samba - Dec 2003 - Clustering and winbindd

Hi all!

I'm working on a project that, funnily enough, involves clustering and 
"winbindd". Specifically, we have a 2-node cluster configured in an 
active-active configuration whereby both servers are running Samba, each 
"exporting" different filesystems that are backed on a shared storage 
subsystem such that at any given time, one node can takeover from the other.

The problem: if I run "winbindd" on both systems independently, the 
Windows-domain user accts are mapped to different UNIX uids/gids, which in turn
creates a problem when a particular share is relocated from one node to
the other because of the different file permissions. (Ideally, both nodes would
see the same "winbindd_idmap.tdb".)

Can I effectively configure "winbindd" in a master/backup
configuration such
that only one of the nodes is able to update the database, whilst the other is
only able to read the database? I thought to set the "winbind cache
time"
to a value such as 1 day that would effectively relegate one of the nodes to 
"backup" status. At the same time, the "backup" server would
periodically "rsync" the "winbindd_idmap.tdb" database to
pickup any changes.

Can anyone see any problems with this approach and/or suggest a better way of 
going about it?

I should also mention that I'm running on Red Hat Linux Advanced Server 
release 2.1AS, using the latest "rpm" released by Red Hat which as
best I can
understand is based on Samba release 2.2.7, plus select patches back-ported from
2.2.8.

TIA

Peter


*********************************************************************************
The information contained in this e-mail message and any accompanying files is
or may be confidential.  If you are not the intended recipient, any use,
dissemination, reliance, forwarding, printing or copying of this e-mail or any
attached files is unauthorised. This e-mail is subject to copyright. No part of
it should be reproduced, adapted or communicated without the written consent of
the copyright owner. If you have received this e-mail in error, please advise
the sender immediately by return e-mail, or telephone and delete all copies.
Fairfax does not guarantee the accuracy or completeness of any information
contained in this e-mail or attached files. Internet communications are not
secure, therefore Fairfax does not accept legal responsibility for the contents
of this message or attached files.
*********************************************************************************

On Mon, 29 Dec 2003, Peter Giorgilli wrote:
> Hi all!
>
> I'm working on a project that, funnily enough, involves clustering and
> "winbindd". Specifically, we have a 2-node cluster configured in
an
> active-active configuration whereby both servers are running Samba, each
> "exporting" different filesystems that are backed on a shared
storage
> subsystem such that at any given time, one node can takeover from the
other.
>
> The problem: if I run "winbindd" on both systems independently,
the
> Windows-domain user accts are mapped to different UNIX uids/gids, which in
turn creates a problem when a particular share is relocated from one node to
> the other because of the different file permissions. (Ideally, both nodes
would see the same "winbindd_idmap.tdb".)
>
> Can I effectively configure "winbindd" in a master/backup
configuration such
> that only one of the nodes is able to update the database, whilst the other
is only able to read the database? I thought to set the "winbind cache
time"
> to a value such as 1 day that would effectively relegate one of the nodes
to
> "backup" status. At the same time, the "backup" server
would periodically "rsync" the "winbindd_idmap.tdb" database
to pickup any changes.
>
> Can anyone see any problems with this approach and/or suggest a better way
of
> going about it?
>
> I should also mention that I'm running on Red Hat Linux Advanced Server
> release 2.1AS, using the latest "rpm" released by Red Hat which
as best I can
> understand is based on Samba release 2.2.7, plus select patches back-ported
from 2.2.8.
You should update to samba-3.0.0 or later. USA LDAP backend, and use:

idmap backend = ldap://your-ldap-server

This way both servers will have a common mapping of SIDs to UID/GIDs.

Cheers,
John T.
-- 
John H Terpstra
Email: jht@samba.org