[Samba] Join multiple CTDB managed Samba servers into Active Directory

tim clusters tim.clusters at gmail.com
Sun Dec 21 21:27:02 GMT 2008


Hi Michael,

Thanks for the clarification. I presumed we had to kinit and obtain Kerberos
tickets before we join CTDB into AD. I did not know Samba tools would get
tickets internally; please excuse my ignorance.

I did as you suggested and did a fresh CTDB install. I destroyed the Kerberos
tickets, left AD, then restarted CTDB and joined AD from one of the CTDB nodes.
Please see the attached output and let me know if I missed any steps.
CTDB is all up and fine. However, the Windows client node is able to
mount/access only one of the CTDB managed SMB servers. When you try to
network mount from the other CTDB SMB server, the session just gets
terminated. Following is a snippet of log.smb.client.

[2008/12/21 12:29:35, 10] smbd/share_access.c:user_ok_token(231)
  user_ok_token: share global-share is ok for unix user TESTDOMAIN+peyton
[2008/12/21 12:29:35, 10] smbd/share_access.c:is_share_read_only_for_token(273)
  is_share_read_only_for_user: share global-share is read-write for unix user TESTDOMAIN+peyton
[2008/12/21 12:29:35,  1] smbd/service.c:make_connection_snum(1190)
  d2950-12 (::ffff:192.168.97.1) connect to service global-share initially as user TESTDOMAIN+peyton (uid=10778326, gid=10777729) (pid 28873)
..
..
[2008/12/21 12:29:35,  3] smbd/reply.c:reply_tcon_and_X(727)
  tconX service=GLOBAL-SHARE
[2008/12/21 12:29:35, 10] lib/util.c:dump_data(2223)
  [000] 41 3A 00 4E 00 54 00 46  00 53 00 00 00           A:.N.T.F .S...
[2008/12/21 12:29:35,  5] lib/util_sock.c:read_socket_with_timeout(928)
  read_socket_with_timeout: blocking read. EOF from client.
[2008/12/21 12:29:35, 10] smbd/process.c:receive_smb_raw_talloc(276)
  receive_smb_raw: NT_STATUS_END_OF_FILE
[2008/12/21 12:29:35,  3] smbd/process.c:smbd_process(2035)
  receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting


However, if I restart Winbind on the SMB server (the one the client was initially
UNABLE to mount from), the mount works. BUT mount/access to the first SMB server
then fails. So, at a given instant, Windows clients are able to mount from only
one of the CTDB managed SMB servers. I snooped network packets on port 445 and
checked the CTDB/Samba/Winbind logs, but could not find any major error message
other than the above.

From a Linux smbclient, I can mount/access both of the SMB servers.

I guess I am missing something important. Please advise.

Regards,
-Tim

On Sun, Dec 21, 2008 at 9:40 AM, Michael Adam <obnox at samba.org> wrote:

> Hi Tim,
>
> tim clusters wrote:
> > Michael,
> >
> > Thanks for your response.
> > You had indicated that "only one" node needs to join the cluster by
> > issuing "net ads join" and CTDB will take care of propagating to other nodes.
> >
> > I am authenticating CTDB nodes to Active Directory (AD) via Kerberos. Do I
> > need to obtain a Kerberos ticket by issuing "kinit" only on one node (and
> > CTDB will use this ticket for authenticating all other CTDB nodes to AD) or
> > do I need to issue "kinit" on all the CTDB nodes?
>
> Hmm, "net ads join" and winbindd in ads mode do use kerberos.
> Usually you do _not_ need to call kinit manually. The samba tools
> do internally go and get tickets from the kdc and so on. All that
> needs to be propagated (via secrets.tdb) is the join information
> (machine account password)...
>
> Please elaborate your point if I misunderstood you.
>
> Cheers - Michael
>
>
>
-------------- next part --------------

# CTDB State before FRESH INSTALL
[root at node-01 ~]# ctdb status
Number of nodes:2
pnn:0 172.16.2.252     OK
pnn:1 172.16.2.253     OK (THIS NODE)
Generation:1728422679
Size:2
hash:0 lmaster:0
hash:1 lmaster:1
Recovery mode:NORMAL (0)
Recovery master:0

# Disjoin from AD (issue from one CTDB node)
[root at node-01 ~]# net ads leave -U Administrator
Enter Administrator's password:
Deleted account for 'CTDB-HEAD' in realm 'TESTDOMAIN.LOCAL'

# Destroy KRB tickets on node1 and verify
[root at node-01 ~]# kdestroy
[root at node-01 ~]# klist 
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

# Destroy KRB tickets on node2 and verify
[root at node-02 ~]# kdestroy 
[root at node-02 ~]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

# Shutdown CTDB cluster
[root at host01 ~]# pdsh -w node-[01-02] "/etc/init.d/ctdb stop"
node-02: Shutting down ctdbd service: 
node-02: 
node-01: Shutting down ctdbd service: killing ctdbd 
node-01: 

# Start FRESH. START CTDB CLUSTER
[root at host01 ~]# pdsh -w node-[01-02] "/etc/init.d/ctdb start"
node-02: Starting ctdbd service: [  OK  ]
node-01: Starting ctdbd service: [  OK  ]

# Join AD from one node in the CTDB cluster
[root at node-01 ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- TESTDOMAIN
Joined 'CTDB-HEAD' to realm 'testdomain.local'

# Verify AD Join from node1
[root at node-01 ~]# net ads testjoin
Join is OK

[root at node-01 ~]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

# Verify AD Join from node2 to MAKE SURE AD Join is propagated via secrets.tdb
[root at node-02 ~]# net ads testjoin
Join is OK
[root at node-02 ~]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

# Winbind on node1 can see users in AD
[root at node-01 ~]# wbinfo -u list
TESTDOMAIN+administrator
TESTDOMAIN+guest
TESTDOMAIN+krbtgt
TESTDOMAIN+testuser
TESTDOMAIN+peyton
TESTDOMAIN+eli

# Winbind on node2 can see users in AD
[root at node-02 ~]# wbinfo -u list
TESTDOMAIN+administrator
TESTDOMAIN+guest
TESTDOMAIN+krbtgt
TESTDOMAIN+testuser
TESTDOMAIN+peyton
TESTDOMAIN+eli

# CTDB is healthy state
[root at node-01 ~]# ctdb status
Number of nodes:2
pnn:0 172.16.2.252     OK
pnn:1 172.16.2.253     OK (THIS NODE)
Generation:1728422679
Size:2
hash:0 lmaster:0
hash:1 lmaster:1
Recovery mode:NORMAL (0)
Recovery master:0

# Verify SMB state on CTDB nodes, all UP
[root at host01 ~]# pdsh -w node-[01-02] "/etc/init.d/smb status"
node-01: smbd (pid 2725 2695) is running...
node-02: smbd (pid 24702 24665) is running...
node-01: nmbd (pid 2698) is running...
node-02: nmbd (pid 24668) is running...

# Verify Winbind state on CTDB nodes, all UP
[root at host01 ~]# pdsh -w node-[01-02] "/etc/init.d/winbind status"
node-02: winbindd (pid 27569 26611 26610 24710 24707) is running...
node-01: winbindd (pid 6223 6122 6120) is running...

# Verify NFS state on CTDB nodes, all UP
[root at host01 ~]# pdsh -w node-[01-02] "/etc/init.d/nfs status"
node-01: rpc.mountd (pid 2955) is running...
node-02: rpc.mountd (pid 24932) is running...
node-01: nfsd (pid 2943 2942 2941 2940 2939 2938 2937 2936 2935 2934 2933 2932 2931 2930 2929 2928 2927 2926 2925 2924 2923 2922 2921 2920 2919 2918 2917 2916 2915 2914 2913 2912 2911 2910 2909 2908 2907 2906 2905 2904 2903 2902 2901 2900 2899 2898 2897 2896 2895 2894 2893 2892 2891 2890 2889 2888 2887 2886 2885 2884 2883 2882 2881 2880) is running...
node-02: nfsd (pid 24920 24919 24918 24917 24916 24915 24914 24913 24912 24911 24910 24909 24908 24907 24906 24905 24904 24903 24902 24901 24900 24899 24898 24897 24896 24895 24894 24893 24892 24891 24890 24889 24888 24887 24886 24885 24884 24883 24882 24881 24880 24879 24878 24877 24876 24875 24874 24873 24872 24871 24870 24869 24868 24867 24866 24865 24864 24863 24862 24861 24860 24859 24858 24857) is running...
node-01: rpc.rquotad (pid 2876) is running...
node-02: rpc.rquotad (pid 24853) is running...


# Linux Samba client can SMB mount from node1
[root at client ~]# smbclient -U TESTDOMAIN+peyton '\\192.168.97.5\global-share'
Enter TESTDOMAIN+peyton's password:
Domain=[TESTDOMAIN] OS=[Unix] Server=[Samba 3.2.3]
smb: \> dir
  .                                   D        0  Wed Dec 10 12:22:02 2008
  ..                                  D        0  Thu Dec 18 09:29:24 2008
  testfile.txt                        A     1141  Sun Dec 21 12:29:13 2008
  OFED-1.3.1                          D        0  Tue Jun  3 03:17:28 2008
  

                65535 blocks of size 33553920. 65535 blocks available
smb: \> exit

# Linux Samba client can SMB mount from node2
[root at client ~]# smbclient -U TESTDOMAIN+peyton '\\192.168.97.6\global-share'
Enter TESTDOMAIN+peyton's password:
Domain=[TESTDOMAIN] OS=[Unix] Server=[Samba 3.2.3]
smb: \> dir
  .                                   D        0  Wed Dec 10 12:22:02 2008
  ..                                  D        0  Thu Dec 18 09:29:24 2008
  testfile.txt                        A     1141  Sun Dec 21 12:29:13 2008
  OFED-1.3.1                          D        0  Tue Jun  3 03:17:28 2008


                65535 blocks of size 33553920. 65535 blocks available
smb: \> exit
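As an added example (not part of Tim's message, nor code from the Samba or CTDB projects), the per-node verification steps in the attachment above (`ctdb status`, `net ads testjoin`, `wbinfo -u`) can be turned into a repeatable check that is run identically on every node, so a node whose winbind does not agree with the propagated join shows up before a client does. The script below is POSIX sh. The `verify_node` helper is hypothetical and assumes root ssh access to the node names from the thread (node-01, node-02); the sample outputs embedded at the bottom are constructed from the transcript (the failing `net ads testjoin` text is constructed too) so the parsers can be exercised offline without a cluster.

```shell
#!/bin/sh
# Added example, not from the thread: offline-testable versions of the
# per-node checks shown in the attachment (ctdb status, net ads testjoin,
# wbinfo -u). Only verify_node() touches a real host, and it runs only
# when --live is given.

# ctdb_all_ok: read `ctdb status` output on stdin. Succeed only when every
# pnn line reports OK (the "(THIS NODE)" tag is ignored) and the recovery
# mode is NORMAL, i.e. the state the "CTDB is healthy" step expects.
ctdb_all_ok() {
    awk '
        /^pnn:/ {
            nodes++
            line = $0
            sub(/ *\(THIS NODE\)$/, "", line)
            if (line !~ / OK$/) bad++
        }
        /^Recovery mode:/ && $0 !~ /NORMAL/ { bad++ }
        END { if (nodes > 0 && bad == 0) exit 0; exit 1 }
    '
}

# testjoin_ok: read `net ads testjoin` output on stdin; succeed on "Join is OK".
testjoin_ok() {
    grep -q '^Join is OK$'
}

# wbinfo_has_user: read `wbinfo -u` output on stdin; succeed when the given
# DOMAIN+user is listed, i.e. winbind on that node resolves domain users.
wbinfo_has_user() {
    grep -qx "$1"
}

# verify_node NODE USER: run all three checks on one live node over ssh.
# Hypothetical helper: assumes root ssh access to NODE (node-01/node-02).
verify_node() {
    node=$1
    user=$2
    ssh "root@$node" ctdb status | ctdb_all_ok \
        || { echo "$node: ctdb not healthy"; return 1; }
    ssh "root@$node" net ads testjoin | testjoin_ok \
        || { echo "$node: join not valid on this node"; return 1; }
    ssh "root@$node" wbinfo -u | wbinfo_has_user "$user" \
        || { echo "$node: winbind cannot list $user"; return 1; }
    echo "$node: join and winbind OK"
}

# Constructed sample outputs, modelled on the transcript above.
SAMPLE_CTDB_OK='Number of nodes:2
pnn:0 172.16.2.252     OK
pnn:1 172.16.2.253     OK (THIS NODE)
Generation:1728422679
Size:2
Recovery mode:NORMAL (0)
Recovery master:0'

SAMPLE_CTDB_BAD='Number of nodes:2
pnn:0 172.16.2.252     UNHEALTHY
pnn:1 172.16.2.253     OK (THIS NODE)
Recovery mode:RECOVERY (1)
Recovery master:0'

SAMPLE_TESTJOIN_OK='Join is OK'
# constructed failure text, not captured from a real run
SAMPLE_TESTJOIN_BAD='Join to domain is not valid: NT_STATUS_NO_LOGON_SERVERS'

SAMPLE_WBINFO='TESTDOMAIN+administrator
TESTDOMAIN+guest
TESTDOMAIN+krbtgt
TESTDOMAIN+peyton'

# self_test: exercise the parsers on the samples; returns 0 when every
# healthy sample passes and every unhealthy sample is rejected.
self_test() {
    printf '%s\n' "$SAMPLE_CTDB_OK"  | ctdb_all_ok || return 1
    printf '%s\n' "$SAMPLE_CTDB_BAD" | ctdb_all_ok && return 1
    printf '%s\n' "$SAMPLE_TESTJOIN_OK"  | testjoin_ok || return 1
    printf '%s\n' "$SAMPLE_TESTJOIN_BAD" | testjoin_ok && return 1
    printf '%s\n' "$SAMPLE_WBINFO" | wbinfo_has_user 'TESTDOMAIN+peyton' || return 1
    printf '%s\n' "$SAMPLE_WBINFO" | wbinfo_has_user 'TESTDOMAIN+eli'    && return 1
    return 0
}

# Default: run the offline self-test. With "--live node-01 node-02 ..." run
# the real checks on each named node and exit non-zero if any node fails.
if [ "$1" = --live ]; then
    shift
    rc=0
    for n in "$@"; do verify_node "$n" 'TESTDOMAIN+peyton' || rc=1; done
    exit $rc
else
    self_test && echo "self-test passed"
fi
```

Running it as `sh check-join.sh --live node-01 node-02` performs the same three checks on each node from a single host, which is the comparison Tim's transcript does by hand; a node that reports "Join is OK" but cannot list domain users points at that node's winbindd rather than at the join itself.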
