[Samba] RHEL Cluster Samba and AD
Arwin L Tugade
arwin.tugade at csun.edu
Wed Oct 28 10:22:35 MDT 2009
I have/am doing this. Not to a 2008 DC though. Basically RHEL 2-node cluster with qdisk, just for GFS. Let me note that I have these boxes PAM'd against our OpenLDAP directory. On top of that I've got Samba 3.3.9 and CTDB so both nodes can be active. I don't use rgmanager to manage my file services since CTDB does a great job already. This is where I think my setup gets unique, because I've asked before and nobody seemed to be running a similar setup. The goal was to preserve all the existing permissions on the Unix filesystem to serve NFS and have SMB shares that support NT ACLs.
Remember this is just what I did to suit my needs; take it with a grain of salt. So what I did was set my idmap config backend for the domain that I am joined to, to nss. Set it to "readonly". And I had to set a range, even though I set readonly, because the idmap tdb file wasn't being created like in previous versions (3.0.2x) and it only populated with Builtin groups, which I wanted because I don't want the automatic AD user mapping to the next available uid/gid. Why did I do this? Because there is a piece of middleware that syncs uids and posix groups from LDAP to users in AD and security groups. So, a user connects to some share and since the uid and cn of groups (along with membership) line up, when they hand out permissions from a Win workstation, it's written down to the filesystem with the uidNumber/gidNumber from LDAP, so if/when they're in a shell they still have the same exact access. Remember this is unique to my site; maybe it will help spark an idea for you.
Also, part of my testing involved using the idmapping of uid/gid. Others on this list will know more about it, but the way I understand this is you set a numeric range that Samba can map a user or security group from AD to some uidNumber or gidNumber. So from what I saw (because I turned off enumeration since the user/group base is extremely large), as users accessed shares, their AD SID would map to a number in the range specified so that number could be written to the filesystem as the uidNumber and gidNumber respectively. The reason I didn't go with this is that in my testing it required me to set winbind in nsswitch and I still wanted to authenticate to LDAP.
Here are some docs that may be of help:
And this one below is what I based my setup on:
Hope this helps.
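As an added illustration (not part of Arwin's post or any Samba project documentation), the smb.conf fragment below collects the settings the two paragraphs above describe in one place: the nss idmap backend for the joined domain with readonly and an explicit range, a separate default (tdb) range that only ever receives the Builtin/well-known groups, and enumeration turned off for a large directory. The workgroup EXAMPLE, realm EXAMPLE.EDU, the numeric ranges and the share path are placeholders, and the `readonly` option on the nss backend is reproduced from the description above rather than verified against the idmap_nss man page for 3.3.

```ini
[global]
   ; Constructed example: placeholders, not the poster's real values
   workgroup = EXAMPLE
   realm = EXAMPLE.EDU
   security = ads

   ; Samba 3.3 with CTDB: both cluster nodes active, tdb state shared via CTDB
   clustering = yes

   ; Default idmap backend (tdb). Only BUILTIN/well-known SIDs end up here,
   ; so the range is placed well outside the uidNumber/gidNumber space
   ; that LDAP hands out (placeholder values).
   idmap backend = tdb
   idmap uid = 3000000-3999999
   idmap gid = 3000000-3999999

   ; Joined domain: map AD users/groups to whatever uidNumber/gidNumber
   ; NSS (here backed by LDAP) already returns for the same name.
   ; readonly = never allocate a fresh id for an unknown SID (as described above).
   ; range is still required so the tdb is created (as described above).
   idmap config EXAMPLE:backend = nss
   idmap config EXAMPLE:readonly = yes
   idmap config EXAMPLE:range = 1000-2999999

   ; Large user/group base: do not enumerate the whole directory
   winbind enum users = no
   winbind enum groups = no

[projects]
   ; Placeholder share on the GFS filesystem; NT ACLs set from a Windows
   ; workstation are stored as POSIX ACLs (filesystem mounted with acl support assumed)
   path = /gfs/projects
   read only = no
   nt acl support = yes
   inherit acls = yes
```

The companion piece that makes the nss backend useful is /etc/nsswitch.conf resolving `passwd` and `group` through `ldap` (files first) rather than `winbind`, so the uidNumber and gidNumber written into the filesystem ACLs are the ones the LDAP directory already assigns; the alternative in the second paragraph (a numeric idmap range with automatic allocation) is what you would get by switching the domain's backend to tdb or rid and adding `winbind` to nsswitch.conf instead.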
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Tim Alexander
Sent: Tuesday, October 27, 2009 12:33 PM
To: samba at lists.samba.org
Subject: [Samba] RHEL Cluster Samba and AD
My head is spinning and I fear I am trying to start this from far too far behind to keep ploughing on. Essentially we are having difficulty with our samba shares at work. We have moved to server 2k8 DCs and this seems to have wreaked havoc on our setup. Our difficulty seems to stem from authentication issues. We have bodged a workaround, though it is neither very secure nor indeed particularly easy to maintain. Our difficulty seemed to stem from winbindd not being able to read uid/gid from our AD. From what I understand this was down to AD only having a ticket for the resource and not for the cluster. Red Hat support have stated that winbind is legacy and therefore not really supported, nice. This led to me pondering about using LDAP to pass through authentication to AD, but so far I am starting from so far behind the drag curve my ears are starting to bleed. I can find a few tutorials on the web about clustered samba and LDAP, but a lot of them assume having OpenLDAP as the primary authentication point or directory; this is not an option for us as we are very much tied in to our new 2008 servers and ESX setup.

I suppose my query in a nutshell is: has anyone managed to configure running Win-based machines that authenticate to a 2008 DC and have need to connect to some user/group controlled samba shared directories that are run under a RHEL cluster? Essentially some users only need to see the data while others need to be able to write data to the shares. This would ideally be controlled from AD groups etc. If this could avoid running OpenLDAP in mirrored (and slightly modified) tandem to AD that would be ideal, though I am fearing the worst on this point.

I apologise if this is a simple query, but I have got myself bogged down in kerberos/samba/likewise/openldap tutorials and guides and feel like I am slowly drowning. Any pointers would be greatly
Thanks in advance