David Christensen
2009-Jul-31 20:00 UTC
[389-users] Samba integration with FDS and Heartbeat for HA Samba
I successfully set up heartbeat and glusterfs (instead of DRBD) to provide an HA Samba configuration. I tested that failover worked fine: all the existing computers were able to get to their shares and re-authenticate users.

However, I discovered that I was not able to join computers to the domain after the configuration was set up. The NetBIOS name was changed to accommodate the new heartbeat VIP, and the new VIP is the only address I have Samba bound to.

When I go to add the computer to the domain, type the domain in and hit enter, I am presented with a login dialog box. When I enter the admin and password and hit enter, after a few seconds I get the warning that a controller for the domain could not be found.

I suspect that there is some caching going on and (maybe) winbind is using the old info for the PDC and not the new?

Are there any caches I could clear that may fix this? Am I on the right track, or is there something else I should be looking at?

When I compare the LDAP access logs with and without heartbeat, there is a difference in the query. As I previously mentioned, without heartbeat, adding is successful; with heartbeat it is not. I found that the search base is different:

With heartbeat - SRCH base="cn=groups,cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=sambaGroupMapping)(gidNumber=99))" attrs="gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass"

W/heartbeat - SRCH base="sambaDomainName=exampleHQ,sambaDomainName=exampleHQ,dc=example,dc=com" scope=2 filter="(&(objectClass=sambaTrustedDomainPassword)(sambaDomainName=exampleHQ))" attrs=ALL

When I compared the logs when executing pdbedit -Lv with both setups, the queries are the same.

Why would Samba do a different query to the same instance of LDAP when configured with heartbeat and without heartbeat?

The address that Samba is binding to/from for access to LDAP is not the VIP provided by heartbeat.
yersinia
2009-Aug-02 14:09 UTC
Re: [389-users] Samba integration with FDS and Heartbeat for HA Samba
On Fri, Jul 31, 2009 at 10:00 PM, David Christensen <David.Christensen@viveli.com> wrote:

> I successfully set up heartbeat and glusterfs (instead of DRBD) to
> provide an HA Samba configuration. I tested that failover worked fine:
> all the existing computers were able to get to their shares and
> re-authenticate users.
>
> However, I discovered that I was not able to join computers to the domain
> after the configuration was set up. The NetBIOS name was changed to
> accommodate the new heartbeat VIP, and the new VIP is the only address I
> have Samba bound to.
>
> When I go to add the computer to the domain, type the domain in and
> hit enter, I am presented with a login dialog box. When I enter the
> admin and password and hit enter, after a few seconds I get the warning
> that a controller for the domain could not be found.

So Samba is the PDC? It is not clear to me from the mail. If this is the case, the NetBIOS name of the Samba (or Windows pre-Windows 2000) domain PDC is domainname#1B.

The Samba (or Windows pre-Windows 2000) domain DC, so also the BDC, is domain#1C (e.g. the domain master browser in Windows terms).

Now, how do your Samba PDC/BDC register their names? If you use WINS in smb.conf (let me call the WINS server's IP address x.y.z.w), try to look up the domain name:

    nmblookup -R -U x.y.z.w domainname#1C

(and similar for #1B)

If not, and your PDC is in the same broadcast address (e.g. subnet) as your client:

    nmblookup domainname#1B

(#1C also)

In reality the client was finding domainname#1C to update the machine account on the PDC. If one of the preceding commands fails, well, it is only a WINS or other namespace registration problem: not a local Samba problem. Or perhaps you have not described in more depth the different configuration you have done on Samba, so it is possible I am wrong.
Regards

> I suspect that there is some caching going on and (maybe) winbind is
> using the old info for the PDC and not the new?
>
> Are there any caches I could clear that may fix this? Am I on the right
> track, or is there something else I should be looking at?
>
> When I compare the LDAP access logs with and without heartbeat, there is
> a difference in the query. As I previously mentioned, without
> heartbeat, adding is successful; with heartbeat it is not. I found that
> the search base is different:
>
> With heartbeat - SRCH base="cn=groups,cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=sambaGroupMapping)(gidNumber=99))" attrs="gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass"
>
> W/heartbeat - SRCH base="sambaDomainName=exampleHQ,sambaDomainName=exampleHQ,dc=example,dc=com" scope=2 filter="(&(objectClass=sambaTrustedDomainPassword)(sambaDomainName=exampleHQ))" attrs=ALL
>
> When I compared the logs when executing pdbedit -Lv with both setups,
> the queries are the same.
>
> Why would Samba do a different query to the same instance of LDAP when
> configured with heartbeat and without heartbeat?
>
> The address that Samba is binding to/from for access to LDAP is not the
> VIP provided by heartbeat.
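
The access-log comparison described in the first message can be done mechanically. The following is an added example, not part of the original thread: it extracts the distinct SRCH operations from two 389 DS access-log captures and reports which searches appear in only one of them. The two SRCH payloads are the ones quoted above; the timestamps, conn/op numbers, the RESULT line, the shared sambaDomain search and the capture names are constructed for illustration.

```python
import re

# A 389 DS access-log SRCH record; attrs is a quoted list or the bare word ALL.
SRCH_RE = re.compile(
    r'SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d+) '
    r'filter="(?P<filter>[^"]*)" attrs=(?:"(?P<attrs>[^"]*)"|(?P<all>ALL))'
)

def parse_searches(log_text):
    """Return the set of distinct (base, scope, filter, attrs) searches in a log."""
    seen = set()
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if not m:
            continue  # BIND, RESULT and other operations are ignored
        attrs = "ALL" if m.group("all") else " ".join(sorted(m.group("attrs").split()))
        # DNs compare case-insensitively, so normalise the base before comparing.
        seen.add((m.group("base").lower(), int(m.group("scope")), m.group("filter"), attrs))
    return seen

def diff_searches(log_a, log_b):
    """Return (searches only in capture A, searches only in capture B)."""
    a, b = parse_searches(log_a), parse_searches(log_b)
    return sorted(a - b), sorted(b - a)

# Constructed captures: SHARED appears in both, each capture adds one query from the thread.
SHARED = (
    '[31/Jul/2009:14:55:01 -0500] conn=1 op=1 SRCH base="dc=example,dc=com" scope=2 '
    'filter="(&(objectClass=sambaDomain)(sambaDomainName=exampleHQ))" '
    'attrs="sambaDomainName sambaSID"\n'
    '[31/Jul/2009:14:55:01 -0500] conn=1 op=1 RESULT err=0 tag=101 nentries=1 etime=0\n'
)
CAPTURE_A = SHARED + (
    '[31/Jul/2009:14:55:02 -0500] conn=1 op=2 SRCH '
    'base="cn=groups,cn=accounts,dc=example,dc=com" scope=2 '
    'filter="(&(objectClass=sambaGroupMapping)(gidNumber=99))" '
    'attrs="gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass"\n'
)
CAPTURE_B = SHARED + (
    '[31/Jul/2009:15:10:07 -0500] conn=4 op=2 SRCH '
    'base="sambaDomainName=exampleHQ,sambaDomainName=exampleHQ,dc=example,dc=com" scope=2 '
    'filter="(&(objectClass=sambaTrustedDomainPassword)(sambaDomainName=exampleHQ))" attrs=ALL\n'
)

if __name__ == "__main__":
    only_a, only_b = diff_searches(CAPTURE_A, CAPTURE_B)
    for label, rows in (("only in A", only_a), ("only in B", only_b)):
        for base, scope, flt, attrs in rows:
            print(f"{label}: base={base} scope={scope} filter={flt} attrs={attrs}")
```
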