Bug 5941 - Join multiple CTDB managed Samba servers into Active Directory
Summary: Join multiple CTDB managed Samba servers into Active Directory
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: Clustering
Version: 3.2.3
Hardware: x86 Linux
Importance: P3 critical
Target Milestone: ---
Assignee: Volker Lendecke
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-12-04 18:28 UTC by Tim Clusters
Modified: 2008-12-05 03:20 UTC

See Also:


Description Tim Clusters 2008-12-04 18:28:33 UTC
Hi,

I have set up a 2-node CTDB cluster serving NFS and CIFS authenticating Windows and Linux users via Active Directory.

The setup works fine, except that only one server in the CTDB cluster is able to join the AD domain at a given instant. If you manually add the other server into AD, the already connected server gets disconnected.

Without CTDB, I can have Samba active on multiple servers joined to AD.

There is no specific error message logged in /var/log/message, /var/log/samba/log.smbd or /var/log/samba/log.winbind, and network snooping on the Samba port (445) does not provide any info.

Following is the setup + error message when you manually try to join a second CTDB node into Active Directory:
----------------
Configuration:
# CTDB up, virtualizing two nodes into a single entity
# CTDB configured to manage IP, NFS, Samba, and Winbind
[root@node-02 nfsexport]# ctdb status
Number of nodes:2
pnn:0 172.16.2.252     OK (THIS NODE)
pnn:1 172.16.2.253     OK
Generation:1529093094
Size:2
hash:0 lmaster:0
hash:1 lmaster:1
Recovery mode:NORMAL (0)
Recovery master:1
[root@node-01 ~]# ctdb ip
Public IPs on node 1
192.168.97.5 0
192.168.97.6 1

# Initially only node-02 was able to join AD
[root@node-02 nfsexport]# net ads testjoin
Join is OK
# Able to see users in AD Domain
[root@node-02 ~]# wbinfo -u list
TESTDOMAIN+administrator
TESTDOMAIN+peyton
TESTDOMAIN+eli

Join Error
-------------
# node-01 is unable to join AD
[root@node-01 ~]# net ads testjoin
[2008/12/02 15:59:47,  0] libads/kerberos.c:ads_kinit_password(361)
  kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed: Preauthentication failed
[2008/12/02 15:59:47,  0] libads/kerberos.c:ads_kinit_password(361)
  kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed: Preauthentication failed
Join to domain is not valid: Logon failure

# Manually Add node-01 to the AD
[root@node-01 ~]# net -d 1 ads join -U Administrator
Enter Administrator's password:
[2008/12/02 16:06:11,  1] libnet/libnet_join.c:libnet_Join(1799)
  libnet_Join:
      libnet_JoinCtx: struct libnet_JoinCtx
          in: struct libnet_JoinCtx
              dc_name                  : NULL
              machine_name             : 'node-01'
              domain_name              : *
                  domain_name              : 'TESTDOMAIN.LOCAL'
              account_ou               : NULL
              admin_account            : 'Administrator'
              admin_password           : *
              machine_password         : NULL
              join_flags               : 0x00000023 (35)
                     0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                     0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                     0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                     0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                     0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                     1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                     0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                     0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                     1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                     1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
              os_version               : NULL
              os_name                  : NULL
              create_upn               : 0x00 (0)
              upn                      : NULL
              modify_config            : 0x00 (0)
              ads                      : NULL
              debug                    : 0x01 (1)
              use_kerberos             : 0x00 (0)
              secure_channel_type      : SEC_CHAN_WKSTA (2)
[2008/12/02 16:06:11,  1] libnet/libnet_join.c:libnet_Join(1830)
  libnet_Join:
      libnet_JoinCtx: struct libnet_JoinCtx
          out: struct libnet_JoinCtx
              account_name             : NULL
              netbios_domain_name      : 'TESTDOMAIN'
              dns_domain_name          : 'testdomain.local'
              dn                       : 'CN=node-01,CN=Computers,DC=testdomain,DC=local'
              domain_sid               : *
                  domain_sid               : S-1-5-21-3868838012-3874256186-1289404937
              modified_config          : 0x00 (0)
              error_string             : NULL
              domain_is_ad             : 0x01 (1)
              result                   : WERR_OK
Using short domain name -- TESTDOMAIN
Joined 'node-01' to realm 'testdomain.local'

[root@node-01 ~]# net ads testjoin
Join is OK

#Check AD Status from node-02
# Result: node-02 which was originally joined to AD gets revoked when node-01 is manually added into AD
[root@node-02 nfsexport]# net ads testjoin
[2008/12/02 16:21:14,  0] libads/kerberos.c:ads_kinit_password(361)
  kerberos_kinit_password node-02$@TESTDOMAIN.LOCAL failed: Preauthentication failed
[2008/12/02 16:21:14,  0] libads/kerberos.c:ads_kinit_password(361)
  kerberos_kinit_password node-02$@TESTDOMAIN.LOCAL failed: Preauthentication failed
Join to domain is not valid: Logon failure

#Manually Add node-02 to the AD
[root@node-02 nfsexport]# net -d 1 ads join -U Administrator
Enter Administrator's password:
[2008/12/02 16:33:30,  1] libnet/libnet_join.c:libnet_Join(1799)
  libnet_Join:
      libnet_JoinCtx: struct libnet_JoinCtx
          in: struct libnet_JoinCtx
              dc_name                  : NULL
              machine_name             : 'node-02'
              domain_name              : *
                  domain_name              : 'TESTDOMAIN.LOCAL'
              account_ou               : NULL
              admin_account            : 'Administrator'
              admin_password           : *
              machine_password         : NULL
              join_flags               : 0x00000023 (35)
                     0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                     0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                     0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                     0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                     0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                     1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                     0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                     0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                     1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                     1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
              os_version               : NULL
              os_name                  : NULL
              create_upn               : 0x00 (0)
              upn                      : NULL
              modify_config            : 0x00 (0)
              ads                      : NULL
              debug                    : 0x01 (1)
              use_kerberos             : 0x00 (0)
              secure_channel_type      : SEC_CHAN_WKSTA (2)
[2008/12/02 16:33:31,  1] libnet/libnet_join.c:libnet_Join(1830)
  libnet_Join:
      libnet_JoinCtx: struct libnet_JoinCtx
          out: struct libnet_JoinCtx
              account_name             : NULL
              netbios_domain_name      : 'TESTDOMAIN'
              dns_domain_name          : 'testdomain.local'
              dn                       : 'CN=node-02,CN=Computers,DC=testdomain,DC=local'
              domain_sid               : *
                  domain_sid               : S-1-5-21-3868838012-3874256186-1289404937
              modified_config          : 0x00 (0)
              error_string             : NULL
              domain_is_ad             : 0x01 (1)
              result                   : WERR_OK
Using short domain name -- TESTDOMAIN
Joined 'node-02' to realm 'testdomain.local'
[root@node-02 nfsexport]# net ads testjoin
Join is OK

#When node-02 is added into AD, node-01 gets revoked/disconnected from AD
[root@node-01 ~]# net ads testjoin
[2008/12/02 16:33:45,  0] libads/kerberos.c:ads_kinit_password(361)
  kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed: Preauthentication failed
[2008/12/02 16:33:45,  0] libads/kerberos.c:ads_kinit_password(361)
  kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed: Preauthentication failed
Join to domain is not valid: Logon failure
[root@node-02 nfsexport]# net ads testjoin
[2008/12/02 14:30:07,  0] passdb/secrets.c:secrets_init(71)
  Failed to open /mnt/gpfs/CTDB/secrets.tdb
Join to domain is not valid: Access denied
 
-------------

Is the error because the CTDB secrets.tdb, which contains information on how the node was joined to AD, is stored in private storage? It seems like the first CTDB node that joins AD owns the file and the Kerberos ticket; the rest of the nodes cannot authenticate to AD with this key as it belongs to the other node. I may be totally wrong too. If I am right, is there a way to resolve this?

Following are configuration details:

Software version
----------------

CTDB:
ctdb-1.0-64
ctdb-debuginfo-1.0-64

Samba:
samba-debuginfo-3.2.3-ctdb.50
samba-3.2.3-ctdb.50
samba-doc-3.2.3-ctdb.50
samba-winbind-32bit-3.2.3-ctdb.50
samba-client-3.2.3-ctdb.50
samba-swat-3.2.3-ctdb.50
samba-common-3.2.3-ctdb.50

Kerberos:
krb5-workstation-1.5-17
krb5-libs-1.5-17
krb5-devel-1.5-17
krb5-auth-dialog-0.7-1
pam_krb5-2.2.11-1
krb5-devel-1.5-17
krb5-libs-1.5-17
pam_krb5-2.2.11-1


smb.conf
--------

[global]
        workgroup = TESTDOMAIN
        realm = TESTDOMAIN.LOCAL
        security = ADS
        password server = 192.168.10.10
        private dir = /mnt/global/CTDB
        client NTLMv2 auth = Yes
        template homedir = /home/%D+%U
        template shell = /bin/bash
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        smb ports = 445
        server signing = auto
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        use mmap = No
        clustering = Yes
        dns proxy = No
        gpfs:sharemodes = no
        fileid:mapping = global_GbE
        idmap alloc TESTDOMAIN:range = 10777216-57554431
        idmap config TESTDOMAIN:range = 10777216-57554431
        idmap config TESTDOMAIN:backend = rid
        idmap config TESTDOMAIN:default = yes
        force unknown acl user = Yes
        vfs objects = gpfs
        log level = 3 passdb:5 auth:10 winbind:5
        log file = /var/log/samba/log.%m
        max log size = 50

[global-share]
        comment = global NameSpace
        path = /mnt/global/nfsexport
        read only = No
        inherit permissions = Yes
        inherit acls = Yes


/etc/sysconfig/ctdb
-------------------

CTDB_RECOVERY_LOCK=/mnt/global/CTDB/recovery.lck
CTDB_PUBLIC_ADDRESSES=/etc/ctdb/public_addresses
CTDB_MANAGES_SAMBA=yes
CTDB_MANAGES_WINBIND=yes
CTDB_MANAGES_NFS=yes
CTDB_NODES=/etc/ctdb/nodes

 
Thanks in advance,
-Tim
Comment 1 Volker Lendecke 2008-12-05 03:20:15 UTC
You should use the same "netbios name" on all nodes.

Volker
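
The cause Volker's answer points at, illustrated with an added check (this is example code, not part of Samba, CTDB or the reporter's setup): with "clustering = Yes" and "private dir" on the shared cluster filesystem, all nodes read and write the same secrets.tdb, and the machine password stored there is keyed by domain, not by host. Without a cluster-wide "netbios name", each node joins under its own hostname, so node-02's join replaces the machine password that node-01$ was using and node-01's kinit fails with "Preauthentication failed". The script below parses each node's smb.conf and fails unless "netbios name" (and, for the shared secrets.tdb, "private dir") is set and identical on every node. The CIFSCLUSTER name, the file names and the two sample configs are assumptions modelled on the reporter's [global] section.

```shell
#!/bin/sh
# Added example (not Samba or CTDB code): verify that every CTDB node's
# smb.conf agrees on the settings that must be cluster-wide before any
# node runs "net ads join". File names, the CIFSCLUSTER netbios name and
# the sample configs below are constructed for illustration.
set -eu

# smb_param FILE PARAM: print PARAM's value from FILE's [global] section
# (empty if unset). smb.conf parameter names are case-insensitive and
# ignore internal whitespace, so both sides are normalised first.
smb_param() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' \t')" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        in_global && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            if (tolower(key) == want) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                print val
            }
        }' "$1"
}

# check_same_param PARAM CONF...: succeed only when PARAM is set in every
# file and written identically in all of them. An unset "netbios name" is
# the failure seen in the report: Samba then uses each node's own hostname,
# so node-01 and node-02 join as two different computer accounts while
# sharing one secrets.tdb, and each join overwrites the other's password.
check_same_param() {
    param=$1; shift
    expected=""
    for conf in "$@"; do
        value=$(smb_param "$conf" "$param")
        if [ -z "$value" ]; then
            echo "FAIL: $conf: '$param' is not set" >&2
            return 1
        fi
        if [ -z "$expected" ]; then
            expected=$value
        elif [ "$value" != "$expected" ]; then
            echo "FAIL: $conf: '$param' is '$value', other nodes have '$expected'" >&2
            return 1
        fi
    done
    echo "OK: '$param' = '$expected' on all $# nodes"
}

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed per-node configs modelled on the report's [global] section.
# "before": no netbios name, so each node joins under its own hostname.
# "after": one cluster-wide netbios name, so both nodes present the single
# CIFSCLUSTER$ machine account whose password lives in the shared secrets.tdb.
for node in node-01 node-02; do
    cat > "$WORKDIR/before-$node.conf" <<'EOF'
[global]
        workgroup = TESTDOMAIN
        realm = TESTDOMAIN.LOCAL
        security = ADS
        private dir = /mnt/global/CTDB
        clustering = Yes
EOF
    cat > "$WORKDIR/after-$node.conf" <<'EOF'
[global]
        workgroup = TESTDOMAIN
        realm = TESTDOMAIN.LOCAL
        security = ADS
        netbios name = CIFSCLUSTER
        private dir = /mnt/global/CTDB
        clustering = Yes
EOF
done

echo "--- before ---"
check_same_param "netbios name" "$WORKDIR"/before-node-0?.conf || true
echo "--- after ---"
check_same_param "netbios name" "$WORKDIR"/after-node-0?.conf
check_same_param "private dir"  "$WORKDIR"/after-node-0?.conf
```

Run the two checks against the real smb.conf of every node before the first "net ads join"; once the join has been done from one node with the shared name, "net ads testjoin" should report "Join is OK" on each node, because they all authenticate as the same machine account.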