Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Re: [Samba] Samba 4.1.7 CTDB winbind not syncing when connected to MS AD 2008R2 - WAS: Re: Samba 4.1.7 clustering not using private dir
275 views
Skip to first unread message
Taylor, Jonn
May 2, 2014, 11:29:06 AM5/2/14
to
Update on problem.
Looks like 4.1.7 winbind is very broke. It cannot renew the tickets.
May 2 10:18:53 node1 winbindd[25776]: [2014/05/02 10:18:53.793991, 0]
../source3/libads/kerberos_util.c:74(ads_kinit_password)
May 2 10:18:53 node1 winbindd[25776]: kerberos_kinit_password
SHR01$@TAYLORTELEPHONE.COM failed: Preauthentication failed
I also noticed that I have to do a net ads join twice before winbind
will auth an AD user. Not sure were to go from here.
Jonn
cat /etc/krb5.conf
[libdefaults]
default_realm = TAYLORTELEPHONE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[realms]
TAYLORTELEPHONE.COM = {
}
[domain_realm]
taylortelephone.com = TAYLORTELEPHONE.COM
.taylortelephone.com = TAYLORTELEPHONE.COM
testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[apps]"
Processing section "[share]"
Processing section "[QBData]"
Processing section "[safety]"
Processing section "[home]"
Processing section "[profiles]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
workgroup = TAYLORTELEPHONE
realm = TAYLORTELEPHONE.COM
netbios name = SHR01
netbios aliases = NODE1, NODE2
server string = Cluster Share
interfaces = eth0, lo
security = ADS
log file = /var/log/samba/log.samba
server min protocol = NT1
client signing = if_required
server signing = if_required
cluster addresses = 192.168.173.183, 192.168.173.184,
192.168.173.3, 192.168.173.4
clustering = Yes
printcap name = /etc/printcap
wins server = 192.168.173.13, 192.168.173.14
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
fileid:algorithm = fsname
idmap config * : schema_mode = rfc2307
idmap config TAYLORTELEPHONE:backend = rid
idmap config TAYLORTELEPHONE:range = 500-4000000
idmap config * : range = 1000-4000000
idmap config * : backend = tdb2
admin users = "@TAYLORTELEPHONE\Domain Admins"
inherit acls = Yes
map acl inherit = Yes
On 04/28/2014 03:49 PM, Jonn Taylor wrote:
> On 4/28/2014 10:35 AM, Ali Bendriss wrote:
>>
>>
>> On 04/28/2014 01:23 PM, Taylor, Jonn wrote:
>>> Update on my problem. I resetup my 2 node cluster per the samba wiki
>>> for
>>> 4.x and CTDB. The only difference is that I am using DRBD and GFS2.
>>> CTDB
>>> is not syncing the winbind databases between nodes. I had to join each
>>> node before winbind would authenticate my users to AD. This morning I
>>> found that one of the 2 nodes stopped authenticating users again. It
>>> looks like CTDB is not syncing the samba/winbind databases to keep the
>>> nodes in sync.
>>>
>>> How can I prove this out?
>>>
>>> Jonn
>>
>> Hello,
>>
>> If I remember correctly, you can increase the ctdb log level in the
>> ctdb config file (ctdb.conf). So you may find more info on what is
>> going on.
>>
>> The last time I used ctdb :
>> - it was not necessary to have a shared private dir, ctdb maintain a
>> database on each node
>> - you just need to join the whole cluster and not each node individually
>> - it is possible to let ctdb manage winbind for you (really usefull)
>>
>> I was using gfs2 on a shared FC disk array. The ping pong test was
>> not that fast but the final setup was fast enough for our need.
>> I remember that during the setup I've started by running a simple
>> http server on each node until the FS and network configuration was
>> OK (switching on/off each node after the other). I then started to
>> setup samba on it.
>>
>> hope this help
>>
>> --
>> Ali
> Still not having much luck. CTDB seems to replicating some part of the
> database. What I cannot tell is if it isdoing the winbind part and if
> winbind is using it.
>
> 2014/04/28 13:42:54.285328 [14275]: Vacuuming is disabled for
> persistent database share_info.tdb
> 2014/04/28 13:42:54.285395 [14275]: Attached to database
> '/var/ctdb/persistent/share_info.tdb.0'
> 2014/04/28 13:42:54.285412 [14275]: Attached to persistent database
> share_info.tdb
> 2014/04/28 13:42:54.310343 [14275]: Vacuuming is disabled for
> persistent database group_mapping.tdb
> 2014/04/28 13:42:54.310411 [14275]: Attached to database
> '/var/ctdb/persistent/group_mapping.tdb.0'
> 2014/04/28 13:42:54.310430 [14275]: Attached to persistent database
> group_mapping.tdb
> 2014/04/28 13:42:54.335646 [14275]: Vacuuming is disabled for
> persistent database secrets.tdb
> 2014/04/28 13:42:54.335716 [14275]: Attached to database
> '/var/ctdb/persistent/secrets.tdb.0'
> 2014/04/28 13:42:54.335732 [14275]: Attached to persistent database
> secrets.tdb
> 2014/04/28 13:42:54.359342 [14275]: Vacuuming is disabled for
> persistent database account_policy.tdb
> 2014/04/28 13:42:54.359410 [14275]: Attached to database
> '/var/ctdb/persistent/account_policy.tdb.0'
> 2014/04/28 13:42:54.359427 [14275]: Attached to persistent database
> account_policy.tdb
> 2014/04/28 13:42:54.383066 [14275]: Vacuuming is disabled for
> persistent database registry.tdb
> 2014/04/28 13:42:54.383134 [14275]: Attached to database
> '/var/ctdb/persistent/registry.tdb.0'
> 2014/04/28 13:42:54.383152 [14275]: Attached to persistent database
> registry.tdb
> 2014/04/28 13:42:54.406811 [14275]: Vacuuming is disabled for
> persistent database idmap2.tdb
> 2014/04/28 13:42:54.406878 [14275]: Attached to database
> '/var/ctdb/persistent/idmap2.tdb.0'
> 2014/04/28 13:42:54.406895 [14275]: Attached to persistent database
> idmap2.tdb
> 2014/04/28 13:42:54.430504 [14275]: Vacuuming is disabled for
> persistent database passdb.tdb
> 2014/04/28 13:42:54.430572 [14275]: Attached to database
> '/var/ctdb/persistent/passdb.tdb.0'
> 2014/04/28 13:42:54.430589 [14275]: Attached to persistent database
> passdb.tdb
> 2014/04/28 13:42:54.454144 [14275]: Vacuuming is disabled for
> persistent database ctdb.tdb
> 2014/04/28 13:42:54.454219 [14275]: Attached to database
> '/var/ctdb/persistent/ctdb.tdb.0'
> 2014/04/28 13:42:54.454235 [14275]: Attached to persistent database
> ctdb.tdb
> 2014/04/28 13:43:19.681884 [14275]: server/ctdb_ltdb_server.c:421
> persistent db '/var/ctdb/persistent/ctdb.tdb.0' healthy
> 2014/04/28 13:43:19.681920 [14275]: server/ctdb_ltdb_server.c:421
> persistent db '/var/ctdb/persistent/passdb.tdb.0' healthy
> 2014/04/28 13:43:19.681948 [14275]: server/ctdb_ltdb_server.c:421
> persistent db '/var/ctdb/persistent/idmap2.tdb.0' healthy
> 2014/04/28 13:43:19.681970 [14275]: server/ctdb_ltdb_server.c:421
> persistent db '/var/ctdb/persistent/registry.tdb.0' healthy
> 2014/04/28 13:43:19.681991 [14275]: server/ctdb_ltdb_server.c:421
> persistent db '/var/ctdb/persistent/account_policy.tdb.0' healthy
> 2014/04/28 13:43:19.682012 [14275]: server/ctdb_ltdb_server.c:421
> persistent db '/var/ctdb/persistent/secrets.tdb.0' healthy
> 2014/04/28 13:43:19.682033 [14275]: server/ctdb_ltdb_server.c:421
> persistent db '/var/ctdb/persistent/group_mapping.tdb.0' healthy
> 2014/04/28 13:43:19.682054 [14275]: server/ctdb_ltdb_server.c:421
> persistent db '/var/ctdb/persistent/share_info.tdb.0' healthy
> 2014/04/28 13:43:19.682086 [14275]:
> server/ctdb_monitor.c:299ctdb_start_monitoring:
> ctdb_recheck_persistent_health() OK
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Looks like 4.1.7 winbind is very broke. It cannot renew the tickets.
May 2 10:18:53 node1 winbindd[25776]: [2014/05/02 10:18:53.793991, 0]
../source3/libads/kerberos_util.c:74(ads_kinit_password)
May 2 10:18:53 node1 winbindd[25776]: kerberos_kinit_password
SHR01$@TAYLORTELEPHONE.COM failed: Preauthentication failed
I also noticed that I have to do a net ads join twice before winbind
will auth an AD user. Not sure were to go from here.
Jonn
cat /etc/krb5.conf
[libdefaults]
default_realm = TAYLORTELEPHONE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[realms]
TAYLORTELEPHONE.COM = {
}
[domain_realm]
taylortelephone.com = TAYLORTELEPHONE.COM
.taylortelephone.com = TAYLORTELEPHONE.COM
testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[apps]"
Processing section "[share]"
Processing section "[QBData]"
Processing section "[safety]"
Processing section "[home]"
Processing section "[profiles]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
workgroup = TAYLORTELEPHONE
realm = TAYLORTELEPHONE.COM
netbios name = SHR01
netbios aliases = NODE1, NODE2
server string = Cluster Share
interfaces = eth0, lo
security = ADS
log file = /var/log/samba/log.samba
server min protocol = NT1
client signing = if_required
server signing = if_required
cluster addresses = 192.168.173.183, 192.168.173.184,
192.168.173.3, 192.168.173.4
clustering = Yes
printcap name = /etc/printcap
wins server = 192.168.173.13, 192.168.173.14
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
fileid:algorithm = fsname
idmap config * : schema_mode = rfc2307
idmap config TAYLORTELEPHONE:backend = rid
idmap config TAYLORTELEPHONE:range = 500-4000000
idmap config * : range = 1000-4000000
idmap config * : backend = tdb2
admin users = "@TAYLORTELEPHONE\Domain Admins"
inherit acls = Yes
map acl inherit = Yes
On 04/28/2014 03:49 PM, Jonn Taylor wrote:
> On 4/28/2014 10:35 AM, Ali Bendriss wrote:
>>
>>
>> On 04/28/2014 01:23 PM, Taylor, Jonn wrote:
>>> Update on my problem. I resetup my 2 node cluster per the samba wiki
>>> for
>>> 4.x and CTDB. The only difference is that I am using DRBD and GFS2.
>>> CTDB
>>> is not syncing the winbind databases between nodes. I had to join each
>>> node before winbind would authenticate my users to AD. This morning I
>>> found that one of the 2 nodes stopped authenticating users again. It
>>> looks like CTDB is not syncing the samba/winbind databases to keep the
>>> nodes in sync.
>>>
>>> How can I prove this out?
>>>
>>> Jonn
>>
>> Hello,
>>
>> If I remember correctly, you can increase the ctdb log level in the
>> ctdb config file (ctdb.conf). So you may find more info on what is
>> going on.
>>
>> The last time I used ctdb :
>> - it was not necessary to have a shared private dir, ctdb maintain a
>> database on each node
>> - you just need to join the whole cluster and not each node individually
>> - it is possible to let ctdb manage winbind for you (really usefull)
>>
>> I was using gfs2 on a shared FC disk array. The ping pong test was
>> not that fast but the final setup was fast enough for our need.
>> I remember that during the setup I've started by running a simple
>> http server on each node until the FS and network configuration was
>> OK (switching on/off each node after the other). I then started to
>> setup samba on it.
>>
>> hope this help
>>
>> --
>> Ali
> Still not having much luck. CTDB seems to replicating some part of the
> database. What I cannot tell is if it isdoing the winbind part and if
> winbind is using it.
>
> 2014/04/28 13:42:54.285328 [14275]: Vacuuming is disabled for
> persistent database share_info.tdb
> 2014/04/28 13:42:54.285395 [14275]: Attached to database
> '/var/ctdb/persistent/share_info.tdb.0'
> 2014/04/28 13:42:54.285412 [14275]: Attached to persistent database
> share_info.tdb
> 2014/04/28 13:42:54.310343 [14275]: Vacuuming is disabled for
> persistent database group_mapping.tdb
> 2014/04/28 13:42:54.310411 [14275]: Attached to database
> '/var/ctdb/persistent/group_mapping.tdb.0'
> 2014/04/28 13:42:54.310430 [14275]: Attached to persistent database
> group_mapping.tdb
> 2014/04/28 13:42:54.335646 [14275]: Vacuuming is disabled for
> persistent database secrets.tdb
> 2014/04/28 13:42:54.335716 [14275]: Attached to database
> '/var/ctdb/persistent/secrets.tdb.0'
> 2014/04/28 13:42:54.335732 [14275]: Attached to persistent database
> secrets.tdb
> 2014/04/28 13:42:54.359342 [14275]: Vacuuming is disabled for
> persistent database account_policy.tdb
> 2014/04/28 13:42:54.359410 [14275]: Attached to database
> '/var/ctdb/persistent/account_policy.tdb.0'
> 2014/04/28 13:42:54.359427 [14275]: Attached to persistent database
> account_policy.tdb
> 2014/04/28 13:42:54.383066 [14275]: Vacuuming is disabled for
> persistent database registry.tdb
> 2014/04/28 13:42:54.383134 [14275]: Attached to database
> '/var/ctdb/persistent/registry.tdb.0'
> 2014/04/28 13:42:54.383152 [14275]: Attached to persistent database
> registry.tdb
> 2014/04/28 13:42:54.406811 [14275]: Vacuuming is disabled for
> persistent database idmap2.tdb
> 2014/04/28 13:42:54.406878 [14275]: Attached to database
> '/var/ctdb/persistent/idmap2.tdb.0'
> 2014/04/28 13:42:54.406895 [14275]: Attached to persistent database
> idmap2.tdb
> 2014/04/28 13:42:54.430504 [14275]: Vacuuming is disabled for
> persistent database passdb.tdb
> 2014/04/28 13:42:54.430572 [14275]: Attached to database
> '/var/ctdb/persistent/passdb.tdb.0'
> 2014/04/28 13:42:54.430589 [14275]: Attached to persistent database
> passdb.tdb
> 2014/04/28 13:42:54.454144 [14275]: Vacuuming is disabled for
> persistent database ctdb.tdb
> 2014/04/28 13:42:54.454219 [14275]: Attached to database
> '/var/ctdb/persistent/ctdb.tdb.0'
> 2014/04/28 13:42:54.454235 [14275]: Attached to persistent database
> ctdb.tdb
> 2014/04/28 13:43:19.681884 [14275]: server/ctdb_ltdb_server.c:421
> persistent db '/var/ctdb/persistent/ctdb.tdb.0' healthy
> 2014/04/28 13:43:19.681920 [14275]: server/ctdb_ltdb_server.c:421
> persistent db '/var/ctdb/persistent/passdb.tdb.0' healthy
> 2014/04/28 13:43:19.681948 [14275]: server/ctdb_ltdb_server.c:421
> persistent db '/var/ctdb/persistent/idmap2.tdb.0' healthy
> 2014/04/28 13:43:19.681970 [14275]: server/ctdb_ltdb_server.c:421
> persistent db '/var/ctdb/persistent/registry.tdb.0' healthy
> 2014/04/28 13:43:19.681991 [14275]: server/ctdb_ltdb_server.c:421
> persistent db '/var/ctdb/persistent/account_policy.tdb.0' healthy
> 2014/04/28 13:43:19.682012 [14275]: server/ctdb_ltdb_server.c:421
> persistent db '/var/ctdb/persistent/secrets.tdb.0' healthy
> 2014/04/28 13:43:19.682033 [14275]: server/ctdb_ltdb_server.c:421
> persistent db '/var/ctdb/persistent/group_mapping.tdb.0' healthy
> 2014/04/28 13:43:19.682054 [14275]: server/ctdb_ltdb_server.c:421
> persistent db '/var/ctdb/persistent/share_info.tdb.0' healthy
> 2014/04/28 13:43:19.682086 [14275]:
> server/ctdb_monitor.c:299ctdb_start_monitoring:
> ctdb_recheck_persistent_health() OK
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
steve
May 2, 2014, 11:56:07 AM5/2/14
to
On Fri, 2014-05-02 at 10:29 -0500, Taylor, Jonn wrote:
Hi
May not be relevant but:
ranges overlap.
Hi
May not be relevant but:
> idmap config * : schema_mode = rfc2307
> idmap config TAYLORTELEPHONE:backend = rid
You specify rfc2307 but then use rid.
> idmap config TAYLORTELEPHONE:backend = rid
ranges overlap.
Rowland Penny
May 2, 2014, 12:00:34 PM5/2/14
to
On 02/05/14 16:56, steve wrote:
> On Fri, 2014-05-02 at 10:29 -0500, Taylor, Jonn wrote:
>
> Hi
> May not be relevant but:
>> idmap config * : schema_mode = rfc2307
>> idmap config TAYLORTELEPHONE:backend = rid
> You specify rfc2307 but then use rid.
>
>> idmap config TAYLORTELEPHONE:range = 500-4000000
>> idmap config * : range = 1000-4000000
> ranges overlap.
>
>
I wonder if all your problems have anything to do with this line:
> On Fri, 2014-05-02 at 10:29 -0500, Taylor, Jonn wrote:
>
> Hi
> May not be relevant but:
>> idmap config * : schema_mode = rfc2307
>> idmap config TAYLORTELEPHONE:backend = rid
> You specify rfc2307 but then use rid.
>
>> idmap config TAYLORTELEPHONE:range = 500-4000000
>> idmap config * : range = 1000-4000000
> ranges overlap.
>
>
A cluster file system with Samba requires CTDB to be able to do it
safely. And CTDB and AD DC are incompatible.
Which you can find at the bottom of this page:
https://wiki.samba.org/index.php/SysVol_Replication
Rowland
Günter Kukkukk
May 2, 2014, 12:17:25 PM5/2/14
to
Am 02.05.2014 18:00, schrieb Rowland Penny:
> On 02/05/14 16:56, steve wrote:
>> On Fri, 2014-05-02 at 10:29 -0500, Taylor, Jonn wrote:
>>
>> Hi
>> May not be relevant but:
>>> idmap config * : schema_mode = rfc2307
>>> idmap config TAYLORTELEPHONE:backend = rid
>> You specify rfc2307 but then use rid.
>>
>>> idmap config TAYLORTELEPHONE:range = 500-4000000
>>> idmap config * : range = 1000-4000000
>> ranges overlap.
>>
>>
> I wonder if all your problems have anything to do with this line:
>
> A cluster file system with Samba requires CTDB to be able to do it safely. And CTDB and AD DC are incompatible.
>
> Which you can find at the bottom of this page:
>
> https://wiki.samba.org/index.php/SysVol_Replication
>
> Rowland
He's not using an AD DC, but an AD member server, see
> On 02/05/14 16:56, steve wrote:
>> On Fri, 2014-05-02 at 10:29 -0500, Taylor, Jonn wrote:
>>
>> Hi
>> May not be relevant but:
>>> idmap config * : schema_mode = rfc2307
>>> idmap config TAYLORTELEPHONE:backend = rid
>> You specify rfc2307 but then use rid.
>>
>>> idmap config TAYLORTELEPHONE:range = 500-4000000
>>> idmap config * : range = 1000-4000000
>> ranges overlap.
>>
>>
> I wonder if all your problems have anything to do with this line:
>
> A cluster file system with Samba requires CTDB to be able to do it safely. And CTDB and AD DC are incompatible.
>
> Which you can find at the bottom of this page:
>
> https://wiki.samba.org/index.php/SysVol_Replication
>
> Rowland
security = ADS
etc. in smb.conf
Cheers, Günter
--
Rowland Penny
May 2, 2014, 12:22:41 PM5/2/14
to
On 02/05/14 17:17, Günter Kukkukk wrote:
> Am 02.05.2014 18:00, schrieb Rowland Penny:
>> On 02/05/14 16:56, steve wrote:
>>> On Fri, 2014-05-02 at 10:29 -0500, Taylor, Jonn wrote:
>>>
>>> Hi
>>> May not be relevant but:
>>>> idmap config * : schema_mode = rfc2307
>>>> idmap config TAYLORTELEPHONE:backend = rid
>>> You specify rfc2307 but then use rid.
>>>
>>>> idmap config TAYLORTELEPHONE:range = 500-4000000
>>>> idmap config * : range = 1000-4000000
>>> ranges overlap.
>>>
>>>
>> I wonder if all your problems have anything to do with this line:
>>
>> A cluster file system with Samba requires CTDB to be able to do it safely. And CTDB and AD DC are incompatible.
>>
>> Which you can find at the bottom of this page:
>>
>> https://wiki.samba.org/index.php/SysVol_Replication
>>
>> Rowland
> He's not using an AD DC, but an AD member server, see
> security = ADS
> etc. in smb.conf
>
> Cheers, Günter
So, as long as none of the cluster machines are an AD DC it should work ?
> Am 02.05.2014 18:00, schrieb Rowland Penny:
>> On 02/05/14 16:56, steve wrote:
>>> On Fri, 2014-05-02 at 10:29 -0500, Taylor, Jonn wrote:
>>>
>>> Hi
>>> May not be relevant but:
>>>> idmap config * : schema_mode = rfc2307
>>>> idmap config TAYLORTELEPHONE:backend = rid
>>> You specify rfc2307 but then use rid.
>>>
>>>> idmap config TAYLORTELEPHONE:range = 500-4000000
>>>> idmap config * : range = 1000-4000000
>>> ranges overlap.
>>>
>>>
>> I wonder if all your problems have anything to do with this line:
>>
>> A cluster file system with Samba requires CTDB to be able to do it safely. And CTDB and AD DC are incompatible.
>>
>> Which you can find at the bottom of this page:
>>
>> https://wiki.samba.org/index.php/SysVol_Replication
>>
>> Rowland
> He's not using an AD DC, but an AD member server, see
> security = ADS
> etc. in smb.conf
>
> Cheers, Günter
Rowland
Taylor, Jonn
May 2, 2014, 12:57:26 PM5/2/14
to
identical HP DL385 servers with P400 raid array. Our AD servers are
windows 2008r2. This same setup worked very well under 3.6!
Jonn
Ali Bendriss
May 2, 2014, 2:07:00 PM5/2/14
to
socket = /tmp/ctdb.socket (or whatever it is) in smb.conf
cf man smb.conf
A verbose testparm may give you more info.
I don't have access to a samba server so I can't test it.
good luck
--
Ali
Taylor, Jonn
May 2, 2014, 3:06:37 PM5/2/14
to
run testparam.
cat /etc/samba/smb.conf
netbios aliases = NODE1 NODE2
server string = Cluster Share
interfaces = eth0, lo
security = ADS
clustering = Yes
interfaces = eth0, lo
security = ADS
ctdbd socket = /tmp/ctdb.socket
cluster addresses = 192.168.173.183 192.168.173.184 192.168.173.3
192.168.173.4
log file = /var/log/samba/log.samba
log level = 5
server max protocol = SMB3
server min protocol = NT1
client signing = auto
server signing = auto
printcap name = /etc/printcap
wins server = 192.168.173.13, 192.168.173.14
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = True
wins server = 192.168.173.13, 192.168.173.14
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind offline logon = True
idmap config TAYLORTELEPHONE:backend = rid
idmap config * : schema_mode = rfc2307
idmap config * : backend = tdb2
admin users = "@TAYLORTELEPHONE\Domain Admins"
inherit acls = Yes
map acl inherit = Yes
fileid:algorithm = fsname
admin users = "@TAYLORTELEPHONE\Domain Admins"
inherit acls = Yes
map acl inherit = Yes
Jonn
Ali Bendriss
May 2, 2014, 4:13:02 PM5/2/14
to
[...]
On 05/02/2014 08:06 PM, Taylor, Jonn wrote:
> idmap config TAYLORTELEPHONE:range = 500-4000000
> idmap config TAYLORTELEPHONE:backend = rid
I suggest that you comment those two line for now
and set the loglevel to 3
you may check the ctdb and winbind log on each node when doing each step.
ensure that ctdb is running on all nodes
ctdb status
then join the cluster on one node only:
net ads join
on each node start winbind and check the join wbinfo -t
if it's ok
uncomment the two idmap config lines
correct your range as steve catch it.
then restart ctdb and redo the join and re test
--
Ali
On 05/02/2014 08:06 PM, Taylor, Jonn wrote:
> idmap config TAYLORTELEPHONE:range = 500-4000000
> idmap config TAYLORTELEPHONE:backend = rid
and set the loglevel to 3
you may check the ctdb and winbind log on each node when doing each step.
ensure that ctdb is running on all nodes
ctdb status
then join the cluster on one node only:
net ads join
on each node start winbind and check the join wbinfo -t
if it's ok
uncomment the two idmap config lines
correct your range as steve catch it.
then restart ctdb and redo the join and re test
--
Ali
Taylor, Jonn
May 2, 2014, 4:54:26 PM5/2/14
to
On 05/02/2014 03:13 PM, Ali Bendriss wrote:
> [...]
>
> On 05/02/2014 08:06 PM, Taylor, Jonn wrote:
>> idmap config TAYLORTELEPHONE:range = 500-4000000
>> idmap config TAYLORTELEPHONE:backend = rid
>
> I suggest that you comment those two line for now
> and set the loglevel to 3
> you may check the ctdb and winbind log on each node when doing each step.
>
> ensure that ctdb is running on all nodes
> ctdb status
>
> then join the cluster on one node only:
> net ads join
>
> on each node start winbind and check the join wbinfo -t
>
> if it's ok
> uncomment the two idmap config lines
> correct your range as steve catch it.
> then restart ctdb and redo the join and re test
>
> --
> Ali
other node before auth would work. Here is what is in the logs on the
second node after I restarted winbind.
May 2 15:49:43 node2 winbindd[22271]: [2014/05/02 15:49:43.374352, 0]
../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
May 2 15:49:43 node2 winbindd[22271]: Got sig[15] terminate (is_parent=1)
May 2 15:49:43 node2 winbindd[22288]: [2014/05/02 15:49:43.378907, 0]
../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
May 2 15:49:43 node2 winbindd[22288]: Got sig[15] terminate (is_parent=0)
May 2 15:49:43 node2 winbindd[23120]: [2014/05/02 15:49:43.378911, 0]
../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
May 2 15:49:43 node2 winbindd[23120]: Got sig[15] terminate (is_parent=0)
May 2 15:49:43 node2 winbindd[29028]: [2014/05/02 15:49:43.676547, 0]
../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
May 2 15:49:43 node2 winbindd[29028]: Kinit failed: Preauthentication
failed
May 2 15:49:43 node2 winbindd[29028]: [2014/05/02 15:49:43.750334, 0]
../source3/rpc_client/cli_pipe.c:3126(cli_rpc_pipe_open_spnego)
May 2 15:49:43 node2 winbindd[29028]: cli_rpc_pipe_open_spnego:
cli_rpc_pipe_bind failed with error NT_STATUS_ACCESS_DENIED
May 2 15:49:43 node2 winbindd[29028]: [2014/05/02 15:49:43.770437, 0]
../source3/rpc_client/cli_pipe.c:3126(cli_rpc_pipe_open_spnego)
May 2 15:49:43 node2 winbindd[29028]: cli_rpc_pipe_open_spnego:
cli_rpc_pipe_bind failed with error NT_STATUS_ACCESS_DENIED
May 2 15:50:01 node2 winbindd[29028]: [2014/05/02 15:50:01.956887, 0]
../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
May 2 15:50:01 node2 winbindd[29028]: Kinit failed: Preauthentication
failed
May 2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.201937, 0]
../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
May 2 15:50:44 node2 winbindd[29028]: Kinit failed: Preauthentication
failed
May 2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.245574, 0]
../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
May 2 15:50:44 node2 winbindd[29028]: Kinit failed: Preauthentication
failed
May 2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.298235, 0]
../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
May 2 15:50:44 node2 winbindd[29028]: Kinit failed: Preauthentication
failed
May 2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.346062, 0]
../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
May 2 15:50:44 node2 winbindd[29028]: Kinit failed: Preauthentication
failed
May 2 15:50:44 node2 winbindd[29028]: [2014/05/02 15:50:44.388307, 0]
../source3/libsmb/cliconnect.c:1843(cli_session_setup_spnego_send)
May 2 15:50:44 node2 winbindd[29028]: Kinit failed: Preauthentication
failed
Ali Bendriss
May 2, 2014, 6:09:23 PM5/2/14
to
net ads leave (one each node to be sure) and on one node
net ads join -d 5 -S ADS_server_IP -U Administrator
otherwise I think you should test without the clustering first.
stop ctdb on all node. disable the clustering in smb.conf
remove any remaining krb ticket (in /tmp I think), flush the winbind
cache: net ads fluh
and try to join one node with the same command:
it should work without the need to do a kinit first.
test the join with wbinfo
Do the same on the other node (stop samba on the first node first).
if it work you may leave each node from the domain and enable the
clustering and try to join the cluster again.
hope this help.
--
Ali
Taylor, Jonn
May 2, 2014, 7:06:44 PM5/2/14
to
If I force the second node to join they both break after a day.
Jonn
Taylor, Jonn
May 5, 2014, 9:48:23 AM5/5/14
to
node. Everything was working on Saturday. This morning I started to look
at the logs and say the same error message that they keytab could not be
renewed. I did some digging in the logs and found this.
[2014/05/05 08:36:53.712058, 5]
../source3/libsmb/namequery.c:211(saf_fetch)
saf_fetch: Returning "dc2.taylortelephone.com" for "TAYLORTELEPHONE"
domain
[2014/05/05 08:36:53.712152, 5]
../source3/libads/sitename_cache.c:105(sitename_fetch)
sitename_fetch: Returning sitename for taylortelephone.com:
"Default-First-Site-Name"
[2014/05/05 08:36:53.712199, 4]
../source3/libsmb/namequery_dc.c:77(ads_dc_name)
ads_dc_name: domain=TAYLORTELEPHONE
[2014/05/05 08:36:53.712255, 5]
../source3/libads/sitename_cache.c:105(sitename_fetch)
sitename_fetch: Returning sitename for taylortelephone.com:
"Default-First-Site-Name"
[2014/05/05 08:36:53.712320, 5]
../source3/libsmb/namequery.c:211(saf_fetch)
saf_fetch: Returning "dc2.taylortelephone.com" for
"taylortelephone.com" domain
[2014/05/05 08:36:53.712368, 3]
../source3/libsmb/namequery.c:3102(get_dc_list)
get_dc_list: preferred server list: "dc2.taylortelephone.com, *"
[2014/05/05 08:36:53.712425, 5]
../source3/libsmb/namecache.c:165(namecache_fetch)
name taylortelephone.com#1C found.
[2014/05/05 08:36:53.712578, 5]
../source3/libads/sitename_cache.c:105(sitename_fetch)
sitename_fetch: Returning sitename for TAYLORTELEPHONE.COM:
"Default-First-Site-Name"
[2014/05/05 08:36:53.712637, 5]
../source3/libsmb/namecache.c:165(namecache_fetch)
name dc2.taylortelephone.com#20 found.
[2014/05/05 08:36:53.712755, 4]
../source3/libsmb/namequery.c:3239(get_dc_list)
get_dc_list: returning 2 ip addresses in an ordered list
[2014/05/05 08:36:53.712801, 4]
../source3/libsmb/namequery.c:3240(get_dc_list)
get_dc_list: 192.168.173.14:389 192.168.173.13:389
[2014/05/05 08:36:53.712887, 5]
../source3/libads/ldap.c:270(ads_try_connect)
ads_try_connect: sending CLDAP request to 192.168.173.14 (realm:
taylortelephone.com)
[2014/05/05 08:36:53.713739, 3] ../source3/libads/ldap.c:680(ads_connect)
Successfully contacted LDAP server 192.168.173.14
[2014/05/05 08:36:53.713804, 5]
../source3/libads/sitename_cache.c:105(sitename_fetch)
sitename_fetch: Returning sitename for taylortelephone.com:
"Default-First-Site-Name"
[2014/05/05 08:36:53.713890, 5]
../source3/libsmb/namequery.c:211(saf_fetch)
saf_fetch: Returning "dc2.taylortelephone.com" for
"taylortelephone.com" domain
[2014/05/05 08:36:53.713938, 3]
../source3/libsmb/namequery.c:3102(get_dc_list)
get_dc_list: preferred server list: "dc2.taylortelephone.com, *"
[2014/05/05 08:36:53.713992, 5]
../source3/libsmb/namecache.c:165(namecache_fetch)
name taylortelephone.com#1C found.
[2014/05/05 08:36:53.714101, 5]
../source3/libads/sitename_cache.c:105(sitename_fetch)
sitename_fetch: Returning sitename for TAYLORTELEPHONE.COM:
"Default-First-Site-Name"
[2014/05/05 08:36:53.714158, 5]
../source3/libsmb/namecache.c:165(namecache_fetch)
name dc2.taylortelephone.com#20 found.
[2014/05/05 08:36:53.714258, 4]
../source3/libsmb/namequery.c:3239(get_dc_list)
get_dc_list: returning 2 ip addresses in an ordered list
[2014/05/05 08:36:53.714302, 4]
../source3/libsmb/namequery.c:3240(get_dc_list)
get_dc_list: 192.168.173.14:389 192.168.173.13:389
[2014/05/05 08:36:53.714365, 5]
../source3/libsmb/namequery.c:211(saf_fetch)
saf_fetch: Returning "dc2.taylortelephone.com" for
"taylortelephone.com" domain
[2014/05/05 08:36:53.714411, 3]
../source3/libsmb/namequery.c:3102(get_dc_list)
get_dc_list: preferred server list: "dc2.taylortelephone.com, *"
[2014/05/05 08:36:53.714465, 5]
../source3/libsmb/namecache.c:165(namecache_fetch)
name taylortelephone.com#1C found.
[2014/05/05 08:36:53.714572, 5]
../source3/libads/sitename_cache.c:105(sitename_fetch)
sitename_fetch: Returning sitename for TAYLORTELEPHONE.COM:
"Default-First-Site-Name"
[2014/05/05 08:36:53.714629, 5]
../source3/libsmb/namecache.c:165(namecache_fetch)
name dc2.taylortelephone.com#20 found.
[2014/05/05 08:36:53.714739, 4]
../source3/libsmb/namequery.c:3239(get_dc_list)
get_dc_list: returning 2 ip addresses in an ordered list
[2014/05/05 08:36:53.714785, 4]
../source3/libsmb/namequery.c:3240(get_dc_list)
get_dc_list: 192.168.173.14:389 192.168.173.13:389
[2014/05/05 08:36:53.716116, 5]
../source3/libads/kerberos.c:965(create_local_private_krb5_conf_for_domain)
create_local_private_krb5_conf_for_domain: wrote file
/var/cache/samba/smb_krb5/krb5.conf.TAYLORTELEPHONE with realm
TAYLORTELEPHONE.COM KDC list = kdc = 192.168.173.14
kdc = 192.168.173.13
[2014/05/05 08:36:53.716212, 4]
../source3/libsmb/namequery_dc.c:153(ads_dc_name)
ads_dc_name: using server='DC2.TAYLORTELEPHONE.COM' IP=192.168.173.14
[2014/05/05 08:36:53.716273, 5]
../source3/libads/sitename_cache.c:105(sitename_fetch)
sitename_fetch: Returning sitename for TAYLORTELEPHONE.COM:
"Default-First-Site-Name"
[2014/05/05 08:36:53.716330, 5]
../source3/libsmb/namecache.c:165(namecache_fetch)
name dc2.taylortelephone.com#20 found.
[2014/05/05 08:36:53.716408, 5]
../source3/libads/ldap.c:270(ads_try_connect)
ads_try_connect: sending CLDAP request to 192.168.173.14 (realm:
taylortelephone.com)
[2014/05/05 08:36:53.717025, 3] ../source3/libads/ldap.c:680(ads_connect)
Successfully contacted LDAP server 192.168.173.14
[2014/05/05 08:36:53.718073, 3] ../source3/libads/ldap.c:723(ads_connect)
Connected to LDAP server dc2.taylortelephone.com
[2014/05/05 08:36:53.718521, 4]
../source3/libads/ldap.c:2911(ads_current_time)
KDC time offset is 0 seconds
[2014/05/05 08:36:53.718860, 4]
../source3/libads/sasl.c:1304(ads_sasl_bind)
Found SASL mechanism GSS-SPNEGO
[2014/05/05 08:36:53.719340, 3]
../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
[2014/05/05 08:36:53.719386, 3]
../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2014/05/05 08:36:53.719429, 3]
../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2014/05/05 08:36:53.719471, 3]
../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
[2014/05/05 08:36:53.719514, 3]
../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2014/05/05 08:36:53.719556, 3]
../source3/libads/sasl.c:964(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got server principal name =
not_defined_in_RFC4178@please_ignore
*[2014/05/05 08:36:53.719774, 3]
../lib/krb5_wrap/krb5_samba.c:499(ads_krb5_mk_req)**
** ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or
directory)*
[2014/05/05 08:36:53.741217, 0]
../source3/libads/kerberos_util.c:74(ads_kinit_password)
[2014/05/05 08:36:53.741333, 1]
../source3/winbindd/winbindd_ads.c:122(ads_cached_connection_connect)
ads_connect for domain TAYLORTELEPHONE failed: Preauthentication failed
[2014/05/05 08:36:53.741427, 1]
../source3/winbindd/idmap_ad.c:199(idmap_ad_unixids_to_sids)
ADS uninitialized: Preauthentication failed
[2014/05/05 08:36:53.741538, 4]
../source3/winbindd/winbindd_dual.c:1346(child_handler)
Finished processing child request 59
So what file or directory could not be found?
steve
May 5, 2014, 10:20:36 AM5/5/14
to
On Mon, 2014-05-05 at 08:48 -0500, Taylor, Jonn wrote:
> ../lib/krb5_wrap/krb5_samba.c:499(ads_krb5_mk_req)**
> ** ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or
> directory)*
> [2014/05/05 08:36:53.741217, 0]
> ../source3/libads/kerberos_util.c:74(ads_kinit_password)
> kerberos_kinit_password SHR01$@TAYLORTELEPHONE.COM failed:
> Preauthentication failed
> [2014/05/05 08:36:53.741333, 1]
> ../source3/winbindd/winbindd_ads.c:122(ads_cached_connection_connect)
> ads_connect for domain TAYLORTELEPHONE failed: Preauthentication failed
> [2014/05/05 08:36:53.741427, 1]
> ../source3/winbindd/idmap_ad.c:199(idmap_ad_unixids_to_sids)
> ADS uninitialized: Preauthentication failed
> [2014/05/05 08:36:53.741538, 4]
> ../source3/winbindd/winbindd_dual.c:1346(child_handler)
> Finished processing child request 59
>
> So what file or directory could not be found?
>
> Jonn
>
Do you have the SHR01$ machine key in the keytab? Is the keytab
> ../lib/krb5_wrap/krb5_samba.c:499(ads_krb5_mk_req)**
> ** ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or
> directory)*
> [2014/05/05 08:36:53.741217, 0]
> ../source3/libads/kerberos_util.c:74(ads_kinit_password)
> kerberos_kinit_password SHR01$@TAYLORTELEPHONE.COM failed:
> Preauthentication failed
> [2014/05/05 08:36:53.741333, 1]
> ../source3/winbindd/winbindd_ads.c:122(ads_cached_connection_connect)
> ads_connect for domain TAYLORTELEPHONE failed: Preauthentication failed
> [2014/05/05 08:36:53.741427, 1]
> ../source3/winbindd/idmap_ad.c:199(idmap_ad_unixids_to_sids)
> ADS uninitialized: Preauthentication failed
> [2014/05/05 08:36:53.741538, 4]
> ../source3/winbindd/winbindd_dual.c:1346(child_handler)
> Finished processing child request 59
>
> So what file or directory could not be found?
>
> Jonn
>
at /etc/krb5.keytab?
Taylor, Jonn
May 5, 2014, 12:52:04 PM5/5/14
to
On 05/05/2014 09:20 AM, steve wrote:
> On Mon, 2014-05-05 at 08:48 -0500, Taylor, Jonn wrote:
>
>> ../lib/krb5_wrap/krb5_samba.c:499(ads_krb5_mk_req)**
>> ** ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or
>> directory)*
>> [2014/05/05 08:36:53.741217, 0]
>> ../source3/libads/kerberos_util.c:74(ads_kinit_password)
>> kerberos_kinit_password SHR01$@TAYLORTELEPHONE.COM failed:
>> Preauthentication failed
>> [2014/05/05 08:36:53.741333, 1]
>> ../source3/winbindd/winbindd_ads.c:122(ads_cached_connection_connect)
>> ads_connect for domain TAYLORTELEPHONE failed: Preauthentication failed
>> [2014/05/05 08:36:53.741427, 1]
>> ../source3/winbindd/idmap_ad.c:199(idmap_ad_unixids_to_sids)
>> ADS uninitialized: Preauthentication failed
>> [2014/05/05 08:36:53.741538, 4]
>> ../source3/winbindd/winbindd_dual.c:1346(child_handler)
>> Finished processing child request 59
>>
>> So what file or directory could not be found?
>>
>> Jonn
>>
> Do you have the SHR01$ machine key in the keytab? Is the keytab
> at /etc/krb5.keytab?
>
-UAdministrator . After a day I get that message.
steve
May 5, 2014, 5:58:48 PM5/5/14
to
klist -k
anything?
Taylor, Jonn
May 5, 2014, 10:13:38 PM5/5/14
to
krb5.conf file at /var/cache/samba/smb_krb5/krb5.conf.TAYLORTELEPHONE
and loks like this.
[libdefaults]
default_realm = TAYLORTELEPHONE.COM
default_tgs_enctypes = aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
[realms]
TAYLORTELEPHONE.COM = {
kdc = 192.168.173.14
kdc = 192.168.173.13
}
Then it writes the keytab somewhere but that I can not find. I did a net
kdc = 192.168.173.13
}
ads join -d6 but nothing jumps out. This is the keytab part.
Bind RPC Pipe: host DC1.taylortelephone.com auth_type 0, auth_level 1
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 32
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 240
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 32
saf_fetch[join]: Returning "DC1.taylortelephone.com" for
"taylortelephone.com" domain
get_dc_list: preferred server list: "DC1.taylortelephone.com, *"
name taylortelephone.com#1C found.
name DC1.taylortelephone.com#20 found.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.173.13:389 192.168.173.14:389
create_local_private_krb5_conf_for_domain: wrote file
/var/cache/samba/smb_krb5/krb5.conf.TAYLORTELEPHONE with realm
TAYLORTELEPHONE.COM KDC list = kdc = 192.168.173.13
/var/cache/samba/smb_krb5/krb5.conf.TAYLORTELEPHONE with realm
kdc = 192.168.173.14
Bind RPC Pipe: host DC1.taylortelephone.com auth_type 0, auth_level 1
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 32
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 32
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 40
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 44
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 32
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 12
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 12
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 32
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 32
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 32
check lock order 2 for g_lock.tdb
db_open_ctdb: opened database 'dbwrap_watchers.tdb' with dbid 0xbce979dd
release lock order 2 for g_lock.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:369 transaction started on db 0xb775fff6
check lock order 1 for secrets.tdb
release lock order 1 for secrets.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:758 transaction commit on db 0xb775fff6
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:369 transaction started on db 0xb775fff6
check lock order 1 for secrets.tdb
release lock order 1 for secrets.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:758 transaction commit on db 0xb775fff6
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:369 transaction started on db 0xb775fff6
check lock order 1 for secrets.tdb
release lock order 1 for secrets.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:758 transaction commit on db 0xb775fff6
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:369 transaction started on db 0xb775fff6
check lock order 1 for secrets.tdb
release lock order 1 for secrets.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:758 transaction commit on db 0xb775fff6
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:369 transaction started on db 0xb775fff6
check lock order 1 for secrets.tdb
release lock order 1 for secrets.tdb
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
name DC1.taylortelephone.com#20 found.
ads_try_connect: sending CLDAP request to 192.168.173.13 (realm:
taylortelephone.com)
Successfully contacted LDAP server 192.168.173.13
Connected to LDAP server DC1.taylortelephone.com
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name =
not_defined_in_RFC4178@please_ignore
not_defined_in_RFC4178@please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration
Tue, 06 May 2014 01:05:35 CDT
ads_domain_func_level: 4
kerberos_secrets_store_des_salt: Storing salt
"host/shr01.taylor...@TAYLORTELEPHONE.COM"
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:369 transaction started on db 0xb775fff6
check lock order 1 for secrets.tdb
release lock order 1 for secrets.tdb
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend wbc_sam
Successfully added passdb backend 'wbc_sam'
Attempting to register passdb backend samba_dsdb
Successfully added passdb backend 'samba_dsdb'
Attempting to register passdb backend samba4
Successfully added passdb backend 'samba4'
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend IPA_ldapsam
Successfully added passdb backend 'IPA_ldapsam'
Attempting to find a passdb backend to match tdbsam (tdbsam)
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
../source3/lib/dbwrap/dbwrap_ctdb.c:369 transaction started on db 0xb775fff6
check lock order 2 for g_lock.tdb
release lock order 2 for g_lock.tdb
db_open_ctdb: opened database 'g_lock.tdb' with dbid 0x2607456f
db_open_ctdb: opened database 'group_mapping.tdb' with dbid 0xe98e08b6
add_sid_to_builtin S-1-5-21-1647384629-2592896063-3438515345-512 is
already a member of S-1-5-32-544
db_open_ctdb: opened database 'g_lock.tdb' with dbid 0x2607456f
db_open_ctdb: opened database 'passdb.tdb' with dbid 0x7bbbd26c
tdbsam_open: successfully opened /var/lib/samba/private/passdb.tdb
pdb_getsampwnam (TDB): error fetching database.
Key: USER_root
add_sid_to_builtin S-1-5-21-1647384629-2592896063-3438515345-513 is
already a member of S-1-5-32-545
name DC1.taylortelephone.com#20 found.
Connecting to 192.168.173.13 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 19800
SO_RCVBUF = 87380
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
Doing spnego session setup (blob length=120)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
Bind RPC Pipe: host DC1.taylortelephone.com auth_type 0, auth_level 1
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 20
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 24
rpccli_netlogon_setup_creds: server DC1.taylortelephone.com credential
chain established.
Bind RPC Pipe: host DC1.taylortelephone.com auth_type 68, auth_level 6
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 72
check_bind_response: accepted!
seed xxxxxxxxxxxxxxxx
seed+time xxxxxxxxxxxxxxx
CLIENT xxxxxxxxxxxxxxxx
seed+time+1 xxxxxxxxxxxxxx
SERVER xxxxxxxxxxxxxxxxx
rpc_api_pipe: host DC1.taylortelephone.com
rpc_read_send: data_to_read: 104
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'TAYLORTELEPHONE'
dns_domain_name : 'taylortelephone.com'
forest_name : 'taylortelephone.com'
dn :
'CN=shr01,CN=Computers,DC=taylortelephone,DC=com'
domain_sid : *
domain_sid :
S-1-5-21-1647384629-2592896063-3438515345
modified_config : 0x00 (0)
error_string : NULL
domain_is_ad : 0x01 (1)
result : WERR_OK
Using short domain name -- TAYLORTELEPHONE
Joined 'SHR01' to dns domain 'taylortelephone.com'
Not doing automatic DNS update in a clustered setup.
return code = 0
steve
May 6, 2014, 5:36:50 AM5/6/14
to
kerberos method =
in smb.conf?
Taylor, Jonn
May 6, 2014, 3:19:36 PM5/6/14
to
steve
May 7, 2014, 6:29:57 AM5/7/14
to
kerberos method = system keytab
then:
net ads keytab create -UAdministrator
Taylor, Jonn
May 7, 2014, 9:28:37 AM5/7/14
to
On 05/07/2014 05:29 AM, steve wrote:
> On Tue, 2014-05-06 at 14:19 -0500, Taylor, Jonn wrote:
>> On 05/06/2014 04:36 AM, steve wrote:
>>>> Then it writes the keytab somewhere but that I can not find.
>>> Do you have a:
>>> kerberos method =
>>> in smb.conf?
>>>
>>>
>> No
>>
> try:
> kerberos method = system keytab
> then:
> net ads keytab create -UAdministrator
>
>
Jonn Taylor
May 8, 2014, 12:40:36 PM5/8/14
to
On 5/7/2014 8:28 AM, Taylor, Jonn wrote:
>
> On 05/07/2014 05:29 AM, steve wrote:
>> On Tue, 2014-05-06 at 14:19 -0500, Taylor, Jonn wrote:
>>> On 05/06/2014 04:36 AM, steve wrote:
>>>>> Then it writes the keytab somewhere but that I can not find.
>>>> Do you have a:
>>>> kerberos method =
>>>> in smb.conf?
>>>>
>>>>
>>> No
>>>
>> try:
>> kerberos method = system keytab
>> then:
>> net ads keytab create -UAdministrator
>>
>>
> OK I will give that a try and post back. Thanks.
>
That did not work, in-fact it made it so both node IP's did not work
>
> On 05/07/2014 05:29 AM, steve wrote:
>> On Tue, 2014-05-06 at 14:19 -0500, Taylor, Jonn wrote:
>>> On 05/06/2014 04:36 AM, steve wrote:
>>>>> Then it writes the keytab somewhere but that I can not find.
>>>> Do you have a:
>>>> kerberos method =
>>>> in smb.conf?
>>>>
>>>>
>>> No
>>>
>> try:
>> kerberos method = system keytab
>> then:
>> net ads keytab create -UAdministrator
>>
>>
> OK I will give that a try and post back. Thanks.
>
under CTDB but the node alias worked. I took it out and shutdown one
node and now it is working with only 1 node and CTDB.
0 new messages