
Re: [Linux-cluster] What is the best method to assign file/folder rights for SAMBA cluster authenticating to AD?



In reply to: 
>>sorry for the late reply...

>>if you are still facing the problem.. I think I can help you
>>I am also having the same environment...

>>6 GPFS cluster nodes joined to 2003 ADS and
>>serving files for 800 machines in floor..

>>please reply
>>if you need help
>>regards
>>jerrynikky.

I have not taken the opportunity to modify my current config, yet. I wanted to read a little more about it. From what I can see, I just need to add the idmap backend = idmap_rid:AD=16777216-33554431 parameter, and it should have a consistent mapping of each AD user/group, across all of my servers. I have listed my smb.conf and smb.conf.share1 below. If you can look them over and let me know if they look ok, or post what works for you, I would really appreciate it. 

smb.conf:

# Global parameters
[global]
	workgroup = AD
	realm = ad.example.com
	netbios name = VirtualServer1
	netbios aliases = EServerT1
	interfaces = 192.168.100.103
	bind interfaces only = Yes
	security = ADS
	password server = 192.168.1.11
	username map = /etc/samba/smbusers
	use kerberos keytab = Yes
	log file = /var/log/samba/%m.log
	dns proxy = No
	lock directory = /var/cache/samba/tier1
	pid directory = /var/run/samba/tier1
	idmap uid = 16777216-33554431
	idmap gid = 16777216-33554431
	template shell = /bin/bash
	winbind use default domain = Yes
	winbind nested groups = Yes
	include = /etc/samba/smb.conf.share1


smb.conf.share1:

[global]
	workgroup = AD
	pid directory = /var/run/samba/share1
	lock directory = /var/cache/samba/share1
	log file = /var/log/samba/%m.log
	encrypt passwords = yes
	bind interfaces only = yes
#	netbios name = Server1
	netbios name = VirtualServer1
	printable = no
	security = ADS
	username map = /etc/samba/smbusers
	dns proxy = no
	idmap uid = 16777216-33554431
	idmap gid = 16777216-33554431
	template shell = /bin/bash
	winbind use default domain = yes
	winbind nested groups = yes
	password server = 192.168.1.11
	realm = AD.EXAMPLE.COM
	use kerberos keytab = yes
	guest ok = no

	#
	# Interfaces are based on ip resources at the top level of
	# "carpacs_share1_svc"; IPv6 addresses may or may not
	# work correctly.
	#
	interfaces = 192.168.100.103


[EServerT1]
#[VirtualServer1]
	workgroup = AD
	browseable = yes
	writeable = yes
	public = no
	path = /data/share1
	guest ok = no
	printable = no
	winbind nested groups = yes

If you have some information or config files you can share, but prefer not to do it in the list, feel free to email me directly. 

Thanks
Danny
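
Added example (not part of the original message, and not Samba source code): a simplified model of why a RID-based mapping stays identical on every cluster node while a per-node allocating table can hand the same AD account different IDs after failover. The range is the one from the posted smb.conf; the domain SID, the RIDs and all function and class names are constructed for illustration, and the formula is the one documented for idmap_rid (ID = RID - BASE_RID + LOW_RANGE_ID).

```python
LOW, HIGH = 16777216, 33554431    # idmap range from the posted smb.conf
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed


class AllocatingNode:
    """Simplified model of an allocating backend: each node hands out the
    next free ID from its own local table the first time it sees a SID."""

    def __init__(self, low=LOW, high=HIGH):
        self.low, self.high = low, high
        self.table = {}

    def sid_to_id(self, sid):
        if sid not in self.table:
            next_id = self.low + len(self.table)
            if next_id > self.high:
                raise ValueError("idmap range exhausted")
            self.table[sid] = next_id
        return self.table[sid]


def rid_sid_to_id(sid, domain_sid=DOMAIN_SID, low=LOW, high=HIGH, base_rid=0):
    """Algorithmic mapping: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the SID cannot be mapped."""
    prefix, _, rid_text = sid.rpartition("-")
    if prefix != domain_sid or not rid_text.isdigit():
        return None                       # other domain, or malformed SID
    rid = int(rid_text)
    if rid < base_rid:
        return None
    unix_id = rid - base_rid + low
    return unix_id if unix_id <= high else None   # outside the range


def divergent_sids(order_on_node1, order_on_node2):
    """SIDs whose ID differs between two allocating nodes that first saw
    the same accounts in a different order."""
    node1, node2 = AllocatingNode(), AllocatingNode()
    for sid in order_on_node1:
        node1.sid_to_id(sid)
    for sid in order_on_node2:
        node2.sid_to_id(sid)
    return sorted(s for s in node1.table if node1.table[s] != node2.table.get(s))


SIDS = [f"{DOMAIN_SID}-{rid}" for rid in (513, 1104, 1105)]   # constructed

if __name__ == "__main__":
    print("allocating tables disagree on:",
          divergent_sids(SIDS, list(reversed(SIDS))))
    for sid in SIDS:
        print("rid mapping on any node:", sid, "->", rid_sid_to_id(sid))
```

Files written with one node's IDs keep those numeric owners on the shared filesystem, so any account listed as divergent would see different ownership and group rights once the service moves to the other node.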


>>> linux-cluster-request redhat com 07/10/06 12:00 PM >>>
Today's Topics:

   1. Re: What is the best method to assign file/folder	rights for
      SAMBA cluster authenticating to AD? (updatemyself .)
   2. RE: will upgrade of kernel with up2date mess up myinstall
      from source? (Jie Gao)
   3. Re: will upgrade of kernel with up2date mess up	myinstall
      from source? (Cosimo Streppone)
   4. Re: newbie questions (Riaan van Niekerk)
   5. Re: two node cluster not coming up (Riaan van Niekerk)
   6. RE: replication (David Siroky)
   7. Re: newbie questions (Troels Arvin)
   8. Re: Re: newbie questions (Barry Brimer)


----------------------------------------------------------------------

Message: 1
Date: Mon, 10 Jul 2006 03:50:42 +0530
From: "updatemyself ." <updatemyself gmail com>
Subject: Re: [Linux-cluster] What is the best method to assign
	file/folder	rights for SAMBA cluster authenticating to AD?
To: "linux clustering" <linux-cluster redhat com>
Message-ID:
	<ab5b05b20607091520i7addf364ka82238d26f682546 mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

sorry for the late reply...

if you are still facing the problem.. I think I can help you
I am also having the same environment...

6 GPFS cluster nodes joined to 2003 ADS and
serving files for 800 machines in floor..

please reply
if you need help
regards
jerrynikky.

On 7/6/06, Danny Wall <Danny Wall health-first org> wrote:
>
> We had a Red Hat Rapid Service engagement to build a SAMBA cluster (2
> weeks ago). The clustering and GFS appear to be working fine. My problem is
> with the rights for the shared files and folders. I am currently using
> Kerberos (MIT), and my SAMBA servers are in the AD domain, although I am not
> 100% sure if I need to have the virtual cluster node imported in to AD. My
> experience with this is, on failover, the virtual node would have to be
> re-imported, probably due to AD trust issues.
>
> 1) My users are on Win2003 Server, Win200x and WinXP workstations, and
> they need to seamlessly access a UNC for the SAMBA server clusters. They are
> all authenticated to my Active Directory domain, which is currently Win2003
> Native mode. My SAMBA servers receive group and user info from AD, when I
> use wbinfo or getent, but I am unable to consistently assign the proper
> rights. I have tried using the MMC, NT Server Manager, and right clicking
> the folder from Windows. I have also tried changing the rights from the
> Linux console. The last method appears to work better, but is inconsistent.
> I think the inconsistency is related to problem #2, below.
>
> 2) When the server fails over, rights appear to change on the shared
> filesystem. I suspect this has to do with the GIDs being different on each
> server. I am new to clustering on Linux, and I am looking for the best
> method to accomplish this. I suspect I need to use idmap with winbind.
>
> Is there any documentation dealing with SAMBA clusters, in this scenario?
> I have a couple of SAMBA books (Official SAMBA 2 HOWTO and Reference) which
> I am reading through, and have been helpful, but I have not found anything
> specifically addressing this need. In the Red Hat documentation, I have only
> found minimal info on SAMBA in a cluster, not using AD authentication and
> rights, or establishing the rights on a shared filesystem.  Thanks in
> advance.
>
> Danny
>
> ##############################################################
> This message is for the named person's use only.  It may
> contain confidential, proprietary, or legally privileged
> information.  No confidentiality or privilege is waived or
> lost by any mistransmission.  If you receive this message
> in error, please immediately delete it and all copies of it
> from your system, destroy any hard copies of it, and notify
> the sender.  You must not, directly or indirectly, use,
> disclose, distribute, print, or copy any part of this message
> if you are not the intended recipient.  Health First reserves
> the right to monitor all e-mail communications through its
> networks.  Any views or opinions expressed in this message
> are solely those of the individual sender, except (1) where
> the message states such views or opinions are on behalf of
> a particular entity;  and (2) the sender is authorized by
> the entity to give such views or opinions.
> ##############################################################
>
> --
> Linux-cluster mailing list
> Linux-cluster redhat com 
> https://www.redhat.com/mailman/listinfo/linux-cluster 
>

------------------------------

Message: 2
Date: Mon, 10 Jul 2006 11:08:44 +1000 (EST)
From: Jie Gao <J Gao isu usyd edu au>
Subject: RE: [Linux-cluster] will upgrade of kernel with up2date mess
	up myinstall from source?
To: linux clustering <linux-cluster redhat com>
Message-ID: <Pine GSO 4 58 0607101105200 16234 banquo ucc usyd edu au>
Content-Type: TEXT/PLAIN; charset=US-ASCII




On Fri, 7 Jul 2006, Kovacs, Corey J. wrote:

> Date: Fri, 7 Jul 2006 07:29:31 -0400
> From: "Kovacs, Corey J." <cjk techma com>
> Reply-To: linux clustering <linux-cluster redhat com>
> To: linux clustering <linux-cluster redhat com>
> Subject: RE: [Linux-cluster] will upgrade of kernel with up2date mess up
>     myinstall from source?
>
> First I've heard of this, can you elaborate? What do you mean
> it's "broken as far as clustering is concerned" ?  Is it just
> that the stock GFS/CS RPM's are out of sync or is there something
> bad happening?

The cluster rpms are installed under kernel-specific trees. The new
kernel does not look into those locations to find the clustering modules.

Just noticed there is another kernel update available a moment ago...

Regards,



Jie

>
> Corey
>
> -----Original Message-----
> From: linux-cluster-bounces redhat com 
> [mailto:linux-cluster-bounces redhat com] On Behalf Of Jie Gao
> Sent: Thursday, July 06, 2006 9:01 PM
> To: linux clustering
> Subject: Re: [Linux-cluster] will upgrade of kernel with up2date mess up
> myinstall from source?
>
>
>
>
> On Thu, 6 Jul 2006, Jason wrote:
>
> > Date: Thu, 6 Jul 2006 20:55:17 -0400
> > From: Jason <jason monsterjam org>
> > Reply-To: linux clustering <linux-cluster redhat com>
> > To: Linux-cluster redhat com 
> > Subject: [Linux-cluster] will upgrade of kernel with up2date mess up my
> >     install from source?
> >
> > so I notice that up2date wants to update the kernel and friends to
> > 2.6.9-34.0.1
> >
> > If I do that, will I have to recompile all my rpms? like GFS,
> > cman-kernel, dlm-kernel, etc?? I'm guessing yes, but just want to make sure.
>
> Yes. 2.6.9-34.0.1 is broken as far as clustering is concerned.
>
> There is a workaround, but you wouldn't want to do it that way.
>
> Regards,
>
>
>
> Jie
>
>



------------------------------

Message: 3
Date: Mon, 10 Jul 2006 08:49:26 +0200
From: Cosimo Streppone <cosimo streppone it>
Subject: Re: [Linux-cluster] will upgrade of kernel with up2date mess
	up	myinstall from source?
To: linux clustering <linux-cluster redhat com>
Message-ID: <44B1F876 1050207 streppone it>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Kovacs, Corey J. wrote:

>> [...]
>> Yes. 2.6.9-34.0.1 is broken as far as clustering is concerned.
>> There is a workaround, but you wouldn't want to do it that way.
>> Regards,
>
> First I've heard of this, can you elaborate? What do you mean
> it's "broken as far as clustering is concerned" ?  Is it just 
> that the stock GFS/CS RPM's are out of sync or is there something
> bad happening?

For my case, I upgraded a RHEL4U3 + CS4 machine with the
latest kernel (and all other packages, as suggested by the
RH tech support) and it failed at the next reboot with
upgraded kernel (2.6.9-34.0.1.ELsmp).

I opened a service request and we are still trying to
understand why that happened...

-- 
Cosimo



------------------------------

Message: 4
Date: Mon, 10 Jul 2006 10:42:59 +0200
From: Riaan van Niekerk <riaan obsidian co za>
Subject: Re: [Linux-cluster] newbie questions
To: linux clustering <linux-cluster redhat com>
Message-ID: <44B21313 3010108 obsidian co za>
Content-Type: text/plain; charset="iso-8859-1"

> 
> That brings me to an important point - the apache init script doesn't 
> follow whatever standard RedHat init script are supposed to follow 
> (there's a thread about this that I was involved in 6-9 months back), 
> with respect to the status command.  At least, it didn't at the time, 
> maybe they've fixed it (I hope, by now).  The stop action return(s/ed) 
> non-zero (failure) if apache wasn't running.  If the cluster manager 
> thinks that service was failed, it will first try to stop it before 
> starting it.  If the apache script returns failure on the attempt to 
> stop it because it was stopped already, then the cluster manager will 
> think something's wrong and never try to start it.  The upshot of which 
> is, you have to hack the init script to make it return 0 in this 
> situation.  I took the copout approach of just forcing it to always 
> return 0:

Is this a problem with the Apache init script or with the rgmanager 
logic? The same thing happens no matter which service you run: vsftpd, 
sendmail (I just checked these additional two).

I haven't checked LSB (or whatever is the standard which init scripts 
need to conform to) but as far as I understand it, you will get non-zero 
exit code if you try to stop an already stopped service, which confuses 
the heck out of rgmanager and requires that you (a) start the service 
(e.g. apache) manually. (b) disable it via clusvcadm or GUI (c) enable 
it via clusvcadm or GUI.

This recovery sequence makes no sense to me (nor does rgmanager / 
clusvcadm's logic)

Riaan

------------------------------

Message: 5
Date: Mon, 10 Jul 2006 10:49:52 +0200
From: Riaan van Niekerk <riaan obsidian co za>
Subject: Re: [Linux-cluster] two node cluster not coming up
To: linux clustering <linux-cluster redhat com>
Message-ID: <44B214B0 7070403 obsidian co za>
Content-Type: text/plain; charset="iso-8859-1"

Kovacs, Corey J. wrote:
> Just a thought, this sounds like what happens when the /etc/hosts file is 
> not setup correctly.  If the hostname of the machines is in the loopback 
> line, then take it out and put a proper entry in. I still fail to understand
> why the installer doesn't add a proper entry when first installed if a
> network interface is indeed configured. That's another issue tho.
> 

I think the installer does this if DNS for the new host is not setup 
properly.
e.g. if it cannot forward lookup the entry for newhost.example.com it 
adds an entry for newhost to the localhost entry.

------------------------------

Message: 6
Date: Mon, 10 Jul 2006 11:48:15 +0200
From: David Siroky <ml dasir net>
Subject: RE: [Linux-cluster] replication
To: linux clustering <linux-cluster redhat com>
Message-ID: <1152524895 7166 2 camel localhost>
Content-Type: text/plain; charset=UTF-8

Olivier Crête wrote on Fri 07. 07. 2006 at 13:06 -0400:
> On Fri, 2006-07-07 at 17:19 +0200, David Siroky wrote:
> > I didn't describe my plan very well.
> > 
> > Let's look at this scenario:
> > Now I have 1 server which is placed in a serverhousing company. Till now
> > every problem with service interruption was a connection problem in the
> > serverhousing company so the server (and its services) was sometimes
> > unreachable even if the server was in a good shape and running. So now I
> > would like to solve this by placing 3 servers in 3 serverhousing
> > companies geographically spread. In this way I can't use SAN.
> 
> Can't you just have a cron job that uses rsync to update the data in the
> 2 other servers from the master? 
> 
> 

This is asynchronous replication and it can cause data
inconsistency/corruption when connection between servers is broken.



------------------------------

Message: 7
Date: Mon, 10 Jul 2006 14:56:10 +0200
From: Troels Arvin <troels arvin dk>
Subject: [Linux-cluster] Re: newbie questions
To: linux-cluster redhat com 
Message-ID: <pan 2006 07 10 12 56 10 266000 arvin dk>
Content-Type: text/plain; charset=ISO-8859-1

On Mon, 10 Jul 2006 10:42:59 +0200, Riaan van Niekerk wrote:
> Is this a problem with the Apache init script or with the rgmanager 
> logic? The same thing happens no matter which service you run: vsftpd, 
> sendmail (I just checked these additional two).

It's a problem with all init scripts that I've tried using as scripts in
the cluster management system. I've had to adjust all of them... :-(

-- 
Greetings from Troels Arvin




------------------------------

Message: 8
Date: Mon, 10 Jul 2006 08:19:58 -0500 (CDT)
From: Barry Brimer <lists brimer org>
Subject: Re: [Linux-cluster] Re: newbie questions
To: linux clustering <linux-cluster redhat com>
Message-ID: <Pine LNX 4 61 0607100818120 25744 localhost localdomain>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

> On Mon, 10 Jul 2006 10:42:59 +0200, Riaan van Niekerk wrote:
>> Is this a problem with the Apache init script or with the rgmanager
>> logic? The same thing happens no matter which service you run: vsftpd,
>> sendmail (I just checked these additional two).
>
> It's a problem with all init scripts that I've tried using as scripts in
> the cluster management system. I've had to adjust all of them... :-(

Another possibility is to modify the /etc/rc.d/init.d/functions so it 
produces the desired output.



------------------------------


End of Linux-cluster Digest, Vol 27, Issue 8
********************************************

