[Samba] Join multiple CTDB managed Samba servers into Active Directory

tim clusters tim.clusters at gmail.com
Thu Dec 4 23:04:00 GMT 2008


Hi,

I have set up a 2-node CTDB cluster serving NFS and CIFS authenticating
Windows and Linux users via Active Directory.

The setup works fine, except that only one server in the CTDB cluster is able to
join the AD domain at a given instance. If you manually add the other server
into AD, the already connected server gets disconnected. There is no
specific error message logged in /var/log/message, /var/log/samba/log.smbd
or /var/log/samba/log.winbind, and network snooping on the Samba port (445) does not
provide any info. Please find the smb.conf and CTDB details attached.

Without CTDB, I can have Samba active on multiple servers joined to AD.
Following is the setup + error message when you manually try to join a
second CTDB node into Active Directory:
----------------

Configuration:

# CTDB Up and Virtualizing two Nodes into single entity
# CTDB configured to manage IP, NFS, Samba, and Winbind
[root@node-02 nfsexport]# ctdb status
Number of nodes:2
pnn:0 172.16.2.252     OK (THIS NODE)
pnn:1 172.16.2.253     OK
Generation:1529093094
Size:2
hash:0 lmaster:0
hash:1 lmaster:1
Recovery mode:NORMAL (0)
Recovery master:1

[root@node-01 ~]# ctdb ip
Public IPs on node 1
192.168.97.5 0
192.168.97.6 1
# Initially only node-02 was able to join AD

[root@node-02 nfsexport]# net ads testjoin
Join is OK

# Able to see users in AD Domain
[root@node-02 ~]# wbinfo -u list
TESTDOMAIN+administrator
TESTDOMAIN+peyton
TESTDOMAIN+eli

Join Error
-------------

# node-01 is unable to join AD
[root@node-01 ~]# net ads testjoin
[2008/12/02 15:59:47,  0] libads/kerberos.c:ads_kinit_password(361)
  kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed:
Preauthentication failed
[2008/12/02 15:59:47,  0] libads/kerberos.c:ads_kinit_password(361)
  kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed:
Preauthentication failed
Join to domain is not valid: Logon failure

# Manually Add node-01 to the AD
[root@node-01 ~]# net -d 1 ads join -U Administrator
Enter Administrator's password:
[2008/12/02 16:06:11,  1] libnet/libnet_join.c:libnet_Join(1799)
  libnet_Join:
      libnet_JoinCtx: struct libnet_JoinCtx
          in: struct libnet_JoinCtx
              dc_name                  : NULL
              machine_name             : 'node-01'
              domain_name              : *
                  domain_name              : 'TESTDOMAIN.LOCAL'
              account_ou               : NULL
              admin_account            : 'Administrator'
              admin_password           : *
              machine_password         : NULL
              join_flags               : 0x00000023 (35)
                     0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                     0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                     0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                     0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                     0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                     1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                     0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                     0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                     1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                     1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
              os_version               : NULL
              os_name                  : NULL
              create_upn               : 0x00 (0)
              upn                      : NULL
              modify_config            : 0x00 (0)
              ads                      : NULL
              debug                    : 0x01 (1)
              use_kerberos             : 0x00 (0)
              secure_channel_type      : SEC_CHAN_WKSTA (2)
[2008/12/02 16:06:11,  1] libnet/libnet_join.c:libnet_Join(1830)
  libnet_Join:
      libnet_JoinCtx: struct libnet_JoinCtx
          out: struct libnet_JoinCtx
              account_name             : NULL
              netbios_domain_name      : 'TESTDOMAIN'
              dns_domain_name          : 'testdomain.local'
              dn                       :
'CN=node-01,CN=Computers,DC=testdomain,DC=local'
              domain_sid               : *
                  domain_sid               :
S-1-5-21-3868838012-3874256186-1289404937
              modified_config          : 0x00 (0)
              error_string             : NULL
              domain_is_ad             : 0x01 (1)
              result                   : WERR_OK
Using short domain name -- TESTDOMAIN
Joined 'node-01' to realm 'testdomain.local'

[root@node-01 ~]# net ads testjoin
Join is OK

# Check AD status from node-02
# Result: node-02, which was originally joined to AD, gets revoked when
# node-01 is manually added into AD
[root@node-02 nfsexport]# net ads testjoin
[2008/12/02 16:21:14,  0] libads/kerberos.c:ads_kinit_password(361)
  kerberos_kinit_password node-02$@TESTDOMAIN.LOCAL failed:
Preauthentication failed
[2008/12/02 16:21:14,  0] libads/kerberos.c:ads_kinit_password(361)
  kerberos_kinit_password node-02$@TESTDOMAIN.LOCAL failed:
Preauthentication failed
Join to domain is not valid: Logon failure

# Manually add node-02 to the AD
[root@node-02 nfsexport]# net -d 1 ads join -U Administrator
Enter Administrator's password:
[2008/12/02 16:33:30,  1] libnet/libnet_join.c:libnet_Join(1799)
  libnet_Join:
      libnet_JoinCtx: struct libnet_JoinCtx
          in: struct libnet_JoinCtx
              dc_name                  : NULL
              machine_name             : 'node-02'
              domain_name              : *
                  domain_name              : 'TESTDOMAIN.LOCAL'
              account_ou               : NULL
              admin_account            : 'Administrator'
              admin_password           : *
              machine_password         : NULL
              join_flags               : 0x00000023 (35)
                     0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                     0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                     0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                     0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                     0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                     1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                     0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                     0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                     1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                     1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
              os_version               : NULL
              os_name                  : NULL
              create_upn               : 0x00 (0)
              upn                      : NULL
              modify_config            : 0x00 (0)
              ads                      : NULL
              debug                    : 0x01 (1)
              use_kerberos             : 0x00 (0)
              secure_channel_type      : SEC_CHAN_WKSTA (2)
[2008/12/02 16:33:31,  1] libnet/libnet_join.c:libnet_Join(1830)
  libnet_Join:
      libnet_JoinCtx: struct libnet_JoinCtx
          out: struct libnet_JoinCtx
              account_name             : NULL
              netbios_domain_name      : 'TESTDOMAIN'
              dns_domain_name          : 'testdomain.local'
              dn                       :
'CN=node-02,CN=Computers,DC=testdomain,DC=local'
              domain_sid               : *
                  domain_sid               :
S-1-5-21-3868838012-3874256186-1289404937
              modified_config          : 0x00 (0)
              error_string             : NULL
              domain_is_ad             : 0x01 (1)
              result                   : WERR_OK
Using short domain name -- TESTDOMAIN
Joined 'node-02' to realm 'testdomain.local'
[root@node-02 nfsexport]# net ads testjoin
Join is OK
# When node-02 is added into AD, node-01 gets revoked/disconnected from AD
[root@node-01 ~]# net ads testjoin
[2008/12/02 16:33:45,  0] libads/kerberos.c:ads_kinit_password(361)
  kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed:
Preauthentication failed
[2008/12/02 16:33:45,  0] libads/kerberos.c:ads_kinit_password(361)
  kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed:
Preauthentication failed
Join to domain is not valid: Logon failure
[root@node-02 nfsexport]# net ads testjoin
[2008/12/02 14:30:07,  0] passdb/secrets.c:secrets_init(71)
  Failed to open /mnt/gpfs/CTDB/secrets.tdb
Join to domain is not valid: Access denied

-------------

Thanks in Advance,
-Tim
-------------- next part --------------
Software version
----------------

CTDB:
ctdb-1.0-64
ctdb-debuginfo-1.0-64

Samba:
samba-debuginfo-3.2.3-ctdb.50
samba-3.2.3-ctdb.50
samba-doc-3.2.3-ctdb.50
samba-winbind-32bit-3.2.3-ctdb.50
samba-client-3.2.3-ctdb.50
samba-swat-3.2.3-ctdb.50
samba-common-3.2.3-ctdb.50

Kerberos:
krb5-workstation-1.5-17
krb5-libs-1.5-17
krb5-devel-1.5-17
krb5-auth-dialog-0.7-1
pam_krb5-2.2.11-1
krb5-devel-1.5-17
krb5-libs-1.5-17
pam_krb5-2.2.11-1


smb.conf
--------

[global]
        workgroup = TESTDOMAIN
        realm = TESTDOMAIN.LOCAL
        security = ADS
        password server = 192.168.10.10
        private dir = /mnt/global/CTDB
        client NTLMv2 auth = Yes
        template homedir = /home/%D+%U
        template shell = /bin/bash
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        smb ports = 445
        server signing = auto
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        use mmap = No
        clustering = Yes
        dns proxy = No
        gpfs:sharemodes = no
        fileid:mapping = global_GbE
        idmap alloc TESTDOMAIN:range = 10777216-57554431
        idmap config TESTDOMAIN:range = 10777216-57554431
        idmap config TESTDOMAIN:backend = rid
        idmap config TESTDOMAIN:default = yes
        force unknown acl user = Yes
        vfs objects = gpfs
        log level = 3 passdb:5 auth:10 winbind:5
        log file = /var/log/samba/log.%m
        max log size = 50

[global-share]
        comment = global NameSpace
        path = /mnt/global/nfsexport
        read only = No
        inherit permissions = Yes
        inherit acls = Yes


/etc/sysconfig/ctdb
-------------------

CTDB_RECOVERY_LOCK=/mnt/global/CTDB/recovery.lck
CTDB_PUBLIC_ADDRESSES=/etc/ctdb/public_addresses
CTDB_MANAGES_SAMBA=yes
CTDB_MANAGES_WINBIND=yes
CTDB_MANAGES_NFS=yes
CTDB_NODES=/etc/ctdb/nodes


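The pattern in the logs above (each node's `net ads join` succeeds, and the
other node's `node-XX$` Kerberos pre-authentication starts failing right
afterwards) is what you see when two nodes share one secrets.tdb in a
clustered `private dir` but each registers its own machine account: the
second join stores a new machine password for the domain and the first
node's credentials are gone. The check below is an added example, not part
of Tim's mail and not a Samba or CTDB tool. It parses the `[global]` section
of an smb.conf and refuses a configuration in which the nodes would join
under different names. The cluster name `CTDBNAS` and the shared filesystem
prefix `/mnt/global` are assumed for illustration; the two config fragments
are constructed from the smb.conf in the post.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-join sanity check for a
# CTDB-managed Samba cluster. With "clustering = yes" the nodes share one
# secrets.tdb under "private dir", so they must also share one machine
# account: set the same "netbios name" on every node and run "net ads join"
# once. Assumed names: CTDBNAS as the cluster netbios name, /mnt/global as
# the shared filesystem; both are illustrative, not taken from the post.

# Print the value of KEY from the [global] section of smb.conf FILE
# (key match is case-insensitive; comments and other sections are skipped).
smb_global_get() {   # usage: smb_global_get FILE KEY
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[[Gg][Ll][Oo][Bb][Aa][Ll]\]/); next }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# Return 0 if every node will present the same AD machine account, 1 otherwise.
check_cluster_join() {   # usage: check_cluster_join SMB_CONF SHARED_FS_PREFIX
    conf=$1; shared=$2; rc=0
    name=$(smb_global_get "$conf" "netbios name")
    if [ -z "$name" ]; then
        echo "FAIL: no 'netbios name': each node joins as <hostname>\$ and its join overwrites the shared secrets.tdb"
        rc=1
    fi
    case "$(smb_global_get "$conf" clustering | tr 'A-Z' 'a-z')" in
        yes|true|1) ;;
        *) echo "FAIL: clustering is not enabled"; rc=1 ;;
    esac
    priv=$(smb_global_get "$conf" "private dir")
    case "$priv" in
        "$shared"/*) ;;
        *) echo "FAIL: private dir '$priv' is not on the shared filesystem '$shared'"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: all nodes share machine account ${name}\$ via $priv/secrets.tdb"
    return "$rc"
}

# Constructed smb.conf fragments, trimmed from the post.
write_broken_conf() {   # as posted: no netbios name, so node-01$ and node-02$ fight over secrets.tdb
    cat > "$1" <<'EOF'
[global]
        workgroup = TESTDOMAIN
        realm = TESTDOMAIN.LOCAL
        security = ADS
        password server = 192.168.10.10
        private dir = /mnt/global/CTDB
        clustering = Yes
        idmap config TESTDOMAIN:backend = rid
        idmap config TESTDOMAIN:range = 10777216-57554431
EOF
}

write_fixed_conf() {    # corrected: one cluster-wide machine account CTDBNAS$ (assumed name)
    write_broken_conf "$1"
    printf '        netbios name = CTDBNAS\n' >> "$1"
}

run_demo() {
    t=${TMPDIR:-/tmp}/smb.$$
    write_broken_conf "$t.posted"; write_fixed_conf "$t.fixed"
    echo "== as posted =="; check_cluster_join "$t.posted" /mnt/global || :
    echo "== corrected =="; check_cluster_join "$t.fixed"  /mnt/global || :
    rm -f "$t.posted" "$t.fixed"
}
run_demo
```

With the corrected fragment on both nodes you join once (from either node,
while CTDB is running) and `net ads testjoin` then succeeds on every node,
because they all authenticate as the same `CTDBNAS$` principal from the same
secrets.tdb. Keeping `private dir` on the shared filesystem also matters
after the join: winbind rotates the machine password on its own (`machine
password timeout`, one week by default), and a rotation done by one node
must be visible to the others or the same "Preauthentication failed"
symptom reappears later.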