[Samba] Join multiple CTDB managed Samba servers into Active
Directory
tim clusters
tim.clusters at gmail.com
Thu Dec 4 23:04:00 GMT 2008
Hi,
I have set up a 2-node CTDB cluster serving NFS and CIFS, authenticating
Windows and Linux users via Active Directory.
The setup works fine, except that only one server in the CTDB cluster can be
joined to the AD domain at a time. If you manually join the other server to
AD, the server that was already joined loses its join. No specific error
message is logged in /var/log/messages, /var/log/samba/log.smbd or
/var/log/samba/log.winbind, and a packet capture on the Samba port (445)
does not provide any further information. Please find the smb.conf and CTDB
details attached.
Without CTDB, I can have Samba active on multiple servers joined to AD.
Below is the setup, followed by the error messages seen when manually
joining a second CTDB node to Active Directory:
----------------
Configuration:
# CTDB is up and presents the two nodes as a single entity
# CTDB is configured to manage the public IPs, NFS, Samba and winbind
[root at node-02 nfsexport]# ctdb status
Number of nodes:2
pnn:0 172.16.2.252 OK (THIS NODE)
pnn:1 172.16.2.253 OK
Generation:1529093094
Size:2
hash:0 lmaster:0
hash:1 lmaster:1
Recovery mode:NORMAL (0)
Recovery master:1
[root at node-01 ~]# ctdb ip
Public IPs on node 1
192.168.97.5 0
192.168.97.6 1
# Initially only node-02 was able to join AD
[root at node-02 nfsexport]# net ads testjoin
Join is OK
# Users in the AD domain are visible
[root at node-02 ~]# wbinfo -u list
TESTDOMAIN+administrator
TESTDOMAIN+peyton
TESTDOMAIN+eli
Join Error
-------------
# node-01 is unable to join AD
[root at node-01 ~]# net ads testjoin
[2008/12/02 15:59:47, 0] libads/kerberos.c:ads_kinit_password(361)
kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed:
Preauthentication failed
[2008/12/02 15:59:47, 0] libads/kerberos.c:ads_kinit_password(361)
kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed:
Preauthentication failed
Join to domain is not valid: Logon failure
# Manually join node-01 to AD
[root at node-01 ~]# net -d 1 ads join -U Administrator
Enter Administrator's password:
[2008/12/02 16:06:11, 1] libnet/libnet_join.c:libnet_Join(1799)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'node-01'
domain_name : *
domain_name : 'TESTDOMAIN.LOCAL'
account_ou : NULL
admin_account : 'Administrator'
admin_password : *
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
[2008/12/02 16:06:11, 1] libnet/libnet_join.c:libnet_Join(1830)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'TESTDOMAIN'
dns_domain_name : 'testdomain.local'
dn :
'CN=node-01,CN=Computers,DC=testdomain,DC=local'
domain_sid : *
domain_sid :
S-1-5-21-3868838012-3874256186-1289404937
modified_config : 0x00 (0)
error_string : NULL
domain_is_ad : 0x01 (1)
result : WERR_OK
Using short domain name -- TESTDOMAIN
Joined 'node-01' to realm 'testdomain.local'
[root at node-01 ~]# net ads testjoin
Join is OK
# Check the AD join status from node-02
# Result: node-02, which was originally joined to AD, has its join revoked
# once node-01 is manually joined to AD
[root at node-02 nfsexport]# net ads testjoin
[2008/12/02 16:21:14, 0] libads/kerberos.c:ads_kinit_password(361)
kerberos_kinit_password node-02$@TESTDOMAIN.LOCAL failed:
Preauthentication failed
[2008/12/02 16:21:14, 0] libads/kerberos.c:ads_kinit_password(361)
kerberos_kinit_password node-02$@TESTDOMAIN.LOCAL failed:
Preauthentication failed
Join to domain is not valid: Logon failure
# Manually join node-02 to AD
[root at node-02 nfsexport]# net -d 1 ads join -U Administrator
Enter Administrator's password:
[2008/12/02 16:33:30, 1] libnet/libnet_join.c:libnet_Join(1799)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'node-02'
domain_name : *
domain_name : 'TESTDOMAIN.LOCAL'
account_ou : NULL
admin_account : 'Administrator'
admin_password : *
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
[2008/12/02 16:33:31, 1] libnet/libnet_join.c:libnet_Join(1830)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'TESTDOMAIN'
dns_domain_name : 'testdomain.local'
dn :
'CN=node-02,CN=Computers,DC=testdomain,DC=local'
domain_sid : *
domain_sid :
S-1-5-21-3868838012-3874256186-1289404937
modified_config : 0x00 (0)
error_string : NULL
domain_is_ad : 0x01 (1)
result : WERR_OK
Using short domain name -- TESTDOMAIN
Joined 'node-02' to realm 'testdomain.local'
[root at node-02 nfsexport]# net ads testjoin
Join is OK
# When node-02 is joined to AD, node-01 is revoked/disconnected from AD
[root at node-01 ~]# net ads testjoin
[2008/12/02 16:33:45, 0] libads/kerberos.c:ads_kinit_password(361)
kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed:
Preauthentication failed
[2008/12/02 16:33:45, 0] libads/kerberos.c:ads_kinit_password(361)
kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed:
Preauthentication failed
Join to domain is not valid: Logon failure
[root at node-02 nfsexport]# net ads testjoin
[2008/12/02 14:30:07, 0] passdb/secrets.c:secrets_init(71)
Failed to open /mnt/gpfs/CTDB/secrets.tdb
Join to domain is not valid: Access denied
-------------
Thanks in Advance,
-Tim
Software version
----------------
CTDB:
ctdb-1.0-64
ctdb-debuginfo-1.0-64
Samba:
samba-debuginfo-3.2.3-ctdb.50
samba-3.2.3-ctdb.50
samba-doc-3.2.3-ctdb.50
samba-winbind-32bit-3.2.3-ctdb.50
samba-client-3.2.3-ctdb.50
samba-swat-3.2.3-ctdb.50
samba-common-3.2.3-ctdb.50
Kerberos:
krb5-workstation-1.5-17
krb5-libs-1.5-17
krb5-devel-1.5-17
krb5-auth-dialog-0.7-1
pam_krb5-2.2.11-1
krb5-devel-1.5-17
krb5-libs-1.5-17
pam_krb5-2.2.11-1
smb.conf
--------
[global]
workgroup = TESTDOMAIN
realm = TESTDOMAIN.LOCAL
security = ADS
password server = 192.168.10.10
private dir = /mnt/global/CTDB
client NTLMv2 auth = Yes
template homedir = /home/%D+%U
template shell = /bin/bash
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
smb ports = 445
server signing = auto
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
use mmap = No
clustering = Yes
dns proxy = No
gpfs:sharemodes = no
fileid:mapping = global_GbE
idmap alloc TESTDOMAIN:range = 10777216-57554431
idmap config TESTDOMAIN:range = 10777216-57554431
idmap config TESTDOMAIN:backend = rid
idmap config TESTDOMAIN:default = yes
force unknown acl user = Yes
vfs objects = gpfs
log level = 3 passdb:5 auth:10 winbind:5
log file = /var/log/samba/log.%m
max log size = 50
[global-share]
comment = global NameSpace
path = /mnt/global/nfsexport
read only = No
inherit permissions = Yes
inherit acls = Yes
/etc/sysconfig/ctdb
-------------------
CTDB_RECOVERY_LOCK=/mnt/global/CTDB/recovery.lck
CTDB_PUBLIC_ADDRESSES=/etc/ctdb/public_addresses
CTDB_MANAGES_SAMBA=yes
CTDB_MANAGES_WINBIND=yes
CTDB_MANAGES_NFS=yes
CTDB_NODES=/etc/ctdb/nodes