tim clusters
2008-Dec-04 23:12 UTC
[Samba] Join multiple CTDB managed Samba servers into Active Directory
Hi ,
I have set up a 2-node CTDB cluster serving NFS and CIFS authenticating
Windows and Linux users via Active Directory.
The setup works fine, except only one server in the CTDB-cluster is able to
join the AD domain at a given instance. If you manually add the other server
into AD, the already connected server gets disconnected. There is no
specific error message logged in /var/log/message or /var/log/samba/log.smbd
or /var/log/samba/log.winbind + network snooping at Samba port(445) does not
provide any info. Please find the smb.conf and CTDB details attached.
Without CTDB, I can have Samba active on multiple servers joined to AD.
Following is the setup + error message when you manually try to join a
second CTDB node into Active Directory:
----------------
Configuration:
# CTDB Up and Virtualizing two Nodes into single entity
# CTDB configured to manage IP, NFS, Samba, and Winbind
[root@node-02 nfsexport]# ctdb status
Number of nodes:2
pnn:0 172.16.2.252 OK (THIS NODE)
pnn:1 172.16.2.253 OK
Generation:1529093094
Size:2
hash:0 lmaster:0
hash:1 lmaster:1
Recovery mode:NORMAL (0)
Recovery master:1
[root@node-01 ~]# ctdb ip
Public IPs on node 1
192.168.97.5 0
192.168.97.6 1
# Initially only node-02 was able to join AD
[root@node-02 nfsexport]# net ads testjoin
Join is OK
# Able to see users in AD Domain
[root@node-02 ~]# wbinfo -u list
TESTDOMAIN+administrator
TESTDOMAIN+peyton
TESTDOMAIN+eli
Join Error
-------------
# node-01 is unable to join AD
[root@node-01 ~]# net ads testjoin
[2008/12/02 15:59:47, 0] libads/kerberos.c:ads_kinit_password(361)
kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed:
Preauthentication failed
[2008/12/02 15:59:47, 0] libads/kerberos.c:ads_kinit_password(361)
kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed:
Preauthentication failed
Join to domain is not valid: Logon failure
# Manually add node-01 to AD (this joins as the domain Administrator; a less privileged account that is only allowed to create computer objects in CN=Computers would be sufficient)
[root@node-01 ~]# net -d 1 ads join -U Administrator
Enter Administrator's password:
[2008/12/02 16:06:11, 1] libnet/libnet_join.c:libnet_Join(1799)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'node-01'
domain_name : *
domain_name : 'TESTDOMAIN.LOCAL'
account_ou : NULL
admin_account : 'Administrator'
admin_password : *
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
[2008/12/02 16:06:11, 1] libnet/libnet_join.c:libnet_Join(1830)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'TESTDOMAIN'
dns_domain_name : 'testdomain.local'
dn :
'CN=node-01,CN=Computers,DC=testdomain,DC=local'
domain_sid : *
domain_sid :
S-1-5-21-3868838012-3874256186-1289404937
modified_config : 0x00 (0)
error_string : NULL
domain_is_ad : 0x01 (1)
result : WERR_OK
Using short domain name -- TESTDOMAIN
Joined 'node-01' to realm 'testdomain.local'
[root@node-01 ~]# net ads testjoin
Join is OK
#Check AD Status from node-02
# Result: node-02 which was originally joined to AD gets revoked when
node-01 is manually added into AD
[root@node-02 nfsexport]# net ads testjoin
[2008/12/02 16:21:14, 0] libads/kerberos.c:ads_kinit_password(361)
kerberos_kinit_password node-02$@TESTDOMAIN.LOCAL failed:
Preauthentication failed
[2008/12/02 16:21:14, 0] libads/kerberos.c:ads_kinit_password(361)
kerberos_kinit_password node-02$@TESTDOMAIN.LOCAL failed:
Preauthentication failed
Join to domain is not valid: Logon failure
#Manually Add node-02 to the AD
[root@node-02 nfsexport]# net -d 1 ads join -U Administrator
Enter Administrator's password:
[2008/12/02 16:33:30, 1] libnet/libnet_join.c:libnet_Join(1799)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'node-02'
domain_name : *
domain_name : 'TESTDOMAIN.LOCAL'
account_ou : NULL
admin_account : 'Administrator'
admin_password : *
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
[2008/12/02 16:33:31, 1] libnet/libnet_join.c:libnet_Join(1830)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'TESTDOMAIN'
dns_domain_name : 'testdomain.local'
dn :
'CN=node-02,CN=Computers,DC=testdomain,DC=local'
domain_sid : *
domain_sid :
S-1-5-21-3868838012-3874256186-1289404937
modified_config : 0x00 (0)
error_string : NULL
domain_is_ad : 0x01 (1)
result : WERR_OK
Using short domain name -- TESTDOMAIN
Joined 'node-02' to realm 'testdomain.local'
[root@node-02 nfsexport]# net ads testjoin
Join is OK
#When node-02 is added into AD, node-01 gets revoked/disconnected from AD
[root@node-01 ~]# net ads testjoin
[2008/12/02 16:33:45, 0] libads/kerberos.c:ads_kinit_password(361)
kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed:
Preauthentication failed
[2008/12/02 16:33:45, 0] libads/kerberos.c:ads_kinit_password(361)
kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed:
Preauthentication failed
Join to domain is not valid: Logon failure
[root@node-02 nfsexport]# net ads testjoin
[2008/12/02 14:30:07, 0] passdb/secrets.c:secrets_init(71)
Failed to open /mnt/gpfs/CTDB/secrets.tdb
Join to domain is not valid: Access denied
-------------
Thanks in Advance,
-Tim
-------------- next part --------------
Software version
----------------
CTDB:
ctdb-1.0-64
ctdb-debuginfo-1.0-64
Samba:
samba-debuginfo-3.2.3-ctdb.50
samba-3.2.3-ctdb.50
samba-doc-3.2.3-ctdb.50
samba-winbind-32bit-3.2.3-ctdb.50
samba-client-3.2.3-ctdb.50
samba-swat-3.2.3-ctdb.50
samba-common-3.2.3-ctdb.50
Kerberos:
krb5-workstation-1.5-17
krb5-libs-1.5-17
krb5-devel-1.5-17
krb5-auth-dialog-0.7-1
pam_krb5-2.2.11-1
krb5-devel-1.5-17
krb5-libs-1.5-17
pam_krb5-2.2.11-1
smb.conf
--------
# smb.conf as posted for both CTDB nodes. The reply from Michael Adam further
# down this thread names the settings that should change for a clustered setup.
[global]
# AD membership: NetBIOS domain name, Kerberos realm, and AD-member security mode.
workgroup = TESTDOMAIN
realm = TESTDOMAIN.LOCAL
security = ADS
# Authentication is pinned to one DC by IP address, so there appears to be no
# failover if that DC is unavailable. NOTE(review): Kerberos also relies on the
# DC being resolvable through DNS; confirm SRV records resolve from both nodes.
password server = 192.168.10.10
# Places secrets.tdb -- which stores the machine account password -- on the shared
# GPFS path. The reply below says this must NOT be set with current ctdb, which
# replicates persistent tdbs itself. Wherever secrets.tdb ends up, that directory
# should be readable by root only.
private dir = /mnt/global/CTDB
# Use only NTLMv2 for outbound NTLM authentication.
client NTLMv2 auth = Yes
# Home directory / shell for winbind users; %D+%U matches the separator below.
template homedir = /home/%D+%U
template shell = /bin/bash
winbind separator = +
# Full domain enumeration, as used by the "wbinfo -u" listing earlier in the thread.
winbind enum users = Yes
winbind enum groups = Yes
# Listen on 445 only (no NetBIOS-over-TCP on 139).
smb ports = 445
# NOTE(review): "auto" offers SMB signing but does not require it, so clients that
# do not sign get unsigned sessions. Consider "mandatory" if all clients support it.
server signing = auto
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
use mmap = No
# Clustered mode: smbd/winbindd use ctdb for shared databases and IP failover.
clustering = Yes
dns proxy = No
gpfs:sharemodes = no
# fileid:mapping is configured, but the "fileid" VFS module is not listed in
# "vfs objects" below, so this option has no effect as posted (see reply below).
fileid:mapping = global_GbE
# idmap: RID-based mapping so every node derives the same uid/gid for a SID.
# The reply below says the "idmap alloc" and ":default" lines are obsolete in this build.
idmap alloc TESTDOMAIN:range = 10777216-57554431
idmap config TESTDOMAIN:range = 10777216-57554431
idmap config TESTDOMAIN:backend = rid
idmap config TESTDOMAIN:default = yes
force unknown acl user = Yes
# Only the gpfs module is loaded; the reply below asks to add "fileid" here.
vfs objects = gpfs
# NOTE(review): these debug levels are for troubleshooting only; auth/passdb logs at
# this verbosity may contain authentication details. Lower them once the join issue
# is resolved and keep /var/log/samba readable by root only.
log level = 3 passdb:5 auth:10 winbind:5
log file = /var/log/samba/log.%m
max log size = 50

# Writable share on the clustered filesystem; new files inherit parent permissions/ACLs.
[global-share]
comment = global NameSpace
path = /mnt/global/nfsexport
read only = No
inherit permissions = Yes
inherit acls = Yes
/etc/sysconfig/ctdb
-------------------
# /etc/sysconfig/ctdb as posted (same file on both nodes).
# The recovery lock is on the shared GPFS path (the same directory smb.conf used
# for "private dir"). It is used for recovery-master arbitration, so it should live
# on storage every node sees with cluster-coherent locking -- confirm for GPFS.
CTDB_RECOVERY_LOCK=/mnt/global/CTDB/recovery.lck
# Public (floating) IPs, one per line; the "ctdb ip" output above shows 192.168.97.5/6.
CTDB_PUBLIC_ADDRESSES=/etc/ctdb/public_addresses
# ctdb starts, stops and monitors smbd, winbindd and the NFS services
# (the referenced public_addresses and nodes files are not shown in the thread).
CTDB_MANAGES_SAMBA=yes
CTDB_MANAGES_WINBIND=yes
CTDB_MANAGES_NFS=yes
# Private cluster-internal node addresses, one per line
# (172.16.2.252 and 172.16.2.253 in the "ctdb status" output above).
CTDB_NODES=/etc/ctdb/nodes
Michael Adam
2008-Dec-19 09:28 UTC
[Samba] Join multiple CTDB managed Samba servers into Active Directory
Hi, the nodes in the cluster should appear as ONE CIFS server to the outside. It just has multiple IP addresses, and one client request is served by one node of the cluster. So there should also be only one name (netbios name) that the cluster nodes share. Then you only need to join the cluster _once_ (issuing "net ads join" on _one_ node); ctdb will take care of storing the machine password in secrets.tdb so that the join information is available to all nodes. What you are seeing is most likely a consequence of both nodes sharing one secrets.tdb while joining under two different machine names: each join replaces the stored machine password, so the previously joined node's stored secret no longer matches its account in AD and its Kerberos pre-authentication fails. So you should set the same "netbios name = XYZ" in smb.conf on all cluster nodes. In your smb.conf, you have set "private dir = /mnt/global/CTDB"; this is on gpfs cluster storage. This should not be set with current versions of ctdb, since ctdb can now handle persistent tdb databases (like secrets.tdb). So please remove that setting. Also extend "vfs objects" to include "fileid" to ensure coherent locking across cluster nodes (your smb.conf already sets "fileid:mapping" but does not load the module). I have updated the documentation at http://wiki.samba.org/index.php/CTDB_Setup to reflect these changes. If you want to use NFSv4 ACLs on gpfs, you should also set force unknown acl user = yes nfs4: mode = special nfs4: chown = yes nfs4: acedup = merge in your share definition. Since samba-3.2.3-ctdb.50 uses the simplified idmap code of 3.3.0, you can simply drop the options: > idmap alloc TESTDOMAIN:range = 10777216-57554431 > idmap config TESTDOMAIN:default = yes so that your idmap config looks like this: > idmap config TESTDOMAIN:range = 10777216-57554431 > idmap config TESTDOMAIN:backend = rid You might also want to set the default idmap config to something like: idmap backend = tdb2 idmap uid = 1000000-20000000 idmap gid = 1000000-20000000 Cheers - Michael tim clusters wrote:> Hi , > > I have set up a 2-node CTDB cluster serving NFS and CIFS authenticating > Windows and Linux users via Active Directory. > > The setup works fine, except only one server in the CTDB-cluster is able to > join the AD domain at a given instance. 
If you manually add the other server > into AD, the already connected server gets disconnected. There is no > specific error message logged in /var/log/message or /var/log/samba/log.smbd > or /var/log/samba/log.winbind + network snooping at Samba port(445) does not > provide any info. Please find the smb.conf and CTDB details attached. > > Without CTDB, I can have Samba active on multiple servers joined to AD. > Following is the setup + error message when you manually try to join a > second CTDB node into Active Directory: > ---------------- > > Configuration: > > # CTDB Up and Virtualizing two Nodes into single entity > # CTDB configured to manage IP, NFS, Samba, and Winbind > [root@node-02 nfsexport]# ctdb status > Number of nodes:2 > pnn:0 172.16.2.252 OK (THIS NODE) > pnn:1 172.16.2.253 OK > Generation:1529093094 > Size:2 > hash:0 lmaster:0 > hash:1 lmaster:1 > Recovery mode:NORMAL (0) > Recovery master:1 > > [root@node-01 ~]# ctdb ip > Public IPs on node 1 > 192.168.97.5 0 > 192.168.97.6 1 > # Initially only node-02 was only able to join AD > > [root@node-02 nfsexport]# net ads testjoin > Join is OK > > # Able to see users in AD Domain > [root@node-02 ~]# wbinfo -u list > TESTDOMAIN+administrator > TESTDOMAIN+peyton > TESTDOMAIN+eli > > Join Error > ------------- > > # node-01 is unable to join AD > [root@node-01 ~]# net ads testjoin > [2008/12/02 15:59:47, 0] libads/kerberos.c:ads_kinit_password(361) > kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed: > Preauthentication failed > [2008/12/02 15:59:47, 0] libads/kerberos.c:ads_kinit_password(361) > kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed: > Preauthentication failed > Join to domain is not valid: Logon failure > > # Manually Add node-01 to the AD > [root@node-01 ~]# net -d 1 ads join -U Administrator > Enter Administrator's password: > [2008/12/02 16:06:11, 1] libnet/libnet_join.c:libnet_Join(1799) > libnet_Join: > libnet_JoinCtx: struct libnet_JoinCtx > in: struct libnet_JoinCtx > 
dc_name : NULL > machine_name : 'node-01' > domain_name : * > domain_name : 'TESTDOMAIN.LOCAL' > account_ou : NULL > admin_account : 'Administrator' > admin_password : * > machine_password : NULL > join_flags : 0x00000023 (35) > 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME > 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT > 0: WKSSVC_JOIN_FLAGS_DEFER_SPN > 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED > 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE > 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED > 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE > 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE > 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE > 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE > os_version : NULL > os_name : NULL > create_upn : 0x00 (0) > upn : NULL > modify_config : 0x00 (0) > ads : NULL > debug : 0x01 (1) > use_kerberos : 0x00 (0) > secure_channel_type : SEC_CHAN_WKSTA (2) > [2008/12/02 16:06:11, 1] libnet/libnet_join.c:libnet_Join(1830) > libnet_Join: > libnet_JoinCtx: struct libnet_JoinCtx > out: struct libnet_JoinCtx > account_name : NULL > netbios_domain_name : 'TESTDOMAIN' > dns_domain_name : 'testdomain.local' > dn : > 'CN=node-01,CN=Computers,DC=testdomain,DC=local' > domain_sid : * > domain_sid : > S-1-5-21-3868838012-3874256186-1289404937 > modified_config : 0x00 (0) > error_string : NULL > domain_is_ad : 0x01 (1) > result : WERR_OK > Using short domain name -- TESTDOMAIN > Joined 'node-01' to realm 'testdomain.local' > > [root@node-01 ~]# net ads testjoin > Join is OK > > #Check AD Status from node-02 > # Result: node-02 which was originally joined to AD gets revoked when > node-01 is manually added into AD > [root@node-02 nfsexport]# net ads testjoin > [2008/12/02 16:21:14, 0] libads/kerberos.c:ads_kinit_password(361) > kerberos_kinit_password node-02$@TESTDOMAIN.LOCAL failed: > Preauthentication failed > [2008/12/02 16:21:14, 0] libads/kerberos.c:ads_kinit_password(361) > kerberos_kinit_password node-02$@TESTDOMAIN.LOCAL failed: > Preauthentication failed > Join to domain is not valid: Logon failure > > #Manually Add node-02 
to the AD > [root@node-02 nfsexport]# net -d 1 ads join -U Administrator > Enter Administrator's password: > [2008/12/02 16:33:30, 1] libnet/libnet_join.c:libnet_Join(1799) > libnet_Join: > libnet_JoinCtx: struct libnet_JoinCtx > in: struct libnet_JoinCtx > dc_name : NULL > machine_name : 'node-02' > domain_name : * > domain_name : 'TESTDOMAIN.LOCAL' > account_ou : NULL > admin_account : 'Administrator' > admin_password : * > machine_password : NULL > join_flags : 0x00000023 (35) > 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME > 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT > 0: WKSSVC_JOIN_FLAGS_DEFER_SPN > 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED > 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE > 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED > 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE > 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE > 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE > 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE > os_version : NULL > os_name : NULL > create_upn : 0x00 (0) > upn : NULL > modify_config : 0x00 (0) > ads : NULL > debug : 0x01 (1) > use_kerberos : 0x00 (0) > secure_channel_type : SEC_CHAN_WKSTA (2) > [2008/12/02 16:33:31, 1] libnet/libnet_join.c:libnet_Join(1830) > libnet_Join: > libnet_JoinCtx: struct libnet_JoinCtx > out: struct libnet_JoinCtx > account_name : NULL > netbios_domain_name : 'TESTDOMAIN' > dns_domain_name : 'testdomain.local' > dn : > 'CN=node-02,CN=Computers,DC=testdomain,DC=local' > domain_sid : * > domain_sid : > S-1-5-21-3868838012-3874256186-1289404937 > modified_config : 0x00 (0) > error_string : NULL > domain_is_ad : 0x01 (1) > result : WERR_OK > Using short domain name -- TESTDOMAIN > Joined 'node-02' to realm 'testdomain.local' > [root@node-02 nfsexport]# net ads testjoin > Join is OK > #When node-02 is added into AD, node-01 gets revoked/disconnected from AD > [root@node-01 ~]# net ads testjoin > [2008/12/02 16:33:45, 0] libads/kerberos.c:ads_kinit_password(361) > kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed: > Preauthentication failed > [2008/12/02 16:33:45, 0] 
libads/kerberos.c:ads_kinit_password(361) > kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed: > Preauthentication failed > Join to domain is not valid: Logon failure > [root@node-02 nfsexport]# net ads testjoin > [2008/12/02 14:30:07, 0] passdb/secrets.c:secrets_init(71) > Failed to open /mnt/gpfs/CTDB/secrets.tdb > Join to domain is not valid: Access denied > > ------------- > > Thanks in Advance, > -Tim> Software version > ---------------- > > CTDB: > ctdb-1.0-64 > ctdb-debuginfo-1.0-64 > > Samba: > samba-debuginfo-3.2.3-ctdb.50 > samba-3.2.3-ctdb.50 > samba-doc-3.2.3-ctdb.50 > samba-winbind-32bit-3.2.3-ctdb.50 > samba-client-3.2.3-ctdb.50 > samba-swat-3.2.3-ctdb.50 > samba-common-3.2.3-ctdb.50 > > Kerberos: > krb5-workstation-1.5-17 > krb5-libs-1.5-17 > krb5-devel-1.5-17 > krb5-auth-dialog-0.7-1 > pam_krb5-2.2.11-1 > krb5-devel-1.5-17 > krb5-libs-1.5-17 > pam_krb5-2.2.11-1 > > > smb.conf > -------- > > [global] > workgroup = TESTDOMAIN > realm = TESTDOMAIN.LOCAL > security = ADS > password server = 192.168.10.10 > private dir = /mnt/global/CTDB > client NTLMv2 auth = Yes > template homedir = /home/%D+%U > template shell = /bin/bash > winbind separator = + > winbind enum users = Yes > winbind enum groups = Yes > smb ports = 445 > server signing = auto > socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384 > use mmap = No > clustering = Yes > dns proxy = No > gpfs:sharemodes = no > fileid:mapping = global_GbE > idmap alloc TESTDOMAIN:range = 10777216-57554431 > idmap config TESTDOMAIN:range = 10777216-57554431 > idmap config TESTDOMAIN:backend = rid > idmap config TESTDOMAIN:default = yes > force unknown acl user = Yes > vfs objects = gpfs > log level = 3 passdb:5 auth:10 winbind:5 > log file = /var/log/samba/log.%m > max log size = 50 > > [global-share] > comment = global NameSpace > path = /mnt/global/nfsexport > read only = No > inherit permissions = Yes > inherit acls = Yes > > > /etc/sysconfig/ctdb > ------------------- > > 
CTDB_RECOVERY_LOCK=/mnt/global/CTDB/recovery.lck > CTDB_PUBLIC_ADDRESSES=/etc/ctdb/public_addresses > CTDB_MANAGES_SAMBA=yes > CTDB_MANAGES_WINBIND=yes > CTDB_MANAGES_NFS=yes > CTDB_NODES=/etc/ctdb/nodes -- Michael Adam <ma@sernet.de> <obnox@samba.org> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen phone: +49-551-370000-0, fax: +49-551-370000-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen http://www.SerNet.DE, mailto: Info @ SerNet.DE -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 206 bytes Desc: not available Url : http://lists.samba.org/archive/samba/attachments/20081219/24de93a5/attachment.bin