[Samba] Error in domain or kerberos after configuring CTDB
Carlos Alberto Panozzo Cunha
carlos.hollow at gmail.com
Thu Jan 23 11:50:44 UTC 2025
Hello!
I have two Samba servers (domain members) in cluster format to provide file
shares, as follows:
GlusterFS for data replication
Heartbeat for HA
Everything works fine... however I made a recent improvement (I think)
which was the addition of CTDB for replication of Samba connections, just
that, and nothing more.
It worked and works but after that both nodes of the cluster started to
lose the trust relationship with the domain and other errors with Kerberos
(I believe), it may not be the problem but it worked without these errors
for over years and soon after adding CTDB this started....
Here is more information:
Samba version: Version 4.19.5-Ubuntu
OS Version: Ubuntu 24.04.1 LTS
=========================
smb.conf
[global]
workgroup = XXXXXXDC
realm = INTERNO.XXXXXXX.SRV.BR
password server = 172.16.1.101, 172.16.1.102, *
username map = /etc/samba/user.map
kerberos method = system keytab
security = ADS
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config XXXXXXDC : backend = rid
idmap config XXXXXXDC : range = 10000-999999
allow trusted domains = yes
winbind use default domain = yes
winbind refresh tickets = Yes
winbind offline logon = yes
winbind cache time = 600
winbind reconnect delay = 3
## ADD LINE TO CTDB
clustering = yes
private dir = /mnt/DADOS-GLUSTERFS/CTBD/
template shell = /bin/bash
template homedir = /home/%U
map to guest = bad user
guest ok = yes
map acl inherit = yes
store dos attributes = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
### TUNNING(many to small files) ###
server multi channel support = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072
SO_SNDBUF=131072
aio read size = 1
aio write size = 1
min receivefile size = 16384
use sendfile = yes
read raw = yes
write raw = yes
getwd cache = yes
large readwrite = yes
kernel oplocks = yes
### TUNNING ###
include = /etc/samba/compartilhamentos.conf
========
/etc/krb5.conf
[libdefaults]
default_realm = INTERNO.XXXXXXX.SRV.BR
dns_lookup_realm = false
dns_lookup_kdc = true
========
cat ctdb.conf
# See ctdb.conf(5) for documentation
#
# See ctdb-script.options(5) for documentation about event script
# options
[logging]
# Enable logging to syslog
location = syslog
# Default log level
log level = NOTICE
[cluster]
# Shared cluster lock file to avoid split brain. Daemon
# default is no cluster lock. Do NOT run CTDB without a
# cluster lock file unless you know exactly what you are
# doing.
#
# Please see the CLUSTER LOCK section in ctdb(7) for more
# details.
#
# cluster lock = !/bin/false CLUSTER LOCK NOT CONFIGURED
lockdir = /mnt/DADOS-GLUSTERFS/CTBD/
disable_ip_takeover = yes
only_locks = yes
========
Erros in Syslog
2025-01-22T14:22:45.120599-03:00 samba-cluster2 winbindd[1755688]: krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR
2025-01-22T14:22:45.120616-03:00 samba-cluster2 winbindd[1755688]: +>
2025-01-22T14:22:45.120633-03:00 samba-cluster2 rsyslogd[849]: rsyslogd:
action 'action-3-builtin:omfile' (module 'builtin:omfile') message lost,
could not be processed. Check for additional error messages before this
one. [v8.2312.0 try https://www.rsyslog.com/e/2027 ]
2025-01-22T14:22:45.120650-03:00 samba-cluster2 winbindd[1755688]: )
(krbtgt/INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/INTERNO.
========
To resolve this, rejoin Samba to the domain and it works for another day or
two, until the problems start again...
Any ideas on how to fix this?
I'm thinking about removing CTDB but wanted to try to fix it first...
Regards;
More information about the samba
mailing list