Hi Folks,

We're in the process of setting up a Samba cluster (Samba+CTDB+etcd), and we are (presently) using Winbind. We use AD. We're finding that the domain join (or kerberos ticket renewal) is unreliable. Every day we find Samba/Winbind is no longer joined to the domain. Now, we're in a bit of a learning curve here, and automating everything with Terraform + Ansible. We have yet to produce a stable environment with respect to domain join, though the file systems themselves seem fine.

One challenge is the vast array of (frequently inconsistent or inaccurate) documentation on the topic of Samba, different ways to do the same things, etc. So part of our challenge is sifting through useful, or not so useful, information.

We really need an accurate recipe for installing Samba, all its dependencies, including Winbind (or alternative), having this domain joined, and supporting Windows File History.

Can anyone of the core Samba team members point our way through the "wilderness"? ;-) To either a very up to date, very accurate, bash script that has every step detailed, or a document that has been tested recently that works flawlessly?

This would be very helpful.

We're excited to see the prospect of a distributed Samba cluster working across several AWS regions, and initial testing has produced great results in terms of performance and recoverability. But it's this last mile of getting AD join stable and kerberos tickets automatically renewed, and not dropping domain join, working, that is causing us issue.

And any detailed information (script ideally) on how to configure Windows File History, would also be helpful.

Thank you so much in advance, we really appreciate this.

Kindly,

--
BOB BUCK
SENIOR PLATFORM SOFTWARE ENGINEER

SKIDMORE, OWINGS & MERRILL
7 WORLD TRADE CENTER
250 GREENWICH STREET
NEW YORK, NY 10007
T (212) 298-9624
ROBERT.BUCK at SOM.COM

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Robert Buck via samba
> Sent: Wednesday 15 July 2020 15:12
> To: samba at lists.samba.org
> Subject: [Samba] Samba + Winbind : Kerberos Tickets
>
> Hi Folks,
>
> We're in the process of setting up a Samba cluster (Samba+CTDB+etcd), and we are (presently) using Winbind. We use AD. We're finding that the domain join (or kerberos ticket renewal) is unreliable.

You are most probably missing in smb.conf:

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    # renew the kerberos ticket
    winbind refresh tickets = yes

> Every day we find Samba/Winbind is no longer joined to the domain. Now, we're in a bit of a learning curve here, and automating everything with Terraform + Ansible. We have yet to produce a stable environment with respect to domain join, though the file systems themselves seem fine.

Oh, and you know this:
https://www.kania-online.de/wp-content/uploads/2020/05/cluster-mit-ctdb.pdf
It's a good read for what you want, at least, I think it is.

> One challenge is the vast array of (frequently inconsistent or inaccurate) documentation on the topic of Samba, different ways to do the same things, etc. So part of our challenge is sifting through useful, or not so useful, information.
>
> We really need an accurate recipe for installing Samba, all its dependencies, including Winbind (or alternative), having this domain joined, and supporting Windows File History.

Well, I'm still working on that.
https://github.com/thctlo/samba4/tree/master/howtos
The current "debian stretch" is old, but mostly it is still correct. The "Debian Buster" version is in the making at the moment (a member setup first).

> Can anyone of the core Samba team members point our way through the "wilderness"? ;-) To either a very up to date, very accurate, bash script that has every step detailed, or a document that has been tested recently that works flawlessly?

Almost there, the member setup should be done this or next week. ;-)

> This would be very helpful.
>
> We're excited to see the prospect of a distributed Samba cluster working across several AWS regions, and initial testing has produced great results in terms of performance and recoverability. But it's this last mile of getting AD join stable and kerberos tickets automatically renewed, and not dropping domain join, working, that is causing us issue.

See above, that will fix it.

> And any detailed information (script ideally) on how to configure Windows File History, would also be helpful.

That's one point I'm also working on at the moment, and as far as I know you need LVM for it. But I leave this part to my colleague Rowland or other members of the Team.

> Thank you so much in advance, we really appreciate this.
>
> Kindly,
>
> --
>
> BOB BUCK

Greetz,

Louis
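
A check for the three smb.conf settings suggested in the reply above, as an added example that is not part of the original thread or of Samba: it parses the [global] section of a constructed sample file and reports which of the settings are absent or different. The function names and the sample configuration are assumptions made for the illustration, and include directives are not followed.

```python
import re

TRUE_VALUES = {"yes", "true", "1"}  # boolean spellings documented in smb.conf(5)

# The three settings from the reply, each with a test for an acceptable value.
RECOMMENDED = {
    "dedicated keytab file": lambda v: v == "/etc/krb5.keytab",
    "kerberos method": lambda v: v.lower() == "secrets and keytab",
    "winbind refresh tickets": lambda v: v.lower() in TRUE_VALUES,
}

# Constructed sample: one setting present, one commented out, one in the wrong section.
SAMPLE = """\
[global]
    workgroup = EXAMPLE
    security = ADS
    Kerberos Method = secrets and keytab
    ; winbind refresh tickets = yes
[share]
    dedicated keytab file = /etc/krb5.keytab
"""

def _norm(name):
    # Samba ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalised name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = _norm(header.group(1))
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_norm(name)] = value.strip()
    return params

def audit(text):
    """Return (parameter, value found or None) for each setting that is absent or different."""
    have = parse_global(text)
    return [(name, have.get(_norm(name)))
            for name, ok in RECOMMENDED.items()
            if have.get(_norm(name)) is None or not ok(have[_norm(name)])]

if __name__ == "__main__":
    for name, found in audit(SAMPLE):
        print(f"{name}: expected setting not effective (found: {found!r})")
```

On a host with Samba installed, the output of testparm -s can be passed to audit() instead of the raw file.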

On 15/07/2020 14:12, Robert Buck via samba wrote:
> Hi Folks,
>
> We're in the process of setting up a Samba cluster (Samba+CTDB+etcd), and we are (presently) using Winbind. We use AD. We're finding that the domain join (or kerberos ticket renewal) is unreliable. Every day we find Samba/Winbind is no longer joined to the domain. Now, we're in a bit of a learning curve here, and automating everything with Terraform + Ansible. We have yet to produce a stable environment with respect to domain join, though the file systems themselves seem fine.
>
> One challenge is the vast array of (frequently inconsistent or inaccurate) documentation on the topic of Samba, different ways to do the same things, etc. So part of our challenge is sifting through useful, or not so useful, information.
>
> We really need an accurate recipe for installing Samba, all its dependencies, including Winbind (or alternative), having this domain joined, and supporting Windows File History.
>
> Can anyone of the core Samba team members point our way through the "wilderness"? ;-) To either a very up to date, very accurate, bash script that has every step detailed, or a document that has been tested recently that works flawlessly?
>
> This would be very helpful.
>
> We're excited to see the prospect of a distributed Samba cluster working across several AWS regions, and initial testing has produced great results in terms of performance and recoverability. But it's this last mile of getting AD join stable and kerberos tickets automatically renewed, and not dropping domain join, working, that is causing us issue.
>
> And any detailed information (script ideally) on how to configure Windows File History, would also be helpful.
>
> Thank you so much in advance, we really appreciate this.
>
> Kindly,
>

Can we see the smb.conf file you are using at present, because you definitely shouldn't have to re-join every day:

    rowland at devstation:~/tests$ uptime
     14:19:11 up 16 days,  3:20,  1 user,  load average: 0.60, 0.92, 0.93

That was only because of an electrical problem, I cannot actually remember when the computer was joined to the domain ;-)

Rowland

Additional information, to repair the situation we have to run netplan apply every 18 hours or so. So we're evaluating dropping use of netplan and going to other options to see if they actually work.

Any recommendations?

Thank you.

- Bob

On Wed, Jul 15, 2020 at 9:12 AM Robert Buck <robert.buck at som.com> wrote:
> Hi Folks,
>
> We're in the process of setting up a Samba cluster (Samba+CTDB+etcd), and we are (presently) using Winbind. We use AD. We're finding that the domain join (or kerberos ticket renewal) is unreliable. Every day we find Samba/Winbind is no longer joined to the domain. Now, we're in a bit of a learning curve here, and automating everything with Terraform + Ansible. We have yet to produce a stable environment with respect to domain join, though the file systems themselves seem fine.
>
> One challenge is the vast array of (frequently inconsistent or inaccurate) documentation on the topic of Samba, different ways to do the same things, etc. So part of our challenge is sifting through useful, or not so useful, information.
>
> We really need an accurate recipe for installing Samba, all its dependencies, including Winbind (or alternative), having this domain joined, and supporting Windows File History.
>
> Can anyone of the core Samba team members point our way through the "wilderness"? ;-) To either a very up to date, very accurate, bash script that has every step detailed, or a document that has been tested recently that works flawlessly?
>
> This would be very helpful.
>
> We're excited to see the prospect of a distributed Samba cluster working across several AWS regions, and initial testing has produced great results in terms of performance and recoverability. But it's this last mile of getting AD join stable and kerberos tickets automatically renewed, and not dropping domain join, working, that is causing us issue.
>
> And any detailed information (script ideally) on how to configure Windows File History, would also be helpful.
>
> Thank you so much in advance, we really appreciate this.
>
> Kindly,
>
> --
>
> BOB BUCK
> SENIOR PLATFORM SOFTWARE ENGINEER
>
> SKIDMORE, OWINGS & MERRILL
> 7 WORLD TRADE CENTER
> 250 GREENWICH STREET
> NEW YORK, NY 10007
> T (212) 298-9624
> ROBERT.BUCK at SOM.COM
>

--
BOB BUCK
SENIOR PLATFORM SOFTWARE ENGINEER

SKIDMORE, OWINGS & MERRILL
7 WORLD TRADE CENTER
250 GREENWICH STREET
NEW YORK, NY 10007
T (212) 298-9624
ROBERT.BUCK at SOM.COM