[Samba] AD authentication in active/passive cluster
steffen at weiszgerber.de
Sat Feb 13 17:11:11 UTC 2016
-----BEGIN PGP SIGNED MESSAGE-----
I configured a Samba cluster resource (grouped primitives of rbd disk,
xfs filesystem, clusterIP, samba) on a pacemaker cluster (2 nodes at the
On both nodes only winbind is configured locally with option
interfaces = 127.0.0.1
set because I want to run multiple samba cluster resources with AD
integrated authentication. AD-Integration runs fine based on keytabs
with working 'getent' commands after doing the 'net ads join'.
The smbd is configured separately with smb.conf and logs stored in the
filesystem of the cluster resource
To get the keytab based authentication work for the cluster share I did
the 'net ads join' with the smb.conf of the resource on the node were I
activated the resource first:
net ads join -U administrator -I 220.127.116.11 -s
/mnt/cluster/verw/etc/samba/smb.conf -n alc_verw_w
where 18.104.22.168 is the cluster ip and alc_verw_w share name. Then I
extracted the kerberos principals for ad registered cluster share with
ktutil, made a copy on the second node and imported these principals to
the keytab on that node.
The resource runs fine within the cluster but client access to the cifs
share served alternative by both nodes is only possible when adressing
the cluster IP.
When adressing the share via share name the authentication works only
on the node were I did the 'net ads join' for the cluster resource.
I also tried the same thing with a dedicated keytab but with the same
Has somebody an idea on what this could depend?
Thanks in advance.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
More information about the samba