[Samba] [Linux-HA] Samba failover causes different UID's

Tim Serong tserong at novell.com
Mon Feb 28 05:02:09 MST 2011

 >>> On 2/28/2011 at 10:39 PM, "Tim Serong" <tserong at novell.com> wrote: 
> On 2/28/2011 at 09:21 PM, Caspar Smit <c.smit at truebit.nl> wrote:  
> > Hi,  
> >   
> > I have two machines in a cluster and want to create a highly available samba
> > share that connects to active directory for user information. The storage is
> > DRBD and the filesystem is XFS.
> >   
> > I'm using pacemaker as cluster software and using the lsb:samba init script.
> >   
> > I connected both machines to my Windows AD server and tested this using  
> > winbind.  
> >   
> > winbind -u gives me all AD users which seems fine. This works on both  
> > machines so everything looks ok.  
> >   
> > When I connect from a windows client to the samba share I don't need to  
> > enter credentials so that looks fine too. When I start to put some files on  
> > the share the correct credentials are used when I check with "ls -al" on the  
> > mountpoint in linux. So far so good.  
> >   
> > BUT when I do a failover to the other node the share is up but suddenly I  
> > cannot connect from the windows client anymore without entering credentials  
> > and when I check with "ls -al" on the mountpoint on the other machine it  
> > maps the existing files (which I put there when the share was running on the
> > other node) suddenly with wholly different UIDs.
> >   
> > Where is the mapping of UID's taking place and how can I fix this? Both  
> > systems lookup their user information from the same AD server, how can they  
> > still lookup different UID's when looking at the same server and files?  
> Because by default Samba hands out UIDs on a first come first served basis. 
> You need to configure a different UID mapping scheme.  Have a look at "idmap 
> config" and "idmap backend" in the smb.conf manpage.  RID might be the 
> easiest thing to set up (where Samba generates UIDs based on Windows SIDs). 
> Configuring UNIX UIDs in some LDAP backend, or directly in AD via (RFC2307 
> or Services For UNIX or whatever it's called these days) might be "better" 
> (you get to decide what the UIDs actually are, and this'll apparently work 
> with multiple AD domains/trusted domains). 

Oh, you probably also want to look at:


In particular the note about setting "lock directory" and "private dir" to
some directory on your shared filesystem.

Guess I'd better add the UID mapping stuff to that wiki page too...



Tim Serong <tserong at novell.com>
Senior Clustering Engineer, OPS Engineering, Novell Inc.
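A concrete smb.conf fragment for the RID-based idmap scheme described above, together with the "lock directory" and "private dir" settings pointed at the shared filesystem. This is an added example, not configuration from the thread or from Novell; the domain name EXAMPLE, the realm, the ID ranges and the /srv/drbd mount point are assumptions, and the `idmap config DOMAIN : option` form is the syntax current Samba releases use.

```ini
# Added example (not from the thread). Assumptions: NetBIOS domain EXAMPLE,
# realm EXAMPLE.COM, DRBD-backed XFS mounted at /srv/drbd on the active node.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads

    # The default tdb backend allocates UIDs first-come-first-served and
    # records them in a per-node winbindd_idmap.tdb, which is why the two
    # nodes disagreed after failover. Keep it only for the catch-all "*"
    # domain (BUILTIN and the like), in a range that does not overlap below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # The rid backend derives UID = range start + RID from the Windows SID,
    # so both cluster nodes compute identical UIDs with no allocation state
    # to synchronise.
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999

    # Keep Samba's TDB state (idmap cache, secrets.tdb with the machine
    # account password, etc.) on the filesystem that follows the service.
    lock directory = /srv/drbd/samba/lock
    private dir = /srv/drbd/samba/private

[share]
    path = /srv/drbd/share
    read only = no
```

After restarting winbind on each node, `wbinfo -S <user SID>` should return the same UID on both; run that before trusting a failover.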
