[Samba] Virtual IP/netbios name for AD-authenticated shares in failover cluster

Tue Jun 9 20:31:59 UTC 2020

Hi Gurus,

I have a simple failover cluster on two SLES 12 SP3 nodes with Samba/winbind for authenticating AD-user access to the shares. The shares are reached through a virtual hostname/IP which differs from the SLES-server itself.

The servers uses SSSD for normal SSH-authentication, also against the same Active Domain.

Here is the problem - if I get Samba/winbind to work with the virtual hostname/IP and authenticating against AD, the SSSD for normal SSH-access to the servers stops to work. When SSSD for SSH-access works, Samba/winbind can't connect to the domain.

Both the normal server names and the virtual IP/hostname are available in AD as computer-accounts and DNS.

If SSSD/AD works, and I "net join" the virtual hostname/IP, I can get the shares to authenticate, but not the SSSD-logins.
When I then, to repair SSSD/AD-integration, "net joins" with the hostname, then SSSD-logins works again, but then Samba-integration to the AD stops working.

Of cause, if I move the cluster package to the other node, the same issues persists.

All tdb-files, log-files, conf-files etc. are on a shared disk which moves with the cluster package.

Any idea what I miss here?

The smb.conf:
[global]
   client signing = yes
   client use spnego = yes
   netbios name = my_virtual_hostname
   kerberos method = secrets and keytab
   security = ADS
   bind interfaces only = yes
   interfaces = my.virtual.IP.xxx
   winbind gid = 100000-300000
   winbind refresh tickets = yes
   winbind separator = +
   create krb5 conf = no
   workgroup = DOMAIN
   realm = DOMAIN.ORG
   encrypt passwords = yes
   log file = /export/SHARED_DISK/system/logs/log.%m
   lock directory = /export/ SHARED_DISK/system/locks
   pid directory = /export/ SHARED_DISK/system/locks
  debug level = 2
   max log size = 1000
   preserve case = yes
   short preserve case = yes
   dos filetime resolution = yes
   read only = no
   socket options = TCP_NODELAY
   domain master = auto
   local master = yes
   preferred master = auto
   domain logons = no
   wins support = no
   ntlm auth = yes
   lanman auth = no
   client lanman auth = no
   map to guest = Bad User

[test1]
        path = /export/SHARED_DISK /test1
        comment = "SMB test"
        valid users = @"DOMAIN+MyAdGroupForThisShare"
        browsable = yes
        writable = yes
        available = yes

Greetings from
Danny Petterson

________________________________

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy.
______________________________________________________________________________________

www.accenture.com