[Samba] AD authentication in active/passive cluster

Steffen Weißgerber steffen at weiszgerber.de
Sat Feb 13 17:11:11 UTC 2016



Hello,

I configured a Samba cluster resource (grouped primitives of rbd disk,
xfs filesystem, clusterIP, samba) on a pacemaker cluster (2 nodes at the
moment).

On both nodes only winbind is configured locally with option

interfaces = 127.0.0.1

set because I want to run multiple samba cluster resources with AD
integrated authentication. AD-Integration runs fine based on keytabs
with working 'getent' commands after doing the 'net ads join'.

The smbd is configured separately with smb.conf and logs stored in the
filesystem of the cluster resource.

To get the keytab based authentication to work for the cluster share I did
the 'net ads join' with the smb.conf of the resource on the node where I
activated the resource first:

net ads join -U administrator -I 2.1.1.190 -s
/mnt/cluster/verw/etc/samba/smb.conf -n alc_verw_w

where 2.1.1.190 is the cluster IP and alc_verw_w the share name. Then I
extracted the Kerberos principals for the AD-registered cluster share with
ktutil, made a copy on the second node and imported these principals to
the keytab on that node.

The resource runs fine within the cluster, but client access to the CIFS
share served alternately by both nodes is only possible when addressing
the cluster IP.

When addressing the share via share name, the authentication works only
on the node where I did the 'net ads join' for the cluster resource.

I also tried the same thing with a dedicated keytab but with the same
behavior.

Does somebody have an idea what this could depend on?

Thanks in advance.

Steffen
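A check that fits the setup described in the post, added here as an example rather than taken from the post or from Samba: when a keytab is copied between cluster nodes by hand, the quickest way to see whether the second node can actually accept a Kerberos ticket for the clustered name is to compare the `klist -k` listing on each node against the principals that name needs. The script below derives those principals for a NetBIOS name and reports which ones a listing lacks. The DNS domain `example.com`, the realm `EXAMPLE.COM`, the set of expected services (`host/` and `cifs/`, short and fully qualified form) and the sample listing are all assumptions made for this example; substitute the real domain and realm, and feed it the output of `klist -k` on each node.

```shell
#!/bin/sh
# Added example, not code from the original post or from Samba.
# Derives the Kerberos service principals a clustered Samba name should
# carry in its keytab and checks a `klist -k` listing for them, so the
# keytabs of two cluster nodes can be compared.
#
# Assumptions (not stated in the post): host/ and cifs/ entries in both
# the UPPERCASE short form and the lowercase FQDN form are wanted, and
# `klist -k` prints one "KVNO principal" pair per entry line.

# expected_principals NETBIOS_NAME DNS_DOMAIN REALM
# Prints one principal per line, e.g. cifs/ALC_VERW_W@EXAMPLE.COM.
expected_principals() {
    name=$1
    domain=$2
    realm=$3
    upper=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
    for svc in host cifs; do
        printf '%s/%s@%s\n' "$svc" "$upper" "$realm"
        printf '%s/%s.%s@%s\n' "$svc" "$name" "$domain" "$realm"
    done
}

# keytab_principals < KLIST_OUTPUT
# Extracts the principal column from `klist -k` output; entry lines start
# with a numeric KVNO, header and separator lines do not.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# missing_principals NETBIOS_NAME DNS_DOMAIN REALM < KLIST_OUTPUT
# Prints every expected principal that the listing on stdin does not contain.
missing_principals() {
    present=$(keytab_principals)
    expected_principals "$1" "$2" "$3" | while IFS= read -r p; do
        printf '%s\n' "$present" | grep -qxF "$p" || printf '%s\n' "$p"
    done
}

# Constructed sample listing in `klist -k` format (not from a real keytab):
# the host/ entries are present, the cifs/ entries are not.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ALC_VERW_W@EXAMPLE.COM
   2 host/alc_verw_w.example.com@EXAMPLE.COM'

# Stand-alone demonstration on the constructed listing; on a node this is
#   klist -k /etc/krb5.keytab | missing_principals alc_verw_w example.com EXAMPLE.COM
printf '%s\n' "$SAMPLE_LISTING" | missing_principals alc_verw_w example.com EXAMPLE.COM
```

Run it against the keytab on the node where the join was done and on the other node; the two outputs should be identical and, ideally, empty. Since entries imported with ktutil carry their own key version numbers, it is also worth comparing the KVNO column of both listings directly, because an entry that is present but carries a stale KVNO fails exactly like a missing one.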