[Samba] Samba 4.1.7 CTDB winbind not syncing when connected to MS AD 2008R2 - WAS: Re: Samba 4.1.7 clustering not using private dir

Taylor, Jonn jonnt at taylortelephone.com
Fri May 2 17:06:44 MDT 2014


On 05/02/2014 05:09 PM, Ali Bendriss wrote:
>
>
> On 05/02/2014 09:54 PM, Taylor, Jonn wrote:
>>
>> On 05/02/2014 03:13 PM, Ali Bendriss wrote:
>>> [...]
>>>
>>> On 05/02/2014 08:06 PM, Taylor, Jonn wrote:
>>>>      idmap config TAYLORTELEPHONE:range = 500-4000000
>>>>      idmap config TAYLORTELEPHONE:backend = rid
>>>
>>> I suggest that you comment those two lines for now
>>> and set the loglevel to 3
>>> you may check the ctdb and winbind log on each node when doing each 
>>> step.
>>>
>>> ensure that ctdb is running on all nodes
>>> ctdb status
>>>
>>> then join the cluster on one node only:
>>> net ads join
>>>
>>> on each node start winbind and check the join wbinfo -t
>>>
>>> if it's ok
>>> uncomment the two idmap config lines
>>> correct your range as Steve caught it.
>>> then restart ctdb and redo the join and re test
>>>
>>> -- 
>>> Ali
>> I tried what you suggested and that did not work. I had to join the
>> other node before auth would work. Here is what is in the logs on the
>> second node after I restarted winbind.
>>
>> May  2 15:49:43 node2 winbindd[22271]: [2014/05/02 15:49:43.374352, 0]
>> ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
>> May  2 15:49:43 node2 winbindd[22271]:   Got sig[15] terminate
>> (is_parent=1)
>> May  2 15:49:43 node2 winbindd[22288]: [2014/05/02 15:49:43.378907, 0]
>> ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
>> May  2 15:49:43 node2 winbindd[22288]:   Got sig[15] terminate
>> (is_parent=0)
>> May  2 15:49:43 node2 winbindd[23120]: [2014/05/02 15:49:43.378911, 0]
>> ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
>> May  2 15:49:43 node2 winbindd[23120]:   Got sig[15] terminate
>> (is_parent=0)
>> May  2 15:49:43 node2 winbindd[29028]: [2014/05/02 15:49:43.676547, 0]
>> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
>> May  2 15:49:43 node2 winbindd[29028]:   Kinit failed: Preauthentication
>> failed
>> May  2 15:49:43 node2 winbindd[29028]: [2014/05/02 15:49:43.750334, 0]
>> ../source3/rpc_client/cli_pipe.c:3126(cli_rpc_pipe_open_spnego)
>> May  2 15:49:43 node2 winbindd[29028]: cli_rpc_pipe_open_spnego:
>> cli_rpc_pipe_bind failed with error NT_STATUS_ACCESS_DENIED
>> May  2 15:49:43 node2 winbindd[29028]: [2014/05/02 15:49:43.770437, 0]
>> ../source3/rpc_client/cli_pipe.c:3126(cli_rpc_pipe_open_spnego)
>> May  2 15:49:43 node2 winbindd[29028]: cli_rpc_pipe_open_spnego:
>> cli_rpc_pipe_bind failed with error NT_STATUS_ACCESS_DENIED
>> May  2 15:50:01 node2 winbindd[29028]: [2014/05/02 15:50:01.956887, 0]
>> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
>> May  2 15:50:01 node2 winbindd[29028]:   Kinit failed: Preauthentication
>> failed
>> May  2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.201937, 0]
>> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
>> May  2 15:50:44 node2 winbindd[29028]:   Kinit failed: Preauthentication
>> failed
>> May  2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.245574, 0]
>> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
>> May  2 15:50:44 node2 winbindd[29028]:   Kinit failed: Preauthentication
>> failed
>> May  2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.298235, 0]
>> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
>> May  2 15:50:44 node2 winbindd[29028]:   Kinit failed: Preauthentication
>> failed
>> May  2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.346062, 0]
>> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
>> May  2 15:50:44 node2 winbindd[29028]:   Kinit failed: Preauthentication
>> failed
>> May  2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.388307, 0]
>> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
>> May  2 15:50:44 node2 winbindd[29028]:   Kinit failed: Preauthentication
>> failed
>>
>
> you may try this kind of command to join the cluster:
> net ads leave (on each node to be sure) and on one node
> net ads join -d 5 -S ADS_server_IP -U Administrator
>
> otherwise I think you should test without the clustering first.
> stop ctdb on all nodes. disable the clustering in smb.conf
> remove any remaining krb ticket (in /tmp I think), flush the winbind 
> cache: net ads flush
> and try to join one node with the same command:
> it should work without the need to do a kinit first.
> test the join with wbinfo
> Do the same on the other node (stop samba on the first node first).
> if it works you may leave each node from the domain and enable the 
> clustering and try to join the cluster again.
>
> hope this helps.
>
> -- 
> Ali
Joining the first node always works. It is the second one that does not. 
If I force the second node to join they both break after a day.

Jonn
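
An added example, not part of the original thread: a small Python parser that pairs each winbindd debug header with its message line, as in the syslog excerpt quoted above, and counts Kerberos pre-authentication and RPC bind failures per node so that cluster nodes can be compared after a join. The sample lines are constructed from that excerpt's format (unwrapped), and the function names are hypothetical.

```python
import re

# Constructed sample: lines in the format of the excerpt above, unwrapped.
SAMPLE_LOG = """\
May  2 15:49:43 node2 winbindd[22271]: [2014/05/02 15:49:43.374352, 0] ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
May  2 15:49:43 node2 winbindd[22271]:   Got sig[15] terminate (is_parent=1)
May  2 15:49:43 node2 winbindd[29028]: [2014/05/02 15:49:43.676547, 0] ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
May  2 15:49:43 node2 winbindd[29028]:   Kinit failed: Preauthentication failed
May  2 15:49:43 node2 winbindd[29028]: [2014/05/02 15:49:43.750334, 0] ../source3/rpc_client/cli_pipe.c:3126(cli_rpc_pipe_open_spnego)
May  2 15:49:43 node2 winbindd[29028]: cli_rpc_pipe_open_spnego: cli_rpc_pipe_bind failed with error NT_STATUS_ACCESS_DENIED
May  2 15:50:01 node2 winbindd[29028]: [2014/05/02 15:50:01.956887, 0] ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
May  2 15:50:01 node2 winbindd[29028]:   Kinit failed: Preauthentication failed
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) winbindd\[(?P<pid>\d+)\]: (?P<body>.*)$")
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*\d+\] \S+?:\d+\((?P<func>\w+)\)$")

def parse_records(text):
    """Pair each Samba debug header with the message lines that follow it (same host and pid)."""
    records, current = [], {}
    for raw in text.splitlines():
        m = SYSLOG.match(raw)
        if not m:
            continue  # not a winbindd syslog line
        key, body = (m["host"], m["pid"]), m["body"].strip()
        h = HEADER.match(body)
        if h:
            rec = {"host": m["host"], "pid": int(m["pid"]), "ts": h["ts"], "func": h["func"], "msg": ""}
            records.append(rec)
            current[key] = rec
        elif key in current:
            current[key]["msg"] = (current[key]["msg"] + " " + body).strip()
    return records

def summarize(records):
    """Per host: failure counts and the timestamp of the first failure seen."""
    out = {}
    for r in records:
        kinit = "Kinit failed: Preauthentication failed" in r["msg"]
        denied = "NT_STATUS_ACCESS_DENIED" in r["msg"]
        if not (kinit or denied):
            continue
        s = out.setdefault(r["host"], {"kinit_preauth_failed": 0,
                                       "rpc_bind_access_denied": 0, "first_seen": r["ts"]})
        s["kinit_preauth_failed"] += int(kinit)
        s["rpc_bind_access_denied"] += int(denied)
    return out

if __name__ == "__main__":
    print(summarize(parse_records(SAMPLE_LOG)))
```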


