[Samba] Error in domain or kerberos after configuring CTDB

Carlos Alberto Panozzo Cunha carlos.hollow at gmail.com
Mon Jan 27 13:59:51 UTC 2025


Hello!

I removed the configuration and stopped the CTDB service, and the problems
with Kerberos and loss of domain relationship stopped occurring; they
haven't occurred for almost 4 days....

Regards;

On Thu, Jan 23, 2025 at 14:18, Carlos Alberto Panozzo Cunha <
carlos.hollow at gmail.com> wrote:

> Hi
> More information..
>
> Another thing that indicates to me that it is CTDB is that several other Linux
> domain members (not the same version of Samba) and Windows also do not present
> this problem (not with this frequency of 24 to 48 hours).
>
> Regards;
>
>
> On Thu, Jan 23, 2025 at 08:50, Carlos Alberto Panozzo Cunha <
> carlos.hollow at gmail.com> wrote:
>
>> Hello!
>>
>> I have two Samba servers (domain members) in cluster format to provide
>> file shares, as follows:
>>
>> GlusterFS for data replication
>> Heartbeat for HA
>>
>> Everything works fine... however I made a recent improvement (I think)
>> which was the addition of CTDB for replication of Samba connections, just
>> that, and nothing more.
>> It worked and works but after that both nodes of the cluster started to
>> lose the trust relationship with the domain and other errors with Kerberos
>> (I believe), it may not be the problem but it worked without these errors
>> for over years and soon after adding CTDB this started....
>>
>> Here is more information:
>>
>> Samba version: Version 4.19.5-Ubuntu
>> OS Version: Ubuntu 24.04.1 LTS
>>
>> =========================
>>
>> smb.conf
>>
>> [global]
>>         workgroup = XXXXXXDC
>>         realm = INTERNO.XXXXXXX.SRV.BR
>>         password server = 172.16.1.101, 172.16.1.102, *
>>         username map = /etc/samba/user.map
>>         kerberos method = system  keytab
>>         security = ADS
>>         idmap config * : backend = tdb
>>         idmap config * : range = 3000-7999
>>         idmap config XXXXXXDC : backend = rid
>>         idmap config XXXXXXDC : range = 10000-999999
>>
>>         allow trusted domains = yes
>>         winbind use default domain = yes
>>         winbind refresh tickets = Yes
>>         winbind offline logon = yes
>>         winbind cache time = 600
>>         winbind reconnect delay = 3
>>
>>         ## ADD LINE TO CTDB
>>         clustering = yes
>>         private dir = /mnt/DADOS-GLUSTERFS/CTBD/
>>
>>         template shell = /bin/bash
>>         template homedir = /home/%U
>>         map to guest = bad user
>>         guest ok = yes
>>         map acl inherit = yes
>>         store dos attributes = yes
>>         load printers = no
>>         printing = bsd
>>         printcap name = /dev/null
>>         disable spoolss = yes
>>
>>         ### TUNING (many to small files) ###
>>
>>         server multi channel support = yes
>>         socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
>>         aio read size = 1
>>         aio write size = 1
>>
>>         min receivefile size = 16384
>>         use sendfile = yes
>>         read raw = yes
>>         write raw = yes
>>         getwd cache = yes
>>         large readwrite = yes
>>         kernel oplocks = yes
>>
>>
>>         ### TUNING ###
>>
>>         include = /etc/samba/compartilhamentos.conf
>>
>> ========
>>
>>
>> /etc/krb5.conf
>>
>> [libdefaults]
>>         default_realm = INTERNO.XXXXXXX.SRV.BR
>>         dns_lookup_realm = false
>>         dns_lookup_kdc = true
>>
>> ========
>>
>>  cat ctdb.conf
>> # See ctdb.conf(5) for documentation
>> #
>> # See ctdb-script.options(5) for documentation about event script
>> # options
>>
>> [logging]
>>         # Enable logging to syslog
>>         location = syslog
>>
>>         # Default log level
>>         log level = NOTICE
>>
>> [cluster]
>>         # Shared cluster lock file to avoid split brain.  Daemon
>>         # default is no cluster lock.  Do NOT run CTDB without a
>>         # cluster lock file unless you know exactly what you are
>>         # doing.
>>         #
>>         # Please see the CLUSTER LOCK section in ctdb(7) for more
>>         # details.
>>         #
>>         # cluster lock = !/bin/false CLUSTER LOCK NOT CONFIGURED
>>         lockdir = /mnt/DADOS-GLUSTERFS/CTBD/
>>         disable_ip_takeover = yes
>>         only_locks = yes
>>
>> ========
>>
>> Errors in Syslog
>>
>>
>>
>> ========
>> To resolve this, rejoin Samba to the domain and it works for another day
>> or two, until the problems start again...
>>
>> Any ideas on how to fix this?
>> I'm thinking about removing CTDB but wanted to try to fix it first...
>>
>> Regards;
>>
>

