[Samba] Samba 4.1.7 CTDB winbind not syncing when connected to MS AD 2008R2 - WAS: Re: Samba 4.1.7 clustering not using private dir
Taylor, Jonn
jonnt at taylortelephone.com
Mon May 5 07:48:23 MDT 2014
On 05/02/2014 06:06 PM, Taylor, Jonn wrote:
>
> On 05/02/2014 05:09 PM, Ali Bendriss wrote:
>>
>>
>> On 05/02/2014 09:54 PM, Taylor, Jonn wrote:
>>>
>>> On 05/02/2014 03:13 PM, Ali Bendriss wrote:
>>>> [...]
>>>>
>>>> On 05/02/2014 08:06 PM, Taylor, Jonn wrote:
>>>>> idmap config TAYLORTELEPHONE:range = 500-4000000
>>>>> idmap config TAYLORTELEPHONE:backend = rid
>>>>
>>>> I suggest that you comment those two line for now
>>>> and set the loglevel to 3
>>>> you may check the ctdb and winbind log on each node when doing each
>>>> step.
>>>>
>>>> ensure that ctdb is running on all nodes
>>>> ctdb status
>>>>
>>>> then join the cluster on one node only:
>>>> net ads join
>>>>
>>>> on each node start winbind and check the join wbinfo -t
>>>>
>>>> if it's ok
>>>> uncomment the two idmap config lines
>>>> correct your range as steve catch it.
>>>> then restart ctdb and redo the join and re test
>>>>
>>>> --
>>>> Ali
>>> I tried what you suggested and that did not work. I had to join the
>>> other node before auth would work. Here is what is in the logs on the
>>> second node after I restarted winbind.
>>>
>>> May 2 15:49:43 node2 winbindd[22271]: [2014/05/02 15:49:43.374352, 0]
>>> ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
>>> May 2 15:49:43 node2 winbindd[22271]: Got sig[15] terminate
>>> (is_parent=1)
>>> May 2 15:49:43 node2 winbindd[22288]: [2014/05/02 15:49:43.378907, 0]
>>> ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
>>> May 2 15:49:43 node2 winbindd[22288]: Got sig[15] terminate
>>> (is_parent=0)
>>> May 2 15:49:43 node2 winbindd[23120]: [2014/05/02 15:49:43.378911, 0]
>>> ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
>>> May 2 15:49:43 node2 winbindd[23120]: Got sig[15] terminate
>>> (is_parent=0)
>>> May 2 15:49:43 node2 winbindd[29028]: [2014/05/02 15:49:43.676547, 0]
>>> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
>>> May 2 15:49:43 node2 winbindd[29028]: Kinit failed:
>>> Preauthentication
>>> failed
>>> May 2 15:49:43 node2 winbindd[29028]: [2014/05/02 15:49:43.750334, 0]
>>> ../source3/rpc_client/cli_pipe.c:3126(cli_rpc_pipe_open_spnego)
>>> May 2 15:49:43 node2 winbindd[29028]: cli_rpc_pipe_open_spnego:
>>> cli_rpc_pipe_bind failed with error NT_STATUS_ACCESS_DENIED
>>> May 2 15:49:43 node2 winbindd[29028]: [2014/05/02 15:49:43.770437, 0]
>>> ../source3/rpc_client/cli_pipe.c:3126(cli_rpc_pipe_open_spnego)
>>> May 2 15:49:43 node2 winbindd[29028]: cli_rpc_pipe_open_spnego:
>>> cli_rpc_pipe_bind failed with error NT_STATUS_ACCESS_DENIED
>>> May 2 15:50:01 node2 winbindd[29028]: [2014/05/02 15:50:01.956887, 0]
>>> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
>>> May 2 15:50:01 node2 winbindd[29028]: Kinit failed:
>>> Preauthentication
>>> failed
>>> May 2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.201937, 0]
>>> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
>>> May 2 15:50:44 node2 winbindd[29028]: Kinit failed:
>>> Preauthentication
>>> failed
>>> May 2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.245574, 0]
>>> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
>>> May 2 15:50:44 node2 winbindd[29028]: Kinit failed:
>>> Preauthentication
>>> failed
>>> May 2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.298235, 0]
>>> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
>>> May 2 15:50:44 node2 winbindd[29028]: Kinit failed:
>>> Preauthentication
>>> failed
>>> May 2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.346062, 0]
>>> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
>>> May 2 15:50:44 node2 winbindd[29028]: Kinit failed:
>>> Preauthentication
>>> failed
>>> May 2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.388307, 0]
>>> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
>>> May 2 15:50:44 node2 winbindd[29028]: Kinit failed:
>>> Preauthentication
>>> failed
>>>
>>
>> you may try this kind of command to join the cluster:
>> net ads leave (one each node to be sure) and on one node
>> net ads join -d 5 -S ADS_server_IP -U Administrator
>>
>> otherwise I think you should test without the clustering first.
>> stop ctdb on all node. disable the clustering in smb.conf
>> remove any remaining krb ticket (in /tmp I think), flush the winbind
>> cache: net ads fluh
>> and try to join one node with the same command:
>> it should work without the need to do a kinit first.
>> test the join with wbinfo
>> Do the same on the other node (stop samba on the first node first).
>> if it work you may leave each node from the domain and enable the
>> clustering and try to join the cluster again.
>>
>> hope this help.
>>
>> --
>> Ali
> Joining the first node always works. It is the second one that does
> not. If I force the second node to join they both break after a day.
>
> Jonn
>
I shutdown the other node so I could run and test a few days on just one
node. Everything was working on Saturday. This morning I started to look
at the logs and say the same error message that they keytab could not be
renewed. I did some digging in the logs and found this.
[2014/05/05 08:36:53.712058, 5]
../source3/libsmb/namequery.c:211(saf_fetch)
saf_fetch: Returning "dc2.taylortelephone.com" for "TAYLORTELEPHONE"
domain
[2014/05/05 08:36:53.712152, 5]
../source3/libads/sitename_cache.c:105(sitename_fetch)
sitename_fetch: Returning sitename for taylortelephone.com:
"Default-First-Site-Name"
[2014/05/05 08:36:53.712199, 4]
../source3/libsmb/namequery_dc.c:77(ads_dc_name)
ads_dc_name: domain=TAYLORTELEPHONE
[2014/05/05 08:36:53.712255, 5]
../source3/libads/sitename_cache.c:105(sitename_fetch)
sitename_fetch: Returning sitename for taylortelephone.com:
"Default-First-Site-Name"
[2014/05/05 08:36:53.712320, 5]
../source3/libsmb/namequery.c:211(saf_fetch)
saf_fetch: Returning "dc2.taylortelephone.com" for
"taylortelephone.com" domain
[2014/05/05 08:36:53.712368, 3]
../source3/libsmb/namequery.c:3102(get_dc_list)
get_dc_list: preferred server list: "dc2.taylortelephone.com, *"
[2014/05/05 08:36:53.712425, 5]
../source3/libsmb/namecache.c:165(namecache_fetch)
name taylortelephone.com#1C found.
[2014/05/05 08:36:53.712578, 5]
../source3/libads/sitename_cache.c:105(sitename_fetch)
sitename_fetch: Returning sitename for TAYLORTELEPHONE.COM:
"Default-First-Site-Name"
[2014/05/05 08:36:53.712637, 5]
../source3/libsmb/namecache.c:165(namecache_fetch)
name dc2.taylortelephone.com#20 found.
[2014/05/05 08:36:53.712755, 4]
../source3/libsmb/namequery.c:3239(get_dc_list)
get_dc_list: returning 2 ip addresses in an ordered list
[2014/05/05 08:36:53.712801, 4]
../source3/libsmb/namequery.c:3240(get_dc_list)
get_dc_list: 192.168.173.14:389 192.168.173.13:389
[2014/05/05 08:36:53.712887, 5]
../source3/libads/ldap.c:270(ads_try_connect)
ads_try_connect: sending CLDAP request to 192.168.173.14 (realm:
taylortelephone.com)
[2014/05/05 08:36:53.713739, 3] ../source3/libads/ldap.c:680(ads_connect)
Successfully contacted LDAP server 192.168.173.14
[2014/05/05 08:36:53.713804, 5]
../source3/libads/sitename_cache.c:105(sitename_fetch)
sitename_fetch: Returning sitename for taylortelephone.com:
"Default-First-Site-Name"
[2014/05/05 08:36:53.713890, 5]
../source3/libsmb/namequery.c:211(saf_fetch)
saf_fetch: Returning "dc2.taylortelephone.com" for
"taylortelephone.com" domain
[2014/05/05 08:36:53.713938, 3]
../source3/libsmb/namequery.c:3102(get_dc_list)
get_dc_list: preferred server list: "dc2.taylortelephone.com, *"
[2014/05/05 08:36:53.713992, 5]
../source3/libsmb/namecache.c:165(namecache_fetch)
name taylortelephone.com#1C found.
[2014/05/05 08:36:53.714101, 5]
../source3/libads/sitename_cache.c:105(sitename_fetch)
sitename_fetch: Returning sitename for TAYLORTELEPHONE.COM:
"Default-First-Site-Name"
[2014/05/05 08:36:53.714158, 5]
../source3/libsmb/namecache.c:165(namecache_fetch)
name dc2.taylortelephone.com#20 found.
[2014/05/05 08:36:53.714258, 4]
../source3/libsmb/namequery.c:3239(get_dc_list)
get_dc_list: returning 2 ip addresses in an ordered list
[2014/05/05 08:36:53.714302, 4]
../source3/libsmb/namequery.c:3240(get_dc_list)
get_dc_list: 192.168.173.14:389 192.168.173.13:389
[2014/05/05 08:36:53.714365, 5]
../source3/libsmb/namequery.c:211(saf_fetch)
saf_fetch: Returning "dc2.taylortelephone.com" for
"taylortelephone.com" domain
[2014/05/05 08:36:53.714411, 3]
../source3/libsmb/namequery.c:3102(get_dc_list)
get_dc_list: preferred server list: "dc2.taylortelephone.com, *"
[2014/05/05 08:36:53.714465, 5]
../source3/libsmb/namecache.c:165(namecache_fetch)
name taylortelephone.com#1C found.
[2014/05/05 08:36:53.714572, 5]
../source3/libads/sitename_cache.c:105(sitename_fetch)
sitename_fetch: Returning sitename for TAYLORTELEPHONE.COM:
"Default-First-Site-Name"
[2014/05/05 08:36:53.714629, 5]
../source3/libsmb/namecache.c:165(namecache_fetch)
name dc2.taylortelephone.com#20 found.
[2014/05/05 08:36:53.714739, 4]
../source3/libsmb/namequery.c:3239(get_dc_list)
get_dc_list: returning 2 ip addresses in an ordered list
[2014/05/05 08:36:53.714785, 4]
../source3/libsmb/namequery.c:3240(get_dc_list)
get_dc_list: 192.168.173.14:389 192.168.173.13:389
[2014/05/05 08:36:53.716116, 5]
../source3/libads/kerberos.c:965(create_local_private_krb5_conf_for_domain)
create_local_private_krb5_conf_for_domain: wrote file
/var/cache/samba/smb_krb5/krb5.conf.TAYLORTELEPHONE with realm
TAYLORTELEPHONE.COM KDC list = kdc = 192.168.173.14
kdc = 192.168.173.13
[2014/05/05 08:36:53.716212, 4]
../source3/libsmb/namequery_dc.c:153(ads_dc_name)
ads_dc_name: using server='DC2.TAYLORTELEPHONE.COM' IP=192.168.173.14
[2014/05/05 08:36:53.716273, 5]
../source3/libads/sitename_cache.c:105(sitename_fetch)
sitename_fetch: Returning sitename for TAYLORTELEPHONE.COM:
"Default-First-Site-Name"
[2014/05/05 08:36:53.716330, 5]
../source3/libsmb/namecache.c:165(namecache_fetch)
name dc2.taylortelephone.com#20 found.
[2014/05/05 08:36:53.716408, 5]
../source3/libads/ldap.c:270(ads_try_connect)
ads_try_connect: sending CLDAP request to 192.168.173.14 (realm:
taylortelephone.com)
[2014/05/05 08:36:53.717025, 3] ../source3/libads/ldap.c:680(ads_connect)
Successfully contacted LDAP server 192.168.173.14
[2014/05/05 08:36:53.718073, 3] ../source3/libads/ldap.c:723(ads_connect)
Connected to LDAP server dc2.taylortelephone.com
[2014/05/05 08:36:53.718521, 4]
../source3/libads/ldap.c:2911(ads_current_time)
KDC time offset is 0 seconds
[2014/05/05 08:36:53.718860, 4]
../source3/libads/sasl.c:1304(ads_sasl_bind)
Found SASL mechanism GSS-SPNEGO
[2014/05/05 08:36:53.719340, 3]
../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
[2014/05/05 08:36:53.719386, 3]
../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2014/05/05 08:36:53.719429, 3]
../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2014/05/05 08:36:53.719471, 3]
../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
[2014/05/05 08:36:53.719514, 3]
../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2014/05/05 08:36:53.719556, 3]
../source3/libads/sasl.c:964(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got server principal name =
not_defined_in_RFC4178 at please_ignore
*[2014/05/05 08:36:53.719774, 3]
../lib/krb5_wrap/krb5_samba.c:499(ads_krb5_mk_req)**
** ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or
directory)*
[2014/05/05 08:36:53.741217, 0]
../source3/libads/kerberos_util.c:74(ads_kinit_password)
kerberos_kinit_password SHR01$@TAYLORTELEPHONE.COM failed:
Preauthentication failed
[2014/05/05 08:36:53.741333, 1]
../source3/winbindd/winbindd_ads.c:122(ads_cached_connection_connect)
ads_connect for domain TAYLORTELEPHONE failed: Preauthentication failed
[2014/05/05 08:36:53.741427, 1]
../source3/winbindd/idmap_ad.c:199(idmap_ad_unixids_to_sids)
ADS uninitialized: Preauthentication failed
[2014/05/05 08:36:53.741538, 4]
../source3/winbindd/winbindd_dual.c:1346(child_handler)
Finished processing child request 59
So what file or directory could not be found?
Jonn
More information about the samba
mailing list