[Samba] Virtual IP/netbios name for AD-authenticated shares in failover cluster
danny.petterson at accenture.com
Tue Jun 9 20:31:59 UTC 2020
I have a simple failover cluster on two SLES 12 SP3 nodes with Samba/winbind for authenticating AD-user access to the shares. The shares are reached through a virtual hostname/IP which differs from the SLES-server itself.
The servers use SSSD for normal SSH-authentication, also against the same Active Domain.
Here is the problem - if I get Samba/winbind to work with the virtual hostname/IP and authenticating against AD, the SSSD for normal SSH-access to the servers stops working. When SSSD for SSH-access works, Samba/winbind can't connect to the domain.
Both the normal server names and the virtual IP/hostname are available in AD as computer-accounts and DNS.
If SSSD/AD works, and I "net join" the virtual hostname/IP, I can get the shares to authenticate, but not the SSSD-logins.
When I then, to repair SSSD/AD-integration, "net join" with the hostname, then SSSD-logins work again, but then Samba-integration to the AD stops working.
Of course, if I move the cluster package to the other node, the same issues persist.
All tdb-files, log-files, conf-files etc. are on a shared disk which moves with the cluster package.
Any idea what I am missing here?
client signing = yes
client use spnego = yes
netbios name = my_virtual_hostname
kerberos method = secrets and keytab
security = ADS
bind interfaces only = yes
interfaces = my.virtual.IP.xxx
winbind gid = 100000-300000
winbind refresh tickets = yes
winbind separator = +
create krb5 conf = no
workgroup = DOMAIN
realm = DOMAIN.ORG
encrypt passwords = yes
log file = /export/SHARED_DISK/system/logs/log.%m
lock directory = /export/SHARED_DISK/system/locks
pid directory = /export/SHARED_DISK/system/locks
debug level = 2
max log size = 1000
preserve case = yes
short preserve case = yes
dos filetime resolution = yes
read only = no
socket options = TCP_NODELAY
domain master = auto
local master = yes
preferred master = auto
domain logons = no
wins support = no
ntlm auth = yes
lanman auth = no
client lanman auth = no
map to guest = Bad User
path = /export/SHARED_DISK/test1
comment = "SMB test"
valid users = @"DOMAIN+MyAdGroupForThisShare"
browsable = yes
writable = yes
available = yes