2 Samba4-DCs with OpenLDAP 2.4.8 in Multi-Master-Replication

Andrew Bartlett abartlet at samba.org
Sun Apr 6 22:25:17 GMT 2008


On Sat, 2008-04-05 at 15:50 +0200, Oliver Liebel wrote:
> Used Versions:
> OpenLDAP 2.4.8
> Samba4 from git  (Fri Apr 4 16:03:54 2008 +0200)
> Rev-Info
> 7fccd85
> 1207317834
> 7fccd85cc673c139bc1d57915e0fccd22316998c
> 
> 
> Setup First DC1 (hostname samba4) with OL as Backend.
> Backend-Provisioning with:
> #> bin/smbpython setup/provision-backend --realm=LDAP.LOCAL.SITE 
> --domain=LDAP --ldap-manager-pass=linux --ldap-backend-type=openldap 
> --simple-bind-dn="cn=Manager,dc=ldap,dc=local,dc=site"
> 
> - slapd.conf creation only works correctly if an smb.conf with the wanted
> settings exists; otherwise the hostname [cn=samba4] is used as Base-DN.
> Tested it several times.

You need to include the --server-role parameter.  We provision as a
standalone server by default (because even while everyone wants Samba4
as a DC at this point, I don't want to ever get back to 'samba4 broke my
network' because someone didn't actually want a DC). 

I'm adding some output to make clear how it has been configured.

> after that, same procedure on DC2 (samba4dc2),
> using the domain-sid from DC1 for provision,
> with second slapd listening on DC2 on port 9000, everything ok.
> after that, stopped smbd and slapd on DC2, then tried to join DC1, where
> the following error occurs:
> 
> #> net join LDAP BDC -U administrator -d 4
> ....
> failed to get principal from default ccache: No such file or directory: open(/tmp/krb5cc_0): No such file or directory
> GENSEC backend 'sasl-DIGEST-MD5' registered
> ....
> We still need to perform a DsAddEntry() so that we can create the CN=NTDS Settings container.
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> INTERNAL ERROR: Signal 11 in pid 5695 (4.0.0alpha4-GIT-UNKNOWN)
> Please read the file BUGS.txt in the distribution
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> PANIC: internal error
> BACKTRACE: 23 stack frames:
>  #0 net(call_backtrace+0x2b) [0x84a7e23]
>  #1 net(smb_panic+0x266) [0x84a815d]
>  #2 net [0x84a82f8]
>  #3 net(fault_setup+0) [0x84a832d]
>  #4 [0xffffe420]
>  #5 /usr/local/samba/lib/samba/ldb/update_keytab.so(config_path+0x1d) [0xb77ed2b0]
>  #6 /usr/local/samba/lib/samba/ldb/update_keytab.so(smb_krb5_init_context+0x141) [0xb758e13c]
>  #7 /usr/local/samba/lib/samba/ldb/update_keytab.so(cli_credentials_get_krb5_context+0x67) [0xb7568263]
>  #8 /usr/local/samba/lib/samba/ldb/update_keytab.so(cli_credentials_set_keytab_name+0x42) [0xb756922b]
>  #9 /usr/local/samba/lib/samba/ldb/update_keytab.so(cli_credentials_set_secrets+0x6e9) [0xb7567641]
>  #10 /usr/local/samba/lib/samba/ldb/update_keytab.so [0xb756538d]
>  #11 /usr/local/samba/lib/samba/ldb/update_keytab.so [0xb756554d]
>  #12 net(ldb_request+0x1ec) [0x84dd38c]
>  #13 net [0x84dcf4f]
>  #14 net(ldb_delete+0x87) [0x84de252]
>  #15 net [0x80bb141]
>  #16 net(libnet_Join+0x6e) [0x80bb5d3]
>  #17 net(net_join+0x212) [0x80b3836]
>  #18 net(net_run_function+0xc5) [0x80b2a19]
>  #19 net [0x80b2eba]
>  #20 net(main+0x22) [0x80b2f59]
>  #21 /lib/libc.so.6(__libc_start_main+0xe0) [0xb7d65fe0]
>  #22 net [0x80b28f1]
> Aborted

> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gssapi_krb5
> GSS Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find SAMBA4DC2$@LDAP.LOCAL.SITE(kvno 1) in keytab FILE:/usr/local/samba/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> SPNEGO login failed: NT_STATUS_LOGON_FAILURE
> which means in consequence that the domain won't be reachable any more
> if DC1 is down. (Tested it, domain is still working with DC2 kicked
> off)
> 
> so: can we find a way to get the keytabs on both DCs synchronized?
> except for that, all other stuff is working well and stable
> (even the re-synchronization of DC2 after re-enabling the DC again).

Once the segfault in the keytab module is resolved, this should work. 

Thank you very much for your patience with this.

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
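Added here as a diagnostic for the keytab failure Oliver quotes above (example code written for this archive page, not from the thread, Samba or OpenLDAP): a small parser for the MIT/Heimdal keytab file format (version 0x0502) that lists each principal with its kvno and enctype and reports which expected machine-account keys a keytab lacks. The sample keytab is constructed inline to mirror the report, where DC2's secrets.keytab has no SAMBA4DC2$@LDAP.LOCAL.SITE key at kvno 1; the enctype number 23 for arcfour-hmac-md5 is the standard IANA/RFC 3961 assignment.

```python
import struct
KEYTAB_V2 = b"\x05\x02"   # file format version written by MIT/Heimdal ktutil
ARCFOUR_HMAC_MD5 = 23     # enctype named in the GSS error above

def build_keytab(entries):
    # Serialise (principal, realm, kvno, enctype, key) tuples into a v2 keytab.
    out = KEYTAB_V2
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    # Return [(principal@REALM, kvno, enctype), ...] for every live entry.
    if data[:2] != KEYTAB_V2:
        raise ValueError("only keytab format 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size == 0: break     # zero-length slot: nothing more to read
        if size < 0:            # negative size marks a deleted slot of |size| bytes
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _name_type, _stamp, kvno = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        if end - pos >= 4:      # optional 32-bit kvno overrides the 8-bit field
            kvno = struct.unpack(">I", data[pos:pos + 4])[0] or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return entries

def missing_keys(data, wanted):
    # Return the (principal, kvno) pairs in `wanted` that the keytab lacks.
    present = {(p, v) for p, v, _ in parse_keytab(data)}
    return [w for w in wanted if w not in present]

# Constructed sample: DC2's keytab holds only DC1's machine key, as in the report.
SAMPLE = build_keytab([("SAMBA4$", "LDAP.LOCAL.SITE", 1, ARCFOUR_HMAC_MD5, b"\x11" * 16)])
```

On a live system, read /usr/local/samba/var/lib/samba/private/secrets.keytab on each DC, run parse_keytab over the bytes and compare the lists to see whether both DCs' machine keys are present before taking DC1 down.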
