[Linux-cluster] What is the best method to assign file/folder rights for SAMBA cluster authenticating to AD?

Danny Wall Danny.Wall at health-first.org
Thu Jul 6 17:31:14 UTC 2006


We had a Red Hat Rapid Service engagement to build a SAMBA cluster (2 weeks ago). The clustering and GFS appear to be working fine. My problem is with the rights for the shared files and folders. I am currently using Kerberos (MIT), and my SAMBA servers are in the AD domain, although I am not 100% sure if I need to have the virtual cluster node imported into AD. My experience with this is, on failover, the virtual node would have to be re-imported, probably due to AD trust issues.

1) My users are on Win2003 Server, Win200x and WinXP workstations, and they need to seamlessly access a UNC for the SAMBA server clusters. They are all authenticated to my Active Directory domain, which is currently Win2003 Native mode. My SAMBA servers receive group and user info from AD, when I use wbinfo or getent, but I am unable to consistently assign the proper rights. I have tried using the MMC, NT Server Manager, and right clicking the folder from Windows. I have also tried changing the rights from the Linux console. The last method appears to work better, but is inconsistent. I think the inconsistency is related to problem #2, below.

2) When the server fails over, rights appear to change on the shared filesystem. I suspect this has to do with the GIDs being different on each server. I am new to clustering on Linux, and I am looking for the best method to accomplish this. I suspect I need to use idmap with winbind.

Is there any documentation dealing with SAMBA clusters, in this scenario? I have a couple of SAMBA books (Official SAMBA 2 HOWTO and Reference) which I am reading through, and they have been helpful, but I have not found anything specifically addressing this need. In the Red Hat documentation, I have only found minimal info on SAMBA in a cluster, not using AD authentication and rights, or establishing the rights on a shared filesystem. Thanks in advance.

Danny
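
A check for the suspicion in point 2, as an added example that is not part of the original post: capture `getent group` output on each node and compare the name-to-GID mappings, since files on the shared filesystem store numeric IDs rather than names. The `EXAMPLE` domain, group names, IDs and file names are constructed sample data.

```shell
#!/bin/sh
# Added example: compare name -> GID mappings captured on two cluster nodes.
# Each input file is `getent group` output (name:passwd:gid:members).
# `getent passwd` output works too, since the numeric ID is also field 3.
idmap_diff() {
    # node=A / node=B are awk command-line assignments, applied just before
    # the file that follows them, so empty or identical files are handled.
    awk -F: -v OFS='\t' '
        node == "A" { a[$1] = $3; next }   # mappings seen on node A
        { b[$1] = $3 }                     # mappings seen on node B
        END {
            for (n in a) {
                if (!(n in b))         print "ONLY_ON_A", n, a[n]
                else if (a[n] != b[n]) print "MISMATCH", n, a[n], b[n]
            }
            for (n in b) if (!(n in a)) print "ONLY_ON_B", n, b[n]
        }
    ' node=A "$1" node=B "$2" | sort
}

# Constructed sample captures (not from the original post): two AD groups
# have swapped GIDs between the nodes and one group resolves only on node B.
write_samples() {
    cat > "$1/nodeA.group" <<'EOF'
root:x:0:
EXAMPLE\domain users:x:10000:
EXAMPLE\radiology:x:10001:
EXAMPLE\billing:x:10002:
EOF
    cat > "$1/nodeB.group" <<'EOF'
root:x:0:
EXAMPLE\domain users:x:10000:
EXAMPLE\radiology:x:10002:
EXAMPLE\billing:x:10001:
EXAMPLE\helpdesk:x:10003:
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
idmap_diff "$tmp/nodeA.group" "$tmp/nodeB.group"
rm -rf "$tmp"
```

Any `MISMATCH` line means a file owned by that group on the shared volume would resolve to a different group after failover; empty output means the two captures agree.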

