max log size = 10000
>         smb ports = 445
>         server signing = auto
>         socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
>         use mmap = No
>         clustering = Yes
>         dns proxy = No
>         idmap backend = tdb2
>         idmap uid = 10000000-20000000
>         idmap gid = 10000000-20000000
>         template homedir = /home/%D+%U
>         template shell = /bin/bash
>         winbind separator = +
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         nfs4:acedup = merge
>         nfs4:chown = yes
>         nfs4:mode = special
>         gpfs:sharemodes = no
>         fileid:mapping = fsname
>         idmap config TESTDOMAIN:range = 10777216-57554431
>         idmap config TESTDOMAIN:backend = rid
>         force unknown acl user = Yes
>         strict locking = Yes
>         vfs objects = gpfs, fileid
> [global-share]
>         comment = Global SMB NameSpace
>         path = /mnt/gpfs/nfsexport
>         read only = No
>         inherit permissions = Yes
>         inherit acls = Yes
>         guest ok = Yes
> Regards,
> -Tim
> -- 

Michael Adam <ma at sernet.de>  <obnox at samba.org>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE
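Two of the checks Michael asks for above can be done offline on copies of the config text before touching any node: the idmap range overlap he points out (the global "idmap uid"/"idmap gid" range against the TESTDOMAIN rid range), and whether winbind is listed in nsswitch.conf. Note that the nsswitch.conf database is named "passwd" (the mail writes "passdb"); a "passdb:" line would be ignored by glibc. The following is an added example, not Samba's code and not from the list post; the smb.conf excerpt is constructed from Tim's quoted config, the nsswitch.conf samples are constructed, and the function names are assumptions. It also generalises slightly beyond the post by checking every "idmap config DOMAIN:range" against the global range and against each other.

```python
"""Offline sanity checks for a clustered Samba/winbind idmap setup (added example)."""
import re

# Constructed copy of the idmap-relevant lines of the smb.conf quoted in the post.
SMB_CONF_FROM_POST = """
[global]
        workgroup = TESTDOMAIN
        idmap backend = tdb2
        idmap uid = 10000000-20000000
        idmap gid = 10000000-20000000
        idmap config TESTDOMAIN:range = 10777216-57554431
        idmap config TESTDOMAIN:backend = rid
"""

# Constructed nsswitch.conf samples: one without winbind, one as the post recommends.
NSSWITCH_BROKEN = """
passwd: files
group:  files
"""
NSSWITCH_OK = """
passwd: files winbind
group:  files winbind
"""

RANGE_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")


def parse_idmap_ranges(conf_text):
    """Return {label: (low, high)} for 'idmap uid', 'idmap gid' and every
    'idmap config DOMAIN:range' found in the smb.conf text."""
    ranges = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        m = RANGE_RE.match(value)
        if not m:
            continue  # not a LOW-HIGH value (e.g. ":backend = rid")
        low, high = int(m.group(1)), int(m.group(2))
        if key in ("idmap uid", "idmap gid"):
            ranges[key] = (low, high)
        elif key.startswith("idmap config ") and key.endswith(":range"):
            domain = key[len("idmap config "):-len(":range")].upper()
            ranges["idmap config %s:range" % domain] = (low, high)
    return ranges


def overlapping_ranges(ranges):
    """Return [(label_a, label_b, (lo, hi))] for every global-vs-domain and
    domain-vs-domain pair whose ranges intersect.  The global uid and gid
    ranges are allowed to coincide, so that pair is not compared."""
    global_keys = [k for k in ("idmap uid", "idmap gid") if k in ranges]
    domain_keys = sorted(k for k in ranges if k.startswith("idmap config "))
    pairs = [(g, d) for g in global_keys for d in domain_keys]
    pairs += [(a, b) for i, a in enumerate(domain_keys) for b in domain_keys[i + 1:]]
    found = []
    for a, b in pairs:
        lo = max(ranges[a][0], ranges[b][0])
        hi = min(ranges[a][1], ranges[b][1])
        if lo <= hi:
            found.append((a, b, (lo, hi)))
    return found


def nsswitch_missing_winbind(nsswitch_text):
    """Return the nsswitch databases among passwd/group that do not list winbind."""
    sources = {}
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, srcs = line.partition(":")
        sources[db.strip()] = srcs.split()
    return [db for db in ("passwd", "group") if "winbind" not in sources.get(db, [])]


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF_FROM_POST)
    for a, b, (lo, hi) in overlapping_ranges(ranges):
        print("overlap: %s and %s share ids %d-%d" % (a, b, lo, hi))
    for db in nsswitch_missing_winbind(NSSWITCH_BROKEN):
        print("nsswitch.conf: '%s' does not list winbind" % db)
```

On Tim's config this reports that both the global uid and gid ranges share ids 10777216-20000000 with the TESTDOMAIN rid range, which is the overlap Michael suggests removing by starting with only the global range; the same two ids can otherwise be handed out by two different allocators on different nodes, which is exactly the kind of inconsistent mapping that shows up as a share working from one node only.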