[Samba] Samba 4.1.7 CTDB winbind not syncing when connected to MS AD 2008R2 - WAS: Re: Samba 4.1.7 clustering not using private dir

Taylor, Jonn jonnt at taylortelephone.com
Mon May 5 07:48:23 MDT 2014


On 05/02/2014 06:06 PM, Taylor, Jonn wrote:
>
> On 05/02/2014 05:09 PM, Ali Bendriss wrote:
>>
>>
>> On 05/02/2014 09:54 PM, Taylor, Jonn wrote:
>>>
>>> On 05/02/2014 03:13 PM, Ali Bendriss wrote:
>>>> [...]
>>>>
>>>> On 05/02/2014 08:06 PM, Taylor, Jonn wrote:
>>>>>      idmap config TAYLORTELEPHONE:range = 500-4000000
>>>>>      idmap config TAYLORTELEPHONE:backend = rid
>>>>
>>>> I suggest that you comment those two lines for now
>>>> and set the loglevel to 3
>>>> you may check the ctdb and winbind log on each node when doing each 
>>>> step.
>>>>
>>>> ensure that ctdb is running on all nodes
>>>> ctdb status
>>>>
>>>> then join the cluster on one node only:
>>>> net ads join
>>>>
>>>> on each node start winbind and check the join wbinfo -t
>>>>
>>>> if it's ok
>>>> uncomment the two idmap config lines
>>>> correct your range as Steve caught it.
>>>> then restart ctdb and redo the join and re test
>>>>
>>>> -- 
>>>> Ali
>>> I tried what you suggested and that did not work. I had to join the
>>> other node before auth would work. Here is what is in the logs on the
>>> second node after I restarted winbind.
>>>
>>> May  2 15:49:43 node2 winbindd[22271]: [2014/05/02 15:49:43.374352, 0]
>>> ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
>>> May  2 15:49:43 node2 winbindd[22271]:   Got sig[15] terminate
>>> (is_parent=1)
>>> May  2 15:49:43 node2 winbindd[22288]: [2014/05/02 15:49:43.378907, 0]
>>> ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
>>> May  2 15:49:43 node2 winbindd[22288]:   Got sig[15] terminate
>>> (is_parent=0)
>>> May  2 15:49:43 node2 winbindd[23120]: [2014/05/02 15:49:43.378911, 0]
>>> ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
>>> May  2 15:49:43 node2 winbindd[23120]:   Got sig[15] terminate
>>> (is_parent=0)
>>> May  2 15:49:43 node2 winbindd[29028]: [2014/05/02 15:49:43.676547, 0]
>>> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
>>> May  2 15:49:43 node2 winbindd[29028]:   Kinit failed: 
>>> Preauthentication
>>> failed
>>> May  2 15:49:43 node2 winbindd[29028]: [2014/05/02 15:49:43.750334, 0]
>>> ../source3/rpc_client/cli_pipe.c:3126(cli_rpc_pipe_open_spnego)
>>> May  2 15:49:43 node2 winbindd[29028]: cli_rpc_pipe_open_spnego:
>>> cli_rpc_pipe_bind failed with error NT_STATUS_ACCESS_DENIED
>>> May  2 15:49:43 node2 winbindd[29028]: [2014/05/02 15:49:43.770437, 0]
>>> ../source3/rpc_client/cli_pipe.c:3126(cli_rpc_pipe_open_spnego)
>>> May  2 15:49:43 node2 winbindd[29028]: cli_rpc_pipe_open_spnego:
>>> cli_rpc_pipe_bind failed with error NT_STATUS_ACCESS_DENIED
>>> May  2 15:50:01 node2 winbindd[29028]: [2014/05/02 15:50:01.956887, 0]
>>> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
>>> May  2 15:50:01 node2 winbindd[29028]:   Kinit failed: 
>>> Preauthentication
>>> failed
>>> May  2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.201937, 0]
>>> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
>>> May  2 15:50:44 node2 winbindd[29028]:   Kinit failed: 
>>> Preauthentication
>>> failed
>>> May  2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.245574, 0]
>>> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
>>> May  2 15:50:44 node2 winbindd[29028]:   Kinit failed: 
>>> Preauthentication
>>> failed
>>> May  2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.298235, 0]
>>> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
>>> May  2 15:50:44 node2 winbindd[29028]:   Kinit failed: 
>>> Preauthentication
>>> failed
>>> May  2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.346062, 0]
>>> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
>>> May  2 15:50:44 node2 winbindd[29028]:   Kinit failed: 
>>> Preauthentication
>>> failed
>>> May  2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.388307, 0]
>>> ../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
>>> May  2 15:50:44 node2 winbindd[29028]:   Kinit failed: 
>>> Preauthentication
>>> failed
>>>
>>
>> you may try this kind of command to join the cluster:
>> net ads leave (on each node to be sure) and on one node
>> net ads join -d 5 -S ADS_server_IP -U Administrator
>>
>> otherwise I think you should test without the clustering first.
>> stop ctdb on all nodes. disable the clustering in smb.conf
>> remove any remaining krb ticket (in /tmp I think), flush the winbind 
>> cache: net ads flush
>> and try to join one node with the same command:
>> it should work without the need to do a kinit first.
>> test the join with wbinfo
>> Do the same on the other node (stop samba on the first node first).
>> if it works you may leave each node from the domain and enable the 
>> clustering and try to join the cluster again.
>>
>> hope this helps.
>>
>> -- 
>> Ali
> Joining the first node always works. It is the second one that does 
> not. If I force the second node to join they both break after a day.
>
> Jonn
>
I shut down the other node so I could run and test a few days on just one 
node. Everything was working on Saturday. This morning I started to look 
at the logs and saw the same error message that the keytab could not be 
renewed. I did some digging in the logs and found this.

[2014/05/05 08:36:53.712058,  5] 
../source3/libsmb/namequery.c:211(saf_fetch)
   saf_fetch: Returning "dc2.taylortelephone.com" for "TAYLORTELEPHONE" 
domain
[2014/05/05 08:36:53.712152,  5] 
../source3/libads/sitename_cache.c:105(sitename_fetch)
   sitename_fetch: Returning sitename for taylortelephone.com: 
"Default-First-Site-Name"
[2014/05/05 08:36:53.712199,  4] 
../source3/libsmb/namequery_dc.c:77(ads_dc_name)
   ads_dc_name: domain=TAYLORTELEPHONE
[2014/05/05 08:36:53.712255,  5] 
../source3/libads/sitename_cache.c:105(sitename_fetch)
   sitename_fetch: Returning sitename for taylortelephone.com: 
"Default-First-Site-Name"
[2014/05/05 08:36:53.712320,  5] 
../source3/libsmb/namequery.c:211(saf_fetch)
   saf_fetch: Returning "dc2.taylortelephone.com" for 
"taylortelephone.com" domain
[2014/05/05 08:36:53.712368,  3] 
../source3/libsmb/namequery.c:3102(get_dc_list)
   get_dc_list: preferred server list: "dc2.taylortelephone.com, *"
[2014/05/05 08:36:53.712425,  5] 
../source3/libsmb/namecache.c:165(namecache_fetch)
   name taylortelephone.com#1C found.
[2014/05/05 08:36:53.712578,  5] 
../source3/libads/sitename_cache.c:105(sitename_fetch)
   sitename_fetch: Returning sitename for TAYLORTELEPHONE.COM: 
"Default-First-Site-Name"
[2014/05/05 08:36:53.712637,  5] 
../source3/libsmb/namecache.c:165(namecache_fetch)
   name dc2.taylortelephone.com#20 found.
[2014/05/05 08:36:53.712755,  4] 
../source3/libsmb/namequery.c:3239(get_dc_list)
   get_dc_list: returning 2 ip addresses in an ordered list
[2014/05/05 08:36:53.712801,  4] 
../source3/libsmb/namequery.c:3240(get_dc_list)
   get_dc_list: 192.168.173.14:389 192.168.173.13:389
[2014/05/05 08:36:53.712887,  5] 
../source3/libads/ldap.c:270(ads_try_connect)
   ads_try_connect: sending CLDAP request to 192.168.173.14 (realm: 
taylortelephone.com)
[2014/05/05 08:36:53.713739,  3] ../source3/libads/ldap.c:680(ads_connect)
   Successfully contacted LDAP server 192.168.173.14
[2014/05/05 08:36:53.713804,  5] 
../source3/libads/sitename_cache.c:105(sitename_fetch)
   sitename_fetch: Returning sitename for taylortelephone.com: 
"Default-First-Site-Name"
[2014/05/05 08:36:53.713890,  5] 
../source3/libsmb/namequery.c:211(saf_fetch)
   saf_fetch: Returning "dc2.taylortelephone.com" for 
"taylortelephone.com" domain
[2014/05/05 08:36:53.713938,  3] 
../source3/libsmb/namequery.c:3102(get_dc_list)
   get_dc_list: preferred server list: "dc2.taylortelephone.com, *"
[2014/05/05 08:36:53.713992,  5] 
../source3/libsmb/namecache.c:165(namecache_fetch)
   name taylortelephone.com#1C found.
[2014/05/05 08:36:53.714101,  5] 
../source3/libads/sitename_cache.c:105(sitename_fetch)
   sitename_fetch: Returning sitename for TAYLORTELEPHONE.COM: 
"Default-First-Site-Name"
[2014/05/05 08:36:53.714158,  5] 
../source3/libsmb/namecache.c:165(namecache_fetch)
   name dc2.taylortelephone.com#20 found.
[2014/05/05 08:36:53.714258,  4] 
../source3/libsmb/namequery.c:3239(get_dc_list)
   get_dc_list: returning 2 ip addresses in an ordered list
[2014/05/05 08:36:53.714302,  4] 
../source3/libsmb/namequery.c:3240(get_dc_list)
   get_dc_list: 192.168.173.14:389 192.168.173.13:389
[2014/05/05 08:36:53.714365,  5] 
../source3/libsmb/namequery.c:211(saf_fetch)
   saf_fetch: Returning "dc2.taylortelephone.com" for 
"taylortelephone.com" domain
[2014/05/05 08:36:53.714411,  3] 
../source3/libsmb/namequery.c:3102(get_dc_list)
   get_dc_list: preferred server list: "dc2.taylortelephone.com, *"
[2014/05/05 08:36:53.714465,  5] 
../source3/libsmb/namecache.c:165(namecache_fetch)
   name taylortelephone.com#1C found.
[2014/05/05 08:36:53.714572,  5] 
../source3/libads/sitename_cache.c:105(sitename_fetch)
   sitename_fetch: Returning sitename for TAYLORTELEPHONE.COM: 
"Default-First-Site-Name"
[2014/05/05 08:36:53.714629,  5] 
../source3/libsmb/namecache.c:165(namecache_fetch)
   name dc2.taylortelephone.com#20 found.
[2014/05/05 08:36:53.714739,  4] 
../source3/libsmb/namequery.c:3239(get_dc_list)
   get_dc_list: returning 2 ip addresses in an ordered list
[2014/05/05 08:36:53.714785,  4] 
../source3/libsmb/namequery.c:3240(get_dc_list)
   get_dc_list: 192.168.173.14:389 192.168.173.13:389
[2014/05/05 08:36:53.716116,  5] 
../source3/libads/kerberos.c:965(create_local_private_krb5_conf_for_domain)
   create_local_private_krb5_conf_for_domain: wrote file 
/var/cache/samba/smb_krb5/krb5.conf.TAYLORTELEPHONE with realm 
TAYLORTELEPHONE.COM KDC list =     kdc = 192.168.173.14
       kdc = 192.168.173.13

[2014/05/05 08:36:53.716212,  4] 
../source3/libsmb/namequery_dc.c:153(ads_dc_name)
   ads_dc_name: using server='DC2.TAYLORTELEPHONE.COM' IP=192.168.173.14
[2014/05/05 08:36:53.716273,  5] 
../source3/libads/sitename_cache.c:105(sitename_fetch)
   sitename_fetch: Returning sitename for TAYLORTELEPHONE.COM: 
"Default-First-Site-Name"
[2014/05/05 08:36:53.716330,  5] 
../source3/libsmb/namecache.c:165(namecache_fetch)
   name dc2.taylortelephone.com#20 found.
[2014/05/05 08:36:53.716408,  5] 
../source3/libads/ldap.c:270(ads_try_connect)
   ads_try_connect: sending CLDAP request to 192.168.173.14 (realm: 
taylortelephone.com)
[2014/05/05 08:36:53.717025,  3] ../source3/libads/ldap.c:680(ads_connect)
   Successfully contacted LDAP server 192.168.173.14
[2014/05/05 08:36:53.718073,  3] ../source3/libads/ldap.c:723(ads_connect)
   Connected to LDAP server dc2.taylortelephone.com
[2014/05/05 08:36:53.718521,  4] 
../source3/libads/ldap.c:2911(ads_current_time)
   KDC time offset is 0 seconds
[2014/05/05 08:36:53.718860,  4] 
../source3/libads/sasl.c:1304(ads_sasl_bind)
   Found SASL mechanism GSS-SPNEGO
[2014/05/05 08:36:53.719340,  3] 
../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
   ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
[2014/05/05 08:36:53.719386,  3] 
../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
   ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2014/05/05 08:36:53.719429,  3] 
../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
   ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2014/05/05 08:36:53.719471,  3] 
../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
   ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
[2014/05/05 08:36:53.719514,  3] 
../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
   ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2014/05/05 08:36:53.719556,  3] 
../source3/libads/sasl.c:964(ads_sasl_spnego_bind)
   ads_sasl_spnego_bind: got server principal name = 
not_defined_in_RFC4178 at please_ignore
*[2014/05/05 08:36:53.719774,  3] 
../lib/krb5_wrap/krb5_samba.c:499(ads_krb5_mk_req)
   ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or 
directory)*
[2014/05/05 08:36:53.741217,  0] 
../source3/libads/kerberos_util.c:74(ads_kinit_password)
   kerberos_kinit_password SHR01$@TAYLORTELEPHONE.COM failed: 
Preauthentication failed
[2014/05/05 08:36:53.741333,  1] 
../source3/winbindd/winbindd_ads.c:122(ads_cached_connection_connect)
   ads_connect for domain TAYLORTELEPHONE failed: Preauthentication failed
[2014/05/05 08:36:53.741427,  1] 
../source3/winbindd/idmap_ad.c:199(idmap_ad_unixids_to_sids)
   ADS uninitialized: Preauthentication failed
[2014/05/05 08:36:53.741538,  4] 
../source3/winbindd/winbindd_dual.c:1346(child_handler)
   Finished processing child request 59

So what file or directory could not be found?

Jonn
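Added example (not code from this thread or from the Samba project): a small parser for the debug-log format posted above, where each entry is a `[timestamp, level] file:line(function)` tag followed by an indented message, and the mailer may have wrapped the location and the message onto following lines. It then flags the entries that matter when an AD join stops working: `krb5_cc_get_principal` failing with ENOENT (the credential cache it tries to read is not there), a `Preauthentication failed` answer from the KDC together with the principal it was for, and `NT_STATUS_ACCESS_DENIED` on an RPC bind. The sample log is constructed; the hostnames, realm and machine account in it are placeholders, not values from the thread.

```python
"""Parse Samba debug-log entries and flag Kerberos/AD authentication failures.

Added example, not from the mailing-list thread or the Samba project.
SAMPLE_LOG is constructed and modelled on the entries posted in the thread;
dc1.example.com, EXAMPLE.COM and NODE1$ are placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Samba debug tag: "[YYYY/MM/DD HH:MM:SS.usec,  level] path:line(function)".
# The location part is optional here because mail clients often wrap it
# onto the next line, as in the thread above.
TAG_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*(?P<loc>.*)$"
)
LOC_RE = re.compile(r"^(?P<file>\S+):(?P<line>\d+)\((?P<func>\w+)\)$")

# Message fragments that indicate the domain connection is broken.
FAILURE_PATTERNS = (
    ("no_ccache", re.compile(r"krb5_cc_get_principal failed")),
    ("preauth_failed", re.compile(r"Preauthentication failed")),
    ("access_denied", re.compile(r"NT_STATUS_ACCESS_DENIED")),
)
# Kerberos principal such as NODE1$@EXAMPLE.COM (machine accounts end in "$").
PRINCIPAL_RE = re.compile(r"(?P<princ>[A-Za-z0-9._-]+\$?@[A-Za-z0-9.-]+)")


@dataclass
class Entry:
    ts: str
    level: int
    func: str
    message: str


def parse_samba_log(text: str) -> List[Entry]:
    """Group raw log lines into entries: one tag line plus its message lines."""
    entries: List[Entry] = []
    current: Optional[dict] = None
    body: List[str] = []
    expect_loc = False

    def flush() -> None:
        if current is not None:
            entries.append(Entry(current["ts"], current["level"],
                                 current.get("func", ""), " ".join(body).strip()))

    for raw in text.splitlines():
        line = raw.strip()
        tag = TAG_RE.match(line)
        if tag:
            flush()
            current = {"ts": tag["ts"], "level": int(tag["level"])}
            body = []
            loc = LOC_RE.match(tag["loc"].strip())
            if loc:
                current["func"] = loc["func"]
                expect_loc = False
            else:
                expect_loc = True  # location was wrapped onto the next line
            continue
        if current is None or not line:
            continue
        if expect_loc:
            expect_loc = False
            loc = LOC_RE.match(line)
            if loc:
                current["func"] = loc["func"]
                continue
        body.append(line)  # continuation of the message (possibly wrapped)
    flush()
    return entries


def find_auth_failures(entries: List[Entry]) -> List[Dict[str, Optional[str]]]:
    """Return one finding per entry that matches a known failure pattern."""
    findings: List[Dict[str, Optional[str]]] = []
    for e in entries:
        for kind, pat in FAILURE_PATTERNS:
            if pat.search(e.message):
                pm = PRINCIPAL_RE.search(e.message)
                findings.append({"ts": e.ts, "func": e.func, "kind": kind,
                                 "principal": pm["princ"] if pm else None})
    return findings


# Constructed sample, same layout as the wrapped log in the thread.
SAMPLE_LOG = """\
[2014/05/05 08:36:53.718073,  3] ../source3/libads/ldap.c:723(ads_connect)
   Connected to LDAP server dc1.example.com
[2014/05/05 08:36:53.719774,  3]
../lib/krb5_wrap/krb5_samba.c:499(ads_krb5_mk_req)
   ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or
directory)
[2014/05/05 08:36:53.741217,  0]
../source3/libads/kerberos_util.c:74(ads_kinit_password)
   kerberos_kinit_password NODE1$@EXAMPLE.COM failed:
Preauthentication failed
[2014/05/05 08:36:53.741333,  1]
../source3/winbindd/winbindd_ads.c:122(ads_cached_connection_connect)
   ads_connect for domain EXAMPLE failed: Preauthentication failed
"""

if __name__ == "__main__":
    for f in find_auth_failures(parse_samba_log(SAMPLE_LOG)):
        print(f"{f['ts']} {f['func']}: {f['kind']} principal={f['principal']}")
```

Run against a winbind log at level 3 or higher, the interesting finding is a `preauth_failed` carrying the machine-account principal: the KDC rejected the key winbind presented for that account, which in a domain-joined setup means the machine password in the local secrets store and the one the DC holds no longer agree; a `no_ccache` immediately before it only says there was no ticket cache to reuse, so winbind fell back to a fresh kinit with that key. That is the state `wbinfo -t` (mentioned in the thread) reports as a failed trust secret check.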


