[Samba] Join multiple CTDB managed Samba servers into Active Directory

tim clusters tim.clusters at gmail.com
Sun Dec 21 01:25:51 GMT 2008


Michael,

Thanks for your response.
You had indicated that "only one" node needs to join the cluster by issuing
"net ads join" and CTDB will take care of propagating to other nodes.

I am authenticating CTDB nodes to Active Directory (AD) via Kerberos. Do I
need to obtain a Kerberos ticket by issuing "kinit" only on one node (and CTDB
will use this ticket for authenticating all other CTDB nodes to AD), or do I
need to issue "kinit" on all the CTDB nodes?

Thanks,
-Kums
On Fri, Dec 19, 2008 at 2:28 AM, Michael Adam <obnox at samba.org> wrote:

> Hi,
>
> the nodes in the cluster should appear as ONE cifs server to the
> outside. It just has multiple IP addresses and one client request is
> served by one node of the cluster.
>
> So there should also only be one name (netbios name)
> the cluster nodes share. Then you just need to join the cluster _once_
> (issuing "net ads join" on _one_ node) ctdb will take care of
> storing the machine password in secrets.tdb so that join
> information is available to all nodes.
>
> So you should set the same "netbios name = XYZ" on smb.conf on
> all cluster nodes.
>
> In your smb.conf, you have set "private dir = /mnt/global/CTDB"
> this is on gpfs cluster storage. This should not be set with
> current versions of ctdb, since ctdb can now handle persistent
> tdb databases (like secrets.tdb). So please remove that setting.
>
> Also extend "vfs objects" to include "fileid" to ensure coherent
> locking across cluster nodes.
>
> I have updated the documentation at
> http://wiki.samba.org/index.php/CTDB_Setup
> to reflect these changes.
>
> If you want to use nfs4 also on gpfs, you should also set
>  force unknown acl user = yes
>  nfs4: mode = special
>  nfs4: chown = yes
>  nfs4: acedup = merge
> in your share definition.
>
> Since samba-3.2.3-ctdb.50 uses the simplified idmap code of
> 3.3.0, you can simply drop the options:
>
> >         idmap alloc TESTDOMAIN:range = 10777216-57554431
> >         idmap config TESTDOMAIN:default = yes
>
> so that your idmap config looks like this:
>
> >         idmap config TESTDOMAIN:range = 10777216-57554431
> >         idmap config TESTDOMAIN:backend = rid
>
> You might also want to set the default idmap config to something like:
>
>  idmap backend = tdb2
>  idmap uid = 1000000-20000000
>  idmap gid = 1000000-20000000
>
> Cheers - Michael
>
> tim clusters wrote:
> > Hi ,
> >
> > I have set up a 2-node CTDB cluster serving NFS and CIFS authenticating
> > Windows and Linux users via Active Directory.
> >
> > The setup works fine, except only one server in the CTDB-cluster is able to
> > join the AD domain at a given instance. If you manually add the other server
> > into AD, the already connected server gets disconnected. There is no
> > specific error message logged in /var/log/message or /var/log/samba/log.smbd
> > or /var/log/samba/log.winbind + network snooping at Samba port(445) does not
> > provide any info.  Please find the smb.conf and CTDB details attached.
> >
> > Without CTDB, I can have Samba active on multiple servers joined to AD.
> > Following is the setup + error message when you manually try to join a
> > second CTDB node into Active Directory:
> > ----------------
> >
> > Configuration:
> >
> > # CTDB Up and Virtualizing two Nodes into single entity
> > # CTDB configured to manage IP, NFS, Samba, and Winbind
> > [root at node-02 nfsexport]# ctdb status
> > Number of nodes:2
> > pnn:0 172.16.2.252     OK (THIS NODE)
> > pnn:1 172.16.2.253     OK
> > Generation:1529093094
> > Size:2
> > hash:0 lmaster:0
> > hash:1 lmaster:1
> > Recovery mode:NORMAL (0)
> > Recovery master:1
> >
> > [root at node-01 ~]# ctdb ip
> > Public IPs on node 1
> > 192.168.97.5 0
> > 192.168.97.6 1
> > # Initially only node-02 was able to join AD
> >
> > [root at node-02 nfsexport]# net ads testjoin
> > Join is OK
> >
> > # Able to see users in AD Domain
> > [root at node-02 ~]# wbinfo -u list
> > TESTDOMAIN+administrator
> > TESTDOMAIN+peyton
> > TESTDOMAIN+eli
> >
> > Join Error
> > -------------
> >
> > # node-01 is unable to join AD
> > [root at node-01 ~]# net ads testjoin
> > [2008/12/02 15:59:47,  0] libads/kerberos.c:ads_kinit_password(361)
> >   kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed:
> > Preauthentication failed
> > [2008/12/02 15:59:47,  0] libads/kerberos.c:ads_kinit_password(361)
> >   kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed:
> > Preauthentication failed
> > Join to domain is not valid: Logon failure
> >
> > # Manually Add node-01 to the AD
> > [root at node-01 ~]# net -d 1 ads join -U Administrator
> > Enter Administrator's password:
> > [2008/12/02 16:06:11,  1] libnet/libnet_join.c:libnet_Join(1799)
> >   libnet_Join:
> >       libnet_JoinCtx: struct libnet_JoinCtx
> >           in: struct libnet_JoinCtx
> >               dc_name                  : NULL
> >               machine_name             : 'node-01'
> >               domain_name              : *
> >                   domain_name              : 'TESTDOMAIN.LOCAL'
> >               account_ou               : NULL
> >               admin_account            : 'Administrator'
> >               admin_password           : *
> >               machine_password         : NULL
> >               join_flags               : 0x00000023 (35)
> >                      0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
> >                      0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
> >                      0: WKSSVC_JOIN_FLAGS_DEFER_SPN
> >                      0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
> >                      0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
> >                      1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
> >                      0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
> >                      0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
> >                      1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
> >                      1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
> >               os_version               : NULL
> >               os_name                  : NULL
> >               create_upn               : 0x00 (0)
> >               upn                      : NULL
> >               modify_config            : 0x00 (0)
> >               ads                      : NULL
> >               debug                    : 0x01 (1)
> >               use_kerberos             : 0x00 (0)
> >               secure_channel_type      : SEC_CHAN_WKSTA (2)
> > [2008/12/02 16:06:11,  1] libnet/libnet_join.c:libnet_Join(1830)
> >   libnet_Join:
> >       libnet_JoinCtx: struct libnet_JoinCtx
> >           out: struct libnet_JoinCtx
> >               account_name             : NULL
> >               netbios_domain_name      : 'TESTDOMAIN'
> >               dns_domain_name          : 'testdomain.local'
> >               dn                       :
> > 'CN=node-01,CN=Computers,DC=testdomain,DC=local'
> >               domain_sid               : *
> >                   domain_sid               :
> > S-1-5-21-3868838012-3874256186-1289404937
> >               modified_config          : 0x00 (0)
> >               error_string             : NULL
> >               domain_is_ad             : 0x01 (1)
> >               result                   : WERR_OK
> > Using short domain name -- TESTDOMAIN
> > Joined 'node-01' to realm 'testdomain.local'
> >
> > [root at node-01 ~]# net ads testjoin
> > Join is OK
> >
> > #Check AD Status from node-02
> > # Result: node-02 which was originally joined to AD gets revoked when
> > node-01 is manually added into AD
> > [root at node-02 nfsexport]# net ads testjoin
> > [2008/12/02 16:21:14,  0] libads/kerberos.c:ads_kinit_password(361)
> >   kerberos_kinit_password node-02$@TESTDOMAIN.LOCAL failed:
> > Preauthentication failed
> > [2008/12/02 16:21:14,  0] libads/kerberos.c:ads_kinit_password(361)
> >   kerberos_kinit_password node-02$@TESTDOMAIN.LOCAL failed:
> > Preauthentication failed
> > Join to domain is not valid: Logon failure
> >
> > #Manually Add node-02 to the AD
> > [root at node-02 nfsexport]# net -d 1 ads join -U Administrator
> > Enter Administrator's password:
> > [2008/12/02 16:33:30,  1] libnet/libnet_join.c:libnet_Join(1799)
> >   libnet_Join:
> >       libnet_JoinCtx: struct libnet_JoinCtx
> >           in: struct libnet_JoinCtx
> >               dc_name                  : NULL
> >               machine_name             : 'node-02'
> >               domain_name              : *
> >                   domain_name              : 'TESTDOMAIN.LOCAL'
> >               account_ou               : NULL
> >               admin_account            : 'Administrator'
> >               admin_password           : *
> >               machine_password         : NULL
> >               join_flags               : 0x00000023 (35)
> >                      0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
> >                      0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
> >                      0: WKSSVC_JOIN_FLAGS_DEFER_SPN
> >                      0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
> >                      0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
> >                      1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
> >                      0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
> >                      0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
> >                      1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
> >                      1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
> >               os_version               : NULL
> >               os_name                  : NULL
> >               create_upn               : 0x00 (0)
> >               upn                      : NULL
> >               modify_config            : 0x00 (0)
> >               ads                      : NULL
> >               debug                    : 0x01 (1)
> >               use_kerberos             : 0x00 (0)
> >               secure_channel_type      : SEC_CHAN_WKSTA (2)
> > [2008/12/02 16:33:31,  1] libnet/libnet_join.c:libnet_Join(1830)
> >   libnet_Join:
> >       libnet_JoinCtx: struct libnet_JoinCtx
> >           out: struct libnet_JoinCtx
> >               account_name             : NULL
> >               netbios_domain_name      : 'TESTDOMAIN'
> >               dns_domain_name          : 'testdomain.local'
> >               dn                       :
> > 'CN=node-02,CN=Computers,DC=testdomain,DC=local'
> >               domain_sid               : *
> >                   domain_sid               :
> > S-1-5-21-3868838012-3874256186-1289404937
> >               modified_config          : 0x00 (0)
> >               error_string             : NULL
> >               domain_is_ad             : 0x01 (1)
> >               result                   : WERR_OK
> > Using short domain name -- TESTDOMAIN
> > Joined 'node-02' to realm 'testdomain.local'
> > [root at node-02 nfsexport]# net ads testjoin
> > Join is OK
> > #When node-02 is added into AD, node-01 gets revoked/disconnected from AD
> > [root at node-01 ~]# net ads testjoin
> > [2008/12/02 16:33:45,  0] libads/kerberos.c:ads_kinit_password(361)
> >   kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed:
> > Preauthentication failed
> > [2008/12/02 16:33:45,  0] libads/kerberos.c:ads_kinit_password(361)
> >   kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed:
> > Preauthentication failed
> > Join to domain is not valid: Logon failure
> > [root at node-02 nfsexport]# net ads testjoin
> > [2008/12/02 14:30:07,  0] passdb/secrets.c:secrets_init(71)
> >   Failed to open /mnt/gpfs/CTDB/secrets.tdb
> > Join to domain is not valid: Access denied
> >
> > -------------
> >
> > Thanks in Advance,
> > -Tim
>
> > Software version
> > ----------------
> >
> > CTDB:
> > ctdb-1.0-64
> > ctdb-debuginfo-1.0-64
> >
> > Samba:
> > samba-debuginfo-3.2.3-ctdb.50
> > samba-3.2.3-ctdb.50
> > samba-doc-3.2.3-ctdb.50
> > samba-winbind-32bit-3.2.3-ctdb.50
> > samba-client-3.2.3-ctdb.50
> > samba-swat-3.2.3-ctdb.50
> > samba-common-3.2.3-ctdb.50
> >
> > Kerberos:
> > krb5-workstation-1.5-17
> > krb5-libs-1.5-17
> > krb5-devel-1.5-17
> > krb5-auth-dialog-0.7-1
> > pam_krb5-2.2.11-1
> > krb5-devel-1.5-17
> > krb5-libs-1.5-17
> > pam_krb5-2.2.11-1
> >
> >
> > smb.conf
> > --------
> >
> > [global]
> >         workgroup = TESTDOMAIN
> >         realm = TESTDOMAIN.LOCAL
> >         security = ADS
> >         password server = 192.168.10.10
> >         private dir = /mnt/global/CTDB
> >         client NTLMv2 auth = Yes
> >         template homedir = /home/%D+%U
> >         template shell = /bin/bash
> >         winbind separator = +
> >         winbind enum users = Yes
> >         winbind enum groups = Yes
> >         smb ports = 445
> >         server signing = auto
> >         socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> >         use mmap = No
> >         clustering = Yes
> >         dns proxy = No
> >         gpfs:sharemodes = no
> >         fileid:mapping = global_GbE
> >         idmap alloc TESTDOMAIN:range = 10777216-57554431
> >         idmap config TESTDOMAIN:range = 10777216-57554431
> >         idmap config TESTDOMAIN:backend = rid
> >         idmap config TESTDOMAIN:default = yes
> >         force unknown acl user = Yes
> >         vfs objects = gpfs
> >         log level = 3 passdb:5 auth:10 winbind:5
> >         log file = /var/log/samba/log.%m
> >         max log size = 50
> >
> > [global-share]
> >         comment = global NameSpace
> >         path = /mnt/global/nfsexport
> >         read only = No
> >         inherit permissions = Yes
> >         inherit acls = Yes
> >
> >
> > /etc/sysconfig/ctdb
> > -------------------
> >
> > CTDB_RECOVERY_LOCK=/mnt/global/CTDB/recovery.lck
> > CTDB_PUBLIC_ADDRESSES=/etc/ctdb/public_addresses
> > CTDB_MANAGES_SAMBA=yes
> > CTDB_MANAGES_WINBIND=yes
> > CTDB_MANAGES_NFS=yes
> > CTDB_NODES=/etc/ctdb/nodes
>
> --
> Michael Adam <ma at sernet.de>  <obnox at samba.org>
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.SerNet.DE <http://www.sernet.de/>, mailto: Info @ SerNet.DE
>
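The configuration changes Michael lists above (one shared "netbios name" on all nodes, no "private dir" on cluster storage, "clustering = yes", "fileid" in "vfs objects", and the "idmap alloc ..." / "idmap config ...:default" options dropped) can be checked mechanically before anyone runs "net ads join" a second time. The following lint script is an added example written for this archive page; it is not code from the thread or from the Samba or CTDB projects. The smb.conf texts embedded in it are constructed from the posted config and the suggested corrections, and the finding codes and the placeholder name XYZ are illustrative.

```python
"""Lint the smb.conf of every CTDB node for the clustering pitfalls in this thread.
Added example, not Samba/CTDB code.  Checks follow Michael Adam's reply:
  netbios name  - set, and identical on all nodes (ONE cifs server, joined once)
  private dir   - must not be set; ctdb replicates secrets.tdb itself
  clustering    - must be yes
  vfs objects   - must include fileid for coherent cross-node locking
  idmap alloc ... / idmap config ...:default - obsolete with the 3.3-style idmap code
"""
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}.
    Names are lower-cased with whitespace collapsed (Samba treats them
    case-insensitively); lines starting with '#' or ';' are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = " ".join(m.group("name").lower().split())
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def lint_node(conf):
    """Findings for one node's [global] section; each string starts with a code."""
    g = conf.get("global", {})
    findings = []
    if "netbios name" not in g:
        findings.append("netbios-name: not set, node would join under its own hostname")
    if "private dir" in g:
        findings.append("private-dir: set to %s; remove it, ctdb handles secrets.tdb" % g["private dir"])
    if g.get("clustering", "no").lower() not in ("yes", "true", "1"):
        findings.append("clustering: not enabled")
    if "fileid" not in g.get("vfs objects", "").split():
        findings.append("vfs-objects: fileid missing, locking not coherent across nodes")
    for key in sorted(g):
        if key.startswith("idmap alloc ") or (key.startswith("idmap config ") and key.endswith(":default")):
            findings.append("idmap-obsolete: drop '%s'" % key)
    return findings


def lint_cluster(node_confs):
    """node_confs: {node: smb.conf text} -> {node: findings} plus a 'cluster' entry."""
    parsed = {n: parse_smb_conf(t) for n, t in node_confs.items()}
    report = {n: lint_node(c) for n, c in parsed.items()}
    names = {n: c.get("global", {}).get("netbios name", "").upper() for n, c in parsed.items()}
    report["cluster"] = []
    if len(set(names.values())) > 1:
        report["cluster"].append("netbios-name: differs across nodes %s; the cluster must be "
                                 "ONE cifs server joined once" % sorted(names.items()))
    return report


# Constructed from the [global] section posted in the thread (identical on both nodes).
AS_POSTED = """
[global]
        workgroup = TESTDOMAIN
        realm = TESTDOMAIN.LOCAL
        security = ADS
        private dir = /mnt/global/CTDB
        clustering = Yes
        idmap alloc TESTDOMAIN:range = 10777216-57554431
        idmap config TESTDOMAIN:range = 10777216-57554431
        idmap config TESTDOMAIN:backend = rid
        idmap config TESTDOMAIN:default = yes
        vfs objects = gpfs
"""

# Constructed: the same section after the corrections suggested in the reply (XYZ is a placeholder).
FIXED = """
[global]
        workgroup = TESTDOMAIN
        realm = TESTDOMAIN.LOCAL
        security = ADS
        netbios name = XYZ
        clustering = Yes
        idmap backend = tdb2
        idmap uid = 1000000-20000000
        idmap gid = 1000000-20000000
        idmap config TESTDOMAIN:range = 10777216-57554431
        idmap config TESTDOMAIN:backend = rid
        vfs objects = gpfs fileid
"""


def demo():
    """Lint the posted config, the corrected one, and a cluster whose nodes disagree on the name."""
    return {
        "posted": lint_cluster({"node-01": AS_POSTED, "node-02": AS_POSTED}),
        "fixed": lint_cluster({"node-01": FIXED, "node-02": FIXED}),
        "mixed": lint_cluster({"node-01": FIXED.replace("netbios name = XYZ", "netbios name = node-01"),
                               "node-02": FIXED.replace("netbios name = XYZ", "netbios name = node-02")}),
    }


if __name__ == "__main__":
    for scenario, report in demo().items():
        for node, findings in report.items():
            for f in findings:
                print("%s %s: %s" % (scenario, node, f))
```

Feed it the real files (for example by reading /etc/samba/smb.conf from each node over ssh into the node_confs dict) and only join the domain once every node reports no findings; the "mixed" scenario reproduces the situation in the original post, where each node would join under its own name.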
