Jeremy,
Install the AD service "Identity Management for Unix", add users/groups
into it, and assign unique UID/GID if you want consistent mapping across
CTDB servers. Use the Winbind service to interface the CTDB servers with
the AD in order to pull the right UID/GID for consistent mapping.
Then you can join the CTDB servers to the AD using "net ads join" and
query the AD users using "wbinfo".
[root@ ~]# wbinfo -u list
TESTDOMAIN+administrator
TESTDOMAIN+guest
TESTDOMAIN+testusera
TESTDOMAIN+testuserc
[root@ ~]# wbinfo -g
TESTDOMAIN+win_users
[root@ ~]# id TESTDOMAIN+testusera
uid=11001(TESTDOMAIN+testusera) gid=20001(TESTDOMAIN+win_users)
groups=20001(TESTDOMAIN+win_users),20002(TESTDOMAIN+domain users)
Please find attached, sample smb.conf.
HTH,
-Kums
On Tue, Aug 17, 2010 at 9:26 AM, Jeremy Farrar <jeremy.farrar at gmail.com> wrote:
> I have been working on a CTDB cluster on and off for a while now. I had it
> working great for a while. Then I decided that I wanted to change the
> configuration of my replicated volumes. I changed my DRBD configuration to
> match my desired configuration. Now I can't get the CTDB to work quite right.
> I am able to join the cluster to the domain without issues. I can also list
> my AD users and groups using wbinfo so I believe that my nsswitch.conf is
> set up properly. I am having problems with the UIDs and GIDs not matching
> between the two servers. For instance here is the output for getent on each
> server:
>
> Server A:
> jfarrar:*:20066:20001:Jeremy Farrar:/home/DOMAIN/jfarrar:/bin/bash
>
> Server B:
> jfarrar:*:20002:20001:Jeremy Farrar:/home/DOMAIN/jfarrar:/bin/bash
>
> The output looks good but the UID doesn't match. This will lead to some
> weird permissions issues in the future. The strange thing is that it worked
> before. What did I mess up when I reconfigured my volume? Thanks for your
> help.
>
> smb.conf:
>
> [global]
> server string = %h
> workgroup = DOMAIN
> netbios name = server
> password server = dc1.domain.local
> realm = DOMAIN.LOCAL
> security = ads
> idmap backend = tdb2
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template shell = /bin/bash
> template homedir = /home/DOMAIN/%U
> winbind uid = 20001-200000
> winbind gid = 20001-200000
> winbind trusted domains only = no
> winbind use default domain = true
> winbind offline logon = false
> winbind enum users = yes
> winbind enum groups = yes
> obey pam restrictions = yes
> printcap name = /etc/printcap
> socket options = TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY SO_BROADCAST
> clustering = yes
> # logs split per machine
> log file = %S.log
> log level = 2
> # max 50KB per log file, then rotate
> max log size = 50
>
> passdb backend = tdbsam
>
> #============================ Share Definitions =============================
> [DOMAIN]
> comment = Home Directories
> path = /DOMAIN
> browseable = no
> writable = yes
> # acl compatibility = auto
> acl check permissions = True
> nt acl support = yes
> ea support = yes
> acl map full control = True
> map acl inherit = yes
> inherit acls = yes
>
> nsswitch.conf:
>
> passwd: files winbind
> shadow: files winbind
> group: files winbind
>
> hosts: files dns
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files
>
> netgroup: files
>
> publickey: nisplus
>
> automount: files
> aliases: files nisplus
>
> ctdb.conf:
>
> CTDB_RECOVERY_LOCK="/EDAPT/ctdb/CTDB_lock"
> CTDB_PUBLIC_INTERFACE=eth0
> CTDB_PUBLIC_ADDRESSES=/etc/ctdb/public_addresses
> CTDB_MANAGES_SAMBA=no
> CTDB_SAMBA_CHECK_PORTS="445"
> CTDB_MANAGES_WINBIND=no
> CTDB_INIT_STYLE=redhat
> CTDB_SERVICE_SMB=smb
> CTDB_SERVICE_WINBIND=winbind
> ulimit -n 10000
> CTDB_NODES=/etc/ctdb/nodes
> CTDB_DBDIR=/var/ctdb
> CTDB_DBDIR_PERSISTENT=/EDAPT/ctdb/persistent
> CTDB_EVENT_SCRIPT_DIR=/etc/ctdb/events.d
> CTDB_SOCKET=/tmp/ctdb.socket
> CTDB_TRANSPORT="tcp"
> CTDB_LOGFILE=/var/log/log.ctdb
> CTDB_DEBUGLEVEL=2
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
-------------- next part --------------
o /etc/samba/smb.conf
[global]
workgroup = TESTDOMAIN
netbios name = CTDB-NAS
realm = TESTDOMAIN.LOCAL
server string = Clustered CIFS
security = ads
idmap backend = ad
ldap idmap suffix = dc=testdomain,dc=local
ldap admin dn = cn=ldap,cn=Users,dc=testdomain,dc=local
ldap suffix = dc=testdomain,dc=local
idmap uid = 5000-100000000
idmap gid = 5000-100000000
log level = 3 winbind:5 auth:10 passdb:5
syslog = 0
log file = /var/log/samba/log.%m
winbind use default domain = no
winbind nested groups = yes
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
machine password timeout = 999999999
#Modify the following according to the AD IP address
password server = 172.16.X.Y
passdb backend = tdbsam
clustering = yes
private dir=/mnt/gpfs/CTDB_AD
fileid:mapping = fsname
use mmap = no
vfs objects = syncops gpfs fileid
gpfs:sharemodes = yes
force unknown acl user = yes
nfs4: mode = special
nfs4: chown = yes
nfs4: acedup = merge
template shell = /bin/bash
template homedir = /home/%D+%U
max log size = 10000
oplocks = no
kernel oplocks = yes
auth methods = winbind sam
posix locking = yes
preferred master = no
encrypt passwords = yes
socket options = SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
client use spnego = yes
disable spoolss = yes
gpfs:leases=yes
idmap:cache=no
notify:inotify=no
wide links = no
large readwrite = no
strict allocate = yes
strict locking = yes
strict sync = yes
sync always = yes
blocking locks = no
deadtime = 15
local master = no
mangled names = no
use sendfile = yes
#=========Share Definitions ========
[global-share]
comment = GS File Share
path = /mnt/gpfs/nfsexport
browsable = yes
writable = yes
readonly = no
inherit acls = yes
inherit permissions = yes
oplocks = no
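The two things this thread turns on are (a) whether the smb.conf actually applies the idmap range the admin thinks it does, and (b) whether every CTDB node resolves a domain user to the same uid/gid, which is what Kums's "id TESTDOMAIN+testusera" check is probing one node at a time. The script below is an added example, not code from this thread or from Samba: it lints the range settings in a posted-style smb.conf (Jeremy's file sets both `idmap uid` and its older synonym `winbind uid`, to different ranges, so only one of them is applied) and then compares `getent passwd` output captured on each node, reporting users whose mapping differs and uids that name different users on different nodes. The node names, the bsmith/testusera entries and the function names are assumptions made for the example; the jfarrar lines are the ones from the thread.

```python
"""Cross-node idmap consistency checks for a CTDB + winbind cluster.

Added example, not code from the thread or from Samba. Two checks:
  1. check_idmap_ranges(): flag [global] idmap range parameters whose
     synonym spellings disagree (only one spelling is applied).
  2. compare_getent() / uid_collisions(): compare `getent passwd` output
     captured on each node; report users mapped differently per node and
     uids that belong to different users on different nodes (the case that
     becomes wrong file ownership on the shared volume).
Node names and every user except jfarrar are made up for the example.
"""
import re
from collections import defaultdict

# Constructed sample: the idmap-relevant lines of the posted smb.conf, abridged.
SAMPLE_SMB_CONF = """
[global]
    workgroup = DOMAIN
    security = ads
    idmap backend = tdb2
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind uid = 20001-200000
    winbind gid = 20001-200000
    clustering = yes

[DOMAIN]
    path = /DOMAIN
"""

# Constructed sample `getent passwd` output from two nodes (jfarrar lines are
# from the thread; bsmith and testusera are invented).
GETENT_NODE_A = """\
root:x:0:0:root:/root:/bin/bash
jfarrar:*:20066:20001:Jeremy Farrar:/home/DOMAIN/jfarrar:/bin/bash
bsmith:*:20002:20001:Bob Smith:/home/DOMAIN/bsmith:/bin/bash
testusera:*:20003:20001:Test User A:/home/DOMAIN/testusera:/bin/bash
"""
GETENT_NODE_B = """\
root:x:0:0:root:/root:/bin/bash
jfarrar:*:20002:20001:Jeremy Farrar:/home/DOMAIN/jfarrar:/bin/bash
bsmith:*:20067:20001:Bob Smith:/home/DOMAIN/bsmith:/bin/bash
testusera:*:20003:20001:Test User A:/home/DOMAIN/testusera:/bin/bash
"""

# Older synonyms Samba 3.x still accepts; when both spellings are present the
# one parsed last silently wins.
SYNONYMS = {"idmap uid": "winbind uid", "idmap gid": "winbind gid"}


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; section and parameter names are
    lower-cased and internal whitespace collapsed, as Samba compares them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def parse_range(value):
    """'10000-20000' -> (10000, 20000); None if the value is not a range."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_idmap_ranges(conf):
    """Return findings about [global] idmap range settings that disagree."""
    g = conf.get("global", {})
    findings = []
    for canonical, alias in SYNONYMS.items():
        if canonical in g and alias in g and parse_range(g[canonical]) != parse_range(g[alias]):
            findings.append(f"'{canonical} = {g[canonical]}' and its synonym "
                            f"'{alias} = {g[alias]}' disagree; only one is applied")
    return findings


def parse_getent(text):
    """Map user name -> (uid, gid) from `getent passwd` output."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            entries[fields[0]] = (int(fields[2]), int(fields[3]))
    return entries


def compare_getent(outputs):
    """outputs: {node: getent text}. Return {user: {node: (uid, gid)}} for
    every user whose uid/gid is not identical on all nodes that know it."""
    per_user = defaultdict(dict)
    for node, text in outputs.items():
        for user, ids in parse_getent(text).items():
            per_user[user][node] = ids
    return {u: dict(n) for u, n in per_user.items() if len(set(n.values())) > 1}


def uid_collisions(outputs):
    """Return {uid: {node: user}} for uids owned by different users on
    different nodes: a file chowned to that uid on one node is someone else's
    when seen from the other node."""
    owners = defaultdict(dict)
    for node, text in outputs.items():
        for user, (uid, _gid) in parse_getent(text).items():
            owners[uid][node] = user
    return {uid: dict(n) for uid, n in owners.items() if len(set(n.values())) > 1}


if __name__ == "__main__":
    for f in check_idmap_ranges(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("smb.conf:", f)
    nodes = {"nodeA": GETENT_NODE_A, "nodeB": GETENT_NODE_B}
    for user, by_node in sorted(compare_getent(nodes).items()):
        print(f"mismatch {user}: {by_node}")
    for uid, by_node in sorted(uid_collisions(nodes).items()):
        print(f"uid {uid} is {by_node}")
```

In practice you would feed `compare_getent` the output of `getent passwd` (or `wbinfo -i` for each enumerated user) collected from every node after the join, and treat any entry in `uid_collisions` as an ownership problem on the shared volume, not just a cosmetic one. A backend that derives uid/gid from the directory, as in Kums's attached config (`idmap backend = ad` with RFC2307 attributes), removes the per-node allocation that produces such collisions in the first place.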