CTDB 2.0: how to get rid of these messages?

Ulrich Sibiller u.sibiller at science-computing.de
Tue Jun 18 01:40:25 MDT 2013

Am 14.06.2013 22:55, schrieb Martin Schwenke:
> This message comes from the code that registers client connections so
> that they can be handled efficiently during an IP failover.  This
> means that a client (probably Samba) is accepting connections on
> private addresses.  That's bad because those connections won't failover
> if a node has a problem.
> Your options include:
> * If you're using round-robin DNS then ensure that the DNS name for the
>    cluster does not map to any private addresses.


> * Configuring clients more carefully.  This is like the above but if
>    the clients are using IPs (instead of a DNS name) to connect to
>    Samba then they should not be configured to use private IPs.

Users use the round-robin DNS name to connect.

> * Configure Samba to only accept connections on public IPs.

This is what I added on all nodes:

interfaces = xx.yy.zz.216/24, xx.yy.zz.217/24, xx.yy.zz.219/24, xx.yy.zz.220/24, xx.yy.zz.221/24, 
cluster addresses = xx.yy.zz.216, xx.yy.zz.217, xx.yy.zz.219, xx.yy.zz.220, xx.yy.zz.221, xx.yy.zz.218

At first the messages were gone for some hours but they have started to appear again.

Do I need to add "bind interfaces only = yes"?

I also discovered that there is no nmbd running when I add the "interfaces" line to the config. When 
I remove the line and restart ctdb it is back again. Is this correct behaviour?

> * Add firewall rules to block SMB connections to private IPs.

I have not done this yet because I think the solution above should be sufficient. Apparently it is 
not. But why?

> You should also note that CTDB does not have any security on the
> private network.  If the private node IPs are exposed via the public
> network then it may be possible for users on the public network to do
> bad things to CTDB.  You might want to consider securing the private
> IPs/CTDB ports in some way.

Ok, this is on my todo list now.

Thank you,

Vorstandsvorsitzender/Chairman of the board of management:
Gerd-Lothar Leonhart
Vorstand/Board of Management:
Dr. Bernd Finkbeiner, Michael Heinrichs, 
Dr. Arno Steitz, Dr. Ingrid Zech
Vorsitzender des Aufsichtsrats/
Chairman of the Supervisory Board:
Philippe Miltin
Sitz/Registered Office: Tuebingen
Registergericht/Registration Court: Stuttgart
Registernummer/Commercial Register No.: HRB 382196

More information about the samba-technical mailing list