[Samba] Error in domain or kerberos after configuring CTDB
Carlos Alberto Panozzo Cunha
carlos.hollow at gmail.com
Mon Jan 27 21:02:44 UTC 2025
Hello!
And your configuration there is not very different from mine, and even
simpler, and in fact as I said I only wanted to use CTDB to sync the
connections/locks of the SMBD processes, nothing else, the rest works
perfectly as stated.
However, when performing the configuration as stated, it generated the
problem reported... requiring its removal.
Regards;
On Mon, Jan 27, 2025 at 17:32, Stefan Kania via samba <
samba at lists.samba.org> wrote:
> As I see in your configuration you use smb.conf on the CTDB-Server. You
> should use the registry, because that's the way the configuration will
> replicate the configuration. CTDB stands for clustered trivial
> databases. The registry is a tdb-database. There are a lot more wrong
> configurations in your config.
> Take a look at my tutorial from sambaxp 2020
> https://www.kania-online.de/wp-content/uploads/2020/05/ctdb-gluster.zip
>
> On 23.01.25 at 12:50, Carlos Alberto Panozzo Cunha via samba wrote:
> > Hello!
> >
> > I have two Samba servers (domain members) in cluster format to provide
> > file shares, as follows:
> >
> > GlusterFS for data replication
> > Heartbeat for HA
> >
> > Everything works fine... however I made a recent improvement (I think)
> > which was the addition of CTDB for replication of Samba connections, just
> > that, and nothing more.
> > It worked and works but after that both nodes of the cluster started to
> > lose the trust relationship with the domain and other errors with Kerberos
> > (I believe), it may not be the problem but it worked without these errors
> > for over years and soon after adding CTDB this started....
> >
> > Here is more information:
> >
> > Samba version: Version 4.19.5-Ubuntu
> > OS Version: Ubuntu 24.04.1 LTS
> >
> > =========================
> >
> > smb.conf
> >
> > [global]
> > workgroup = XXXXXXDC
> > realm = INTERNO.XXXXXXX.SRV.BR
> > password server = 172.16.1.101, 172.16.1.102, *
> > username map = /etc/samba/user.map
> > kerberos method = system keytab
> > security = ADS
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > idmap config XXXXXXDC : backend = rid
> > idmap config XXXXXXDC : range = 10000-999999
> >
> > allow trusted domains = yes
> > winbind use default domain = yes
> > winbind refresh tickets = Yes
> > winbind offline logon = yes
> > winbind cache time = 600
> > winbind reconnect delay = 3
> >
> > ## ADD LINE TO CTDB
> > clustering = yes
> > private dir = /mnt/DADOS-GLUSTERFS/CTBD/
> >
> > template shell = /bin/bash
> > template homedir = /home/%U
> > map to guest = bad user
> > guest ok = yes
> > map acl inherit = yes
> > store dos attributes = yes
> > load printers = no
> > printing = bsd
> > printcap name = /dev/null
> > disable spoolss = yes
> >
> > ### TUNNING(many to small files) ###
> >
> > server multi channel support = yes
> > socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
> > aio read size = 1
> > aio write size = 1
> >
> > min receivefile size = 16384
> > use sendfile = yes
> > read raw = yes
> > write raw = yes
> > getwd cache = yes
> > large readwrite = yes
> > kernel oplocks = yes
> >
> >
> > ### TUNNING ###
> >
> > include = /etc/samba/compartilhamentos.conf
> >
> > ========
> >
> >
> > /etc/krb5.conf
> >
> > [libdefaults]
> > default_realm = INTERNO.XXXXXXX.SRV.BR
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > ========
> >
> > cat ctdb.conf
> > # See ctdb.conf(5) for documentation
> > #
> > # See ctdb-script.options(5) for documentation about event script
> > # options
> >
> > [logging]
> > # Enable logging to syslog
> > location = syslog
> >
> > # Default log level
> > log level = NOTICE
> >
> > [cluster]
> > # Shared cluster lock file to avoid split brain. Daemon
> > # default is no cluster lock. Do NOT run CTDB without a
> > # cluster lock file unless you know exactly what you are
> > # doing.
> > #
> > # Please see the CLUSTER LOCK section in ctdb(7) for more
> > # details.
> > #
> > # cluster lock = !/bin/false CLUSTER LOCK NOT CONFIGURED
> > lockdir = /mnt/DADOS-GLUSTERFS/CTBD/
> > disable_ip_takeover = yes
> > only_locks = yes
> >
> > ========
> >
> > Errors in Syslog
> >
> >
> >
> > ========
> > To resolve this, rejoin Samba to the domain and it works for another day
> > or two, until the problems start again...
> >
> > Any ideas on how to fix this?
> > I'm thinking about removing CTDB but wanted to try to fix it first...
> >
> > Regards;
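The check behind Stefan Kania's advice in this thread, as an added example (not code from the thread or from the Samba project): it flags a node whose smb.conf sets `clustering = yes` but does not load its settings from the registry with `include = registry` (or `config backend = registry`), and lists the settings that therefore exist only in that node's file. The sample files and the function names are constructed for illustration.

```python
import re

# Constructed excerpt of the [global] section quoted in the post.
POSTED = """\
[global]
workgroup = XXXXXXDC
## ADD LINE TO CTDB
clustering = yes
private dir = /mnt/DADOS-GLUSTERFS/CTBD/
socket options = TCP_NODELAY IPTOS_LOWDELAY\\
    SO_RCVBUF=131072 SO_SNDBUF=131072
include = /etc/samba/compartilhamentos.conf
"""

# Constructed bootstrap file (assumption): all other settings live in the registry.
BOOTSTRAP = "[global]\nClustering = Yes\ninclude = registry\n"

TRUE = {"yes", "true", "1", "on"}


def parse_global(text):
    """Return (normalized name, value) pairs from [global], in file order."""
    text = re.sub(r"\\\r?\n[ \t]*", " ", text)  # join backslash continuations
    section, params = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params.append((re.sub(r"\s+", "", name).lower(), value.strip()))
    return params


def audit(text):
    """Findings for a node with clustering on but settings kept in the file."""
    params = parse_global(text)

    def values(key):
        return [v.lower() for n, v in params if n == key]

    if not any(v in TRUE for v in values("clustering")):
        return []
    if "registry" in values("include") + values("configbackend"):
        return []
    local = [n for n, _ in params if n not in ("clustering", "include")]
    return ["clustering = yes without include = registry"] + [
        f"not replicated (file only): {n}" for n in local]
```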