2 Samba4-DCs with OpenLDAP 2.4.8 in Multi-Master-Replication
Andrew Bartlett
abartlet at samba.org
Sun Apr 6 22:25:17 GMT 2008
On Sat, 2008-04-05 at 15:50 +0200, Oliver Liebel wrote:
> Used Versions:
> OpenLDAP 2.4.8
> Samba4 from git (Fri Apr 4 16:03:54 2008 +0200)
> Rev-Info
> 7fccd85
> 1207317834
> 7fccd85cc673c139bc1d57915e0fccd22316998c
>
>
> Set up first DC1 (hostname samba4) with OL as backend.
> Backend provisioning with:
> #> bin/smbpython setup/provision-backend --realm=LDAP.LOCAL.SITE
> --domain=LDAP --ldap-manager-pass=linux --ldap-backend-type=openldap
> --simple-bind-dn="cn=Manager,dc=ldap,dc=local,dc=site"
>
> - slapd.conf creation only works correctly if an smb.conf with the wanted
> settings exists; otherwise the hostname [cn=samba4] is used as base DN,
> tested it several times
You need to include the --server-role parameter. We provision as a
standalone server by default (because even while everyone wants Samba4
as a DC at this point, I don't want to ever get back to 'samba4 broke my
network' because someone didn't actually want a DC).
I'm adding some output to make clear how it has been configured.
> After that, same procedure on DC2 (samba4dc2),
> using the domain SID from DC1 for provisioning,
> with a second slapd listening on DC2 on port 9000; everything OK.
> After that, stopped smbd and slapd on DC2, then tried to join DC1, where
> the following error occurs:
>
> #> net join LDAP BDC -U administrator -d 4
> ....
> failed to get principal from default ccache: No such file or directory:
> open(/tmp/krb5cc_0): No such file or directory
> GENSEC backend 'sasl-DIGEST-MD5' registered
> ....
> We still need to perform a DsAddEntry() so that we can create the
> CN=NTDS Settings container.
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> INTERNAL ERROR: Signal 11 in pid 5695 (4.0.0alpha4-GIT-UNKNOWN)
> Please read the file BUGS.txt in the distribution
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> PANIC: internal error
> BACKTRACE: 23 stack frames:
> #0 net(call_backtrace+0x2b) [0x84a7e23]
> #1 net(smb_panic+0x266) [0x84a815d]
> #2 net [0x84a82f8]
> #3 net(fault_setup+0) [0x84a832d]
> #4 [0xffffe420]
> #5 /usr/local/samba/lib/samba/ldb/update_keytab.so(config_path+0x1d) [0xb77ed2b0]
> #6 /usr/local/samba/lib/samba/ldb/update_keytab.so(smb_krb5_init_context+0x141) [0xb758e13c]
> #7 /usr/local/samba/lib/samba/ldb/update_keytab.so(cli_credentials_get_krb5_context+0x67) [0xb7568263]
> #8 /usr/local/samba/lib/samba/ldb/update_keytab.so(cli_credentials_set_keytab_name+0x42) [0xb756922b]
> #9 /usr/local/samba/lib/samba/ldb/update_keytab.so(cli_credentials_set_secrets+0x6e9) [0xb7567641]
> #10 /usr/local/samba/lib/samba/ldb/update_keytab.so [0xb756538d]
> #11 /usr/local/samba/lib/samba/ldb/update_keytab.so [0xb756554d]
> #12 net(ldb_request+0x1ec) [0x84dd38c]
> #13 net [0x84dcf4f]
> #14 net(ldb_delete+0x87) [0x84de252]
> #15 net [0x80bb141]
> #16 net(libnet_Join+0x6e) [0x80bb5d3]
> #17 net(net_join+0x212) [0x80b3836]
> #18 net(net_run_function+0xc5) [0x80b2a19]
> #19 net [0x80b2eba]
> #20 net(main+0x22) [0x80b2f59]
> #21 /lib/libc.so.6(__libc_start_main+0xe0) [0xb7d65fe0]
> #22 net [0x80b28f1]
> Aborted
>
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> GSS Update(krb5)(1) Update failed: Miscellaneous failure (see text):
> Failed to find SAMBA4DC2$@LDAP.LOCAL.SITE(kvno 1) in keytab
> FILE:/usr/local/samba/var/lib/samba/private/secrets.keytab
> (arcfour-hmac-md5)
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> SPNEGO login failed: NT_STATUS_LOGON_FAILURE
>
> which means in consequence that the domain won't be reachable any
> more if DC1 is down. (Tested it: the domain is still working with DC2 kicked
> off.)
>
> So: can we find a way to get the keytabs on both DCs synchronized?
> Apart from that, all other stuff is working well and stable
> (even the re-synchronization of DC2 after re-enabling the DC again).
Once the segfault in the keytab module is resolved, this should work.
Thank you very much for your patience with this.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
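Added example, not part of this thread and not Samba code: a check for the failure mode Oliver reports, where the GSSAPI acceptor cannot find SAMBA4DC2$@LDAP.LOCAL.SITE at kvno 1 (arcfour-hmac-md5) in DC2's secrets.keytab. It parses a keytab listing from each DC, explains why a given principal/kvno/enctype lookup would fail against one of them, and reports which principals or key versions differ between the two. The listings are constructed for the example, laid out in the shape of Heimdal `ktutil -k FILE list` output (Samba4 bundles Heimdal; the column layout is an assumption, and the parser only needs rows of the form kvno, enctype, principal). The function names parse_keytab_listing, explain_lookup and diff_keytabs are chosen here.

```python
import re
from typing import Dict, List, Set

# Constructed sample listings (not captured from the machines in the thread),
# laid out like Heimdal 'ktutil -k FILE list': columns Vno, Type, Principal.
# DC2 holds its own machine-account key only at kvno 2, while the acceptor
# in the thread's error asks for kvno 1.
DC1_LISTING = """\
FILE:/usr/local/samba/private/secrets.keytab:

Vno  Type                     Principal
  1  arcfour-hmac-md5         SAMBA4$@LDAP.LOCAL.SITE
  1  des-cbc-md5              SAMBA4$@LDAP.LOCAL.SITE
"""

DC2_LISTING = """\
FILE:/usr/local/samba/var/lib/samba/private/secrets.keytab:

Vno  Type                     Principal
  1  arcfour-hmac-md5         SAMBA4$@LDAP.LOCAL.SITE
  2  arcfour-hmac-md5         SAMBA4DC2$@LDAP.LOCAL.SITE
"""

# principal -> kvno -> set of enctypes
Keytab = Dict[str, Dict[int, Set[str]]]

# A data row: integer kvno, an enctype token, then principal@REALM.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+@\S+)\s*$")


def parse_keytab_listing(text: str) -> Keytab:
    """Collect '<kvno> <enctype> <principal>' rows; the path line, the column
    header and blank lines do not match ROW and are skipped."""
    kt: Keytab = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            kvno, enctype, princ = int(m.group(1)), m.group(2), m.group(3)
            kt.setdefault(princ, {}).setdefault(kvno, set()).add(enctype)
    return kt


def explain_lookup(kt: Keytab, principal: str, kvno: int, enctype: str) -> str:
    """Mirror the acceptor's keytab lookup, which the thread's error reports as
    principal, kvno and enctype. Return 'ok' or the first reason it would fail."""
    if principal not in kt:
        return "principal not in keytab"
    if kvno not in kt[principal]:
        return "kvno %d not in keytab (have %s)" % (kvno, sorted(kt[principal]))
    if enctype not in kt[principal][kvno]:
        return "enctype %s missing for kvno %d (have %s)" % (
            enctype, kvno, sorted(kt[principal][kvno]))
    return "ok"


def diff_keytabs(a: Keytab, b: Keytab) -> Dict[str, List[str]]:
    """Principals present on only one DC, and shared principals whose key
    versions differ. Either condition means a client holding a ticket for that
    principal can only be served by one of the two DCs."""
    shared = set(a) & set(b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "kvno_mismatch": sorted(p for p in shared if set(a[p]) != set(b[p])),
    }


if __name__ == "__main__":
    dc1 = parse_keytab_listing(DC1_LISTING)
    dc2 = parse_keytab_listing(DC2_LISTING)
    # The lookup from the thread's error, run against DC2's keytab.
    print(explain_lookup(dc2, "SAMBA4DC2$@LDAP.LOCAL.SITE", 1, "arcfour-hmac-md5"))
    print(diff_keytabs(dc1, dc2))
```

On a real pair of DCs you would feed each function the output of the keytab listing command for that host's secrets.keytab; a non-empty only_in_* or kvno_mismatch list is the condition under which one DC going down takes authentication with it, which is the symptom described above.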