[Samba] Samba 4.1.7 CTDB winbind not syncing when connected to MS AD 2008R2 - WAS: Re: Samba 4.1.7 clustering not using private dir

Taylor, Jonn jonnt at taylortelephone.com
Fri May 2 09:29:06 MDT 2014


Update on problem.

Looks like 4.1.7 winbind is very broken. It cannot renew the tickets.

May  2 10:18:53 node1 winbindd[25776]: [2014/05/02 10:18:53.793991, 0] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
May  2 10:18:53 node1 winbindd[25776]:   kerberos_kinit_password SHR01$@TAYLORTELEPHONE.COM failed: Preauthentication failed

I also noticed that I have to do a net ads join twice before winbind 
will auth an AD user. Not sure where to go from here.

Jonn

cat /etc/krb5.conf
[libdefaults]
  default_realm = TAYLORTELEPHONE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true

[appdefaults]
pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}

[realms]
  TAYLORTELEPHONE.COM = {
  }

[domain_realm]
  taylortelephone.com = TAYLORTELEPHONE.COM
  .taylortelephone.com = TAYLORTELEPHONE.COM

testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[apps]"
Processing section "[share]"
Processing section "[QBData]"
Processing section "[safety]"
Processing section "[home]"
Processing section "[profiles]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
     workgroup = TAYLORTELEPHONE
     realm = TAYLORTELEPHONE.COM
     netbios name = SHR01
     netbios aliases = NODE1, NODE2
     server string = Cluster Share
     interfaces = eth0, lo
     security = ADS
     log file = /var/log/samba/log.samba
     server min protocol = NT1
     client signing = if_required
     server signing = if_required
     cluster addresses = 192.168.173.183, 192.168.173.184, 192.168.173.3, 192.168.173.4
     clustering = Yes
     printcap name = /etc/printcap
     wins server = 192.168.173.13, 192.168.173.14
     template shell = /bin/bash
     winbind enum users = Yes
     winbind enum groups = Yes
     winbind use default domain = Yes
     winbind refresh tickets = Yes
     winbind offline logon = Yes
     fileid:algorithm = fsname
     idmap config * : schema_mode = rfc2307
     idmap config TAYLORTELEPHONE:backend = rid
     idmap config TAYLORTELEPHONE:range = 500-4000000
     idmap config * : range = 1000-4000000
     idmap config * : backend = tdb2
     admin users = "@TAYLORTELEPHONE\Domain Admins"
     inherit acls = Yes
     map acl inherit = Yes


On 04/28/2014 03:49 PM, Jonn Taylor wrote:
> On 4/28/2014 10:35 AM, Ali Bendriss wrote:
>>
>>
>> On 04/28/2014 01:23 PM, Taylor, Jonn wrote:
>>> Update on my problem. I resetup my 2 node cluster per the samba wiki for
>>> 4.x and CTDB. The only difference is that I am using DRBD and GFS2. CTDB
>>> is not syncing the winbind databases between nodes. I had to join each
>>> node before winbind would authenticate my users to AD. This morning I
>>> found that one of the 2 nodes stopped authenticating users again. It
>>> looks like CTDB is not syncing the samba/winbind databases to keep the
>>> nodes in sync.
>>>
>>> How can I prove this out?
>>>
>>> Jonn
>>
>> Hello,
>>
>> If I remember correctly, you can increase the ctdb log level in the 
>> ctdb config file (ctdb.conf). So you may find more info on what is 
>> going on.
>>
>> The last time I used ctdb:
>> - it was not necessary to have a shared private dir, ctdb maintains a 
>> database on each node
>> - you just need to join the whole cluster and not each node individually
>> - it is possible to let ctdb manage winbind for you (really useful)
>>
>> I was using gfs2 on a shared FC disk array. The ping pong test was 
>> not that fast but the final setup was fast enough for our need.
>> I remember that during the setup I've started by running a simple 
>> http server on each node until the FS and network configuration was 
>> OK (switching on/off each node after the other). I then started to 
>> setup samba on it.
>>
>> Hope this helps
>>
>> -- 
>> Ali
> Still not having much luck. CTDB seems to be replicating some part of the 
> database. What I cannot tell is if it is doing the winbind part and if 
> winbind is using it.
>
> 2014/04/28 13:42:54.285328 [14275]: Vacuuming is disabled for persistent database share_info.tdb
> 2014/04/28 13:42:54.285395 [14275]: Attached to database '/var/ctdb/persistent/share_info.tdb.0'
> 2014/04/28 13:42:54.285412 [14275]: Attached to persistent database share_info.tdb
> 2014/04/28 13:42:54.310343 [14275]: Vacuuming is disabled for persistent database group_mapping.tdb
> 2014/04/28 13:42:54.310411 [14275]: Attached to database '/var/ctdb/persistent/group_mapping.tdb.0'
> 2014/04/28 13:42:54.310430 [14275]: Attached to persistent database group_mapping.tdb
> 2014/04/28 13:42:54.335646 [14275]: Vacuuming is disabled for persistent database secrets.tdb
> 2014/04/28 13:42:54.335716 [14275]: Attached to database '/var/ctdb/persistent/secrets.tdb.0'
> 2014/04/28 13:42:54.335732 [14275]: Attached to persistent database secrets.tdb
> 2014/04/28 13:42:54.359342 [14275]: Vacuuming is disabled for persistent database account_policy.tdb
> 2014/04/28 13:42:54.359410 [14275]: Attached to database '/var/ctdb/persistent/account_policy.tdb.0'
> 2014/04/28 13:42:54.359427 [14275]: Attached to persistent database account_policy.tdb
> 2014/04/28 13:42:54.383066 [14275]: Vacuuming is disabled for persistent database registry.tdb
> 2014/04/28 13:42:54.383134 [14275]: Attached to database '/var/ctdb/persistent/registry.tdb.0'
> 2014/04/28 13:42:54.383152 [14275]: Attached to persistent database registry.tdb
> 2014/04/28 13:42:54.406811 [14275]: Vacuuming is disabled for persistent database idmap2.tdb
> 2014/04/28 13:42:54.406878 [14275]: Attached to database '/var/ctdb/persistent/idmap2.tdb.0'
> 2014/04/28 13:42:54.406895 [14275]: Attached to persistent database idmap2.tdb
> 2014/04/28 13:42:54.430504 [14275]: Vacuuming is disabled for persistent database passdb.tdb
> 2014/04/28 13:42:54.430572 [14275]: Attached to database '/var/ctdb/persistent/passdb.tdb.0'
> 2014/04/28 13:42:54.430589 [14275]: Attached to persistent database passdb.tdb
> 2014/04/28 13:42:54.454144 [14275]: Vacuuming is disabled for persistent database ctdb.tdb
> 2014/04/28 13:42:54.454219 [14275]: Attached to database '/var/ctdb/persistent/ctdb.tdb.0'
> 2014/04/28 13:42:54.454235 [14275]: Attached to persistent database ctdb.tdb
> 2014/04/28 13:43:19.681884 [14275]: server/ctdb_ltdb_server.c:421 persistent db '/var/ctdb/persistent/ctdb.tdb.0' healthy
> 2014/04/28 13:43:19.681920 [14275]: server/ctdb_ltdb_server.c:421 persistent db '/var/ctdb/persistent/passdb.tdb.0' healthy
> 2014/04/28 13:43:19.681948 [14275]: server/ctdb_ltdb_server.c:421 persistent db '/var/ctdb/persistent/idmap2.tdb.0' healthy
> 2014/04/28 13:43:19.681970 [14275]: server/ctdb_ltdb_server.c:421 persistent db '/var/ctdb/persistent/registry.tdb.0' healthy
> 2014/04/28 13:43:19.681991 [14275]: server/ctdb_ltdb_server.c:421 persistent db '/var/ctdb/persistent/account_policy.tdb.0' healthy
> 2014/04/28 13:43:19.682012 [14275]: server/ctdb_ltdb_server.c:421 persistent db '/var/ctdb/persistent/secrets.tdb.0' healthy
> 2014/04/28 13:43:19.682033 [14275]: server/ctdb_ltdb_server.c:421 persistent db '/var/ctdb/persistent/group_mapping.tdb.0' healthy
> 2014/04/28 13:43:19.682054 [14275]: server/ctdb_ltdb_server.c:421 persistent db '/var/ctdb/persistent/share_info.tdb.0' healthy
> 2014/04/28 13:43:19.682086 [14275]: server/ctdb_monitor.c:299ctdb_start_monitoring: ctdb_recheck_persistent_health() OK
>
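
Added example (not part of the original messages and not Samba or CTDB code): one way to read a ctdb log like the one quoted above and report, per persistent database, whether ctdbd attached it and marked it healthy. secrets.tdb is the database that holds the machine account password winbind uses for Kerberos; the list of expected databases, the function names and the sample lines are assumptions of this example, and the parser expects unwrapped log lines as ctdbd writes them.

```shell
#!/usr/bin/env bash
# Added example: audit a ctdb log for persistent-database attach/health lines.

# Constructed sample modeled on the log format quoted in the thread.
# registry.tdb is attached but deliberately has no "healthy" line.
sample_log() {
cat <<'EOF'
2014/04/28 13:42:54.335732 [14275]: Attached to persistent database secrets.tdb
2014/04/28 13:42:54.383152 [14275]: Attached to persistent database registry.tdb
2014/04/28 13:42:54.406895 [14275]: Attached to persistent database idmap2.tdb
2014/04/28 13:43:19.681948 [14275]: server/ctdb_ltdb_server.c:421 persistent db '/var/ctdb/persistent/idmap2.tdb.0' healthy
2014/04/28 13:43:19.682012 [14275]: server/ctdb_ltdb_server.c:421 persistent db '/var/ctdb/persistent/secrets.tdb.0' healthy
EOF
}

# Reads a ctdb log on stdin and prints "<db> <state>" per database, where
# state is healthy | attached-only | missing.
# $1..$n: databases expected to be clustered (an assumption of this example).
ctdb_db_report() {
  awk -v want="$*" -v q="'" '
    /Attached to persistent database / { attached[$NF] = 1 }
    / persistent db .* healthy$/ {
      path = $(NF-1)               # quoted path of the local database file
      gsub(q, "", path)            # strip the single quotes
      sub(/^.*\//, "", path)       # keep the file name only
      sub(/\.[0-9]+$/, "", path)   # drop the numeric suffix (".0")
      healthy[path] = 1
    }
    END {
      n = split(want, w, " ")
      for (i = 1; i <= n; i++) seen[w[i]] = 1
      for (db in attached) seen[db] = 1
      for (db in healthy) seen[db] = 1
      for (db in seen) {
        if (db in healthy) state = "healthy"
        else if (db in attached) state = "attached-only"
        else state = "missing"
        print db, state
      }
    }' | sort
}

# Stand-alone run against the constructed sample.
sample_log | ctdb_db_report secrets.tdb idmap2.tdb passdb.tdb
```

Run it against each node's own ctdb log. A "healthy" result shows only that ctdbd attached and checked the database on that node, not that winbind's machine password matches what the domain controller holds.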


