clustered single machine account / NTLM

Volker Lendecke Volker.Lendecke at SerNet.DE
Mon Apr 21 03:44:12 GMT 2008

On Sun, Apr 20, 2008 at 01:33:17PM -0700, Zachary Loafman wrote:
> On our clusters, we end up joining every machine in the cluster to the
> domain. This causes a lot of clutter, and we've been looking at how to
> fix this issue for a while. During Tridge's ctdb presentation, he
> mentioned that ctdb could now use a single machine account for the
> cluster. We've talked about this internally for quite a while, but Todd
> Stetcher believed it to be difficult to do if all the winbind processes
> were allowed to communicate to the DC. Todd mentioned that the DC will
> get confused if the NTLM sequence numbers from the same machine happen
> to be out of sequence, even if the machines attempted to maintain
> separate sessions. This is presumably the result of a bad choice on the
> DC side of maintaining sequence numbers per machine and not per session.
> Todd should hopefully correct me if I'm spouting gibberish here. :)
> I recognize that there's an obvious solution to this problem involving a
> single session (you can clearly proxy through one winbind process
> instead of relying on N*winbind). This solution involves some extra
> latency, but would more or less work. Given the separation smbd/winbind
> in 3.2, it's not hard to imagine making this work, either.
> So .. are ctdbs maintaining separate sessions to each DC using the same
> machine account, and have you had any problems with that, or are the
> smbds talking to one winbind so there's only one cluster<->DC session?

We're using separate connections per node.

Samba is protecting certain parts of the NETLOGON pipe setup
with a mutex; I'd have to look at exactly what. Our
experience is that once you have a working NETLOGON schannel
connection using the same wks account, the credential chains
seem to work independently of each other.

Do you have any logs that show the problems?