I was wondering if anyone out there has successfully implemented a Samba cluster, where the individual nodes in the cluster are IPA clients, and then the cluster is joined to an IPA domain as a unit?

RedHat has some great documentation on exactly this solution, available here:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_administration/ch-hasamba-haaa

Unfortunately, the example RedHat uses relies on local authentication of users by way of a TDB file and Samba’s smbpasswd utility.

RedHat’s KB article about this gives instructions on how to join a cluster to an Active Directory domain:

https://access.redhat.com/articles/3304481

I cannot, for the life of me, find any documentation available on how to join a Samba cluster to an IPA domain.

This FreeIPA documentation is a great guide for manually adding an individual server to an IPA domain:

https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html

Once you cluster Samba, it no longer uses /var/lib/samba/private/secrets.tdb to store the machine account password (and other information). Rather, it uses /var/lib/ctdb/persistent/secrets.tdb.0. It would appear that once you create a Samba cluster, you are required to join the cluster to a domain with “net ads join”. Unfortunately, this does not work with an IPA domain; only Active Directory. Or, at least, I couldn’t figure it out!

Here is what I learned:

1. After the cluster is created, the “net setdomainsid” command works as expected.
2. The steps in the FreeIPA “Samba Domain Member” documentation require that tdbtool be used to set two keys with value = ‘2\00’ in secrets.tdb.
3. Any attempts to modify the clustered version of secrets.tdb.N manually, using tdbtool or otherwise, result in a failed cluster.
4. The “net changesecretpw -f” command will fail unless the secrets.tdb file is modified by setting the appropriate keys with value = ‘2\00’ as described in the documentation.
5. The clustered secrets.tdb.N file is not identical to the standard secrets.tdb file.