# a rough base config used by setup_samba.sh
# created using "sofs conf backup"
#
# Layout, as far as this file shows: short-named sections ([vsftpd],
# [smbconf/global], [nfsexports], ...) hold per-service settings, and
# sections named after an absolute path ([/etc/krb5.conf], ...) appear to
# hold the text of that file. @@CLUSTER@@, @@WORKGROUP@@, @@DOMAIN@@ and
# @@IPBASE@@ look like placeholders, presumably filled in by
# setup_samba.sh -- TODO confirm.
#
# NOTE(review): [nfsexports] exports /gpfs/data read-write to "*" (any
# host) with no_root_squash, so uid 0 on any client that can reach the
# export is not remapped. Restrict the client list and use root_squash
# unless a named admin host really needs root access.
# NOTE(review): the [/etc/ctdb/public_addresses:...n1...] section is empty
# while n2-n4 list the same six addresses -- confirm n1 is meant to hold
# no public addresses.
# NOTE(review): [/etc/krb5.conf] keeps default_realm = EXAMPLE.COM and the
# EXAMPLE.COM realm entries next to @@DOMAIN@@ -- presumably leftovers
# from the stock file; confirm which default realm is intended.

[CTDB_MANAGES_SAMBA]
yes

[CTDB_MANAGES_HTTPD]
yes

[CTDB_MANAGES_VSFTPD]
yes

[CTDB_MANAGES_NFS]
yes

[CTDB_MANAGES_SCP]
yes

[vsftpd]
# NOTE(review): no ssl_enable is set in this section, so vsftpd stays at
# its default (NO) and logins and data travel in cleartext. The
# [/etc/pam.d/vsftpd] section sends these logins to pam_winbind, so the
# passwords would be domain credentials -- confirm FTP is limited to a
# trusted network or enable TLS.
# no anon access
anonymous_enable=NO
# put locks onto the files currently transferred
lock_upload_files=YES
# enable write access
write_enable=YES
# prevent changing access rights – ACLs get screwed otherwise
chmod_enable=NO
# enable that user is able to see the root of gpfs
chroot_local_user=YES
# allow local user access
local_enable=YES
listen=YES
pam_service_name=vsftpd
# set the ftp root directory users can see when they connect to the FTP
local_root=/var/opt/IBM/sofs/ftproot
log_ftp_protocol=YES
syslog_enable=YES

[scpglobal]
allowscp
allowsftp
chrootpath=/var/opt/IBM/sofs/scproot
logfacility=LOG_USER

[ftpexports]
data=/gpfs/data

[httpexports]
ScriptAlias "/gpfs/data" "/var/www/cgi-bin/browse.cgi"
RewriteRule ^/data(.*)$ "/gpfs/data$1" [R]

[nfsexports]
"/gpfs/data" *(rw,no_root_squash,fsid=834258092)

[nfssharenames]
#
#Thu Jul 24 22:43:21 EST 2008
/gpfs/data=data

[scpexports]
data=/gpfs/data

[smbconf/global]
netbios name = @@CLUSTER@@
workgroup = @@WORKGROUP@@
realm = @@DOMAIN@@
server string = "IBM SoFS Cluster"
disable netbios = yes
disable spoolss = yes
fileid:mapping = fsname
use mmap = no
gpfs:sharemodes = yes
gpfs:leases = yes
passdb backend = tdbsam
idmap backend = tdb2
security = ADS
preferred master = no
idmap gid = 10000000-11000000
idmap uid = 10000000-11000000
kernel oplocks = yes
syslog = 1
host msdfs = no
notify:inotify = no
vfs objects = shadow_copy2 syncops gpfs fileid
shadow:snapdir = .snapshots
shadow:fixinodes = yes
auth methods = guest sam winbind
smbd:backgroundqueue = False
read only = no
use sendfile = yes
strict locking = yes
posix locking = yes
large readwrite = yes
force unknown acl user = yes
nfs4:mode = special
nfs4:chown = yes
nfs4:acedup = merge
nfs4:sidmap = /etc/samba/sidmap.tdb
groupdb:backend = tdb
winbind:online check timeout = 30
template shell = /usr/bin/rssh
template homedir = /var/opt/IBM/sofs/scproot
dmapi support = no

[smbconf/data]
path = /gpfs/data
comment = Data Share
guest ok = no
read only = no
browseable = yes

[/etc/ctdb/public_addresses:@@CLUSTER@@n1.@@DOMAIN@@]

[/etc/ctdb/public_addresses:@@CLUSTER@@n2.@@DOMAIN@@]
@@IPBASE@@.1.101/24 eth1
@@IPBASE@@.1.102/24 eth1
@@IPBASE@@.1.103/24 eth1
@@IPBASE@@.2.101/24 eth2
@@IPBASE@@.2.102/24 eth2
@@IPBASE@@.2.103/24 eth2

[/etc/ctdb/public_addresses:@@CLUSTER@@n3.@@DOMAIN@@]
@@IPBASE@@.1.101/24 eth1
@@IPBASE@@.1.102/24 eth1
@@IPBASE@@.1.103/24 eth1
@@IPBASE@@.2.101/24 eth2
@@IPBASE@@.2.102/24 eth2
@@IPBASE@@.2.103/24 eth2

[/etc/ctdb/public_addresses:@@CLUSTER@@n4.@@DOMAIN@@]
@@IPBASE@@.1.101/24 eth1
@@IPBASE@@.1.102/24 eth1
@@IPBASE@@.1.103/24 eth1
@@IPBASE@@.2.101/24 eth2
@@IPBASE@@.2.102/24 eth2
@@IPBASE@@.2.103/24 eth2

[/etc/krb5.conf]
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
@@DOMAIN@@ = {
    kdc = sofs1-ad.@@DOMAIN@@
}

EXAMPLE.COM = {
    kdc = kerberos.example.com:88
    admin_server = kerberos.example.com:749
    default_domain = example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[appdefaults]
pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}

[/etc/samba/smb.conf]
# Samba Configuration file.
#
# ****************** WARNING ********************************
# The contents of this file should not be modified directly !
#
# The samba options are stored in the registry.
# Use the "net conf" command to add/modify samba options in the registry
# ***************************************************************
[global]
# enable clustering
clustering=yes
ctdb:registry.tdb=yes
# NOTE(review): private dir is on the shared GPFS file system, next to
# the CTDB recovery lock. Samba keeps password/secret databases under
# private dir, so confirm /gpfs/.ctdb is root-only and not covered by any
# export (the export sections in this file name /gpfs/data only).
private dir=/gpfs/.ctdb/
# Load options from registry
include=registry

[/etc/sysconfig/authconfig]
USEWINBINDAUTH=yes
USEKERBEROS=no
USESYSNETAUTH=no
USEPAMACCESS=no
USEMKHOMEDIR=no
FORCESMARTCARD=no
USESMBAUTH=no
USESMARTCARD=no
USELDAPAUTH=no
USEDB=no
# NOTE(review): USEWINBIND=no while [/etc/nsswitch.conf] lists winbind for
# passwd and group -- presumably a later authconfig run would rewrite
# nsswitch.conf without winbind; confirm.
USEWINBIND=no
USESHADOW=yes
# NOTE(review): md5 here matches the "md5" option on the pam_unix password
# line in [/etc/pam.d/system-auth-ac], i.e. MD5-crypt for local password
# hashes. pam_unix also accepts sha512 where the platform supports it --
# confirm and prefer the stronger scheme.
PASSWDALGORITHM=md5
USELOCAUTHORIZE=no
USEPASSWDQC=no
USELDAP=no
USEHESIOD=no
USECRACKLIB=yes
USENIS=no

[/etc/sysconfig/ctdb]
# Options to ctdbd. This is read by /etc/init.d/ctdb
# you must specify the location of a shared lock file across all the
# nodes. This must be on shared storage
# there is no default
CTDB_RECOVERY_LOCK=/gpfs/.ctdb/shared
# should ctdb do IP takeover? If it should, then specify a file
# containing the list of public IP addresses that ctdb will manage
# Note that these IPs must be different from those in $NODES above
# there is no default
CTDB_PUBLIC_ADDRESSES=/etc/ctdb/public_addresses
# when doing IP takeover you also must specify what network interface
# to use for the public addresses
# there is no default
CTDB_PUBLIC_INTERFACE=eth0
# should ctdb manage starting/stopping the Samba service for you?
# default is to not manage Samba
CTDB_MANAGES_SAMBA=yes
# should ctdb manage starting/stopping the winbind service for you?
# default is autodetect
CTDB_MANAGES_WINBIND=yes
# you may wish to raise the file descriptor limit for ctdb
# use a ulimit command here. ctdb needs one file descriptor per
# connected client (ie. one per connected client in Samba)
ulimit -n 10000
# the NODES file must be specified or ctdb won't start
# it should contain a list of IPs that ctdb will use
# it must be exactly the same on all cluster nodes
# defaults to /etc/ctdb/nodes
CTDB_NODES=/etc/ctdb/nodes
# the directory to put the local ctdb database files in
# defaults to /var/ctdb
CTDB_DBDIR=/var/ctdb
# the script to run when ctdb needs to ask the OS for help,
# such as when a IP address needs to be taken or released
# defaults to /etc/ctdb/events
CTDB_EVENT_SCRIPT=/etc/ctdb/events.d
# the location of the local ctdb socket
# defaults to /tmp/ctdb.socket
# NOTE(review): /tmp is world-writable, so any local user can create or
# replace a file at this path before ctdbd binds it. Prefer a root-owned
# directory if the installed ctdb allows the socket to be moved -- confirm.
CTDB_SOCKET=/tmp/ctdb.socket
# what transport to use. Only tcp is currently supported
# defaults to tcp
CTDB_TRANSPORT="tcp"
# where to log messages
# the default is /var/log/log.ctdb
CTDB_LOGFILE=/var/log/log.ctdb
# what debug level to run at. Higher means more verbose
# the default is 0
CTDB_DEBUGLEVEL=0
# set any default tuning options for ctdb
# use CTDB_SET_XXXX=value where XXXX is the name of the tuning
# variable
# for example
#CTDB_SET_TRAVERSETIMEOUT=60
#Disable the share check during monitor
CTDB_SAMBA_SKIP_SHARE_CHECK=yes
#Disable the config check during monitor
CTDB_SAMBA_SKIP_CONF_CHECK=yes
#Specify the SMB ports to check during monitor
CTDB_SAMBA_CHECK_PORTS="445"
# you can get a list of variables using "ctdb listvars"
# any other options you might want. Run ctdbd --help for a list
CTDB_OPTIONS=--syslog

[/etc/sysconfig/vsftpd]
# should ctdb manage starting/stopping the service for you?
# default is to not manage it
CTDB_MANAGES_VSFTPD=yes

[/etc/sysconfig/http]
# should ctdb manage starting/stopping the service for you?
# default is to not manage it
CTDB_MANAGES_HTTPD=yes

[/etc/sysconfig/nfs]
#
# Define which protocol versions mountd
# will advertise. The values are "no" or "yes"
# with yes being the default
#MOUNTD_NFS_V1="no"
#MOUNTD_NFS_V2="no"
#MOUNTD_NFS_V3="no"
#
#
# Path to remote quota server. See rquotad(8)
#RQUOTAD="/usr/sbin/rpc.rquotad"
# Port rquotad should listen on.
#RQUOTAD_PORT=875
# Optional options passed to rquotad
#RPCRQUOTADOPTS=""
#
#
# TCP port rpc.lockd should listen on.
#LOCKD_TCPPORT=32803
# UDP port rpc.lockd should listen on.
#LOCKD_UDPPORT=32769
#
#
# Optional arguments passed to rpc.nfsd. See rpc.nfsd(8)
#RPCNFSDARGS
# Number of nfs server processes to be started.
# The default is 8.
#RPCNFSDCOUNT=8
#
#
# Optional arguments passed to rpc.mountd. See rpc.mountd(8)
#RPCMOUNTDOPTS=""
# Port rpc.mountd should listen on.
#MOUNTD_PORT=892
#
#
# Optional arguments passed to rpc.statd. See rpc.statd(8)
#STATDARG=""
# Port rpc.statd should listen on.
#STATD_PORT=662
# Outgoing port statd should use. The default port
# is random
#STATD_OUTGOING_PORT=2020
# Specify callout program
#STATD_HA_CALLOUT="/usr/local/bin/foo"
#
#
# Optional arguments passed to rpc.idmapd. See rpc.idmapd(8)
#RPCIDMAPDARGS=""
#
# Set to turn on Secure NFS mounts.
# NOTE(review): SECURE_NFS stays commented out, and the [nfsexports]
# section exports /gpfs/data to "*" with no_root_squash -- review the two
# together.
#SECURE_NFS="yes"
# Optional arguments passed to rpc.gssd. See rpc.gssd(8)
#RPCGSSDARGS="-vvv"
# Optional arguments passed to rpc.svcgssd. See rpc.svcgssd(8)
#RPCSVCGSSDARGS="-vvv"
# Don't load security modules in to the kernel
#SECURE_NFS_MODS="noload"
#
# Don't load sunrpc module.
#RPCMTAB="noload"
#
# should ctdb manage starting/stopping the service for you?
# default is to not manage it
CTDB_MANAGES_NFS=yes
# statd, mountd, rquotad and lockd are pinned to fixed ports 32765-32769
# instead of the defaults shown commented out above; fixed ports are what
# a firewall rule set for NFS would need to name.
STATD_PORT=32765
STATD_OUTGOING_PORT=32766
MOUNTD_PORT=32767
RQUOTAD_PORT=32768
LOCKD_UDPPORT=32769
LOCKD_TCPPORT=32769
NFS_TICKLE_SHARED_DIRECTORY=/gpfs/.ctdb/nfs-tickles
STATD_SHARED_DIRECTORY=/gpfs/.ctdb/nfs-state
NFS_HOSTNAME="@@CLUSTER@@"
STATD_HOSTNAME="$NFS_HOSTNAME -H /etc/ctdb/statd-callout "
# "-N 4" is passed to rpc.nfsd; per rpc.nfsd(8) -N turns off the given
# NFS protocol version, here version 4.
RPCNFSDARGS="-N 4"

[/etc/nsswitch.conf]
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
# "files" comes before "winbind" for passwd and group, so a local account
# or group takes precedence over a domain one with the same name; shadow
# is looked up in local files only.
passwd: files winbind
shadow: files
group: files winbind
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
# NOTE(review): bootparams, netgroup, publickey, automount and aliases
# still name nisplus -- presumably left over from the stock file; confirm
# no NIS+ source is expected on these nodes.
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus

[/etc/pam.d/system-auth-ac]
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# auth stack: local pam_unix first, then pam_winbind for uid >= 500,
# otherwise deny.
auth required pam_env.so
# NOTE(review): nullok lets a local account whose password field is empty
# authenticate. [/etc/pam.d/vsftpd] includes system-auth, so this would
# also apply to FTP logins if system-auth resolves to this file --
# confirm, and drop nullok unless empty passwords are intended.
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
# NOTE(review): "md5" stores new local passwords as MD5-crypt hashes, and
# nullok appears here as well. pam_unix also accepts sha512 where the
# platform supports it -- confirm and prefer the stronger scheme.
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

[/etc/pam.d/vsftpd]
#%PAM-1.0
session optional pam_keyinit.so force revoke
# NOTE(review): onerr=succeed makes pam_listfile return success when it
# hits an error such as an unreadable /etc/vsftpd/ftpusers, so the deny
# list fails open. onerr=fail is the fail-closed setting.
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
#auth required pam_shells.so
# pam_winbind is "sufficient" ahead of the system-auth include, for both
# auth and account.
auth sufficient pam_winbind.so
auth include system-auth
account sufficient pam_winbind.so
account include system-auth
session include system-auth
session required pam_loginuid.so

[/etc/rssh.conf]
allowscp
allowsftp
chrootpath=/var/opt/IBM/sofs/scproot
logfacility=LOG_USER

[/etc/httpd/conf.d/shares.config]
ScriptAlias "/gpfs/data" "/var/www/cgi-bin/browse.cgi"
RewriteRule ^/data(.*)$ "/gpfs/data$1" [R]

[/etc/vsftpd/vsftpd.conf]
# NOTE(review): no ssl_enable is set in this file, so vsftpd stays at its
# default (NO) and logins and data travel in cleartext. The
# [/etc/pam.d/vsftpd] section sends these logins to pam_winbind, so the
# passwords would be domain credentials -- confirm FTP is limited to a
# trusted network or enable TLS.
# no anon access
anonymous_enable=NO
# put locks onto the files currently transferred
lock_upload_files=YES
# enable write access
write_enable=YES
# prevent changing access rights – ACLs get screwed otherwise
chmod_enable=NO
# enable that user is able to see the root of gpfs
chroot_local_user=YES
# allow local user access
local_enable=YES
listen=YES
pam_service_name=vsftpd
# set the ftp root directory users can see when they connect to the FTP
local_root=/var/opt/IBM/sofs/ftproot
log_ftp_protocol=YES
syslog_enable=YES

[/var/opt/IBM/sofs/configs/scpexports]
data=/gpfs/data
[/var/opt/IBM/sofs/configs/ftpexports]
data=/gpfs/data

[/var/opt/IBM/sofs/scproot/etc/nsswitch.conf]
#
# /etc/nsswitch.conf
#
# NOTE(review): this copy sits under /var/opt/IBM/sofs/scproot, the
# chrootpath set in the [/etc/rssh.conf] section; presumably it serves
# name lookups inside the scp/sftp chroot -- confirm it is kept in step
# with the [/etc/nsswitch.conf] section.
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
# "files" comes before "winbind" for passwd and group, so a local account
# or group takes precedence over a domain one with the same name; shadow
# is looked up in local files only.
passwd: files winbind
shadow: files
group: files winbind
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
# NOTE(review): bootparams, netgroup, publickey, automount and aliases
# still name nisplus -- presumably left over from the stock file; confirm
# no NIS+ source is expected inside the chroot.
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus