Hi,

I have two machines in a cluster and want to create a highly available samba share that connects to active directory for user information. The storage is DRBD and the filesystem is XFS.

I'm using pacemaker as cluster software and using the lsb:samba init script.

I connected both machines to my Windows AD server and tested this using winbind.

winbind -u gives me all AD users which seems fine. This works on both machines so everything looks ok.

When I connect from a Windows client to the samba share I don't need to enter credentials so that looks fine too. When I start to put some files on the share the correct credentials are used when I check with "ls -al" on the mountpoint in Linux. So far so good.

BUT when I do a failover to the other node the share is up but suddenly I cannot connect from the Windows client anymore without entering credentials and when I check with "ls -al" on the mountpoint on the other machine it maps the existing files (which I put there when the share was running on the other node) suddenly with whole different UID's.

Where is the mapping of UID's taking place and how can I fix this? Both systems lookup their user information from the same AD server, how can they still lookup different UID's when looking at the same server and files?

Kind regards,
Caspar Smit
On 2/28/2011 at 09:21 PM, Caspar Smit <c.smit at truebit.nl> wrote:
> Hi,
>
> I have two machines in a cluster and want to create a high available samba
> share that connects to active directory for user information. The storage is
> DRBD and the filesystem is XFS.
>
> I'm using pacemaker as cluster software and using the lsb:samba init script.
>
> I connected both machines to my Windows AD server and tested this using
> winbind.
>
> winbind -u gives me all AD users which seems fine. This works on both
> machines so everything looks ok.
>
> When I connect from a windows client to the samba share I don't need to
> enter credentials so that looks fine too. When I start to put some files on
> the share the correct credentials are used when I check with "ls -al" on the
> mountpoint in linux. So far so good.
>
> BUT when I do a failover to the other node the share is up but suddenly I
> cannot connect from the windows client anymore without entering credentials
> and when I check with "ls -al" on the mountpoint on the other machine it
> maps the existing files (which I put there when the share was running on the
> other node) suddenly with whole different UID's.
>
> Where is the mapping of UID's taking place and how can I fix this? Both
> systems lookup their user information from the same AD server, how can they
> still lookup different UID's when looking at the same server and files?

Because by default Samba hands out UIDs on a first come first served basis. You need to configure a different UID mapping scheme. Have a look at "idmap config" and "idmap backend" in the smb.conf manpage. RID might be the easiest thing to set up (where Samba generates UIDs based on Windows SIDs).

Configuring UNIX UIDs in some LDAP backend, or directly in AD via (RFC2307 or Services For UNIX or whatever it's called these days) might be "better" (you get to decide what the UIDs actually are, and this'll apparently work with multiple AD domains/trusted domains).

HTH,
Tim

--
Tim Serong <tserong at novell.com>
Senior Clustering Engineer, OPS Engineering, Novell Inc.
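The difference between the two mapping schemes named in the reply above, as an added example that is not part of the original thread. It simulates a per-node "first come, first served" table next to the algorithmic mapping documented for idmap_rid (ID = RID - BASE_RID + LOW_RANGE_ID); the SIDs, the ID range and all function names are constructed for illustration.

```python
# Constructed sample SIDs for a hypothetical domain; the trailing number is the RID.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ALICE = f"{DOMAIN_SID}-1105"
BOB = f"{DOMAIN_SID}-1106"
CAROL = f"{DOMAIN_SID}-1107"


class AllocatingMap:
    """First come, first served: each node keeps its own local SID -> UID table."""

    def __init__(self, low, high):
        self.next_id, self.high, self.table = low, high, {}

    def uid(self, sid):
        if sid not in self.table:
            if self.next_id > self.high:
                raise RuntimeError("idmap range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def rid_uid(sid, low, high, base_rid=0):
    """Algorithmic mapping as documented for idmap_rid: RID - BASE_RID + LOW_RANGE_ID."""
    if not sid.startswith(DOMAIN_SID + "-"):
        raise ValueError("SID is not from the configured domain")
    uid = int(sid.rsplit("-", 1)[1]) - base_rid + low
    if not low <= uid <= high:
        raise ValueError("RID falls outside the configured range")
    return uid


def diverging(sids, map_a, map_b):
    """Return the SIDs that two nodes resolve to different UIDs."""
    return [s for s in sids if map_a(s) != map_b(s)]


LOW, HIGH = 10000, 49999  # assumed range, chosen for the example
node1, node2 = AllocatingMap(LOW, HIGH), AllocatingMap(LOW, HIGH)
for sid in (ALICE, BOB, CAROL):   # order in which users first reached node 1
    node1.uid(sid)
for sid in (CAROL, ALICE, BOB):   # a different order on node 2
    node2.uid(sid)

users = [ALICE, BOB, CAROL]
alloc_diff = diverging(users, node1.uid, node2.uid)
rid_diff = diverging(users, lambda s: rid_uid(s, LOW, HIGH),
                     lambda s: rid_uid(s, LOW, HIGH))

if __name__ == "__main__":
    print("allocating mismatches:", len(alloc_diff), "rid mismatches:", len(rid_diff))
```

On the real cluster the same comparison can be made by resolving one SID on each node with `wbinfo --sid-to-uid` and checking that the results match. Files written under the old mapping keep their old numeric owners, so ownership on the shared volume has to be corrected after the scheme is changed.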
Caspar Smit
2011-Feb-28 12:24 UTC
[Samba] [Linux-HA] Samba failover causes different UID's
Tim,

Thank you very much for this, I will check out the manpage and wiki page.

Kind regards,
Caspar Smit

2011/2/28 Tim Serong <tserong at novell.com>

> On 2/28/2011 at 09:21 PM, Caspar Smit <c.smit at truebit.nl> wrote:
> > Hi,
> >
> > I have two machines in a cluster and want to create a high available samba
> > share that connects to active directory for user information. The storage is
> > DRBD and the filesystem is XFS.
> >
> > I'm using pacemaker as cluster software and using the lsb:samba init script.
> >
> > I connected both machines to my Windows AD server and tested this using
> > winbind.
> >
> > winbind -u gives me all AD users which seems fine. This works on both
> > machines so everything looks ok.
> >
> > When I connect from a windows client to the samba share I don't need to
> > enter credentials so that looks fine too. When I start to put some files on
> > the share the correct credentials are used when I check with "ls -al" on the
> > mountpoint in linux. So far so good.
> >
> > BUT when I do a failover to the other node the share is up but suddenly I
> > cannot connect from the windows client anymore without entering credentials
> > and when I check with "ls -al" on the mountpoint on the other machine it
> > maps the existing files (which I put there when the share was running on the
> > other node) suddenly with whole different UID's.
> >
> > Where is the mapping of UID's taking place and how can I fix this? Both
> > systems lookup their user information from the same AD server, how can they
> > still lookup different UID's when looking at the same server and files?
>
> Because by default Samba hands out UIDs on a first come first served basis.
> You need to configure a different UID mapping scheme. Have a look at "idmap
> config" and "idmap backend" in the smb.conf manpage. RID might be the
> easiest thing to set up (where Samba generates UIDs based on Windows SIDs).
>
> Configuring UNIX UIDs in some LDAP backend, or directly in AD via (RFC2307
> or Services For UNIX or whatever it's called these days) might be "better"
> (you get to decide what the UIDs actually are, and this'll apparently work
> with multiple AD domains/trusted domains).
>
> HTH,
>
> Tim
>
> --
> Tim Serong <tserong at novell.com>
> Senior Clustering Engineer, OPS Engineering, Novell Inc.