[Samba] Virtual IP/netbios name for AD-authenticated shares in failover cluster

Rowland penny rpenny at samba.org
Tue Jun 9 21:03:44 UTC 2020

On 09/06/2020 21:31, Petterson, Danny via samba wrote:
> Hi Gurus,
> I have a simple failover cluster on two SLES 12 SP3 nodes with Samba/winbind for authenticating AD-user access to the shares. The shares are reached through a virtual hostname/IP which differs from the SLES-server itself.
> The servers uses SSSD for normal SSH-authentication, also against the same Active Domain.
> Here is the problem - if I get Samba/winbind to work with the virtual hostname/IP and authenticating against AD, the SSSD for normal SSH-access to the servers stops to work. When SSSD for SSH-access works, Samba/winbind can't connect to the domain.
> Both the normal server names and the virtual IP/hostname are available in AD as computer-accounts and DNS.
> If SSSD/AD works, and I "net join" the virtual hostname/IP, I can get the shares to authenticate, but not the SSSD-logins.
> When I then, to repair SSSD/AD-integration, "net joins" with the hostname, then SSSD-logins works again, but then Samba-integration to the AD stops working.
> Of cause, if I move the cluster package to the other node, the same issues persists.
> All tdb-files, log-files, conf-files etc. are on a shared disk which moves with the cluster package.
> Any idea what I miss here?

Not a SLES user, but I believe that it uses Samba 4.10.x, which means 
that you have missed this: From Samba 4.8.0 and using 'security = ADS', 
you cannot use sssd with shares. you can use idmap_sss, but only for 
authentication. When set up correctly, a Unix domain member running 
winbind will do virtually all that sssd does, including ssh.


More information about the samba mailing list