7.2. Integration
Integrating Red Hat Gluster Storage Servers into an Active Directory domain involves the following series of steps:
- Configure Authentication
- Join Active Directory Domain
- Verify/Test Active Directory and Services
7.2.1. Configure Authentication
In order to join a cluster to the Active Directory domain, a couple of files have to be edited manually on all nodes.
Note
- Ensure that CTDB is configured before the active directory join. For more information see, Section 6.3.1 Setting up CTDB for Samba in the Red Hat Gluster Storage Administration Guide.
- It is recommended to take backups of the configuration and of Samba’s databases (local and ctdb) before making any changes.
7.2.1.1. Basic Samba Configuration
As of Red Hat Gluster Storage 3.4 Batch 4 Update, the recommended idmap configuration method for new deployments is
autorid
. Red Hat recommends autorid
because in addition to automatically calculating user and group identifiers like tdb
, it performs fewer database transactions and read operations, and is a prerequisite for supporting secure ID history (SID history).
Warning
Do not change the idmap configuration in existing deployments. Doing so requires a large number of changes, such as modifying the permissions and access control lists of all files in the shared file system, which unless done carefully can create user access problems. If you do need to change the idmap configuration settings for an existing deployment, contact Red Hat support for assistance.
The Samba configuration file
/etc/samba/smb.conf
must be identical on all nodes, and must contain the relevant parameters for AD. Along with that, a few other settings are required in order to activate mapping of user and group IDs.
The following example depicts the minimal Samba configuration for AD integration:
[global] netbios name = RHS-SMB workgroup = ADDOM realm = addom.example.com security = ads clustering = yes idmap config * : backend = autorid idmap config * : range = 1000000-19999999 idmap config * : rangesize = 1000000 # -----------------RHS Options ------------------------- # # The following line includes RHS-specific configuration options. Be careful with this line. include = /etc/samba/rhs-samba.conf #=================Share Definitions =====================
Warning
The example above is the complete
global
section required in the smb.conf
file. Ensure that nothing else appears in this section in order to prevent gluster mechanisms from changing settings when starting or stopping the ctdb lock volume.
The
netbios name
consists of only one name which has to be the same name on all cluster nodes. Windows clients will only access the cluster via that name (either in this short form or as an FQDN). The individual node hostname (rhs-srv1, rhs-srv2, …) must not be used for the netbios name
parameter.
Note
- The idmap
range
defines the lowerst and hightest identifier numbers that can be used. Specify a range large enough to cover the number of objects specified inrangesize
. - The idmap
rangesize
specifies the number of identifiers available for each domain range. In this case there are one million identifiers per domain range, and therange
parameter indicates that there are nearly 19 million identifiers total, meaning that there are a total of 19 possible domain ranges. - If you want to be able to use the individual host names to also access specific nodes, you can add them to the
netbios aliases
parameter ofsmb.conf
. - In an AD environment, it is usually not required to run
nmbd
. However, if you have to runnmbd
, then make sure to set thecluster addresses
smb.conf
option to the list of public IP addresses of the cluster.
7.2.1.2. Alternative Configuration using ad
backend
If you need full control over Active Directory IDs, you can adapt the Samba configuration further by using the
idmap_ad
module in addition to autorid
. The idmap_ad
module reads the unix IDs from the AD's special unix attributes. This has to be configured by the AD domain's administrator before it can be used by Samba and winbind.
In order for Samba to use
idmap_ad
, the AD domain admin has to prepare the AD domain for using the so called unix extensions and assign unix IDs to all users and groups that should be able to access the Samba server.
For example, following is an extended Samba configuration file to use the
idmap_ad
backend for the ADDOM domain. The default autorid
backend catches all objects from domains other than the ADDOM domain.
[global] netbios name = RHS-SMB workgroup = ADDOM realm = addom.example.com security = ads clustering = yes idmap config * : backend = autorid idmap config * : range = 1000000-1999999 idmap config ADDOM : backend = ad idmap config ADDOM : range = 3000000-3999999 idmap config ADDOM : schema mode = rfc2307 winbind nss info = rfc2307 # -------------------RHS Options ------------------------------- # # The following line includes RHS-specific configuration options. Be careful with this line. include = /etc/samba/rhs-samba.conf #===================Share Definitions =========================
Note
- The range for the idmap_ad configuration is prescribed by the AD configuration. This has to be obtained by AD administrator.
- Ranges for different idmap configurations must not overlap.
- The schema mode and the winbind nss info setting should have the same value. If the domain is at level 2003R2 or newer, then rfc2307 is the correct value. For older domains, additional values sfu and sfu20 are available. See the manual pages of idmap_ad and smb.conf for further details.
7.2.1.3. Verifying the Samba Configuration
Test the new configuration file using the testparm command. For example:
# testparm -s Load smb config files from /etc/samba/smb.conf rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) Loaded services file OK. Server role: ROLE_DOMAIN_MEMBER # Global parameters [global] workgroup = ADDOM realm = addom.example.com netbios name = RHS-SMB security = ADS clustering = Yes winbind nss info = rfc2307 idmap config addom : schema mode = rfc2307 idmap config addom : range = 3000000-3999999 idmap config addom : backend = ad idmap config * : range = 1000000-1999999 idmap config * : backend = autorid
7.2.1.4. nsswitch Configuration
Once the Samba configuration has been made, Samba has to be enabled to use the mapped users and groups from AD. This is achieved via the local Name Service Switch (NSS) that has to be made aware of the winbind. To use the winbind NSS module, edit the
/etc/nsswitch.conf
file. Make sure the file contains the winbind entries for the passwd
and group
databases. For example:
... passwd: files winbind group: files winbind ...
This will enable the use of winbind and should make users and groups
visible
on the individual cluster node once Samba is joined to AD and winbind is started.
7.2.2. Join Active Directory Domain
Prior to joining AD, CTDB must be started so that the machine account information can be stored in a database file that is available on all cluster nodes via CTDB. In addition to that, all other Samba services should be stopped. If key-based SSH authentication without a password has been configured for the root user between the nodes, you can use the onnode tool to run these commands on all nodes from a single node:
For RHEL 7 and RHEL 8, run:
# onnode all systemctl start ctdb # onnode all systemctl stop winbind # onnode all systemctl stop smb
For RHEL 6, run:
# onnode all service ctdb start # onnode all service winbind stop # onnode all service smb stop
Note
- If your configuration has CTDB managing Winbind and Samba, they can be temporarily disabled with the following commands (to be executed prior to the above stop commands) so as to prevent CTDB going into an unhealthy state when they are shut down:
# onnode all ctdb event script disable legacy 49.winbind # onnode all ctdb event script disable legacy 50.samba
- For some versions of Red Hat Gluster Storage, a bug in the selinux policy prevents 'ctdb disablescript SCRIPT' from succeeding. If this is the case, 'chmod -x /etc/ctdb/events.d/SCRIPT' can be executed as a workaround from a root shell.
- Shutting down winbind and smb is primarily to prevent access to SMB services during this AD integration. These services may be left running but access to them should be prevented through some other means.
The join is initiated via the
net
utility from a single node:
Warning
The following step must be executed only on one cluster node and should not be repeated on other cluster nodes. CTDB makes sure that the whole cluster is joined by this step.
# net ads join -U Administrator Enter Administrator's password: Using short domain name -- ADDOM Joined 'RHS-SMB' to dns domain addom.example.com' Not doing automatic DNS update in a clustered setup.
Once the join is successful, the cluster ip addresses and the cluster netbios name should be made public in the network. For registering multiple public cluster IP addresses in the AD DNS server, the
net
utility can be used again:
# net ads dns register rhs-smb <PUBLIC IP 1> <PUBLIC IP 2> ...
This command will make sure the DNS name
rhs-smb
will resolve to the given public IP addresses. The DNS registrations use the cluster machine account for authentication in AD, which means this operation only can be done after the join has succeeded.
Registering the NetBIOS name of the cluster is done by the nmbd service. In order to make sure that the nmbd instances on the hosts don’t overwrite each other’s registrations, the ‘cluster addresses’ smb.conf option should be set to the list of public addresses of the whole cluster.
7.2.3. Verify/Test Active Directory and Services
When the join is successful, the Samba and the Winbind daemons can be started.
Start nmdb, winbind and smb services using the following commands:
For RHEL 7 and RHEL 8, run:
# onnode all systemctl start nmb # onnode all systemctl start winbind # onnode all systemctl start smb
For RHEL 6, run:
# onnode all service nmb start # onnode all service winbind start # onnode all service smb start
Note
- If you previously disabled CTDB’s ability to manage Winbind and Samba they can be re-enabled with the following commands:
# onnode all ctdb event script enable legacy 50.samba # onnode all ctdb event script enable legacy 49.winbind
- With the latest ctdb-4.9.8-105.el7rhgs.x86_64 package, the paths of ctdb managed service scripts have changed. The script files are now available under /etc/ctdb/events/legacy/ after enabling them from /usr/share/ctdb/events/legacy.
- To enable ctdb event script, execute the following command:
ctdb event script enable legacy 49.winbind
- To enable ctbd event script on all nodes, execute the following command:
# onnode all ctdb event script enable legacy 49.winbind
Execute the following verification steps:
- Verify the join by executing the following stepsVerify the join to check if the created machine account can be used to authenticate to the AD LDAP server using the following command:
# net ads testjoin Join is OK
- Execute the following command to display the machine account’s LDAP object
# net ads status -P objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user objectClass: computer cn: rhs-smb distinguishedName: CN=rhs-smb,CN=Computers,DC=addom,DC=example,DC=com instanceType: 4 whenCreated: 20150922013713.0Z whenChanged: 20151126111120.0Z displayName: RHS-SMB$ uSNCreated: 221763 uSNChanged: 324438 name: rhs-smb objectGUID: a178177e-4aa4-4abc-9079-d1577e137723 userAccountControl: 69632 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 130880426605312806 lastLogoff: 0 lastLogon: 130930100623392945 localPolicyFlags: 0 pwdLastSet: 130930098809021309 primaryGroupID: 515 objectSid: S-1-5-21-2562125317-1564930587-1029132327-1196 accountExpires: 9223372036854775807 logonCount: 1821 sAMAccountName: rhs-smb$ sAMAccountType: 805306369 dNSHostName: rhs-smb.addom.example.com servicePrincipalName: HOST/rhs-smb.addom.example.com servicePrincipalName: HOST/RHS-SMB objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=addom,DC=example,DC=com isCriticalSystemObject: FALSE dSCorePropagationData: 16010101000000.0Z lastLogonTimestamp: 130929563322279307 msDS-SupportedEncryptionTypes: 31
- Execute the following command to display general information about the AD server:
# net ads info LDAP server: 10.11.12.1 LDAP server name: dc1.addom.example.com Realm: ADDOM.EXAMPLE.COM Bind Path: dc=ADDOM,dc=EXAMPLE,dc=COM LDAP port: 389 Server time: Thu, 26 Nov 2015 11:15:04 UTC KDC server: 10.11.12.1 Server time offset: -26
- Verify if winbind is operating correctly by executing the following stepsExecute the following command to verify if winbindd can use the machine account for authentication to AD
# wbinfo -t checking the trust secret for domain ADDOM via RPC calls succeeded
- Execute the following command to resolve the given name to a Windows SID
# wbinfo --name-to-sid 'ADDOM\Administrator' S-1-5-21-2562125317-1564930587-1029132327-500 SID_USER (1)
- Execute the following command to verify authentication:
# wbinfo -a 'ADDOM\user' Enter ADDOM\user's password: plaintext password authentication succeeded Enter ADDOM\user's password: challenge/response password authentication succeeded
or,# wbinfo -a 'ADDOM\user%password' plaintext password authentication succeeded challenge/response password authentication succeeded
- Execute the following command to verify if the id-mapping is working properly:
# wbinfo --sid-to-uid <SID-OF-ADMIN> 1000000
- Execute the following command to verify if the winbind Name Service Switch module works correctly:
# getent passwd 'ADDOM\Administrator' ADDOM\administrator:*:1000000:1000004::/home/ADDOM/administrator:/bin/false
- Execute the following command to verify if samba can use winbind and the NSS module correctly:
# smbclient -L rhs-smb -U 'ADDOM\Administrator' Domain=[ADDOM] OS=[Windows 6.1] Server=[Samba 4.2.4] Sharename Type Comment --------- ---- ------- IPC$ IPC IPC Service (Samba 4.2.4) Domain=[ADDOM] OS=[Windows 6.1] Server=[Samba 4.2.4] Server Comment --------- ------- RHS-SMB Samba 4.2.4 Workgroup Master --------- ------- ADDOM RHS-SMB