CTDB secrets TDB issue

miguel.sanders at arcelormittal.com miguel.sanders at arcelormittal.com
Wed Dec 23 13:31:51 MST 2009 

Hi folks

I'm currently setting up a CTDB cluster of two nodes (nodeA and nodeB),
both of which have security = ads.
CTDB is functioning fine but I'm observing some strange anomalies with
the clustered secrets TDB.
The basic smb.conf on both nodes looks like:
[global]
        workgroup = XYZ
        realm = XYZ.BE
        security = ads
        clustering = yes
        idmap backend = tdb2
        fileid:mapping = fsname
        vfs objects = gpfs fileid
        gpfs:sharemodes = No
        force unknown acl user = yes
        winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
[TMP]
        path = /gpfsFS1/tmp
        writeable = yes
        vfs objects = gpfs fileid


Here are my chronological observations:

1) No TDBs on nodeA and nodeB (samba/CTDB)
2) Start CTDB cluster with CTDB_MANAGES_SAMBA="no" and
CTDB_MANAGES_WINBIND="no"
3) Run net ads join on nodeA: succesful
4) secrets.tdb is created on both nodes via CTDB (secrets.tdb.0 for
nodeA and secrets.tdb.1 for nodeB)
5) startup winbind on nodeA
6) wbinfo -t on nodeA : OK (checking the trust secret via RPC calls
succeeded)
7) Run net ads join on nodeB: succesful
8) startup winbind on nodeB
9) wbinfo -t on nodeB : OK (checking the trust secret via RPC calls
succeeded)
10) wbinfo -t on nodeA : NOK (checking the trust secret via RPC calls
failed ; error code was NT_STATUS_ACCESS_DENIED (0xc0000022) ; Could not
check secret)
11) Run net ads join on node A
12) wbinfo -t on nodeA : OK (checking the trust secret via RPC calls
succeeded)
13) wbinfo -t on nodeB : NOK (checking the trust secret via RPC calls
failed ; error code was NT_STATUS_ACCESS_DENIED (0xc0000022) ; Could not
check secret)

So the only conclusion is that that de clustered secrets TDB only
functions for the last cluster node that successfully joined the domain.
Did I do anything wrong? If not, any idea on how to debug this?

Cheers

Miguel

**** 
This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. 
If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. 
Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. 
This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement.  
****

More information about the samba-technical mailing list