Bug 10565 - Samba not using private dir
Samba not using private dir
Status: RESOLVED WONTFIX
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Clustering
4.1.7
x64 Linux
: P5 regression
: ---
Assigned To: Volker Lendecke
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-04-25 13:35 UTC by Jonn Taylor
Modified: 2014-04-28 03:24 UTC (History)
1 user (show)

See Also:


Attachments
/etc/sysconfig/ctdb config file (11.81 KB, application/octet-stream)
2014-04-25 13:35 UTC, Jonn Taylor
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jonn Taylor 2014-04-25 13:35:01 UTC
Created attachment 9871 [details]
/etc/sysconfig/ctdb config file

Using sernet 4.1 packages. I am unable to get smbd/winbind to use private dir. Set option in smb.conf and on command line does not work. Using latest CTDB build. Samba continues to use /var/lib/samba as private dir.

sernet-samba-libsmbclient0-4.1.7-7.el6.x86_64
sernet-samba-libs-4.1.7-7.el6.x86_64
sernet-samba-client-4.1.7-7.el6.x86_64
sernet-samba-4.1.7-7.el6.x86_64
sernet-samba-common-4.1.7-7.el6.x86_64
sernet-samba-winbind-4.1.7-7.el6.x86_64

[global]
        workgroup = TAYLORTELEPHONE
        realm = TAYLORTELEPHONE.COM
        netbios name = SHR01
        server string = Cluster Share
        interfaces = eth0, lo
        security = ADS
        private dir = /clusterdata/private
        log file = /var/log/samba/log.samba
        server min protocol = NT1
        client signing = if_required
        server signing = if_required
        clustering = Yes
        printcap name = /etc/printcap
        wins server = 192.168.173.13, 192.168.173.14
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        winbind offline logon = Yes
        idmap config * : schema_mode = rfc2307
        idmap config TAYLORTELEPHONE:backend = rid
        idmap config TAYLORTELEPHONE:range = 500-4000000
        idmap config * : range = 1000-4000000
        idmap config * : backend = tdb2
        admin users = "@TAYLORTELEPHONE\Domain Admins"
        inherit acls = Yes
        map acl inherit = Yes

# SAMBA_START_MODE defines how Samba should be started. Valid options are one of
#   "none"    to not enable it at all,
#   "classic" to use the classic smbd/nmbd/winbind daemons
#   "ad"      to use the Active Directory server (which starts the smbd on its own)
# (Be aware that you also need to enable the services/init scripts that
# automatically start up the desired daemons.)
SAMBA_START_MODE="classic"

# SAMBA_RESTART_ON_UPDATE defines if the the services should be restarted when
# the RPMs are updated. Setting this to "yes" effectively enables the
# functionality of the try-restart parameter of the init scripts.
SAMBA_RESTART_ON_UPDATE="yes"

# NMBD_EXTRA_OPTS may contain extra options that are passed as additional
# arguments to the nmbd daemon
NMBD_EXTRA_OPTS=""

# WINBINDD_EXTRA_OPTS may contain extra options that are passed as additional
# arguments to the winbindd daemon
WINBINDD_EXTRA_OPTS=""

# SMBD_EXTRA_OPTS may contain extra options that are passed as additional
# arguments to the smbd daemon
SMBD_EXTRA_OPTS="private-dir=/clusterdata/private"

# SAMBA_EXTRA_OPTS may contain extra options that are passed as additional
# arguments to the samba daemon
SAMBA_EXTRA_OPTS=""

# SAMBA_IGNORE_NSUPDATE_G defines whether the samba daemon should be started
# when 'nsupdate -g' is not available. Setting this to "yes" would mean that
# samba will be started even without 'nsupdate -g'. This will lead to severe
# problems without a proper workaround!
SAMBA_IGNORE_NSUPDATE_G="no"
Comment 1 Björn Baumbach 2014-04-25 14:12:50 UTC
In the clustering case the private dir is insignificant. The significant directories can be set in the sysconfig/ctdb file. For example via CTDB_DBDIR, this shouldn't be your cluster filesystem, in contrast to the reclock file.
Comment 2 Jonn Taylor 2014-04-25 14:16:35 UTC
The problem is winbind is not sharing the same files between the clusters and then I get one that will not auth users.
Comment 3 Volker Lendecke 2014-04-25 14:21:18 UTC
With

ctdb:secrets.tdb = false

you can have individual secrets.tdb files per node. For these winbind should respect the private dir again.
Comment 4 Jonn Taylor 2014-04-25 14:35:19 UTC
I am just looking to get the 3.6 behaviour back. I had this same setup and it worked very well for many years.
Comment 5 Jonn Taylor 2014-04-25 14:39:09 UTC
(In reply to comment #3)
> With
> 
> ctdb:secrets.tdb = false
> 
> you can have individual secrets.tdb files per node. For these winbind should
> respect the private dir again.

That option is not in any of the man pages.
Comment 6 Volker Lendecke 2014-04-25 14:42:52 UTC
3.6 with clustering did obey "private dir"?
Comment 7 Volker Lendecke 2014-04-25 14:44:11 UTC
(In reply to comment #5)
> That option is not in any of the man pages.

Can you try it nevertheless, or do you want us to document it properly first before you give it a try?
Comment 8 Jonn Taylor 2014-04-25 15:03:02 UTC
This what my private dir looks like now.

[root@node2 ~]# ls -al /clusterdata/private/
total 432
drwxr-xr-x  2 root root   3864 Apr 25 09:59 .
drwxr-xr-x 20 root root   3864 Apr 23 16:09 ..
-rw-------  1 root root 430080 Apr 25 09:57 secrets.tdb
[root@node2 ~]# 

Is it normal to have to join each node to the domain before winbind will work correctly?

This is what I had before we upgraded to 4.1.
total 2212
drwxr-xr-x  5 root root   4096 Apr  2 12:49 .
drwxr-xr-x 18 root root   4096 Apr  8 13:15 ..
-rw-------  1 root root  16384 Mar 26 09:33 account_policy.tdb
-rw-r--r--  1 root root  40200 Apr  2 12:49 brlock.tdb
-rw-r--r--  1 root root 114688 Apr  2 12:44 connections.tdb
-rw-------  1 root root  16384 Apr  2 12:52 dbwrap_watchers.tdb
-rw-r--r--  1 root root 425984 Apr  2 16:57 gencache_notrans.tdb
-rw-r--r--  1 root root  57344 Apr  2 16:57 gencache.tdb
-rw-------  1 root root    696 Mar 26 09:30 group_mapping.tdb
-rw-r--r--  1 root root 950272 Apr  2 15:22 locking.tdb
-rw-------  1 root root  16384 Apr  2 16:57 messages.tdb
-rw-------  1 root root    696 Apr  2 16:57 mutex.tdb
-rw-------  1 root root  61440 Apr  2 15:21 netsamlogon_cache.tdb
-rw-r--r--  1 root root    696 Apr  2 12:49 notify_index.tdb
-rw-r--r--  1 root root    696 Mar 26 20:39 notify_onelevel.tdb
-rw-r--r--  1 root root    696 Apr  2 16:51 notify.tdb
-rw-r--r--  1 root root  12288 Apr  2 15:13 printer_list.tdb
drwxr-xr-x  2 root root   4096 Mar 26 09:34 printing
-rw-------  1 root root  49152 Mar 26 09:34 registry.tdb
-rw-r--r--  1 root root    696 Apr  2 16:51 serverid.tdb
-rw-r--r--  1 root root 204800 Apr  2 12:44 sessionid.tdb
-rw-------  1 root root  16384 Mar 26 09:33 share_info.tdb
drwxr-xr-x  2 root root   4096 Apr  2 12:49 smb_krb5
-rw-------  1 root root  28672 Apr  2 15:22 smbXsrv_open_global.tdb
-rw-------  1 root root  32768 Apr  2 15:22 smbXsrv_session_global.tdb
-rw-------  1 root root  16384 Apr  2 15:22 smbXsrv_tcon_global.tdb
-rw-------  1 root root  16384 Apr  2 12:49 smbXsrv_version_global.tdb
-rw-------  1 root root  45056 Apr  2 12:44 winbindd_cache.tdb
-rw-------  1 root root  36864 Mar 26 20:39 winbindd_cache.tdb.bak
-rw-------  1 root root  36864 Mar 26 20:36 winbindd_cache.tdb.bak.old
drwxr-x---  2 root root   4096 Mar 26 20:39 winbindd_privileged
Comment 9 Volker Lendecke 2014-04-25 15:06:41 UTC
My guess would be that you did not have clustering compiled into 3.6
Comment 10 Volker Lendecke 2014-04-25 15:07:48 UTC
(In reply to comment #8)

> Is it normal to have to join each node to the domain before winbind will work
> correctly?

No, it is not. That's the whole point of sharing the secrets.tdb.

Volker
Comment 11 Jonn Taylor 2014-04-25 15:08:53 UTC
(In reply to comment #9)
> My guess would be that you did not have clustering compiled into 3.6

Yes, I was using the sernet packages for samba 3.6 and ctdb.
Comment 12 Volker Lendecke 2014-04-25 15:13:11 UTC
(In reply to comment #11)
> (In reply to comment #9)
> > My guess would be that you did not have clustering compiled into 3.6
> 
> Yes, I was using the sernet packages for samba 3.6 and ctdb.

Ok, this is really weird. "clustering = yes" gave you per-node tdb files? Something must have been severely broken in those packages. I don't get it.

Let's get back to the start: What do you want to achieve? Do you want to share the tdb files for a common SMB export space, or do you not want to share tdb files, having separate instances?
Comment 13 Jonn Taylor 2014-04-25 15:19:45 UTC
(In reply to comment #12)
> (In reply to comment #11)
> > (In reply to comment #9)
> > > My guess would be that you did not have clustering compiled into 3.6
> > 
> > Yes, I was using the sernet packages for samba 3.6 and ctdb.
> 
> Ok, this is really weird. "clustering = yes" gave you per-node tdb files?
> Something must have been severely broken in those packages. I don't get it.
> 
> Let's get back to the start: What do you want to achieve? Do you want to share
> the tdb files for a common SMB export space, or do you not want to share tdb
> files, having separate instances?

I need a properly working 2 node ctdb cluster with samba 4.1. The file system is DRBD, GFS2, Pacemaker and corosync. Authentication is AD 2008R2. The cluster is for sharing files, home dir and profiles.
Comment 14 Jonn Taylor 2014-04-25 15:22:20 UTC
(In reply to comment #13)
> (In reply to comment #12)
> > (In reply to comment #11)
> > > (In reply to comment #9)
> > > > My guess would be that you did not have clustering compiled into 3.6
> > > 
> > > Yes, I was using the sernet packages for samba 3.6 and ctdb.
> > 
> > Ok, this is really weird. "clustering = yes" gave you per-node tdb files?
> > Something must have been severely broken in those packages. I don't get it.
> > 
> > Let's get back to the start: What do you want to achieve? Do you want to share
> > the tdb files for a common SMB export space, or do you not want to share tdb
> > files, having separate instances?
> 
> I need a properly working 2 node ctdb cluster with samba 4.1. The file system
> is DRBD, GFS2, Pacemaker and corosync. Authentication is AD 2008R2. The cluster
> is for sharing files, home dir and profiles.

This was the original setup that worked very well.

http://www.howtoforge.com/setting-up-an-active-active-samba-ctdb-cluster-using-gfs-and-drbd-centos-5.5

We moved to CentOS 6 and DRBD 8.4. This cluster also holds the shared storage for our xenserver pools via nfs.
Comment 15 Volker Lendecke 2014-04-25 15:27:40 UTC
I think this is going beyond what we can do in bugzilla here. Björn is right in that "private dir" is ignored in cluster mode, and this is by design. So it is correct to close this bug as "WORKSFORME". Further support can be found on the mailing lists such as samba@samba.org or if you want a commercial offering, take a look at http://www.samba.org/samba/support/
Comment 16 Jonn Taylor 2014-04-25 15:32:15 UTC
Still think this way be a bug because if I use this setup from http://wiki.samba.org/index.php/Samba_CTDB_GPFS_Cluster_HowTo it does not work either.
Comment 17 Volker Lendecke 2014-04-26 04:55:01 UTC
With clustering, it is by design that "private dir" is ignored.