[Samba] Samba 4.1.7 CTDB winbind not syncing when connected to MS AD 2008R2 - WAS: Re: Samba 4.1.7 clustering not using private dir

Taylor, Jonn jonnt at taylortelephone.com
Mon Apr 28 06:43:27 MDT 2014


One more thing.... I had to do a kinit Administrator before doing the 
join before winbind would work. If I did not the join would work but 
winbind would not.

On 04/28/2014 07:26 AM, Taylor, Jonn wrote:
> This is the only thing that I see in the logs.
>
> Apr 28 07:23:40 node1 winbindd[26142]: [2014/04/28 07:23:40.125831, 0] 
> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
> Apr 28 07:23:40 node1 winbindd[26142]:   Kinit failed: 
> Preauthentication failed
>
> If I re-join the domain with net ads join it works again for a while.
>
> Jonn
>
> On 04/28/2014 07:23 AM, Taylor, Jonn wrote:
>> Update on my problem. I resetup my 2 node cluster per the samba wiki 
>> for 4.x and CTDB. The only difference is that I am using DRBD and 
>> GFS2. CTDB is not syncing the winbind databases between nodes. I had 
>> to join each node before winbind would authenticate my users to AD. 
>> This morning I found that one of the 2 nodes stopped authenticating 
>> users again. It looks like CTDB is not syncing the samba/winbind 
>> databases to keep the nodes in sync.
>>
>> How can I prove this out?
>>
>> Jonn
>>
>> On 04/25/2014 02:16 PM, Jonn Taylor wrote:
>>> On 4/25/2014 11:56 AM, Rowland Penny wrote:
>>>> On 25/04/14 16:46, Taylor, Jonn wrote:
>>>>> I originally posted this on the dev list and opened a bug for this 
>>>>> but was asked to post this to the users list.
>>>>>
>>>>> https://bugzilla.samba.org/show_bug.cgi?id=10565
>>>>>
>>>>> Using sernet 4.1 packages. I am unable to get smbd to use private 
>>>>> dir.
>>>>> Set option in smb.conf and on command line.
>>>>>
>>>>> sernet-samba-libsmbclient0-4.1.7-7.el6.x86_64
>>>>> sernet-samba-libs-4.1.7-7.el6.x86_64
>>>>> sernet-samba-client-4.1.7-7.el6.x86_64
>>>>> sernet-samba-4.1.7-7.el6.x86_64
>>>>> sernet-samba-common-4.1.7-7.el6.x86_64
>>>>> sernet-samba-winbind-4.1.7-7.el6.x86_64
>>>>>
>>>>> [global]
>>>>>         workgroup = TAYLORTELEPHONE
>>>>>         realm = TAYLORTELEPHONE.COM
>>>>>         netbios name = SHR01
>>>>>         server string = Cluster Share
>>>>>         interfaces = eth0, lo
>>>>>         security = ADS
>>>>>         private dir = /clusterdata/private
>>>>>         log file = /var/log/samba/log.samba
>>>>>         server min protocol = NT1
>>>>>         client signing = if_required
>>>>>         server signing = if_required
>>>>>         clustering = Yes
>>>>>         printcap name = /etc/printcap
>>>>>         wins server = 192.168.173.13, 192.168.173.14
>>>>>         template shell = /bin/bash
>>>>>         winbind enum users = Yes
>>>>>         winbind enum groups = Yes
>>>>>         winbind use default domain = Yes
>>>>>         winbind refresh tickets = Yes
>>>>>         winbind offline logon = Yes
>>>>>         idmap config * : schema_mode = rfc2307
>>>>>         idmap config TAYLORTELEPHONE:backend = rid
>>>>>         idmap config TAYLORTELEPHONE:range = 500-4000000
>>>>>         idmap config * : range = 1000-4000000
>>>>>         idmap config * : backend = tdb2
>>>>>         admin users = "@TAYLORTELEPHONE\Domain Admins"
>>>>>         inherit acls = Yes
>>>>>         map acl inherit = Yes
>>>>>
>>>>> # SAMBA_START_MODE defines how Samba should be started. Valid options are one of
>>>>> #   "none"    to not enable it at all,
>>>>> #   "classic" to use the classic smbd/nmbd/winbind daemons
>>>>> #   "ad"      to use the Active Directory server (which starts the smbd on its own)
>>>>> # (Be aware that you also need to enable the services/init scripts that
>>>>> # automatically start up the desired daemons.)
>>>>> SAMBA_START_MODE="classic"
>>>>>
>>>>> # SAMBA_RESTART_ON_UPDATE defines if the services should be restarted when
>>>>> # the RPMs are updated. Setting this to "yes" effectively enables the
>>>>> # functionality of the try-restart parameter of the init scripts.
>>>>> SAMBA_RESTART_ON_UPDATE="yes"
>>>>>
>>>>> # NMBD_EXTRA_OPTS may contain extra options that are passed as additional
>>>>> # arguments to the nmbd daemon
>>>>> NMBD_EXTRA_OPTS=""
>>>>>
>>>>> # WINBINDD_EXTRA_OPTS may contain extra options that are passed as additional
>>>>> # arguments to the winbindd daemon
>>>>> WINBINDD_EXTRA_OPTS=""
>>>>>
>>>>> # SMBD_EXTRA_OPTS may contain extra options that are passed as additional
>>>>> # arguments to the smbd daemon
>>>>> SMBD_EXTRA_OPTS="private-dir=/clusterdata/private"
>>>> Hi,
>>>>
>>>> I think that this should be:
>>>> SMBD_EXTRA_OPTS="--private-dir=/clusterdata/private"
>>>>
>>>> Rowland
>>>>
>>> What I was told is that the private dir is disabled when clustering 
>>> = yes is set in samba 4.1. I started all over and tried the setup 
>>> from the samba wiki. I still had to do a net ads join on both 
>>> servers but it is working. The only thing I need to check is if CTDB 
>>> is really replicating the databases for samba and winbind.
>>>
>>> Anyone know how to check this?
>>>>>
>>>>> # SAMBA_EXTRA_OPTS may contain extra options that are passed as additional
>>>>> # arguments to the samba daemon
>>>>> SAMBA_EXTRA_OPTS=""
>>>>>
>>>>> # SAMBA_IGNORE_NSUPDATE_G defines whether the samba daemon should be started
>>>>> # when 'nsupdate -g' is not available. Setting this to "yes" would mean that
>>>>> # samba will be started even without 'nsupdate -g'. This will lead to severe
>>>>> # problems without a proper workaround!
>>>>> SAMBA_IGNORE_NSUPDATE_G="no"
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
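
Added example (not part of the original thread, and not Samba or CTDB project code): one way to check whether CTDB is holding the Samba/winbind databases is to compare `ctdb getdbmap` output captured on each node and confirm that `secrets.tdb` is attached and flagged PERSISTENT everywhere. It assumes the `dbid:... name:... path:... [PERSISTENT]` line layout of that command; the node captures, dbids and paths are constructed, and `parse_dbmap` and `check_cluster` are hypothetical helper names.

```python
import re

# Assumed line layout of `ctdb getdbmap`: dbid:<hex> name:<db> path:<file> [flags]
DB_LINE = re.compile(r"^dbid:(0x[0-9a-fA-F]+)\s+name:(\S+)\s+path:(\S+)\s*(.*)$")

def parse_dbmap(text):
    """Return {db name: (dbid, is_persistent)} from one node's getdbmap output."""
    dbs = {}
    for line in text.splitlines():
        m = DB_LINE.match(line.strip())
        if m:
            dbid, name, _path, flags = m.groups()
            dbs[name] = (dbid.lower(), "PERSISTENT" in flags.split())
    return dbs

def check_cluster(outputs, required=("secrets.tdb",)):
    """outputs: {node: getdbmap text}. Return a list of findings (empty = OK)."""
    maps = {node: parse_dbmap(text) for node, text in outputs.items()}
    findings = []
    for name in required:
        dbids = set()
        for node, dbs in sorted(maps.items()):
            if name not in dbs:
                findings.append(f"{node}: {name} is not attached to CTDB")
                continue
            dbid, persistent = dbs[name]
            dbids.add(dbid)
            if not persistent:
                findings.append(f"{node}: {name} is attached but not PERSISTENT")
        if len(dbids) > 1:
            findings.append(f"{name}: dbid differs between nodes {sorted(dbids)}")
    return findings

# Constructed captures (not from the thread): node2 lacks secrets.tdb.
NODE1 = """Number of databases:3
dbid:0x42fe72c5 name:locking.tdb path:/var/ctdb/locking.tdb.0
dbid:0x7bbbd26c name:passdb.tdb path:/var/ctdb/persistent/passdb.tdb.0 PERSISTENT
dbid:0x7132c184 name:secrets.tdb path:/var/ctdb/persistent/secrets.tdb.0 PERSISTENT
"""
NODE2 = """Number of databases:2
dbid:0x42fe72c5 name:locking.tdb path:/var/ctdb/locking.tdb.1
dbid:0x7bbbd26c name:passdb.tdb path:/var/ctdb/persistent/passdb.tdb.1 PERSISTENT
"""

if __name__ == "__main__":
    for finding in check_cluster({"node1": NODE1, "node2": NODE2}):
        print(finding)
```

A node that reports `secrets.tdb` as missing or non-persistent is keeping its machine account secret outside CTDB, so a join performed on one node is not visible to the other.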


