Samuel Taylor Liston
2020-May-20 18:59 UTC
[Samba] Multiple samba instances on same machine in v4.8 and beyond
This is a long shot as it looks as though this may not be supported anymore. Since moving to CentOS 7 we have been using the instantiation feature of systemd to run multiple winbind and smb instances on a single server as part of an HA setup (pacemaker/corosync). In testing samba version 4.8 and beyond we have found that this doesn't work anymore, or rather the client tools are unable to authenticate. What it looks to stem from is client tools appear to be looking for the winbind socket file in the default location only (/run/samba/winbindd). In order to have multiple smb instances we have been starting a winbind per smb and have been redirecting the winbind socket dir to a specific location per instance, and though the man page says otherwise this was working up until v4.8. Right now we are version locked at 4.7, but can't stay there forever.

We have been searching and experimenting (unsuccessfully) to find a way around this. Has anyone else encountered this and found a working solution? Any ideas or insights would be much appreciated.

Here are my global and one individual instance config file to give a flavor of what we are doing:

[root at xxxxxxxxxxxx ~]# cat /etc/samba/global.smb.conf
[global]
workgroup = AD
server string = xxxxxxxxxxxxx (%L) Server
security = ADS
passdb backend = tdbsam
allow trusted domains = no
encrypt passwords = yes
realm = XX.XXXXX.EDU
local master = no
preferred master = no
wins support = no
wins proxy = no
dns proxy = no
load printers = no
printcap name = /dev/null
disable spoolss = yes
lanman auth = yes
client plaintext auth = yes
client lanman auth = yes
restrict anonymous = 2

[root at xxxxxxxxxxxxxx ~]# cat /etc/samba/smb.conf.xxxxxxxxxxxxx-vg3-0-lv1
[global]
log file = /var/log/samba/%m-xxxxxxxxxxxxx-vg3-0-lv1.log
encrypt passwords = yes
include = /etc/samba/global.smb.conf
pid directory = /var/run/samba/xxvg3-0-lv1-smb
interfaces = 155.101.11.101
bind interfaces only = yes
netbios name = xxvg3-0-lv1-smb
lock directory = /var/lib/samba/xx301/lock
cache directory = /var/lib/samba/xx301/cache
state directory = /var/lib/samba/xx301/state
private dir = /var/lib/samba/xx301/priv
winbindd socket directory = /var/lib/samba/xx301/sock

[hpc-home]
comment = hpc-home xxxxxxxxxxxxx-vg3-0-lv1 share
# Hide the secret cluster files
veto files = /.clumanager/.rgmanager/
browsable = yes
writable = yes
path = /uufs/xxxxxxxxxxxxx/common/xxxxxxxxxxxxx-vg3-0-lv1/hpc
create mask = 0644
directory mask = 0755
guest ok = no
nt acl support = yes
valid users = @hpc

=========================================
Center for High Performance Computing - Univ. of Utah
155 S. 1452 E. Rm 405
Salt Lake City, Utah 84112 (801)232-6932
==========================================
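Added example, not part of the original thread: a Python check that parses each instance's [global] section (following `include`) and reports any per-instance path that two instances share or that is left at the built-in default. The instance name xx302, the `smb.conf.<name>` file names and the generated sample paths are constructed for illustration; the check covers path isolation only, not the 4.8 client-tool behaviour described in the post.

```python
import re

# Path parameters the post sets per instance. A shared or defaulted value means
# two instances use the same pid files, TDBs, secrets (private dir) or socket.
PER_INSTANCE = ("pid directory", "lock directory", "cache directory",
                "state directory", "private dir", "winbindd socket directory")
DEFAULT = "<built-in default>"

def global_params(path, files):
    """[global] parameters of files[path]; 'include' is merged in place (simplified)."""
    params, section = {}, None
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = re.sub(r"\s+", " ", key.lower())  # normalise case and spacing
            if key == "include":
                params.update(global_params(value, files))
            else:
                params[key] = value  # later settings override earlier ones
    return params

def audit(instances):
    """Return (parameter, value, instance names) for shared or defaulted paths."""
    findings = []
    for key in PER_INSTANCE:
        owners = {}
        for name, params in instances.items():
            owners.setdefault(params.get(key, DEFAULT), []).append(name)
        for value, names in owners.items():
            if len(names) > 1 or value == DEFAULT:
                findings.append((key, value, sorted(names)))
    return findings

def conf(tag, params=PER_INSTANCE):
    # Constructed sample text, e.g. "lock directory = /var/lib/samba/xx301/lock"
    body = "".join(f"{p} = /var/lib/samba/{tag}/{p.split()[0]}\n" for p in params)
    return "[global]\ninclude = /etc/samba/global.smb.conf\n" + body

# Constructed input: xx302 omits the socket directory and reuses xx301's cache.
FILES = {"/etc/samba/global.smb.conf": "[global]\nsecurity = ADS\n",
         "smb.conf.xx301": conf("xx301"),
         "smb.conf.xx302": conf("xx302", PER_INSTANCE[:2] + PER_INSTANCE[3:5])
                           + "cache directory = /var/lib/samba/xx301/cache\n"}

def run_sample():
    names = ("xx301", "xx302")
    return audit({n: global_params(f"smb.conf.{n}", FILES) for n in names})

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```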
Rowland Penny
2020-May-20 19:39 UTC
[Samba] Multiple samba instances on same machine in v4.8 and beyond
On 20/05/2020 19:59, Samuel Taylor Liston via samba wrote:
> This is a long shot as it looks as though this may not be supported anymore. Since moving to CentOS 7 we have been using the instantiation feature of systemd to run multiple winbind and smb instances on a single server as part of an HA setup (pacemaker/corosync). In testing samba version 4.8 and beyond we have found that this doesn't work anymore, or rather the client tools are unable to authenticate. What it looks to stem from is client tools appear to be looking for the winbind socket file in the default location only (/run/samba/winbindd). In order to have multiple smb instances we have been starting a winbind per smb and have been redirecting the winbind socket dir to a specific location per instance, and though the man page says otherwise this was working up until v4.8. Right now we are version locked at 4.7, but can't stay there forever.
>
> We have been searching and experimenting (unsuccessfully) to find a way around this. Has anyone else encountered this and found a working solution? Any ideas or insights would be much appreciated.
>
> Here are my global and one individual instance config file to give a flavor of what we are doing:
>
> [root at xxxxxxxxxxxx ~]# cat /etc/samba/global.smb.conf
> [global]
> workgroup = AD
> server string = xxxxxxxxxxxxx (%L) Server
> security = ADS
> passdb backend = tdbsam
> allow trusted domains = no
> encrypt passwords = yes
> realm = XX.XXXXX.EDU
> local master = no
> preferred master = no
> wins support = no
> wins proxy = no
> dns proxy = no
> load printers = no
> printcap name = /dev/null
> disable spoolss = yes
> lanman auth = yes
> client plaintext auth = yes
> client lanman auth = yes
> restrict anonymous = 2
>
> [root at xxxxxxxxxxxxxx ~]# cat /etc/samba/smb.conf.xxxxxxxxxxxxx-vg3-0-lv1
> [global]
> log file = /var/log/samba/%m-xxxxxxxxxxxxx-vg3-0-lv1.log
> encrypt passwords = yes
> include = /etc/samba/global.smb.conf
> pid directory = /var/run/samba/xxvg3-0-lv1-smb
> interfaces = 155.101.11.101
> bind interfaces only = yes
> netbios name = xxvg3-0-lv1-smb
> lock directory = /var/lib/samba/xx301/lock
> cache directory = /var/lib/samba/xx301/cache
> state directory = /var/lib/samba/xx301/state
> private dir = /var/lib/samba/xx301/priv
> winbindd socket directory = /var/lib/samba/xx301/sock
>
> [hpc-home]
> comment = hpc-home xxxxxxxxxxxxx-vg3-0-lv1 share
> # Hide the secret cluster files
> veto files = /.clumanager/.rgmanager/
> browsable = yes
> writable = yes
> path = /uufs/xxxxxxxxxxxxx/common/xxxxxxxxxxxxx-vg3-0-lv1/hpc
> create mask = 0644
> directory mask = 0755
> guest ok = no
> nt acl support = yes
> valid users = @hpc
>

The first fix:

yum remove sssd

Install winbind etc and configure smb.conf correctly

You cannot use sssd with Samba >= 4.8.0

I 'think' that what you are trying to do will probably work with CTDB, but you will need more than one client (you cannot really have a cluster with only one client), but this is outside my comfort zone, but I know of a couple of guys that do know about it and one of them is going to give a talk on the upcoming online SambaXP:

https://sambaxp.org/

Rowland