[Samba] Error in domain or kerberos after configuring CTDB

Stefan Kania stefan at kania-online.de
Mon Jan 27 20:31:12 UTC 2025


As I see in your configuration you use smb.conf on the CTDB-Server. You 
should use the registry, because that's the way the configuration will 
replicate the configuration. CTDB stands for clustered trivial 
databases. The registry is a tdb-database. There are a lot more wrong 
configurations in your config.
Take a look at my tutorial from SambaXP 2020 
https://www.kania-online.de/wp-content/uploads/2020/05/ctdb-gluster.zip

On 23.01.25 at 12:50, Carlos Alberto Panozzo Cunha via samba wrote:
> Hello!
> 
> I have two Samba servers (domain members) in cluster format to provide file
> shares, as follows:
> 
> GlusterFS for data replication
> Heartbeat for HA
> 
> Everything works fine... however I made a recent improvement (I think)
> which was the addition of CTDB for replication of Samba connections, just
> that, and nothing more.
> It worked and works but after that both nodes of the cluster started to
> lose the trust relationship with the domain and other errors with Kerberos
> (I believe), it may not be the problem but it worked without these errors
> for over years and soon after adding CTDB this started....
> 
> Here is more information:
> 
> Samba version: Version 4.19.5-Ubuntu
> OS Version: Ubuntu 24.04.1 LTS
> 
> =========================
> 
> smb.conf
> 
> [global]
>          workgroup = XXXXXXDC
>          realm = INTERNO.XXXXXXX.SRV.BR
>          password server = 172.16.1.101, 172.16.1.102, *
>          username map = /etc/samba/user.map
>          kerberos method = system  keytab
>          security = ADS
>          idmap config * : backend = tdb
>          idmap config * : range = 3000-7999
>          idmap config XXXXXXDC : backend = rid
>          idmap config XXXXXXDC : range = 10000-999999
> 
>          allow trusted domains = yes
>          winbind use default domain = yes
>          winbind refresh tickets = Yes
>          winbind offline logon = yes
>          winbind cache time = 600
>          winbind reconnect delay = 3
> 
>          ## ADD LINE TO CTDB
>          clustering = yes
>          private dir = /mnt/DADOS-GLUSTERFS/CTBD/
> 
>          template shell = /bin/bash
>          template homedir = /home/%U
>          map to guest = bad user
>          guest ok = yes
>          map acl inherit = yes
>          store dos attributes = yes
>          load printers = no
>          printing = bsd
>          printcap name = /dev/null
>          disable spoolss = yes
> 
>          ### TUNNING(many to small files) ###
> 
>          server multi channel support = yes
>          socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072
> SO_SNDBUF=131072
>          aio read size = 1
>          aio write size = 1
> 
>          min receivefile size = 16384
>          use sendfile = yes
>          read raw = yes
>          write raw = yes
>          getwd cache = yes
>          large readwrite = yes
>          kernel oplocks = yes
> 
> 
>          ### TUNNING ###
> 
>          include = /etc/samba/compartilhamentos.conf
> 
> ========
> 
> 
> /etc/krb5.conf
> 
> [libdefaults]
>          default_realm = INTERNO.XXXXXXX.SRV.BR
>          dns_lookup_realm = false
>          dns_lookup_kdc = true
> 
> ========
> 
>   cat ctdb.conf
> # See ctdb.conf(5) for documentation
> #
> # See ctdb-script.options(5) for documentation about event script
> # options
> 
> [logging]
>          # Enable logging to syslog
>          location = syslog
> 
>          # Default log level
>          log level = NOTICE
> 
> [cluster]
>          # Shared cluster lock file to avoid split brain.  Daemon
>          # default is no cluster lock.  Do NOT run CTDB without a
>          # cluster lock file unless you know exactly what you are
>          # doing.
>          #
>          # Please see the CLUSTER LOCK section in ctdb(7) for more
>          # details.
>          #
>          # cluster lock = !/bin/false CLUSTER LOCK NOT CONFIGURED
>          lockdir = /mnt/DADOS-GLUSTERFS/CTBD/
>          disable_ip_takeover = yes
>          only_locks = yes
> 
> ========
> 
> Errors in Syslog
> 
> 
> ========
> To resolve this, rejoin Samba to the domain and it works for another day or
> two, until the problems start again...
> 
> Any ideas on how to fix this?
> I'm thinking about removing CTDB but wanted to try to fix it first...
> 
> Regards;
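
The registry-based layout recommended in the reply, as an added example (not code from this thread or from the Samba project): the sketch splits a file-based smb.conf into the small node-local stub and the part that would be loaded into the registry. It assumes the usual CTDB layout in which only `clustering = yes` and `include = registry` stay in the file on each node; `split_for_registry`, `SAMPLE` and the names inside it are hypothetical.

```python
import re

# Parameters that stay in the node-local smb.conf stub (assumed standard CTDB layout).
LOCAL_ONLY = {"clustering", "include"}

# Constructed sample, modelled on the file-based configuration quoted above.
SAMPLE = """\
[global]
    workgroup = EXAMPLEDC
    security = ADS
    ## ADD LINE TO CTDB
    clustering = yes
    include = /etc/samba/shares.conf
[data]
    path = /mnt/gluster/data
"""

def norm(name):
    # smb.conf parameter names ignore case and embedded whitespace
    return re.sub(r"\s+", "", name).lower()

def split_for_registry(text):
    """Return (stub, registry_part, warnings) for a file-based smb.conf."""
    section, registry, warnings, clustered = None, [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip()
            registry.append(f"[{section}]")
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a "parameter = value" line
        key, value = key.strip(), value.strip()
        if section and section.lower() == "global" and norm(key) in LOCAL_ONLY:
            if norm(key) == "clustering":
                clustered = value.lower() in ("yes", "true", "1")
            elif value.lower() != "registry":
                warnings.append(f"node-local include file: {value}")
            continue  # kept out of the registry part
        registry.append(f"    {key} = {value}")
    if not clustered:
        warnings.append("clustering is not enabled")
    stub = "[global]\n    clustering = yes\n    include = registry\n"
    return stub, "\n".join(registry) + "\n", warnings
```

The registry part is loaded once with `net conf import <file>` and can be checked from any node with `net conf list`; a flagged include file is itself node-local and its contents need the same treatment.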





