clustered single machine account / NTLM

Zachary Loafman zachary.loafman at
Sun Apr 20 20:33:17 GMT 2008

On our clusters, we end up joining every machine in the cluster to the
domain. This causes a lot of clutter, and we've been looking at how to
fix this issue for a while. During Tridge's ctdb presentation, he
mentioned that ctdb could now use a single machine account for the
cluster. We've talked about this internally for quite a while, but Todd
Stetcher believed it to be difficult to do if all the winbind processes
were allowed to communicate to the DC. Todd mentioned that the DC will
get confused if the NTLM sequence numbers from the same machine happen
to be out of sequence, even if the machines attempted to maintain
separate sessions. This is presumably the result of a bad choice on the
DC side of maintaining sequence numbers per machine and not per session.
Todd should hopefully correct me if I'm spouting gibberish here. :)

I recognize that there's an obvious solution to this problem involving a
single session (you can clearly proxy through one winbind process
instead of relying on N*winbind). This solution involves some extra
latency, but would more or less work. Given the separation smbd/winbind
in 3.2, it's not hard to imagine making this work, either.

So .. are ctdbs maintaining separate sessions to each DC using the same
machine account, and have you had any problems with that, or are the
smbds talking to one winbind so there's only one cluster<->DC session?

Zach Loafman | Staff Engineer | Isilon Systems

More information about the samba-technical mailing list