Note:

This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.

Deploy an HA Samba Cluster with Windows Active Directory on OCI

Introduction

We will discuss how to configure high availability (HA) with automatic failover of Samba on Ubuntu instances into Oracle Cloud Infrastructure (OCI). This solution is a robust and reliable file server infrastructure, leveraging the power of a clustered Server Message Block (SMB) setup and completely license free. The cost is related only to the consumption (oCPU and block volume size).

The benefits of implementing a clustered SMB file server service in an organization are:

Reliability: The clustered configuration ensures high availability, minimizing the risk of downtime and ensuring constant access to critical files.
Fault Tolerance: In the event of a server failure, the clustered setup provides automatic failover, guaranteeing uninterrupted access to files and maintaining business continuity.
Resource Utilization: Efficient resource allocation ensures optimal utilization of server resources, maximizing productivity while minimizing operational costs.
High Performance: Implementing a clustered SMB file server is a strategic move towards creating a resilient, high performance IT environment tailored to meet the evolving business needs.

Architecture

Objective

Deploy a reliable file server in HA supporting SMB protocol integrated with Windows Active Directory.

Prerequisites

Access to an OCI tenancy.
Two Linux Ubuntu VMs.
One block volume.

Task 1: Set up the Environment

Create two Ubuntu 22.04 compute instances.
On both compute instances, establish the directory where you intend to store files and configure the Samba server. For example: /mnt/smb.
Create a block volume with the required size for your SMB datastore, and attach it to both compute instances (iSCSI, read/write - sharable). For more information, see Attaching a Volume to Multiple Instances.
Note the dev name assigned to the block volume attached using the following command.
```
sudo lsblk
```
Assign a secondary private IP address on the first node. This is a floating IP address. For example: 10.10.1.254.
Update the /etc/hosts file on both Ubuntu instances to include the IP addresses and hostnames of all nodes, including the Windows Active Directory server that will be used for user authentication. For example: 10.10.1.60 smb1, 10.10.1.29 smb2, 10.10.1.59 ad.testad.oci testad.oci AD.
Configure the iptables on both Ubuntu instances according to the needs.

Note: Ubuntu instances come with preconfigured iptables. The sixth rule in the INPUT section rejects everything else, so you have the option to either delete it or add specific protocols and ports that are allowed before this rule.
Install and configure the Oracle Cloud Infrastructure Command Line Interface (OCI CLI) on both Ubuntu instances. For more information, see Install the OCI CLI and configure it (configuration command: oci setup config).

Note: Install OCI CLI into /usr/bin or your user path to avoid permission problems, by default it is root.
```
bash -c "$(curl -L https://raw.githubusercontent.com/oracle/ocicli/master/scripts/install/install.sh)"
```

Task 2: Configure Oracle Cluster File System version 2 (OCFS2)

Oracle Cluster File System version 2 (OCFS2) is a general purpose shared disk file system developed by Oracle Corporation and released under the GNU General Public License.

To manage a shared writable block volume, we have to deploy OCFS2. For more information, see A Simple Guide to Oracle Cluster File System (OCFS2) using iSCSI on Oracle Cloud Infrastructure.

Run the following command on both nodes.
```
sudo apt-get install ocfs2-tools -y
```
Update the value of O2CB_ENABLED from false to true in the /etc/default/o2cb file.
```
O2CB_ENABLED=true
```

Enter the following code in the /etc/ocfs2/cluster.conf file.

Note: Take care of indentation and format of the file.

cluster:
   name = ocfs2
   heartbeat_mode = local
   node_count = 2
node:
   cluster = ocfs2
   number = 0
   ip_port = 7777
   ip_address = 10.10.1.60
   name = smb1
node:
   cluster = ocfs2
   number = 1
   ip_port = 7777
   ip_address = 10.10.1.29
   name = smb2

Now, start the o2cb service.
```
sudo /etc/init.d/o2cb start
```
Format the block volume device with OCFS2 file system. Run the following command only on the first node.

Note: The path of the device that we noted in step 3.
```
sudo mkfs.ocfs2 "MyOCFS2Cluster" /dev/sd*
```
Register the cluster using the following command.
```
sudo o2cb register-cluster ocfs2
```
Mount the block volume on the directory assigned for Samba server. For example: /mnt/smb.
```
sudo mount /dev/sd* /mnt/smb
```
Check the cluster status using the following command.
```
sudo o2cb list-nodes ocfs2
```

Enable the services using the following command.

sudo systemctl enable o2cb
sudo systemctl enable ocfs2

Update the fstab in /etc/fstab to mount the block volume automatically at startup.

Note: Adjust the /dev/sd\* device according to your dev name.
```
/dev/sd* /mnt/smb ocfs2     _netdev,defaults   0 0
```

Task 3: Set up the Samba Cluster

Samba allows file and print sharing between computers running on Microsoft Windows and Unix. It is an implementation of dozens of services and protocols, including: NetBIOS over TCP/IP (NBT) and SMB - sometimes referred to as Common Internet File System (CIFS).

Install Samba and Cluster Trivial Database (CTDB) on both nodes using the following command.
```
sudo apt-get install ctdb samba samba-common winbind smbclient -y
```

Edit the Samba configuration file.

sudo nano /etc/samba/smb.conf

Copy and paste the following parameters.

Note:

You have to configure it accordingly with your environment and windows domain/workgroup.

The netbios name parameter has to be the same for all your nodes.

[global]
      server string = samba_server
      workgroup = TESTAD
      password server = ad.testad.oci
      realm = testad.oci
      winbind enum groups = yes
      winbind enum users = yes
      winbind use default domain = yes
      security = ADS
      debuglevel = 2
      wins support = no
      idmap config TESTAD : backend = rid
      idmap config TESTAD : range = 10000 - 50000
      idmap config * : backend = tdb
      idmap config * : range = 1000-9999
      template shell = /bin/false
      winbind offline logon = false
      interfaces = lo ens3
      clustering = yes
      guest ok = yes
      bind interfaces only = no
      disable netbios = no
      netbios name = sambacluster1
      smb ports = 445
      log file = /var/log/samba/smb.log
      max log size = 10000
      veto files = /._*/.DS_Store/.Trashes/.TemporaryItems/
      delete veto files = yes
      nt acl support = yes
      inherit acls = yes
      map acl inherit = yes
      map archive = yes
      map hidden = yes
      map read only = yes
      map system = yes
      store dos attributes = yes
      inherit permissions = yes
      unix extensions = no
[samba_test]
      path = /mnt/smb
      browseable = yes
      writeable = yes
      read only = no
      public = yes
      inherit acls = no
      admin users = "testad.oci\administrator"
      create mask = 0744
      directory mask = 0755

To set up the cluster, edit the CTDB configuration file.

sudo nano  /etc/ctdb/ctdb.conf

Copy and paste the following parameters.

CTDB_NODES=/etc/ctdb/nodes
CTDB_PUBLIC_ADDRESSES=/etc/ctdb/public_addresses
CTDB_RECOVERY_LOCK="/mnt/Samba/ctdb/.ctdb.lock"
CTDB_MANAGES_SAMBA=yes
CTDB_MANAGES_WINBIND=yes
CTDB_SERVICE_SMB=smbd

Edit the nodes configuration file for configuring the cluster.
```
sudo nano /etc/ctdb/nodes
```
Add the IP addresses of your nodes.
```
10.10.1.60
10.10.1.29
```
Edit the CTDB public address configuration file (the floating IP address).
```
Sudo nano /etc/ctdb/public_addresses
```
Add floating IP address.
```
10.10.1.254/0 ens3
```

We have to add the script to manage the floating IP address at the OCI level and to migrate it automatically in case of failover.

Sudo nano /etc/ctdb/functions

Add the following code after the add_ip_to_iface () section.

Note: Change the Oracle Cloud Identifier (OCID) and the hostname with your nodes VNICs OCID and the hostname.

##### OCI vNIC variables
   server="`hostname -s`"
   smb1vnic="ocid1.vnic.oc1.eu-frankfurt-1.YOUR_NODE1_VNIC_OCID"
   smb2vnic="ocid1.vnic.oc1.eu-frankfurt-1.YOUR_NODE2_VNIC_OCID"
   vnicip="10.10.1.254"
   #export LC_ALL=C.UTF-8
   #export LANG=C.UTF-8
   #touch /tmp/vip.log
   ##### OCI/IPaddr Integration
      if [ $server = "smb1" ]; then
         /usr/bin/oci network vnic assign-private-ip --unassign-if-already-assigned --vnic-id $smb1vnic --ip-address $vnicip 2>/dev/null
      else
         /usr/bin/oci network vnic assign-private-ip --unassign-if-already-assigned --vnic-id $smb2vnic --ip-address $vnicip 2>/dev/null
      fi

Use the following command to troubleshoot the floating IP address migration if it does not work.
```
sudo journalctl -u ctdb.service
```

Task 4: Integrate Windows Active Directory

To integrate user access with Windows Active Directory server, we have to install Kerberos on both nodes.

sudo apt -y install winbind libpam-winbind libnss-winbind krb5-config samba-dsdb-modules samba-vfs-modules

Use the following command to configure Kerberos.
```
sudo nano /etc/krb5.conf
```

Check the configuration file with the following code.

Note: Remember to use the Windows domain/realm configured in your environment.

[libdefaults]
      default_realm = TESTAD.OCI
# The following krb5.conf variables are only for MIT Kerberos.
      kdc_timesync = 1
      ccache_type = 4
      forwardable = true
      proxiable = true
# The following encryption type specification will be used by MIT Kerberos.
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as # old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
      fcc-mit-ticketflags = true
[realms]
      TESTAD.OCI = {
               kdc = ad.testad.oci
               admin_server = ad.testad.oci

The last step is join both hosts into the Windows domain using the following command.
```
Sudo net ads join -U Administrator -S testad.oci
```

Now, try to connect your client to the Samba server using the floating IP address and Windows Active Directory users (for example: //10.10.1.254/samba_test) and test the business continuity if one nodes is shutdown or restarted.

The new Samba cluster is ready now!

Acknowledgments

Author - Marco Santucci (EMEA Enterprise Cloud Solution Architect)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

Title and Copyright Information

Deploy an HA Samba Cluster with Windows Active Directory on OCI

F92316-02

February 2024

Deploy an HA Samba Cluster with Windows Active Directory on OCI

Introduction

Objective

Prerequisites

Task 1: Set up the Environment

Task 2: Configure Oracle Cluster File System version 2 (OCFS2)

Task 3: Set up the Samba Cluster

Task 4: Integrate Windows Active Directory

Related Links

Acknowledgments

More Learning Resources