[Samba] Error in domain or kerberos after configuring CTDB

Carlos Alberto Panozzo Cunha carlos.hollow at gmail.com
Mon Jan 27 21:02:44 UTC 2025


Hello!

And your configuration there is not very different from mine, and even
simpler, and in fact as I said I only wanted to use CTDB to sync the
connections/locks of the SMBD processes, nothing else, the rest works
perfectly as stated.

However, when performing the configuration as stated, it generated the
problem reported... requiring its removal.

Regards;

On Mon, 27 Jan 2025 at 17:32, Stefan Kania via samba <
samba at lists.samba.org> wrote:

> As I see in your configuration you use smb.conf on the CTDB-Server. You
> should use the registry, because that's the way the configuration will
> replicate the configuration. CTDB stands for clustered trivial
> databases. The registry is a tdb-database. There are a lot more wrong
> configurations in your config.
> Take a look at my tutorial from sambaxp 2020
> https://www.kania-online.de/wp-content/uploads/2020/05/ctdb-gluster.zip
>
> On 23.01.25 at 12:50, Carlos Alberto Panozzo Cunha via samba wrote:
> > Hello!
> >
> > I have two Samba servers (domain members) in cluster format to provide file
> > shares, as follows:
> >
> > GlusterFS for data replication
> > Heartbeat for HA
> >
> > Everything works fine... however I made a recent improvement (I think)
> > which was the addition of CTDB for replication of Samba connections, just
> > that, and nothing more.
> > It worked and works but after that both nodes of the cluster started to
> > lose the trust relationship with the domain and other errors with Kerberos
> > (I believe), it may not be the problem but it worked without these errors
> > for over years and soon after adding CTDB this started....
> >
> > Here is more information:
> >
> > Samba version: Version 4.19.5-Ubuntu
> > OS Version: Ubuntu 24.04.1 LTS
> >
> > =========================
> >
> > smb.conf
> >
> > [global]
> >          workgroup = XXXXXXDC
> >          realm = INTERNO.XXXXXXX.SRV.BR
> >          password server = 172.16.1.101, 172.16.1.102, *
> >          username map = /etc/samba/user.map
> >          kerberos method = system  keytab
> >          security = ADS
> >          idmap config * : backend = tdb
> >          idmap config * : range = 3000-7999
> >          idmap config XXXXXXDC : backend = rid
> >          idmap config XXXXXXDC : range = 10000-999999
> >
> >          allow trusted domains = yes
> >          winbind use default domain = yes
> >          winbind refresh tickets = Yes
> >          winbind offline logon = yes
> >          winbind cache time = 600
> >          winbind reconnect delay = 3
> >
> >          ## ADD LINE TO CTDB
> >          clustering = yes
> >          private dir = /mnt/DADOS-GLUSTERFS/CTBD/
> >
> >          template shell = /bin/bash
> >          template homedir = /home/%U
> >          map to guest = bad user
> >          guest ok = yes
> >          map acl inherit = yes
> >          store dos attributes = yes
> >          load printers = no
> >          printing = bsd
> >          printcap name = /dev/null
> >          disable spoolss = yes
> >
> >          ### TUNNING(many to small files) ###
> >
> >          server multi channel support = yes
> >          socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
> >          aio read size = 1
> >          aio write size = 1
> >
> >          min receivefile size = 16384
> >          use sendfile = yes
> >          read raw = yes
> >          write raw = yes
> >          getwd cache = yes
> >          large readwrite = yes
> >          kernel oplocks = yes
> >
> >
> >          ### TUNNING ###
> >
> >          include = /etc/samba/compartilhamentos.conf
> >
> > ========
> >
> >
> > /etc/krb5.conf
> >
> > [libdefaults]
> >          default_realm = INTERNO.XXXXXXX.SRV.BR
> >          dns_lookup_realm = false
> >          dns_lookup_kdc = true
> >
> > ========
> >
> >   cat ctdb.conf
> > # See ctdb.conf(5) for documentation
> > #
> > # See ctdb-script.options(5) for documentation about event script
> > # options
> >
> > [logging]
> >          # Enable logging to syslog
> >          location = syslog
> >
> >          # Default log level
> >          log level = NOTICE
> >
> > [cluster]
> >          # Shared cluster lock file to avoid split brain.  Daemon
> >          # default is no cluster lock.  Do NOT run CTDB without a
> >          # cluster lock file unless you know exactly what you are
> >          # doing.
> >          #
> >          # Please see the CLUSTER LOCK section in ctdb(7) for more
> >          # details.
> >          #
> >          # cluster lock = !/bin/false CLUSTER LOCK NOT CONFIGURED
> >          lockdir = /mnt/DADOS-GLUSTERFS/CTBD/
> >          disable_ip_takeover = yes
> >          only_locks = yes
> >
> > ========
> >
> > Errors in Syslog
> >
> >
> >
> > ========
> > To resolve this, rejoin Samba to the domain and it works for another day or
> > two, until the problems start again...
> >
> > Any ideas on how to fix this?
> > I'm thinking about removing CTDB but wanted to try to fix it first...
> >
> > Regards;

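The advice quoted above, that a clustered Samba node should read its configuration from the registry rather than from a local smb.conf, can be checked mechanically. The following is an added example, not part of the thread and not Samba code: a Python check run over a constructed smb.conf. The function names and the sample file are hypothetical.

```python
import re

# Constructed sample, modelled on the [global] section quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLEDC
    security = ADS
    clustering = yes
    private dir = /mnt/shared/ctdb/
    include = /etc/samba/shares.conf
"""

TRUE_VALUES = {"yes", "true", "1", "on"}


def parse_global(text):
    """Return (name, value) pairs from [global]. Names are lower-cased with
    whitespace removed, because smb.conf ignores both in parameter names."""
    section, pairs = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            pairs.append((re.sub(r"\s+", "", name).lower(), value.strip()))
    return pairs


def check_cluster_config(text):
    """List findings for a node with clustering enabled whose settings are
    still kept in local files instead of the registry."""
    pairs = parse_global(text)
    if not any(n == "clustering" and v.lower() in TRUE_VALUES for n, v in pairs):
        return []  # not a clustered node, nothing to check
    findings = []
    uses_registry = any(
        n in ("include", "configbackend") and v.lower() == "registry"
        for n, v in pairs
    )
    if not uses_registry:
        findings.append("clustering is on but the configuration is not read from the registry")
    for n, v in pairs:
        if n == "include" and v.lower() != "registry":
            findings.append(f"included file is local to this node: {v}")
    return findings
```
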
