Pacemaker cluster running Samba as a member of a Windows Domain (Direct Integration)
General Notes
This section briefly describes the major topics and resources used to make a Pacemaker cluster running Samba a member of a Windows domain (Direct Integration).
As seen in the referenced source, these are the instructions for Active Directory integration:
- Set `netbios name` in smb.conf to the name you want your Samba resource to have (make sure it is the same on all nodes).
- On whichever node is currently running the Samba resource, join the AD domain (`net ads join`, etc.; refer to the Samba documentation for specifics).
- That Samba instance should now be a member of the AD domain, and also be in the DNS (assuming your AD server is your DNS server).
- Edit the DNS on the AD server and remove the node's physical IP address (only the virtual IP should be associated with the name).
- This gives your resource a "virtual name" (to use the MSCS term).
As seen in `man idmap_tdb2`:
Samba's idmap_tdb2 Backend for Winbind
The idmap_tdb2 plugin is a substitute for the default idmap_tdb backend used by winbindd for storing SID/uid/gid mapping tables in clustered environments with Samba and CTDB.
And these are the related resources:
```
[root@host1 ~]# pcs resource describe ocf:heartbeat:CTDB
ctdb_manages_samba: Should CTDB manage starting/stopping the Samba service for you? This will be deprecated in future, in favor of configuring a separate Samba resource.
ctdb_manages_winbind: Should CTDB manage starting/stopping the Winbind service for you? This will be deprecated in future, in favor of configuring a separate Winbind resource.

[root@host2 ~]# pcs resource describe systemd:smb
systemd:smb - systemd unit file for smb
Cluster Controlled smb

[root@host2 ~]# pcs resource describe systemd:winbind
systemd:winbind - systemd unit file for winbind
Cluster Controlled winbind

[root@host2 ~]# pcs resource describe systemd:nmb
systemd:nmb - systemd unit file for nmb
Samba NMB Daemon
```
Test Environment
Below is a list of the VMs used, along with their configured IP addresses:
Host | CIDR | Description |
---|---|---|
storage.hacluster.mylab.local | 192.168.100.100/24 | One RHEL 7.4 system providing storage |
storage.hacluster.mylab.local | 192.168.122.100/24 | Secondary IP for multipath |
host1.hacluster.mylab.local | 192.168.100.101/24 | Node 1 of the HA Pacemaker cluster, with iSCSI/multipath/GFS2 in place |
host1.hacluster.mylab.local | 192.168.122.101/24 | Secondary IP for multipath |
host2.hacluster.mylab.local | 192.168.100.102/24 | Node 2 of the HA Pacemaker cluster, with iSCSI/multipath/GFS2 in place |
host2.hacluster.mylab.local | 192.168.122.102/24 | Secondary IP for multipath |
win2k12r2.hacluster.mylab.local | 192.168.100.120/24 | A Windows 2012 DC |
Prerequisites
The following section mentions only:
a. the prerequisites for a highly available file system that Samba will use, and
b. a brief overview of the expected results.
(The HA cluster installation and the storage configuration are intentionally not covered, as they are out of the scope of this article.)
More specifically:
- iSCSI and multipath have been used,
- clustered LVM has been set up on top of them, and
- on top of that, a GFS2 clustered partition has been created and mounted under /mnt/gfs2share.
```
[ALL ~]# iscsiadm -m session -P 3 | grep -A 4 'Attached SCSI'
Attached SCSI devices:
************************
Host Number: 2 State: running
scsi2 Channel 00 Id 0 Lun: 0
Attached scsi disk sda State: running
--
Attached SCSI devices:
************************
Host Number: 3 State: running
scsi3 Channel 00 Id 0 Lun: 0
Attached scsi disk sdb State: running

[ALL ~]# multipath -ll
mpatha (360014057e06a97069f24891b988fbd20) dm-2 LIO-ORG ,block1
size=20G features='0' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=1 status=active
| `- 2:0:0:0 sda 8:0  active ready running
`-+- policy='service-time 0' prio=1 status=enabled
  `- 3:0:0:0 sdb 8:16 active ready running

[ALL ~]# lsblk
NAME                      MAJ:MIN RM SIZE RO TYPE  MOUNTPOINT
sda                         8:0    0  20G  0 disk
└─mpatha                  253:2    0  20G  0 mpath
  └─cluster_vg-cluster_lv 253:3    0   5G  0 lvm   /mnt/gfs2share
sdb                         8:16   0  20G  0 disk
└─mpatha                  253:2    0  20G  0 mpath
  └─cluster_vg-cluster_lv 253:3    0   5G  0 lvm   /mnt/gfs2share

[ALL ~]# mount | grep gfs2share
/dev/mapper/cluster_vg-cluster_lv on /mnt/gfs2share type gfs2 (rw,noatime)
```
Basic configuration
RPMs & Units
```
[ALL ~]# yum install samba ctdb cifs-utils samba-client samba-winbind samba-winbind-clients krb5-workstation
[ALL ~]# systemctl stop ctdb; systemctl stop smb; systemctl stop nmb; systemctl stop winbind
[ALL ~]# systemctl disable ctdb; systemctl disable smb; systemctl disable nmb; systemctl disable winbind
```
Config files
```
[ALL ~]# cat << 'END' > /etc/samba/smb.conf
[global]
netbios name = idmcluster
workgroup = hacluster
; the quoted heredoc delimiter ('END') keeps the shell from expanding $HOSTNAME in the next line
; server string = idmcluster - %$HOSTNAME
realm = HACLUSTER.MYLAB.LOCAL
security = ADS
## winbind options ##
idmap config * : backend = tdb2
idmap config * : range = 1000000-19999999
idmap config * : rangesize = 1000000
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = No
; winbind use default domain = Yes
winbind separator = +
## kerberos ##
dedicated keytab file = FILE:/mnt/gfs2share/krb5.keytab
;kerberos method = dedicated keytab
kerberos method = secrets and keytab
## user related options ##
template homedir = /home/%D/%U
template shell = /bin/bash
## cluster-related ##
clustering = yes
ctdbd socket = /var/run/ctdb/ctdbd.socket
## logs-related ##
log level = 1
debug pid = true
max log size = 0
END
```
```
[ALL ~]# cat << 'END' > /etc/krb5.conf
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_keytab_name = /mnt/gfs2share/krb5.keytab
# dns_lookup_realm = true
# dns_lookup_kdc = true
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = HACLUSTER.MYLAB.LOCAL

[realms]
# Define only if DNS lookups are not working
 HACLUSTER.MYLAB.LOCAL = {
  kdc = win2k12r2.hacluster.mylab.local
  admin_server = win2k12r2.hacluster.mylab.local
  default_domain = hacluster.mylab.local
 }

[domain_realm]
# Define only if DNS lookups are not working
 .hacluster.mylab.local = HACLUSTER.MYLAB.LOCAL
 hacluster.mylab.local = HACLUSTER.MYLAB.LOCAL
END

[ALL ~]# cat << 'END' > /etc/ctdb/nodes
192.168.100.101
192.168.100.102
END

[ALL ~]# cat << 'END' > /etc/ctdb/public_addresses
192.168.100.251/24 ens9
192.168.100.252/24 ens9
END
```
Defining the resources
```
[root@host1 ~]# mkdir -p /mnt/gfs2share/ctdb
[root@host1 ~]# pcs resource create ctdb ocf:heartbeat:CTDB \
    ctdb_socket="/var/run/ctdb/ctdbd.socket" \
    ctdb_recovery_lock="/mnt/gfs2share/ctdb/ctdb.lock" \
    ctdb_dbdir="/var/lib/ctdb" \
    ctdb_logfile="/var/log/log.ctdb" \
    ctdb_debuglevel=1 \
    ctdb_manages_samba="no" \
    ctdb_manages_winbind="no" \
    op monitor interval=10 timeout=30 \
    op start timeout=90 op stop timeout=100 \
    clone
[root@host1 ~]# pcs resource create samba systemd:smb --group hasmbshare
[root@host1 ~]# pcs resource create winbind systemd:winbind --group hasmbshare
[root@host1 ~]# pcs resource create nmb systemd:nmb --group hasmbshare
[root@host1 ~]# pcs resource clone hasmbshare
[root@host1 ~]# pcs constraint order clusterfs-clone then ctdb-clone
[root@host1 ~]# pcs constraint colocation add ctdb-clone with clusterfs-clone
[root@host1 ~]# pcs constraint order ctdb-clone then hasmbshare-clone
[root@host1 ~]# pcs constraint colocation add hasmbshare-clone with ctdb-clone
```
Direct Integration
Joining to the Domain
```
[root@host1 ~]# net ads join -w HACLUSTER -S win2k12r2.hacluster.mylab.local -U administrator
```
_or_
```
[root@host1 ~]# kinit administrator
Password for administrator@HACLUSTER.MYLAB.LOCAL:
[root@host1 ~]#
[root@host1 ~]# net ads join -w HACLUSTER -S win2k12r2.hacluster.mylab.local -k
Using short domain name -- HACLUSTER
Joined 'IDMCLUSTER' to dns domain 'hacluster.mylab.local'
Not doing automatic DNS update in a clustered setup.
```
```
[root@host1 ~]# net ads keytab add cifs -U administrator
```
_or_
```
[root@host1 ~]# kinit administrator
Password for administrator@HACLUSTER.MYLAB.LOCAL:
[root@host1 ~]#
[root@host1 ~]# net ads keytab add cifs -k
Processing principals to add...
[root@host1 ~]#
```
Defining the users & the collab folder
```
[ALL ~]# authconfig --enablewinbind --enablewinbindauth --enablemkhomedir --disablesssd --disablesssdauth --update
[root@host1 ~]# mkdir -p /mnt/gfs2share/domain_share
[root@host1 ~]# chown root:"HACLUSTER+domain users" /mnt/gfs2share/domain_share/
[root@host1 ~]# chmod 770 /mnt/gfs2share/domain_share/
[root@host1 ~]# ls -ld /mnt/gfs2share/domain_share/
drwxrwx--- 2 root HACLUSTER+domain users 3864 Dec 20 15:10 /mnt/gfs2share/domain_share
[root@host1 ~]#

[ALL ~]# cat << 'END' >> /etc/samba/smb.conf
[domain_share]
path = /mnt/gfs2share/domain_share
; guest ok = yes
valid users = "@HACLUSTER+domain users"
read only = no
END

[root@host1 ~]# pcs resource restart hasmbshare-clone
```
Expected results
Cluster status
```
[root@host2 ~]# pcs status
Cluster name: idmcluster
Stack: corosync
Current DC: host2.hacluster.mylab.local (version 1.1.16-12.el7_4.7-94ff4df) - partition with quorum
Last updated: Sat Mar 3 11:58:27 2018
Last change: Sat Mar 3 11:30:13 2018 by hacluster via crmd on host2.hacluster.mylab.local

2 nodes configured
15 resources configured

Online: [ host1.hacluster.mylab.local host2.hacluster.mylab.local ]

Full list of resources:

 fence_host1    (stonith:fence_xvm):    Started host2.hacluster.mylab.local
 fence_host2    (stonith:fence_xvm):    Started host1.hacluster.mylab.local
 Clone Set: dlm-clone [dlm]
     Started: [ host1.hacluster.mylab.local host2.hacluster.mylab.local ]
 Clone Set: clvmd-clone [clvmd]
     Started: [ host1.hacluster.mylab.local host2.hacluster.mylab.local ]
 fence_all_scsi (stonith:fence_scsi):   Started host2.hacluster.mylab.local
 Clone Set: clusterfs-clone [clusterfs]
     Started: [ host1.hacluster.mylab.local host2.hacluster.mylab.local ]
 Clone Set: ctdb-clone [ctdb]
     Started: [ host1.hacluster.mylab.local host2.hacluster.mylab.local ]
 Clone Set: hasmbshare-clone [hasmbshare]
     Started: [ host1.hacluster.mylab.local host2.hacluster.mylab.local ]

Daemon Status:
  corosync: active/enabled
  pacemaker: active/enabled
  pcsd: active/enabled
[root@host2 ~]#
```
Samba status
```
[root@host1 ~]# ctdb nodestatus
Number of nodes:2
pnn:0 192.168.100.101 OK (THIS NODE)
pnn:1 192.168.100.102 OK

[root@host1 ~]# ctdb ip
Public IPs on node 0
192.168.100.251 1
192.168.100.252 0

[root@host1 ~]# ip add | grep 25[1-2]
    inet 192.168.100.252/24 brd 192.168.100.255 scope global secondary ens9
[root@host2 ~]# ip add | grep 25[1-2]
    inet 192.168.100.251/24 brd 192.168.100.255 scope global secondary ens9

[root@host1 ~]# nslookup idmcluster.hacluster.mylab.local
Server:   192.168.100.120
Address:  192.168.100.120#53

Name:     idmcluster.hacluster.mylab.local
Address:  192.168.100.251
Name:     idmcluster.hacluster.mylab.local
Address:  192.168.100.252
[root@host1 ~]#
```
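The fourth integration step above (only the virtual IPs, never a node's physical address, may be behind the virtual name) and the `ctdb ip` / `nslookup` output just shown can be checked together. The following is an added Python example, not part of the original article or of CTDB/Samba; the sample outputs are constructed from the page's own values and the function names are my own.

```python
import re
# Constructed sample in the format "ctdb ip" prints above: public IP, then hosting pnn
CTDB_IP_OUTPUT = """Public IPs on node 0
192.168.100.251 1
192.168.100.252 0
"""
# Constructed sample in the format "nslookup" prints above for the virtual name
NSLOOKUP_OUTPUT = """Server: 192.168.100.120
Address: 192.168.100.120#53

Name: idmcluster.hacluster.mylab.local
Address: 192.168.100.251
Name: idmcluster.hacluster.mylab.local
Address: 192.168.100.252
"""
VIRTUAL_NAME = "idmcluster.hacluster.mylab.local"
# Physical node addresses, as listed in /etc/ctdb/nodes above
NODE_IPS = {"192.168.100.101", "192.168.100.102"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_ctdb_ip(text):
    """Map each CTDB public IP to the pnn hosting it (-1 means unassigned)."""
    hosting = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and IPV4.match(parts[0]):
            hosting[parts[0]] = int(parts[1])
    return hosting

def parse_nslookup(text, name):
    """A records printed for 'name'; the resolver's own Address: line is skipped."""
    addrs, current = [], None
    for line in text.splitlines():
        if line.startswith("Name:"):
            current = line.split(None, 1)[1].strip()
        elif line.startswith("Address:") and current == name:
            addrs.append(line.split(None, 1)[1].strip())
    return addrs

def check_virtual_name(ctdb_ip_text, nslookup_text, name, node_ips):
    """List problems with the virtual name; an empty list means DNS and CTDB agree."""
    hosting = parse_ctdb_ip(ctdb_ip_text)
    problems = [f"public IP {ip} is not hosted by any node"
                for ip, pnn in hosting.items() if pnn < 0]
    for ip in parse_nslookup(nslookup_text, name):
        if ip in node_ips:
            problems.append(f"{name} still resolves to physical node IP {ip}")
        elif ip not in hosting:
            problems.append(f"{name} resolves to {ip}, which is not a CTDB public address")
    return problems
```

On a live node, feed it the real output of `ctdb ip` and `nslookup idmcluster.hacluster.mylab.local` instead of the constructed strings.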
```
[root@host1 ~]# klist -k
Keytab name: FILE:/mnt/gfs2share/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/idmcluster.hacluster.mylab.local@HACLUSTER.MYLAB.LOCAL (des-cbc-crc)
...
   3 cifs/idmcluster.hacluster.mylab.local@HACLUSTER.MYLAB.LOCAL (des-cbc-crc)
...
[root@host1 ~]#

[root@host1 ~]# net ads info
LDAP server: 192.168.100.120
LDAP server name: win2k12r2.hacluster.mylab.local
Realm: HACLUSTER.MYLAB.LOCAL
Bind Path: dc=HACLUSTER,dc=MYLAB,dc=LOCAL
LDAP port: 389
Server time: Wed, 28 Feb 2018 20:06:34 CET
KDC server: 192.168.100.120
Server time offset: -1
Last machine account password change: Sat, 23 Dec 2017 11:55:15 CET
[root@host1 ~]#

[root@host1 ~]# wbinfo -u; echo "---"; wbinfo -g
HACLUSTER+administrator
HACLUSTER+guest
HACLUSTER+krbtgt
HACLUSTER+aduser
---
HACLUSTER+winrmremotewmiusers__
HACLUSTER+domain computers
HACLUSTER+domain controllers
HACLUSTER+schema admins
HACLUSTER+enterprise admins
HACLUSTER+cert publishers
HACLUSTER+domain admins
HACLUSTER+domain users
...
[root@host1 ~]#
```
Use case
```
[root@host1 ~]# date; ssh -l HACLUSTER+aduser localhost
Thu 1 Mar 12:02:03 CET 2018
HACLUSTER+aduser@localhost's password:
Creating directory '/home/HACLUSTER/aduser'.
[HACLUSTER+aduser@host1 ~]$ smbclient -m SMB3 //idmcluster.hacluster.mylab.local/domain_share -k
smb: \> exit
[HACLUSTER+aduser@host1 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000003
Default principal: aduser@HACLUSTER.MYLAB.LOCAL

Valid starting     Expires            Service principal
01/03/18 12:02:06  01/03/18 22:02:06  krbtgt/HACLUSTER.MYLAB.LOCAL@HACLUSTER.MYLAB.LOCAL
        renew until 08/03/18 12:02:06
01/03/18 12:02:06  01/03/18 22:02:06  IDMCLUSTER$@HACLUSTER.MYLAB.LOCAL
        renew until 08/03/18 12:02:06
01/03/18 12:02:31  01/03/18 22:02:06  cifs/idmcluster.hacluster.mylab.local@HACLUSTER.MYLAB.LOCAL
        renew until 08/03/18 12:02:06
[HACLUSTER+aduser@host1 ~]$
```