[Linux-cluster] What is the best method to assign file/folder rights for SAMBA cluster authenticating to AD?

Danny Wall Danny.Wall at health-first.org
Mon Jul 10 17:51:25 UTC 2006


In reply to: 
>>sorry for the late reply...

>>if u still facing problem.. i think i can help u
>>i am also having the same environment...

>>6 GPFS cluster nodes joined to 2003 ADS and
>>serving files for 800 machines in floor..

>>please reply
>>if u need help
>>regards
>>jerrynikky.

I have not taken the opportunity to modify my current config, yet. I wanted to read a little more about it. From what I can see, I just need to add the idmap backend = idmap_rid:AD=16777216-33554431 parameter, and it should have a consistent mapping of each AD user/group, across all of my servers. I have listed my smb.conf and smb.conf.share1 below. If you can look them over and let me know if they look ok, or post what works for you, I would really appreciate it. 

smb.conf:

# Global parameters
[global]
	workgroup = AD
	realm = ad.example.com
	netbios name = VirtualServer1
	netbios aliases = EServerT1
	interfaces = 192.168.100.103
	bind interfaces only = Yes
	security = ADS
	password server = 192.168.1.11
	username map = /etc/samba/smbusers
	use kerberos keytab = Yes
	log file = /var/log/samba/%m.log
	dns proxy = No
	lock directory = /var/cache/samba/tier1
	pid directory = /var/run/samba/tier1
	idmap uid = 16777216-33554431
	idmap gid = 16777216-33554431
	template shell = /bin/bash
	winbind use default domain = Yes
	winbind nested groups = Yes
	include = /etc/samba/smb.conf.share1


smb.conf.share1:

[global]
	workgroup = AD
	pid directory = /var/run/samba/share1
	lock directory = /var/cache/samba/share1
	log file = /var/log/samba/%m.log
	encrypt passwords = yes
	bind interfaces only = yes
#	netbios name = Server1
	netbios name = VirtualServer1
	printable = no
	security = ADS
	username map = /etc/samba/smbusers
	dns proxy = no
	idmap uid = 16777216-33554431
	idmap gid = 16777216-33554431
	template shell = /bin/bash
	winbind use default domain = yes
	winbind nested groups = yes
	password server = 192.168.1.11
	realm = AD.EXAMPLE.COM
	use kerberos keytab = yes
	guest ok = no

	#
	# Interfaces are based on ip resources at the top level of
	# "carpacs_share1_svc"; IPv6 addresses may or may not
	# work correctly.
	#
	interfaces = 192.168.100.103


[EServerT1]
#[VirtualServer1]
	workgroup = AD
	browseable = yes
	writeable = yes
	public = no
	path = /data/share1
	guest ok = no
	printable = no
	winbind nested groups = yes

If you have some information or config files you can share, but prefer not to do it in the list, feel free to email me directly. 

Thanks
Danny
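To see why a RID-based range gives the same ids on every node, here is an added shell example (not from Danny's message and not Samba's own code) that predicts the id idmap_rid derives from a SID and flags any node whose observed mapping differs. It assumes idmap_rid's documented formula, id = RID - base_rid + low with base_rid left at 0, a constructed smb.conf fragment that reuses the range from the thread, and constructed per-node observations in the form one would collect on each node with `wbinfo -S <SID>`; the function names are the example's own.

```shell
#!/bin/sh
# Added example: predict idmap_rid mappings and cross-check them across
# cluster nodes. Assumes the idmap_rid formula
#   id = RID - base_rid + low        (base_rid defaults to 0)
# where low-high is the 'idmap uid' / 'idmap gid' range from smb.conf.
# Because the formula is stateless, every node configured with the same
# range derives the same uid/gid, which is what failover needs.

# Constructed smb.conf fragment using the thread's range (not a real file).
SMB_CONF='
[global]
    workgroup = AD
    security = ADS
    idmap backend = idmap_rid:AD=16777216-33554431
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
'

# Print "low high" for the given key ("idmap uid" or "idmap gid").
idmap_range() {
    printf '%s\n' "$SMB_CONF" |
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2/p"
}

# The RID is the last dash-separated component of a domain SID.
sid_rid() {
    case "$1" in
        S-1-5-21-*-*-*-*) printf '%s\n' "${1##*-}" ;;
        *) return 1 ;;
    esac
}

# Unix id idmap_rid would hand out for SID $1 within range $2..$3 (base_rid 0).
# Prints nothing and returns 1 when the RID falls outside the range: Samba
# then refuses the mapping rather than inventing a node-local id.
rid_to_id() {
    rid=$(sid_rid "$1") || return 1
    id=$((rid + $2))
    [ "$id" -ge "$2" ] && [ "$id" -le "$3" ] || return 1
    printf '%s\n' "$id"
}

# Constructed "node SID uid" observations, as collected with wbinfo -S on
# each node. node2 still holds a tdb-allocated id for the first SID, the
# kind of drift that shows up as changed rights after a failover.
NODE_MAPS='
node1 S-1-5-21-1111-2222-3333-1105 16778321
node1 S-1-5-21-1111-2222-3333-513 16777729
node2 S-1-5-21-1111-2222-3333-1105 10001
node2 S-1-5-21-1111-2222-3333-513 16777729
'

# Print one "SID node observed expected" line per node that disagrees
# with the algorithmic mapping; prints nothing when the cluster is consistent.
check_cluster() {
    set -- $(idmap_range "idmap uid")
    low=$1; high=$2
    printf '%s\n' "$NODE_MAPS" | while read -r node sid observed; do
        [ -n "$node" ] || continue
        expected=$(rid_to_id "$sid" "$low" "$high") || expected=unmapped
        [ "$observed" = "$expected" ] ||
            printf '%s %s %s %s\n' "$sid" "$node" "$observed" "$expected"
    done
}
```

Source the file and run `check_cluster`; with the constructed data it reports only node2's stale mapping for RID 1105. Note that the range is 16777215 ids wide, so any RID above that (or a SID from a different domain) is reported as `unmapped` instead of being guessed.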


>>> linux-cluster-request at redhat.com 07/10/06 12:00 PM >>>

Today's Topics:

   1. Re: What is the best method to assign file/folder rights for
      SAMBA cluster authenticating to AD? (updatemyself .)
   2. RE: will upgrade of kernel with up2date mess up myinstall
      from source? (Jie Gao)
   3. Re: will upgrade of kernel with up2date mess up myinstall
      from source? (Cosimo Streppone)
   4. Re: newbie questions (Riaan van Niekerk)
   5. Re: two node cluster not coming up (Riaan van Niekerk)
   6. RE: replication (David Siroky)
   7. Re: newbie questions (Troels Arvin)
   8. Re: Re: newbie questions (Barry Brimer)


----------------------------------------------------------------------

Message: 1
Date: Mon, 10 Jul 2006 03:50:42 +0530
From: "updatemyself ." <updatemyself at gmail.com>
Subject: Re: [Linux-cluster] What is the best method to assign
	file/folder rights for SAMBA cluster authenticating to AD?
To: "linux clustering" <linux-cluster at redhat.com>
Message-ID:
	<ab5b05b20607091520i7addf364ka82238d26f682546 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

sorry for the late reply...

if u still facing problem.. i think i can help u
i am also having the same environment...

6 GPFS cluster nodes joined to 2003 ADS and
serving files for 800 machines in floor..

please reply
if u need help
regards
jerrynikky.

On 7/6/06, Danny Wall <Danny.Wall at health-first.org> wrote:
>
> We had a Red Hat Rapid Service engagement to build a SAMBA cluster (2
> weeks ago). The clustering and GFS appear to be working fine. My problem is
> with the rights for the shared files and folders. I am currently using
> Kerberos (MIT), and my SAMBA servers are in the AD domain, although I am not
> 100% sure if I need to have the virtual cluster node imported in to AD. My
> experience with this is, on failover, the virtual node would have to be
> re-imported, probably due to AD trust issues.
>
> 1) My users are on Win2003 Server, Win200x and WinXP workstations, and
> they need to seamlessly access a UNC for the SAMBA server clusters. They are
> all authenticated to my Active Directory domain, which is currently Win2003
> Native mode. My SAMBA servers receive group and user info from AD, when I
> use wbinfo or getent, but I am unable to consistently assign the proper
> rights. I have tried using the MMC, NT Server Manager, and right clicking
> the folder from Windows. I have also tried changing the rights from the
> Linux console. The last method appears to work better, but is inconsistent.
> I think the inconsistency is related to problem #2, below.
>
> 2) When the server fails over, rights appear to change on the shared
> filesystem. I suspect this has to do with the GIDs being different on each
> server. I am new to clustering on Linux, and I am looking for the best
> method to accomplish this. I suspect I need to use idmap with winbind.
>
> Is there any documentation dealing with SAMBA clusters, in this scenario?
> I have a couple of SAMBA books (Official SAMBA 2 HOWTO and Reference) which
> I am reading through, and have been helpful, but I have not found anything
> specifically addressing this need. In the Red Hat documentation, I have only
> found minimal info on SAMBA in a cluster, not using AD authentication and
> rights, or establishing the rights on a shared filesystem.  Thanks in
> advance.
>
> Danny
>
> ##############################################################
> This message is for the named person's use only.  It may
> contain confidential, proprietary, or legally privileged
> information.  No confidentiality or privilege is waived or
> lost by any mistransmission.  If you receive this message
> in error, please immediately delete it and all copies of it
> from your system, destroy any hard copies of it, and notify
> the sender.  You must not, directly or indirectly, use,
> disclose, distribute, print, or copy any part of this message
> if you are not the intended recipient.  Health First reserves
> the right to monitor all e-mail communications through its
> networks.  Any views or opinions expressed in this message
> are solely those of the individual sender, except (1) where
> the message states such views or opinions are on behalf of
> a particular entity;  and (2) the sender is authorized by
> the entity to give such views or opinions.
> ##############################################################
>
> --
> Linux-cluster mailing list
> Linux-cluster at redhat.com 
> https://www.redhat.com/mailman/listinfo/linux-cluster 
>

------------------------------

Message: 2
Date: Mon, 10 Jul 2006 11:08:44 +1000 (EST)
From: Jie Gao <J.Gao at isu.usyd.edu.au>
Subject: RE: [Linux-cluster] will upgrade of kernel with up2date mess
	up myinstall from source?
To: linux clustering <linux-cluster at redhat.com>
Message-ID: <Pine.GSO.4.58.0607101105200.16234 at banquo.ucc.usyd.edu.au>
Content-Type: TEXT/PLAIN; charset=US-ASCII




On Fri, 7 Jul 2006, Kovacs, Corey J. wrote:

> Date: Fri, 7 Jul 2006 07:29:31 -0400
> From: "Kovacs, Corey J." <cjk at techma.com>
> Reply-To: linux clustering <linux-cluster at redhat.com>
> To: linux clustering <linux-cluster at redhat.com>
> Subject: RE: [Linux-cluster] will upgrade of kernel with up2date mess up
>     myinstall from source?
>
> First I've heard of this, can you elaborate? What do you mean
> it's "broken as far as clustering is concerned" ?  Is it just
> that the stock GFS/CS RPM's are out of sync or is there something
> bad happening?

The cluster rpms are installed under kernel-specific trees. The new
kernel does not look into those locations to find the clustering modules.

Just noticed there is another kernel update available a moment ago...

Regards,



Jie

>
> Corey
>
> -----Original Message-----
> From: linux-cluster-bounces at redhat.com 
> [mailto:linux-cluster-bounces at redhat.com] On Behalf Of Jie Gao
> Sent: Thursday, July 06, 2006 9:01 PM
> To: linux clustering
> Subject: Re: [Linux-cluster] will upgrade of kernel with up2date mess up
> myinstall from source?
>
>
>
>
> On Thu, 6 Jul 2006, Jason wrote:
>
> > Date: Thu, 6 Jul 2006 20:55:17 -0400
> > From: Jason <jason at monsterjam.org>
> > Reply-To: linux clustering <linux-cluster at redhat.com>
> > To: Linux-cluster at redhat.com 
> > Subject: [Linux-cluster] will upgrade of kernel with up2date mess up my
> >     install from source?
> >
> > so I notice that up2date wants to update the kernel and friends to
> > 2.6.9-34.0.1
> >
> > If I do that, will I have to recompile all my rpms? like GFS,
> > cman-kernel, dlm-kernel, etc?? Im guessing yes, but just want to make sure.
>
> Yes. 2.6.9-34.0.1 is broken as far as clustering is concerned.
>
> There is a workaround, but you wouldn't want to do it that way.
>
> Regards,
>
>
>
> Jie
>
>



------------------------------

Message: 3
Date: Mon, 10 Jul 2006 08:49:26 +0200
From: Cosimo Streppone <cosimo at streppone.it>
Subject: Re: [Linux-cluster] will upgrade of kernel with up2date mess
	up myinstall from source?
To: linux clustering <linux-cluster at redhat.com>
Message-ID: <44B1F876.1050207 at streppone.it>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Kovacs, Corey J. wrote:

>> [...]
>> Yes. 2.6.9-34.0.1 is broken as far as clustering is concerned.
>> There is a workaround, but you wouldn't want to do it that way.
>> Regards,
>
> First I've heard of this, can you elaborate? What do you mean
> it's "broken as far as clustering is concerned" ?  Is it just 
> that the stock GFS/CS RPM's are out of sync or is there something
> bad happening?

For my case, I upgraded a RHEL4U3 + CS4 machine with the
latest kernel (and all other packages, as suggested by the
RH tech support) and it failed at the next reboot with
upgraded kernel (2.6.9-34.0.1.ELsmp).

I opened a service request and we are still trying to
understand why that happened...

-- 
Cosimo



------------------------------

Message: 4
Date: Mon, 10 Jul 2006 10:42:59 +0200
From: Riaan van Niekerk <riaan at obsidian.co.za>
Subject: Re: [Linux-cluster] newbie questions
To: linux clustering <linux-cluster at redhat.com>
Message-ID: <44B21313.3010108 at obsidian.co.za>
Content-Type: text/plain; charset="iso-8859-1"

> 
> That brings me to an important point - the apache init script doesn't 
> follow whatever standard RedHat init script are supposed to follow 
> (there's a thread about this that I was involved in 6-9 months back), 
> with respect to the status command.  At least, it didn't at the time, 
> maybe they've fixed it (I hope, by now).  The stop action return(s/ed) 
> non-zero (failure) if apache wasn't running.  If the cluster manager 
> thinks that service was failed, it will first try to stop it before 
> starting it.  If the apache script returns failure on the attempt to 
> stop it because it was stopped already, then the cluster manager will 
> think something's wrong and never try to start it.  The upshot of which 
> is, you have to hack the init script to make it return 0 in this 
> situation.  I took the copout approach of just forcing it to always 
> return 0:

Is this a problem with the Apache init script or with the rgmanager 
logic? The same thing happens no matter which service you run: vsftpd, 
sendmail (I just checked these additional two).

I haven't checked LSB (or whatever is the standard which init scripts 
need to conform to) but as far as I understand it, you will get non-zero 
exit code if you try to stop an already stopped service, which confuses 
the heck out of rgmanager and requires that you (a) start the service 
(e.g. apache) manually. (b) disable it via clusvcadm or GUI (c) enable 
it via clusvcadm or GUI.

This recovery sequence makes no sense to me (nor does rgmanager / 
clusvcadm's logic)

Riaan

------------------------------

Message: 5
Date: Mon, 10 Jul 2006 10:49:52 +0200
From: Riaan van Niekerk <riaan at obsidian.co.za>
Subject: Re: [Linux-cluster] two node cluster not coming up
To: linux clustering <linux-cluster at redhat.com>
Message-ID: <44B214B0.7070403 at obsidian.co.za>
Content-Type: text/plain; charset="iso-8859-1"

Kovacs, Corey J. wrote:
> Just a thought, this sounds like what happens when the /etc/hosts file is 
> not setup correctly.  If the hostname of the machines is in the loopback 
> line, then take it out and put a proper entry in. I still fail to understand
> why the installer doesn't add a proper entry when first installed if a
> network
> interface is indeed configured. That's another issue, though.
> 

I think the installer does this if DNS for the new host is not setup 
properly.
e.g. if it cannot forward lookup the entry for newhost.example.com it 
adds an entry for newhost to the localhost entry.

------------------------------

Message: 6
Date: Mon, 10 Jul 2006 11:48:15 +0200
From: David Siroky <ml at dasir.net>
Subject: RE: [Linux-cluster] replication
To: linux clustering <linux-cluster at redhat.com>
Message-ID: <1152524895.7166.2.camel at localhost>
Content-Type: text/plain; charset=UTF-8

Olivier Crête wrote on Fri 07. 07. 2006 at 13:06 -0400:
> On Fri, 2006-07-07 at 17:19 +0200, David Siroky wrote:
> > I didn't describe my plan very well.
> > 
> > Lets look at this scenario:
> > Now I have 1 server which is placed in a serverhousing company. Till now
> > every problem with service interruption was a connection problem in the
> > serverhousing company so the server (and its services) was sometimes
> > unreachable even if the server was in a good shape and running. So now I
> > would like to solve this by placing 3 servers in 3 serverhousing
> > companies geographically spread. In this way I can't use SAN.
> 
> Can't you just have a cron job that uses rsync to update the data in the
> 2 other servers from the master? 
> 
> 

This is asynchronous replication and it can cause data
inconsistency/corruption when connection between servers is broken.



------------------------------

Message: 7
Date: Mon, 10 Jul 2006 14:56:10 +0200
From: Troels Arvin <troels at arvin.dk>
Subject: [Linux-cluster] Re: newbie questions
To: linux-cluster at redhat.com 
Message-ID: <pan.2006.07.10.12.56.10.266000 at arvin.dk>
Content-Type: text/plain; charset=ISO-8859-1

On Mon, 10 Jul 2006 10:42:59 +0200, Riaan van Niekerk wrote:
> Is this a problem with the Apache init script or with the rgmanager 
> logic? The same thing happens no matter which service you run: vsftpd, 
> sendmail (I just checked these additional two).

It's a problem with all init scripts that I've tried using as scripts in
the cluster management system. I've had to adjust all of them... :-(

-- 
Greetings from Troels Arvin




------------------------------

Message: 8
Date: Mon, 10 Jul 2006 08:19:58 -0500 (CDT)
From: Barry Brimer <lists at brimer.org>
Subject: Re: [Linux-cluster] Re: newbie questions
To: linux clustering <linux-cluster at redhat.com>
Message-ID: <Pine.LNX.4.61.0607100818120.25744 at localhost.localdomain>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

> On Mon, 10 Jul 2006 10:42:59 +0200, Riaan van Niekerk wrote:
>> Is this a problem with the Apache init script or with the rgmanager
>> logic? The same thing happens no matter which service you run: vsftpd,
>> sendmail (I just checked these additional two).
>
> It's a problem with all init scripts that I've tried using as scripts in
> the cluster management system. I've had to adjust all of them... :-(

Another possibility is to modify the /etc/rc.d/init.d/functions so it 
produces the desired output.
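The exit-code contract that the three replies above circle around, as an added shell example that is not from any of the posters: a pidfile-tracked dummy daemon with an LSB-style status (0 running, 1 dead with a stale pidfile, 3 stopped), a naive stop that fails when nothing is running, a conformant stop that treats "already stopped" as success, and a recover_with function that imitates the stop-then-start sequence rgmanager performs on a failed service. The function names, the temp-dir layout and the use of `sleep` as the stand-in daemon are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): why a stop that returns non-zero on
# an already stopped service blocks recovery, and what LSB-style handling
# looks like. A background sleep stands in for the daemon; its pid is kept
# in a pidfile under a temp dir so the example runs anywhere.

WORK=${TMPDIR:-/tmp}/lsb-demo.$$
PIDFILE=$WORK/demo.pid
mkdir -p "$WORK"

# LSB status codes: 0 running, 1 dead but pidfile exists, 3 not running.
daemon_status() {
    if [ -f "$PIDFILE" ]; then
        if kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
            echo running; return 0
        fi
        echo "dead, stale pidfile"; return 1
    fi
    echo stopped; return 3
}

# LSB: starting a service that is already running is a success, not an error.
daemon_start() {
    if daemon_status >/dev/null; then return 0; fi
    sleep 300 &
    echo $! > "$PIDFILE"
}

# The behaviour the thread complains about: stop fails when nothing runs.
naive_stop() {
    [ -f "$PIDFILE" ] || { echo "not running"; return 1; }
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}

# LSB-conformant stop: stopping a stopped service is a success (exit 0);
# only a live process that refuses to die counts as a failure.
lsb_stop() {
    rc=0
    daemon_status >/dev/null || rc=$?
    case $rc in
        0) kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE" ;;
        1) rm -f "$PIDFILE" ;;   # stale pidfile: clean up, report success
        3) ;;                    # already stopped: nothing to do, success
    esac
}

# What the cluster manager does with a failed service: stop it first, then
# start it. Returns 0 if the service ends up running, 1 if recovery was
# abandoned because the stop step reported failure.
recover_with() {
    stop_fn=$1
    "$stop_fn" >/dev/null 2>&1 || { echo "stop failed; service left failed"; return 1; }
    daemon_start && daemon_status >/dev/null && echo "service running"
}

# Kill the stand-in daemon (if any) and remove the temp dir.
cleanup() {
    if daemon_status >/dev/null; then kill "$(cat "$PIDFILE")" 2>/dev/null || true; fi
    rm -rf "$WORK"
}
```

Source the file, then compare `recover_with naive_stop` against `recover_with lsb_stop` from a stopped state: the first never reaches the start step, which is exactly the stuck-in-failed state described above, while the second starts the service. Call `cleanup` when done so the background sleep does not linger.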



------------------------------


End of Linux-cluster Digest, Vol 27, Issue 8
********************************************



