Configuring Common Internet File System in ads mode

This section describes how to configure CIFS in ads mode.

In this mode, user authentication happens on Active Directory using Kerberos. The cluster nodes act as member servers in the domain. User and group mapping via winbind requires additional steps, which you must have already performed.

A shared file system needs to be specified during the config operation. This file system is used to replicate the secrets.tdb file (machine password file) across all cluster nodes. Only one of the cluster nodes joins the domain using the cluster name. Once you have copied this file to all the cluster nodes, the domain controller sees all cluster nodes as one member server.

You must have configured Kerberos on all cluster nodes. The time on all cluster nodes needs to be synced up with the AD server/KDC.

The shared file system can also be used to store any tdb file that needs to be shared across all cluster nodes. Appropriate symlinks must be created on all cluster nodes.

You must back up your existing smb.conf file and ensure that the /var/log/samba file exists on all cluster nodes before running the cfsshare config command.

Note:

If CNFS is already configured on the cluster, then specify the same shared_volume and mount_point for configuration of CIFS.

cfsshare config [-n] -p cifs -l samba_lockdir -c \
samba_config_file -t samba_topdir -m ads \
shared_disk_group shared_volume mount_point

For example:

# cfsshare config -p cifs -m ads -l /var/run \
-c /etc/samba/smb.conf -t /usr -s sfstest-ad -d \
SFSTEST-AD2 -r SFSTEST-AD2.LOCAL -u Administrator \
lockdg lockvol /locks

Note:

Check the path of the Samba lock directory and PID directory using the smbd -b command. Use the path of the PID directory for the -l samba_lockdir option.

Note:

The cfsshare config command fails if the shared_volume specified is already registered with VCS. Verify that the shared_volume is not registered with VCS by examining the output from the following command:

# /opt/VRTS/bin/cfsmntadm display

If the -n option is specified when using the cfsshare config command, you must follow these steps to complete the CIFS configuration:

To complete the CIFS configuration when using the -n option

  1. Copy the following lines to your smb.conf file:
    security = ads
    workgroup = domainname
    password server = AD_server_of_the_domain
    realm = realm_name
  2. Run the following command to back up your existing secrets.tdb file:
    # mv -f pvtdir/secrets.tdb pvtdir/secrets.tdb.OLD

    where pvtdir is the private directory of your Samba installation.

  3. Copy the secrets.tdb file created in the locks file system to the private directory of your Samba installation:
    # cp -f mntpt/cifs/secrets.tdb pvtdir/secrets.tdb

    where mntpt is the mount point.
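
Because secrets.tdb holds the machine password, it is worth checking each node after step 3. The following is an added example, not part of cfsshare or of the original documentation: it verifies that the shared and local copies are identical, that neither is accessible to group or other, and that smb.conf sets security = ads. The function names are hypothetical, and the expected owner (uid 0) is an assumption.

```shell
#!/bin/sh
# Added example: per-node checks after steps 1-3. All paths are arguments;
# these helper functions are hypothetical and not part of cfsshare or Samba.

# Succeeds if FILE grants no permissions to group or other.
mode_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Prints the numeric uid that owns FILE.
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# Succeeds if the given smb.conf contains "security = ads".
has_ads_security() {
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' "$1"
}

# check_node SHARED_TDB LOCAL_TDB SMB_CONF [EXPECTED_UID, assumed 0]
# Prints one line per failed check; the return status is the failure count.
check_node() {
    shared=$1; local_tdb=$2; conf=$3; uid=${4:-0}; fails=0
    for f in "$shared" "$local_tdb"; do
        if [ ! -f "$f" ]; then
            echo "MISSING: $f"; fails=$((fails + 1)); continue
        fi
        mode_is_private "$f" ||
            { echo "PERMS: $f is accessible to group/other"; fails=$((fails + 1)); }
        [ "$(owner_uid "$f")" = "$uid" ] ||
            { echo "OWNER: $f is not owned by uid $uid"; fails=$((fails + 1)); }
    done
    cmp -s "$shared" "$local_tdb" 2>/dev/null ||
        { echo "DIFF: $local_tdb differs from $shared"; fails=$((fails + 1)); }
    has_ads_security "$conf" ||
        { echo "CONF: security = ads not set in $conf"; fails=$((fails + 1)); }
    return "$fails"
}

# Usage on a node (mntpt and pvtdir as in the steps above):
#   check_node mntpt/cifs/secrets.tdb pvtdir/secrets.tdb /etc/samba/smb.conf
```

A DIFF result on one node means its local copy no longer matches the secrets.tdb file in the shared file system.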

To unconfigure CIFS:

# cfsshare unconfig -p cifs

Note:

The unconfigure operation fails if any file systems are being shared via the CIFS protocol.

You can configure both CNFS and CIFS at the same time by running the cfsshare config -p all command.

# cfsshare config -p all -m ads -l /var/run \
-c /etc/samba/smb.conf -t /usr -s sfstest-ad -d \
SFSTEST-AD2 -r SFSTEST-AD2.LOCAL -u Administrator \
lockdg lockvol /locks