CTDB 2.0: how to get rid of these messages?

Martin Schwenke martin at meltin.net
Sat Jun 22 03:41:44 MDT 2013


On Tue, 18 Jun 2013 09:40:25 +0200, Ulrich Sibiller
<u.sibiller at science-computing.de> wrote:

> Am 14.06.2013 22:55, schrieb Martin Schwenke:

> > * If you're using round-robin DNS then ensure that the DNS name for the
> >    cluster does not map to any private addresses.
> 
> check.
> 
> > * Configuring clients more carefully.  This is like the above but if
> >    the clients are using IPs (instead of a DNS name) to connect to
> >    Samba then they should not be configured to use private IPs.
> 
> Users use the round-robin DNS name to connect.
> 
> > * Configure Samba to only accept connections on public IPs.
> 
> This is what I added on all nodes:
> 
> interfaces = xx.yy.zz.216/24, xx.yy.zz.217/24, xx.yy.zz.219/24, xx.yy.zz.220/24, xx.yy.zz.221/24, 
> xx.yy.zz.218/24
> cluster addresses = xx.yy.zz.216, xx.yy.zz.217, xx.yy.zz.219, xx.yy.zz.220, xx.yy.zz.221, xx.yy.zz.218

I'm more of a CTDB person than a Samba person.  However, I don't think
you need the "cluster addresses" option.  That said, you probably know
more about WINS than me...  :-)

> At first the messages were gone for some hours but they have started to appear again.

Something is connecting on xx.yy.zz.236.  It must be either a client or
perhaps event something attempting to monitor the cluster.  Can you use
tcpdump or tshark to dump incoming connections to that IP on port 445
(and perhaps others if you see nothing on 445)?  Then you will know what
client is connecting...

> Do I need to add "bind interfaces only = yes"?

That would be worth a try.  Perhaps try running "netstat -tlnp" with
and without that setting?   Perhaps try connecting to the different
addresses with netcat or telnet?

> I also discovered that there is no nmbd running when I add the "interfaces" line to the config. When 
> I remove the line and restart ctdb it is back again. Is this correct behaviour?

> > * Add firewall rules to block SMB connections to private IPs.
> 
> I have not done this yet because I think the solution above should be sufficient. Apparently it is 
> not. But why?

I'll leave those for someone else to answer...  perhaps Michael, Volker or Metze...

peace & happiness,
martin


More information about the samba-technical mailing list