[Samba] Error in domain or kerberos after configuring CTDB
Carlos Alberto Panozzo Cunha
carlos.hollow at gmail.com
Mon Jan 27 13:59:51 UTC 2025
Hello!
I removed the configuration and stopped the CTDB service and the problems
with Kerberos and loss of domain relationship stopped occurring, they
haven't occurred for almost 4 days....
Regards;
On Thu, Jan 23, 2025 at 14:18, Carlos Alberto Panozzo Cunha <
carlos.hollow at gmail.com> wrote:
> Hi
> More information..
>
> Another thing that indicates to me it is CTDB is that several other Linux
> domain members (not the same version of Samba) and Windows also do not present
> this problem (not with this frequency of 24 to 48 hours).
>
> Regards;
>
>
> On Thu, Jan 23, 2025 at 08:50, Carlos Alberto Panozzo Cunha <
> carlos.hollow at gmail.com> wrote:
>
>> Hello!
>>
>> I have two Samba servers (domain members) in cluster format to provide
>> file shares, as follows:
>>
>> GlusterFS for data replication
>> Heartbeat for HA
>>
>> Everything works fine... however I made a recent improvement (I think)
>> which was the addition of CTDB for replication of Samba connections, just
>> that, and nothing more.
>> It worked and works but after that both nodes of the cluster started to
>> lose the trust relationship with the domain and other errors with Kerberos
>> (I believe), it may not be the problem but it worked without these errors
>> for over years and soon after adding CTDB this started....
>>
>> Here is more information:
>>
>> Samba version: Version 4.19.5-Ubuntu
>> OS Version: Ubuntu 24.04.1 LTS
>>
>> =========================
>>
>> smb.conf
>>
>> [global]
>> workgroup = XXXXXXDC
>> realm = INTERNO.XXXXXXX.SRV.BR
>> password server = 172.16.1.101, 172.16.1.102, *
>> username map = /etc/samba/user.map
>> kerberos method = system keytab
>> security = ADS
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> idmap config XXXXXXDC : backend = rid
>> idmap config XXXXXXDC : range = 10000-999999
>>
>> allow trusted domains = yes
>> winbind use default domain = yes
>> winbind refresh tickets = Yes
>> winbind offline logon = yes
>> winbind cache time = 600
>> winbind reconnect delay = 3
>>
>> ## ADD LINE TO CTDB
>> clustering = yes
>> private dir = /mnt/DADOS-GLUSTERFS/CTBD/
>>
>> template shell = /bin/bash
>> template homedir = /home/%U
>> map to guest = bad user
>> guest ok = yes
>> map acl inherit = yes
>> store dos attributes = yes
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>> ### TUNNING(many to small files) ###
>>
>> server multi channel support = yes
>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
>> aio read size = 1
>> aio write size = 1
>>
>> min receivefile size = 16384
>> use sendfile = yes
>> read raw = yes
>> write raw = yes
>> getwd cache = yes
>> large readwrite = yes
>> kernel oplocks = yes
>>
>>
>> ### TUNNING ###
>>
>> include = /etc/samba/compartilhamentos.conf
>>
>> ========
>>
>>
>> /etc/krb5.conf
>>
>> [libdefaults]
>> default_realm = INTERNO.XXXXXXX.SRV.BR
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> ========
>>
>> cat ctdb.conf
>> # See ctdb.conf(5) for documentation
>> #
>> # See ctdb-script.options(5) for documentation about event script
>> # options
>>
>> [logging]
>> # Enable logging to syslog
>> location = syslog
>>
>> # Default log level
>> log level = NOTICE
>>
>> [cluster]
>> # Shared cluster lock file to avoid split brain. Daemon
>> # default is no cluster lock. Do NOT run CTDB without a
>> # cluster lock file unless you know exactly what you are
>> # doing.
>> #
>> # Please see the CLUSTER LOCK section in ctdb(7) for more
>> # details.
>> #
>> # cluster lock = !/bin/false CLUSTER LOCK NOT CONFIGURED
>> lockdir = /mnt/DADOS-GLUSTERFS/CTBD/
>> disable_ip_takeover = yes
>> only_locks = yes
>>
>> ========
>>
>> Errors in Syslog
>>
>> 2025-01-22T14:22:45.120599-03:00 samba-cluster2 winbindd[1755688]:
>> krbtgt/INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
>> dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/
>> INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
>> dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR
>> 2025-01-22T14:22:45.120616-03:00 samba-cluster2 winbindd[1755688]: +>
>> 2025-01-22T14:22:45.120633-03:00 samba-cluster2 rsyslogd[849]: rsyslogd:
>> action 'action-3-builtin:omfile' (module 'builtin:omfile') message lost,
>> could not be processed. Check for additional error messages before this
>> one. [v8.2312.0 try https://www.rsyslog.com/e/2027 ]
>> 2025-01-22T14:22:45.120650-03:00 samba-cluster2 winbindd[1755688]: )
>> (krbtgt/INTERNO.XXXXXX.SRV.BR at INTERNO.XXXXXX.SRV.BR) (cifs/
>> dc-samba-01.interno.xxxxxx.srv.br at INTERNO.XXXXXX.SRV.BR) (krbtgt/INTERNO.
>>
>>
>> ========
>> To resolve this, rejoin Samba to the domain and it works for another day
>> or two, until the problems start again...
>>
>> Any ideas on how to fix this?
>> I'm thinking about removing CTDB but wanted to try to fix it first...
>>
>> Regards;
>>
>