[Samba] AD authentication in active/passive cluster

Steffen Weißgerber steffen at weiszgerber.de
Sat Feb 13 17:11:11 UTC 2016



I configured a Samba cluster resource (grouped primitives of rbd disk,
xfs filesystem, clusterIP, samba) on a pacemaker cluster (2 nodes at the

On both nodes only winbind is configured locally with option

interfaces =

set because I want to run multiple samba cluster resources with AD
integrated authentication. AD integration runs fine based on keytabs,
with working 'getent' commands after doing the 'net ads join'.

The smbd is configured separately with smb.conf and logs stored in the
filesystem of the cluster resource.

To get the keytab-based authentication to work for the cluster share, I
did the 'net ads join' with the smb.conf of the resource on the node
where I activated the resource first:

net ads join -U administrator -I -s
/mnt/cluster/verw/etc/samba/smb.conf -n alc_verw_w

where is the cluster IP and alc_verw_w the share name. Then I
extracted the Kerberos principals for the AD-registered cluster share
with ktutil, made a copy on the second node and imported these
principals into the keytab on that node.

The resource runs fine within the cluster, but client access to the cifs
share served alternately by both nodes is only possible when addressing
the cluster IP.

When addressing the share via the share name, authentication works only
on the node where I did the 'net ads join' for the cluster resource.

I also tried the same thing with a dedicated keytab but with the same

Does somebody have an idea what this could depend on?

Thanks in advance.

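An added check for the keytab-copy step described in the post above (not part of the original mail or of Samba): it compares two 'klist -kt' listings in MIT Kerberos format and reports the principal/KVNO entries that one node has and the other lacks, which is where a manual ktutil copy typically goes wrong. The listings, hostnames, realm and key version numbers are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba): compare the
# principal/KVNO entries of two keytab listings as printed by MIT `klist -kt`
# and report what one node has that the other lacks. All listings, hostnames,
# the realm and the KVNOs below are constructed samples.

# Constructed: `klist -kt` output on the node where 'net ads join' was run.
NODE1_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   2 02/13/2016 17:00:00 host/alc_verw_w.example.com@EXAMPLE.COM
   2 02/13/2016 17:00:00 cifs/alc_verw_w.example.com@EXAMPLE.COM
   2 02/13/2016 17:00:00 ALC_VERW_W$@EXAMPLE.COM'

# Constructed: the second node, where only one service principal was
# imported, and with an older key version (the kind of gap a manual
# ktutil copy leaves behind).
NODE2_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   1 02/13/2016 17:00:00 cifs/alc_verw_w.example.com@EXAMPLE.COM
   2 02/13/2016 17:00:00 ALC_VERW_W$@EXAMPLE.COM'

# Reduce a listing to sorted, unique "KVNO PRINCIPAL" lines. Entry lines
# start with a numeric KVNO and the principal is always the last field, so
# the timestamp format does not matter; header and separator lines drop out.
keytab_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $1, $NF }' | LC_ALL=C sort -u
}

# Print the entries of listing $1 that listing $2 does not contain. A
# principal present with a different KVNO is reported too: the KDC encrypts
# service tickets with the current key version, and a stale key on one node
# cannot decrypt them, so that node fails authentication for the name.
missing_entries() {
    other=$(keytab_entries "$2")
    keytab_entries "$1" | while IFS= read -r entry; do
        printf '%s\n' "$other" | grep -Fxq -- "$entry" || printf '%s\n' "$entry"
    done
}

echo "On node 1 but missing (or different KVNO) on node 2:"
missing_entries "$NODE1_KLIST" "$NODE2_KLIST"
echo "On node 2 but not matching node 1 (stale or extra):"
missing_entries "$NODE2_KLIST" "$NODE1_KLIST"
```

On a real cluster, fill the two variables with the 'klist -kt' output of the keytab each node's resource smb.conf points at; an empty report in both directions means both nodes hold the same keys for the cluster name.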