[Samba] Samba 4.1.7 CTDB winbind not syncing when connected to MS AD 2008R2 - WAS: Re: Samba 4.1.7 clustering not using private dir

Ali Bendriss ali.bendriss at gmail.com
Fri May 2 16:09:23 MDT 2014



On 05/02/2014 09:54 PM, Taylor, Jonn wrote:
>
> On 05/02/2014 03:13 PM, Ali Bendriss wrote:
>> [...]
>>
>> On 05/02/2014 08:06 PM, Taylor, Jonn wrote:
>>>      idmap config TAYLORTELEPHONE:range = 500-4000000
>>>      idmap config TAYLORTELEPHONE:backend = rid
>>
>> I suggest that you comment those two lines for now
>> and set the loglevel to 3
>> you may check the ctdb and winbind logs on each node when doing each step.
>>
>> ensure that ctdb is running on all nodes
>> ctdb status
>>
>> then join the cluster on one node only:
>> net ads join
>>
>> on each node start winbind and check the join wbinfo -t
>>
>> if it's ok
>> uncomment the two idmap config lines
>> correct your range as Steve caught it.
>> then restart ctdb and redo the join and re test
>>
>> --
>> Ali
> I tried what you suggested and that did not work. I had to join the
> other node before auth would work. Here is what is in the logs on the
> second node after I restarted winbind.
>
> May  2 15:49:43 node2 winbindd[22271]: [2014/05/02 15:49:43.374352, 0]
> ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
> May  2 15:49:43 node2 winbindd[22271]:   Got sig[15] terminate
> (is_parent=1)
> May  2 15:49:43 node2 winbindd[22288]: [2014/05/02 15:49:43.378907, 0]
> ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
> May  2 15:49:43 node2 winbindd[22288]:   Got sig[15] terminate
> (is_parent=0)
> May  2 15:49:43 node2 winbindd[23120]: [2014/05/02 15:49:43.378911, 0]
> ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
> May  2 15:49:43 node2 winbindd[23120]:   Got sig[15] terminate
> (is_parent=0)
> May  2 15:49:43 node2 winbindd[29028]: [2014/05/02 15:49:43.676547, 0]
> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
> May  2 15:49:43 node2 winbindd[29028]:   Kinit failed: Preauthentication
> failed
> May  2 15:49:43 node2 winbindd[29028]: [2014/05/02 15:49:43.750334, 0]
> ../source3/rpc_client/cli_pipe.c:3126(cli_rpc_pipe_open_spnego)
> May  2 15:49:43 node2 winbindd[29028]:   cli_rpc_pipe_open_spnego:
> cli_rpc_pipe_bind failed with error NT_STATUS_ACCESS_DENIED
> May  2 15:49:43 node2 winbindd[29028]: [2014/05/02 15:49:43.770437, 0]
> ../source3/rpc_client/cli_pipe.c:3126(cli_rpc_pipe_open_spnego)
> May  2 15:49:43 node2 winbindd[29028]:   cli_rpc_pipe_open_spnego:
> cli_rpc_pipe_bind failed with error NT_STATUS_ACCESS_DENIED
> May  2 15:50:01 node2 winbindd[29028]: [2014/05/02 15:50:01.956887, 0]
> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
> May  2 15:50:01 node2 winbindd[29028]:   Kinit failed: Preauthentication
> failed
> May  2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.201937, 0]
> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
> May  2 15:50:44 node2 winbindd[29028]:   Kinit failed: Preauthentication
> failed
> May  2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.245574, 0]
> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
> May  2 15:50:44 node2 winbindd[29028]:   Kinit failed: Preauthentication
> failed
> May  2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.298235, 0]
> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
> May  2 15:50:44 node2 winbindd[29028]:   Kinit failed: Preauthentication
> failed
> May  2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.346062, 0]
> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
> May  2 15:50:44 node2 winbindd[29028]:   Kinit failed: Preauthentication
> failed
> May  2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.388307, 0]
> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
> May  2 15:50:44 node2 winbindd[29028]:   Kinit failed: Preauthentication
> failed
>

you may try this kind of command to join the cluster:
net ads leave (on each node to be sure) and on one node
net ads join -d 5 -S ADS_server_IP -U Administrator

otherwise I think you should test without the clustering first.
stop ctdb on all nodes. disable the clustering in smb.conf
remove any remaining krb ticket (in /tmp I think), flush the winbind
cache: net ads flush
and try to join one node with the same command:
it should work without the need to do a kinit first.
test the join with wbinfo
Do the same on the other node (stop samba on the first node first).
if it works you may leave each node from the domain and enable the
clustering and try to join the cluster again.

hope this helps.

--
Ali
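
An added example, not part of the original post: a small Python triage script that pairs each winbindd header line with its message line and counts Kerberos pre-authentication and RPC bind failures per node, so the logs can be compared after each join step. The sample lines are constructed from the format of the quoted log with the mail line wrapping undone; the function names and failure labels are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: syslog lines in the format of the quoted winbindd log,
# with the mail client's line wrapping undone.
SAMPLE = """\
May  2 15:49:43 node2 winbindd[22271]: [2014/05/02 15:49:43.374352, 0] ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
May  2 15:49:43 node2 winbindd[22271]:   Got sig[15] terminate (is_parent=1)
May  2 15:49:43 node2 winbindd[29028]: [2014/05/02 15:49:43.676547, 0] ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
May  2 15:49:43 node2 winbindd[29028]:   Kinit failed: Preauthentication failed
May  2 15:49:43 node2 winbindd[29028]: [2014/05/02 15:49:43.750334, 0] ../source3/rpc_client/cli_pipe.c:3126(cli_rpc_pipe_open_spnego)
May  2 15:49:43 node2 winbindd[29028]:   cli_rpc_pipe_open_spnego: cli_rpc_pipe_bind failed with error NT_STATUS_ACCESS_DENIED
May  2 15:50:01 node2 winbindd[29028]: [2014/05/02 15:50:01.956887, 0] ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
May  2 15:50:01 node2 winbindd[29028]:   Kinit failed: Preauthentication failed
"""

# Syslog prefix, then either a Samba header "[timestamp, level] file:line(function)" or message text.
PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) winbindd\[(?P<pid>\d+)\]: (?P<rest>.*)$")
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\] \S+\((?P<func>\w+)\)$")

def parse(text):
    """Pair each Samba header line with the message line(s) that follow it."""
    events = []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not a winbindd syslog line
        h = HEADER.match(m["rest"].strip())
        if h:
            events.append({"host": m["host"], "pid": int(m["pid"]), "ts": h["ts"],
                           "func": h["func"], "msg": ""})
        elif events and events[-1]["pid"] == int(m["pid"]):
            # Message text belongs to the most recent header from the same process.
            events[-1]["msg"] = (events[-1]["msg"] + " " + m["rest"].strip()).strip()
    return events

def auth_failures(events):
    """Count Kerberos pre-auth and RPC bind failures per (host, kind)."""
    counts = Counter()
    for e in events:
        if "Kinit failed: Preauthentication failed" in e["msg"]:
            counts[(e["host"], "kinit_preauth_failed")] += 1
        elif "NT_STATUS_ACCESS_DENIED" in e["msg"]:
            counts[(e["host"], "rpc_bind_access_denied")] += 1
    return counts

if __name__ == "__main__":
    for (host, kind), n in sorted(auth_failures(parse(SAMPLE)).items()):
        print(host, kind, n)
```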

