I was wondering if anyone out there has successfully implemented a Samba cluster, where
the individual nodes in the cluster are IPA clients, and then the cluster is joined to an
IPA domain as a unit?
RedHat has some great documentation on exactly this solution, available here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
Unfortunately, this example that RedHat uses uses local authentication of users by way of
a TDB file and Samba’s smbpasswd utility.
RedHat’s KB article about this gives instructions on how to join a cluster to an Active
Directory domain:
https://access.redhat.com/articles/3304481
I cannot, for the life of me, find any documentation available on how to join a Samba
cluster to an IPA domain.
This FreeIPA documentation is a great guide for manually adding an individual server to an
IPA domain:
https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-mem...
Once you cluster Samba, it no longer uses /var/lib/samba/private/secrets.tdb to store the
machine account password (and other information). Rather, it uses
/var/lib/ctdb/persistent/secrets.tdb.0. It would appear that once you create a Samba
cluster, you are required to join the cluster to a domain with “net ads join”.
Unfortunately, this does not work with an IPA domain; only Active Directory. Or, at least,
I couldn’t figure it out!
Here is what I learned:
1. After the cluster is created, the “net setdomainsid” command works as expected.
2. The steps in the FreeIPA “Samba Domain Member” documentation require that tdbtool is
used to set two keys with value = ‘2\00’ in secrets.tdb.
3. Any attempts to modify the clustered version of secrets.tdb.N manually, using tdbtool
or otherwise, result in a failed cluster.
4. The "net changesecretpw -f" command will fail unless the secrets.tdb file is
modified by setting the appropriate keys with value = ‘2\00’ as described in the
documentation.
5. The clustered secrets.tdb.N file is not identical to the standard secrets.tdb file.