[Samba] UID syncing issues with CTDB

Kums kumaran.rajaram at gmail.com
Tue Aug 17 10:11:53 MDT 2010


Jeremy,

Install the AD service "Identity Management for Unix", add users/groups into it,
and assign unique UID/GID if you want consistent mapping across CTDB
servers. Use the Winbind service to interface the CTDB servers with the AD in
order to pull the right UID/GID for consistent mapping.

Then you can join the CTDB servers to the AD using "net ads join" and query
the AD users using "wbinfo".

[root@ ~]# wbinfo -u list
TESTDOMAIN+administrator
TESTDOMAIN+guest
TESTDOMAIN+testusera
TESTDOMAIN+testuserc

[root@ ~]# wbinfo -g
TESTDOMAIN+win_users

[root@ ~]# id TESTDOMAIN+testusera
uid=11001(TESTDOMAIN+testusera) gid=20001(TESTDOMAIN+win_users)
groups=20001(TESTDOMAIN+win_users),20002(TESTDOMAIN+domain users)


Please find attached a sample smb.conf.

HTH,
-Kums
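
A check for the UID/GID mismatch described in the quoted message, added here as an example (not code from the thread, from Samba or from CTDB): it compares the numeric ids that two nodes resolve for the same domain accounts and flags any account whose UID or GID differs. The getent lines and the node hostnames in the comments are constructed/assumed.

```shell
#!/bin/sh
# Added example, not from the thread: compare the numeric UID/GID that two
# CTDB nodes resolve for the same domain accounts. When both nodes read
# uidNumber/gidNumber from AD (idmap backend = ad, as in the attached
# smb.conf) the ids agree; when each node allocates from its own local
# idmap store, the same user can get a different UID per node, as in the
# quoted getent output (20066 on server A, 20002 on server B).

# Constructed sample input: "getent passwd <user>" lines captured on each
# node. On a real cluster they would come from, e.g. (assumed hostnames):
#   ssh nodea 'getent passwd jfarrar testusera'
NODE_A='jfarrar:*:20066:20001:Jeremy Farrar:/home/DOMAIN/jfarrar:/bin/bash
testusera:*:11001:20001:Test User A:/home/DOMAIN/testusera:/bin/bash'
NODE_B='jfarrar:*:20002:20001:Jeremy Farrar:/home/DOMAIN/jfarrar:/bin/bash
testusera:*:11001:20001:Test User A:/home/DOMAIN/testusera:/bin/bash'

# idmap_mismatches DUMP_A DUMP_B
# Prints "user:uidA/gidA:uidB/gidB" for every account whose numeric ids
# differ between the two passwd dumps (accounts present on only one node
# are ignored). Exit status 1 if any mismatch was found, 0 otherwise.
idmap_mismatches() {
    printf '%s\n%s\n' "$1" "$2" | awk -F: '
        NF < 4 { next }                      # skip blank/malformed lines
        {
            ids = $3 "/" $4
            if (!($1 in seen)) { seen[$1] = ids; next }
            if (seen[$1] != ids) { print $1 ":" seen[$1] ":" ids; bad = 1 }
        }
        END { exit bad + 0 }'
}

# Stand-alone run: report whether the two nodes agree.
if idmap_mismatches "$NODE_A" "$NODE_B"; then
    echo "idmap consistent across nodes"
else
    echo "idmap MISMATCH: fix the winbind/idmap setup before sharing data" >&2
fi
```

Run it against dumps from every node pair before putting a share on the clustered volume; a non-empty report means files written on one node will carry the wrong owner on the other.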

On Tue, Aug 17, 2010 at 9:26 AM, Jeremy Farrar <jeremy.farrar at gmail.com> wrote:

> I have been working on a CTDB cluster on and off for a while now. I had it
> working great for a while. Then I decided that I wanted to change the
> configuration of my replicated volumes. I changed my DRBD configuration to
> match my desired configuration. Now I can get the CTDB to work quite right.
> I am able to join the cluster to the domain without issues. I can also list
> my ad users and groups using wbinfo so I believe that my nsswitch.conf is
> set up properly. I am having problems with the UIDs and GIDs not matching
> between the two servers. For instance here is the output for getent on each
> server:
>
> Server A:
> jfarrar:*:20066:20001:Jeremy Farrar:/home/DOMAIN/jfarrar:/bin/bash
>
> Server B:
> jfarrar:*:20002:20001:Jeremy Farrar:/home/DOMAIN/jfarrar:/bin/bash
>
> The output looks good but the UID doesn't match. This will lead to some
> weird permissions issues in the future. The strange thing is that it worked
> before. What did I mess up when I reconfigured my volume? Thanks for your
> help.
>
> smb.conf:
>
> [global]
>   server string = %h
>   workgroup = DOMAIN
>   netbios name = server
>   password server = dc1.domain.local
>   realm = DOMAIN.LOCAL
>   security = ads
>   idmap backend = tdb2
>   idmap uid = 10000-20000
>   idmap gid = 10000-20000
>   template shell = /bin/bash
>   template homedir = /home/DOMAIN/%U
>   winbind uid = 20001-200000
>   winbind gid = 20001-200000
>   winbind trusted domains only = no
>   winbind use default domain = true
>   winbind offline logon = false
>   winbind enum users = yes
>   winbind enum groups = yes
>   obey pam restrictions = yes
>   printcap name = /etc/printcap
>   socket options = TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY SO_BROADCAST
>   clustering = yes
>   # logs split per machine
>   log file = %S.log
>   log level = 2
>   # max 50KB per log file, then rotate
>   max log size = 50
>
>   passdb backend = tdbsam
>
> #============================ Share Definitions ==============================
>
> [DOMAIN]
>    comment = Home Directories
>    path = /DOMAIN
>    browseable = no
>    writable = yes
> #    acl compatibility = auto
>    acl check permissions = True
>    nt acl support = yes
>    ea support = yes
>    acl map full control = True
>    map acl inherit = yes
>    inherit acls = yes
>
> nsswitch.conf:
>
> passwd:     files winbind
> shadow:     files winbind
> group:      files winbind
>
> hosts:      files dns
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
>
> netgroup:   files
>
> publickey:  nisplus
>
> automount:  files
> aliases:    files nisplus
>
> ctdb.conf:
>
> CTDB_RECOVERY_LOCK="/EDAPT/ctdb/CTDB_lock"
> CTDB_PUBLIC_INTERFACE=eth0
> CTDB_PUBLIC_ADDRESSES=/etc/ctdb/public_addresses
> CTDB_MANAGES_SAMBA=no
> CTDB_SAMBA_CHECK_PORTS="445"
> CTDB_MANAGES_WINBIND=no
> CTDB_INIT_STYLE=redhat
> CTDB_SERVICE_SMB=smb
> CTDB_SERVICE_WINBIND=winbind
> ulimit -n 10000
> CTDB_NODES=/etc/ctdb/nodes
> CTDB_DBDIR=/var/ctdb
> CTDB_DBDIR_PERSISTENT=/EDAPT/ctdb/persistent
> CTDB_EVENT_SCRIPT_DIR=/etc/ctdb/events.d
> CTDB_SOCKET=/tmp/ctdb.socket
> CTDB_TRANSPORT="tcp"
> CTDB_LOGFILE=/var/log/log.ctdb
> CTDB_DEBUGLEVEL=2
Attachment: /etc/samba/smb.conf
[global]
        workgroup = TESTDOMAIN
        netbios name = CTDB-NAS
        realm = TESTDOMAIN.LOCAL
        server string = Clustered CIFS
        security = ads
        idmap backend = ad
        ldap idmap suffix = dc=testdomain,dc=local
        ldap admin dn = cn=ldap,cn=Users,dc=testdomain,dc=local
        ldap suffix = dc=testdomain,dc=local
        idmap uid = 5000-100000000
        idmap gid = 5000-100000000
        log level = 3 winbind:5 auth:10 passdb:5
        syslog = 0
        log file = /var/log/samba/log.%m
        winbind use default domain = no
        winbind nested groups = yes
        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes
        machine password timeout = 999999999
        # Modify the following according to the AD IP address
        password server = 172.16.X.Y
        passdb backend = tdbsam

        clustering = yes
        private dir=/mnt/gpfs/CTDB_AD
        fileid:mapping = fsname
        use mmap = no
        vfs objects = syncops gpfs fileid
        gpfs:sharemodes = yes
        force unknown acl user = yes
        nfs4: mode = special
        nfs4: chown = yes
        nfs4: acedup = merge

        template shell = /bin/bash
        template homedir = /home/%D+%U
        max log size = 10000
        oplocks = no
        kernel oplocks = yes
        auth methods = winbind sam
        posix locking = yes
        preferred master = no
        encrypt passwords = yes
        socket options = SO_RCVBUF=8192 SO_SNDBUF=8192
        encrypt passwords = yes
        dns proxy = no
        client use spnego = yes
        disable spoolss = yes
        gpfs:leases=yes
        idmap:cache=no
        notify:inotify=no
        wide links = no
        large readwrite = no

        strict allocate = yes
        strict locking = yes
        strict sync = yes
        sync always = yes

        blocking locks = no
        deadtime = 15
        local master = no
        mangled names = no
        use sendfile = yes

#=========Share Definitions =========

[global-share]
        comment = GS File Share
        path = /mnt/gpfs/nfsexport

        browsable = yes
        writable = yes
        readonly = no
        inherit acls = yes
        inherit permissions = yes
        oplocks = no
