Petterson, Danny
2020-Jun-09 20:31 UTC
[Samba] Virtual IP/netbios name for AD-authenticated shares in failover cluster
Hi Gurus,
I have a simple failover cluster on two SLES 12 SP3 nodes with Samba/winbind for
authenticating AD-user access to the shares. The shares are reached through a
virtual hostname/IP which differs from the SLES-server itself.
The servers use SSSD for normal SSH authentication, also against the same
Active Domain.
Here is the problem: if I get Samba/winbind to work with the virtual
hostname/IP and authenticating against AD, SSSD for normal SSH access to the
servers stops working. When SSSD for SSH access works, Samba/winbind can't
connect to the domain.
Both the normal server names and the virtual IP/hostname are available in AD as
computer-accounts and DNS.
If SSSD/AD works, and I "net join" the virtual hostname/IP, I can get
the shares to authenticate, but not the SSSD logins.
When I then, to repair the SSSD/AD integration, "net join" with the
hostname, the SSSD logins work again, but then the Samba integration with the AD
stops working.
Of course, if I move the cluster package to the other node, the same issues
persist.
All tdb-files, log-files, conf-files etc. are on a shared disk which moves with
the cluster package.
Any idea what I miss here?
The smb.conf:
[global]
client signing = yes
client use spnego = yes
netbios name = my_virtual_hostname
kerberos method = secrets and keytab
security = ADS
bind interfaces only = yes
interfaces = my.virtual.IP.xxx
winbind gid = 100000-300000
winbind refresh tickets = yes
winbind separator = +
create krb5 conf = no
workgroup = DOMAIN
realm = DOMAIN.ORG
encrypt passwords = yes
log file = /export/SHARED_DISK/system/logs/log.%m
lock directory = /export/SHARED_DISK/system/locks
pid directory = /export/SHARED_DISK/system/locks
debug level = 2
max log size = 1000
preserve case = yes
short preserve case = yes
dos filetime resolution = yes
read only = no
socket options = TCP_NODELAY
domain master = auto
local master = yes
preferred master = auto
domain logons = no
wins support = no
ntlm auth = yes
lanman auth = no
client lanman auth = no
map to guest = Bad User
[test1]
path = /export/SHARED_DISK/test1
comment = "SMB test"
valid users = @"DOMAIN+MyAdGroupForThisShare"
browsable = yes
writable = yes
available = yes
Greetings from
Danny Petterson
Rowland penny
2020-Jun-09 21:03 UTC
[Samba] Virtual IP/netbios name for AD-authenticated shares in failover cluster
On 09/06/2020 21:31, Petterson, Danny via samba wrote:
> Hi Gurus,
>
> I have a simple failover cluster on two SLES 12 SP3 nodes with Samba/winbind for authenticating AD-user access to the shares. The shares are reached through a virtual hostname/IP which differs from the SLES-server itself.
>
> The servers use SSSD for normal SSH authentication, also against the same Active Domain.
>
> Here is the problem: if I get Samba/winbind to work with the virtual hostname/IP and authenticating against AD, SSSD for normal SSH access to the servers stops working. When SSSD for SSH access works, Samba/winbind can't connect to the domain.
>
> Both the normal server names and the virtual IP/hostname are available in AD as computer-accounts and DNS.
>
> If SSSD/AD works, and I "net join" the virtual hostname/IP, I can get the shares to authenticate, but not the SSSD logins.
> When I then, to repair the SSSD/AD integration, "net join" with the hostname, the SSSD logins work again, but then the Samba integration with the AD stops working.
>
> Of course, if I move the cluster package to the other node, the same issues persist.
>
> All tdb-files, log-files, conf-files etc. are on a shared disk which moves with the cluster package.
>
> Any idea what I miss here?

Not a SLES user, but I believe that it uses Samba 4.10.x, which means that you have missed this:

From Samba 4.8.0 and using 'security = ADS', you cannot use sssd with shares. You can use idmap_sss, but only for authentication.

When set up correctly, a Unix domain member running winbind will do virtually all that sssd does, including ssh.

Rowland
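An example winbind-only domain-member smb.conf along the lines Rowland describes, added here as an illustration and not taken from either poster: it keeps the virtual netbios name and shared-disk paths from Danny's config, replaces the pre-Samba-4 `winbind gid` key with `idmap config`, and assumes SSSD is removed from nsswitch/PAM; the idmap ranges, template shell and home directory are placeholders.

```ini
[global]
   workgroup = DOMAIN
   realm = DOMAIN.ORG
   security = ADS
   ; the join and secrets.tdb stay tied to the cluster's virtual name
   netbios name = my_virtual_hostname
   bind interfaces only = yes
   interfaces = my.virtual.IP.xxx
   kerberos method = secrets and keytab
   ; shared-disk state that fails over with the package
   log file = /export/SHARED_DISK/system/logs/log.%m
   lock directory = /export/SHARED_DISK/system/locks
   pid directory = /export/SHARED_DISK/system/locks
   ; 'winbind gid' is not a Samba 4 parameter; ID mapping uses 'idmap config'.
   ; The rid backend gives both nodes the same UID/GID for a given SID without
   ; depending on allocation state. Ranges are placeholders and must not overlap.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DOMAIN : backend = rid
   idmap config DOMAIN : range = 100000-300000
   ; winbind now supplies shell and home for SSH logins (placeholder values)
   template shell = /bin/bash
   template homedir = /home/%D/%U
   winbind use default domain = no
   winbind separator = +
   winbind refresh tickets = yes
   winbind offline logon = yes
   ; NTLMv1 stays off (Samba default); the original 'ntlm auth = yes' is only
   ; needed for legacy clients that cannot do NTLMv2 or Kerberos
   ntlm auth = no
   lanman auth = no
   client lanman auth = no
   map to guest = Bad User

[test1]
   path = /export/SHARED_DISK/test1
   comment = SMB test
   valid users = @"DOMAIN+MyAdGroupForThisShare"
   read only = no

; /etc/nsswitch.conf on both nodes, with 'sss' replaced by 'winbind':
;   passwd: files winbind
;   group:  files winbind
```

After `net ads join` with this config, `wbinfo -t` and `getent passwd DOMAIN+someuser` on each node confirm that the trust and the NSS lookups work through winbind alone.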