Peter Tan
2012-Jan-20 06:38 UTC
[Samba] Problem Accessing Samba share from Windows workstation via DNS Round Robin
I have set up a 2 node linux cluster and wish to share a ocfs2 mount on san storage. I have configured ctdb, samba and Kerberos and am able to map the share on my windows workstation when I hit the ip of each of the two nodes.

I am able to mount this share via nfs on other linux servers ok.

However it does not appear to be authenticating when I try to map to the DNS hostname that has been set up to round robin across the two ip's - I keep getting prompted for a login and password and I get the following in /var/log/messages: "krb5_rd_req failed (Key table entry not found)"

Node 1: 10.101.4.16
Node 2: 10.101.4.17
DNS A Name: clusterpub 10.101.4.16
DNS A Name: clusterpub 10.101.4.17

I have set the "netbios name = clusterpub" in smb.conf on both nodes

Interestingly, I am able to successfully connect to the "clusterpub" share from one of the nodes via smbclient.

    # smbclient //clusterpub/archive -U <user>
    Enter <user> password:
    Domain=[COUNCIL] OS=[Unix] Server=[Samba 3.5.4-0.83.el5]
    smb: \> dir
      .                                   D        0  Fri Jan 20 14:28:01 2012
      ..                                  D        0  Wed Jan 18 13:56:46 2012
      hello-from-samba                             0  Fri Jan 20 14:28:01 2012

                    64000 blocks of size 16777216. 63805 blocks available
    smb: \>

What am I missing?

Peter Tan
Nico Kadel-Garcia
2012-Jan-20 13:40 UTC
[Samba] Problem Accessing Samba share from Windows workstation via DNS Round Robin
On Fri, Jan 20, 2012 at 1:38 AM, Peter Tan <PTan at ipswich.qld.gov.au> wrote:
> I have set up a 2 node linux cluster and wish to share a ocfs2 mount on san storage. I have configured ctdb, samba and Kerberos and am able to map the share on my windows workstation when I hit the ip of each of the two nodes.
>
> I am able to mount this share via nfs on other linux servers ok.
>
> However it does not appear to be authenticating when I try to map to the DNS hostname that has been set up to round robin across the two ip's - I keep getting prompted for a login and password and I get the following in /var/log/messages: "krb5_rd_req failed (Key table entry not found)"

Nor should it. They're not the same machine, and Kerberos tickets for one are not going to be valid on the other. And DNS "round robin" is always a crap shoot due to client DNS caching and ordering of returned entries, over which you have *no* control from the server side.

NFS is an.... *entirely* different game. Once the mount is created, it's tied to the IP address, not the DNS entries, and remains that way unless detached and a new mount created. Autofs supports this sort of thing, but most NFS setups don't rely on Kerberos tickets or, in fact, any reliable authentication, especially the much simpler NFSv3 setups. Simple setups use the uid's and gid's reported by the client and assume that is enough. (It's really not for secure environments, which is why Kerberos works so hard to make sure you really are who you say you are, on both ends, and is incorporated into NFSv4 and integrated automatically into most modern CIFS setups.)

> Node 1: 10.101.4.16
> Node 2: 10.101.4.17
> DNS A Name: clusterpub 10.101.4.16
> DNS A Name: clusterpub 10.101.4.17

This is not "round robin" unless your DNS server is prepared to re-arrange the response order for lookups of "clusterpub", and even then, clients can mess it up. It's duplicate A records: it's important to keep this straight.

> I have set the "netbios name = clusterpub" in smb.conf on both nodes

But they're not the same host. Presenting them both as the same host is begging for confusion.

> Interestingly, I am able to successfully connect to the "clusterpub" share from one of the nodes via smbclient.
>
> # smbclient //clusterpub/archive -U <user>
> Enter <user> password:
> Domain=[COUNCIL] OS=[Unix] Server=[Samba 3.5.4-0.83.el5]
> smb: \> dir
>   .                                   D        0  Fri Jan 20 14:28:01 2012
>   ..                                  D        0  Wed Jan 18 13:56:46 2012
>   hello-from-samba                             0  Fri Jan 20 14:28:01 2012
>
>                 64000 blocks of size 16777216. 63805 blocks available
> smb: \>
>
> What am I missing?
>
> Peter Tan

That "round robin DNS" is not your friend, and never will be. Also, smbclient is not the same as mounting a file system.

You might consider giving different netbios names: duplicate A records are most usefully published *as well* as distinct hostnames, so you can gracefully select one or the other host, and a reverse DNS compatible specific hostname to differentiate reverse DNS lookups between the two hosts.
simo
2012-Jan-22 15:40 UTC
[Samba] Problem Accessing Samba share from Windows workstation via DNS Round Robin
On Fri, 2012-01-20 at 16:38 +1000, Peter Tan wrote:
> I have set up a 2 node linux cluster and wish to share a ocfs2 mount on san storage. I have configured ctdb, samba and Kerberos and am able to map the share on my windows workstation when I hit the ip of each of the two nodes.
>
> I am able to mount this share via nfs on other linux servers ok.
>
> However it does not appear to be authenticating when I try to map to the DNS hostname that has been set up to round robin across the two ip's - I keep getting prompted for a login and password and I get the following in /var/log/messages: "krb5_rd_req failed (Key table entry not found)"
>
> Node 1: 10.101.4.16
> Node 2: 10.101.4.17
> DNS A Name: clusterpub 10.101.4.16
> DNS A Name: clusterpub 10.101.4.17
>
> I have set the "netbios name = clusterpub" in smb.conf on both nodes
>
> Interestingly, I am able to successfully connect to the "clusterpub" share from one of the nodes via smbclient.
>
> # smbclient //clusterpub/archive -U <user>
> Enter <user> password:
> Domain=[COUNCIL] OS=[Unix] Server=[Samba 3.5.4-0.83.el5]
> smb: \> dir
>   .                                   D        0  Fri Jan 20 14:28:01 2012
>   ..                                  D        0  Wed Jan 18 13:56:46 2012
>   hello-from-samba                             0  Fri Jan 20 14:28:01 2012
>
>                 64000 blocks of size 16777216. 63805 blocks available
> smb: \>
>
> What am I missing?

You have 2 ways to solve this issue.

My preferred one is to join the cluster to the domain with the public name (clusterpub in your case), and share the keytab between the 2 nodes. They are logically a single server and need to share the same credentials.

Another way I like a lot less is to make sure you have PTR records set up so that they point to the respective private names, and join each node with these names. I like this less because it relies on reverse address resolution and kinda breaks the fact you are trying to present a single service to the clients.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
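A way to verify the "shared keytab" condition Simo describes before clients hit it, as an added example that is not part of this thread and not Samba or CTDB code: it parses `klist -k` output from each node and reports any node that lacks the public service principal (the situation behind "Key table entry not found") or that holds it under a different KVNO, which means the nodes were joined separately and do not share the same key. The hostnames and the realm COUNCIL.LOCAL in the sample listings are placeholders, and the listings themselves are constructed.

```python
import re

# Constructed 'klist -k' listings for the two CTDB nodes. Hostnames and the
# realm COUNCIL.LOCAL are placeholders, not values taken from the thread.
NODE1_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------------------
   3 host/node1.council.local@COUNCIL.LOCAL
   3 cifs/node1.council.local@COUNCIL.LOCAL
   5 cifs/clusterpub@COUNCIL.LOCAL
   5 cifs/clusterpub.council.local@COUNCIL.LOCAL
"""
NODE2_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------------------
   3 host/node2.council.local@COUNCIL.LOCAL
   3 cifs/node2.council.local@COUNCIL.LOCAL
   4 cifs/clusterpub@COUNCIL.LOCAL
"""

# One keytab entry: a KVNO followed by a principal with a realm.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_klist(text):
    """Map each principal in a 'klist -k' listing to the set of KVNOs it has."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries


def check_cluster_keytabs(listings, public_spns):
    """Return (node, problem, principal) findings across all nodes' listings.
    'missing' means that node cannot decrypt tickets for the SPN at all;
    'kvno-mismatch' means the nodes hold different keys for the same SPN, so
    a ticket issued for clusterpub will only be accepted by one of them."""
    parsed = {node: parse_klist(text) for node, text in listings.items()}
    findings = []
    for spn in public_spns:
        kvnos_seen = {}
        for node, entries in parsed.items():
            if spn not in entries:
                findings.append((node, "missing", spn))
            else:
                kvnos_seen[node] = frozenset(entries[spn])
        if len(set(kvnos_seen.values())) > 1:
            findings.extend((node, "kvno-mismatch", spn) for node in kvnos_seen)
    return findings
```

Running it against the real keytabs means feeding in the output of `klist -k` captured on each node; an empty findings list is the state a shared keytab should produce.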