[Samba] Problem Accessing Samba share from Windows workstation via DNS Round Robin

simo idra at samba.org
Sun Jan 22 08:48:43 MST 2012

Nico, you present so many questionable 'facts' as absolutes I feel the
need to reply to your statements.

On Fri, 2012-01-20 at 08:40 -0500, Nico Kadel-Garcia wrote: 
> On Fri, Jan 20, 2012 at 1:38 AM, Peter Tan <PTan at ipswich.qld.gov.au> wrote:
> > I have set up a 2 node linux cluster and wish to share an ocfs2 mount on san storage. I have configured ctdb, samba and Kerberos and am able to map the share on my windows workstation when I hit the ip of each of the two nodes.
> >
> > I am able to mount this share via nfs on other linux servers ok.
> >
> > However it does not appear to be authenticating when I try to map to the DNS hostname that has been set up to round robins across the two ip's - I keep getting prompted for a login and password and I get the following in /var/log/messages: "krb5_rd_req failed (Key table entry not found)"
> Nor should it. They're not the same machine, and Kerberos tickets for
> one are not going to be valid on the other.

Why shouldn't you present a _cluster_ as a single node ? That's exactly
what a cluster should look like to a client.

> and DNS "round robin" is always a crap shoot due to client DNS caching
> and ordering of returned entries, over which you have *no* control from
> the server side.

This really does not matter in a controlled environment. It is good
enough for the task at hand. What you say may make sense in uncontrolled
environments like the internet but not in a local one.

> NFS is an.... *entirely* different game. Once the mount is created,
> it's tied to the IP address, not the DNS entries, and remains that way
> unless detached and a new mount created. Autofs supports this sort of
> thing, but most NFS setups don't rely on Kerberos tickets or, in fact,
> any reliable authentication, especially the much simpler NFSv3 setups.
> Simple setups use the uid's and gid's reported by the client and
> assume that is enough. (It's really not for secure environments, which
> is why Kerberos works so hard to make sure you really are who you say
> you are, on both ends and is incorporated into NFSv4 and integrated
> automatically into most modern CIFS setups.)
> > Node 1:
> > Node 2:
> > DNS A Name: clusterpub
> > DNS A Name: clusterpub
> This is not "round robin" unless your DNS server is prepared to
> re-arrange the response order for lookups of "clusterpub", and even
> then, clients can mess it up. It's duplicate A records: it's important
> to keep this straight.

Uninteresting details in this kind of setup, really.

> > I have set the "netbios name = clusterpub" in smb.conf on both nodes
> But they're not the same host. Presenting them both as the same host
> is begging for confusion.

The point of a cluster is to present itself as a single node to clients,
I do not know what you are talking about here ...

> > Interestingly, I am able to successfully connect to the "clusterpub"
> > share from one of the nodes via smbclient.


> That "round robin DNS" is not your friend, and never will be.

Oh come on, it works well enough.

> Also, smbclient is not the same as mounting a file system.

From the protocol point of view it is exactly the same, your point is ?

> You might consider giving different netbios names: duplicate A records
> are most usefully published *as well* as distinct hostnames, so you
> can gracefully select one or the other host, and reverse DNS compatible
> specific hostname to differentiate reverse DNS lookups between the two
> hosts.

You can *add* those for admin purposes, clients should not be pointed to
specific cluster names, although IP take over will help avoiding issues,
if you have different names kerberos won't work anymore unless you share
all keytabs for all names. It also means retiring a name becomes
impossible in the long run, and also rebalancing clients when you add a
node to scale more becomes a hard task.

You certainly do not want to make the setup more complicated than it
needs to be. And round robin with shared keytab in the name of the public
DNS name is the easiest.


Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
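
The "krb5_rd_req failed (Key table entry not found)" symptom discussed in this thread can be narrowed down by comparing the keytab listings of both nodes for the shared public name. The script below is an added example, not part of the original message; the example.com names, the realm, the kvno values and the cifs/ and host/ principals are constructed, and it compares only what `klist -k` prints (kvno and principal), not the key material.

```shell
#!/bin/sh
# Added example: compare `klist -k` listings from two cluster nodes for the
# principals of the shared public name. All names and values are constructed.

# Constructed sample listings (MIT `klist -k` layout: KVNO, then principal).
NODE1_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 host/node1.example.com@EXAMPLE.COM
   5 cifs/clusterpub.example.com@EXAMPLE.COM
   5 host/clusterpub.example.com@EXAMPLE.COM'

NODE2_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/node2.example.com@EXAMPLE.COM
   4 cifs/clusterpub.example.com@EXAMPLE.COM'

# entries_for LISTING HOSTNAME
# Print the sorted "kvno principal" pairs whose host part equals HOSTNAME.
entries_for() {
    printf '%s\n' "$1" | awk -v h="$2" '
        $1 ~ /^[0-9]+$/ {
            split($2, p, "@"); n = split(p[1], c, "/")
            if (n == 2 && tolower(c[2]) == tolower(h)) print $1, $2
        }' | sort -u
}

# compare_nodes LISTING_A LISTING_B HOSTNAME
# Prints one finding; returns 0 only when both nodes hold the same
# non-empty set of (kvno, principal) entries for HOSTNAME.
compare_nodes() {
    a=$(entries_for "$1" "$3"); b=$(entries_for "$2" "$3")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "MISSING: a node has no keytab entry for $3"
        return 1
    fi
    if [ "$a" != "$b" ]; then
        echo "MISMATCH: entries for $3 differ between nodes"
        return 1
    fi
    echo "OK: both nodes hold the same entries for $3"
}

# Node 2 lacks host/clusterpub and carries an older kvno, so this reports MISMATCH.
compare_nodes "$NODE1_LISTING" "$NODE2_LISTING" clusterpub.example.com || true
```

On real nodes, replace the constructed listings with the output of `klist -k` captured on each node.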
