samba - Mar 2021 - Two SMB Domain member gateways to CEPHFS

On 29/03/2021 19:36, Oskari Koivisto via samba wrote:
> Hi,
>
> I have 2 ceph clusters served via SMB-gateways to a single domain.
> The cluster reside away from each other few thousand kilometers so having 2
separate SMB-servers is a must.
> The Samba works kind of, I can access the shares and am able to set
permissions to share-tab and security-tab if certain features are enabled. Or I
could, now it seems I?m not able to do that anymore.
>
> My hypothesis is that since having 2 samba-gateways both joined to domain
and having RID as a backend confuses the actual AD-part.
>
>  From both gateways I can query the domain users and groups from getent
passwd. But the gateways return different ID-numbers.
>
> This is my current smb.conf:
> [global]
>         workgroup = DOMAIN
>         netbios name = HOSTNAME
>         clustering = no
>         load printers = no
>         usershare allow guests = No
>         smbd: backgroundqueue = no
>         realm = DOMAIN
>         security = ADS
>         template homedir = /home/%D/%U
>         domain logons = No
>         domain master = No
>         wins support = no
>         password server = *
>         winbind refresh tickets = yes
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>         idmap config MICT : backend = rid
>         idmap config MICT : range = 10000-20000
>         template shell = /bin/bash
>         username map = /etc/samba/user.map
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes

Are your domain (workgroup) and realm the same (seemingly MICT) ?

Other than that, your smb.conf looks okay, using the 'rid' backend 
should not be a problem.

What are the AD DC's ?

Rowland

Hi,

yes workgroup and domain are the same.

the DC?s are Server 2012 R2.

Regards,
-Oskari
> On 29. Mar 2021, at 22.22, Rowland penny via samba <samba at
lists.samba.org> wrote:
> 
> On 29/03/2021 19:36, Oskari Koivisto via samba wrote:
>> Hi,
>> 
>> I have 2 ceph clusters served via SMB-gateways to a single domain.
>> The cluster reside away from each other few thousand kilometers so
having 2 separate SMB-servers is a must.
>> The Samba works kind of, I can access the shares and am able to set
permissions to share-tab and security-tab if certain features are enabled. Or I
could, now it seems I?m not able to do that anymore.
>> 
>> My hypothesis is that since having 2 samba-gateways both joined to
domain and having RID as a backend confuses the actual AD-part.
>> 
>> From both gateways I can query the domain users and groups from getent
passwd. But the gateways return different ID-numbers.
>> 
>> This is my current smb.conf:
>> [global]
>>        workgroup = DOMAIN
>>        netbios name = HOSTNAME
>>        clustering = no
>>        load printers = no
>>        usershare allow guests = No
>>        smbd: backgroundqueue = no
>>        realm = DOMAIN
>>        security = ADS
>>        template homedir = /home/%D/%U
>>        domain logons = No
>>        domain master = No
>>        wins support = no
>>        password server = *
>>        winbind refresh tickets = yes
>>        idmap config * : backend = tdb
>>        idmap config * : range = 3000-7999
>>        idmap config MICT : backend = rid
>>        idmap config MICT : range = 10000-20000
>>        template shell = /bin/bash
>>        username map = /etc/samba/user.map
>>        vfs objects = acl_xattr
>>        map acl inherit = yes
>>        store dos attributes = yes
> 
> 
> Are your domain (workgroup) and realm the same (seemingly MICT) ?
> 
> Other than that, your smb.conf looks okay, using the 'rid' backend
should not be a problem.
> 
> What are the AD DC's ?
> 
> Rowland
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba