Hi,

I have set up a 2-node CTDB cluster serving NFS and CIFS, authenticating Windows and Linux users via Active Directory. The setup works fine, except that only one server in the CTDB cluster is able to join the AD domain at a given instance. If you manually add the other server into AD, the already connected server gets disconnected. Without CTDB, I can have Samba active on multiple servers joined to AD. There is no specific error message logged in /var/log/message or /var/log/samba/log.smbd or /var/log/samba/log.winbind + network snooping at the Samba port (445) does not provide any info.

Following is the setup + error message when you manually try to join a second CTDB node into Active Directory:

----------------
Configuration:

# CTDB up and virtualizing two nodes into a single entity
# CTDB configured to manage IP, NFS, Samba, and Winbind

[root@node-02 nfsexport]# ctdb status
Number of nodes:2
pnn:0 172.16.2.252     OK (THIS NODE)
pnn:1 172.16.2.253     OK
Generation:1529093094
Size:2
hash:0 lmaster:0
hash:1 lmaster:1
Recovery mode:NORMAL (0)
Recovery master:1

[root@node-01 ~]# ctdb ip
Public IPs on node 1
192.168.97.5 0
192.168.97.6 1

# Initially only node-02 was able to join AD
[root@node-02 nfsexport]# net ads testjoin
Join is OK

# Able to see users in AD domain
[root@node-02 ~]# wbinfo -u list
TESTDOMAIN+administrator
TESTDOMAIN+peyton
TESTDOMAIN+eli

Join Error
-------------

# node-01 is unable to join AD
[root@node-01 ~]# net ads testjoin
[2008/12/02 15:59:47, 0] libads/kerberos.c:ads_kinit_password(361)
  kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed: Preauthentication failed
[2008/12/02 15:59:47, 0] libads/kerberos.c:ads_kinit_password(361)
  kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed: Preauthentication failed
Join to domain is not valid: Logon failure

# Manually add node-01 to the AD
[root@node-01 ~]# net -d 1 ads join -U Administrator
Enter Administrator's password:
[2008/12/02 16:06:11, 1] libnet/libnet_join.c:libnet_Join(1799)
  libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
    in: struct libnet_JoinCtx
        dc_name                  : NULL
        machine_name             : 'node-01'
        domain_name              : *
            domain_name              : 'TESTDOMAIN.LOCAL'
        account_ou               : NULL
        admin_account            : 'Administrator'
        admin_password           : *
        machine_password         : NULL
        join_flags               : 0x00000023 (35)
               0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
               0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
               0: WKSSVC_JOIN_FLAGS_DEFER_SPN
               0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
               0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
               1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
               0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
               0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
               1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
               1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
        os_version               : NULL
        os_name                  : NULL
        create_upn               : 0x00 (0)
        upn                      : NULL
        modify_config            : 0x00 (0)
        ads                      : NULL
        debug                    : 0x01 (1)
        use_kerberos             : 0x00 (0)
        secure_channel_type      : SEC_CHAN_WKSTA (2)
[2008/12/02 16:06:11, 1] libnet/libnet_join.c:libnet_Join(1830)
  libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
    out: struct libnet_JoinCtx
        account_name             : NULL
        netbios_domain_name      : 'TESTDOMAIN'
        dns_domain_name          : 'testdomain.local'
        dn                       : 'CN=node-01,CN=Computers,DC=testdomain,DC=local'
        domain_sid               : *
            domain_sid               : S-1-5-21-3868838012-3874256186-1289404937
        modified_config          : 0x00 (0)
        error_string             : NULL
        domain_is_ad             : 0x01 (1)
        result                   : WERR_OK
Using short domain name -- TESTDOMAIN
Joined 'node-01' to realm 'testdomain.local'

[root@node-01 ~]# net ads testjoin
Join is OK

# Check AD status from node-02
# Result: node-02, which was originally joined to AD, gets revoked when node-01 is manually added into AD
[root@node-02 nfsexport]# net ads testjoin
[2008/12/02 16:21:14, 0] libads/kerberos.c:ads_kinit_password(361)
  kerberos_kinit_password node-02$@TESTDOMAIN.LOCAL failed: Preauthentication failed
[2008/12/02 16:21:14, 0] libads/kerberos.c:ads_kinit_password(361)
  kerberos_kinit_password node-02$@TESTDOMAIN.LOCAL failed: Preauthentication failed
Join to domain is not valid: Logon failure

# Manually add node-02 to the AD
[root@node-02 nfsexport]# net -d 1 ads join -U Administrator
Enter Administrator's password:
[2008/12/02 16:33:30, 1] libnet/libnet_join.c:libnet_Join(1799)
  libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
    in: struct libnet_JoinCtx
        dc_name                  : NULL
        machine_name             : 'node-02'
        domain_name              : *
            domain_name              : 'TESTDOMAIN.LOCAL'
        account_ou               : NULL
        admin_account            : 'Administrator'
        admin_password           : *
        machine_password         : NULL
        join_flags               : 0x00000023 (35)
               0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
               0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
               0: WKSSVC_JOIN_FLAGS_DEFER_SPN
               0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
               0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
               1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
               0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
               0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
               1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
               1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
        os_version               : NULL
        os_name                  : NULL
        create_upn               : 0x00 (0)
        upn                      : NULL
        modify_config            : 0x00 (0)
        ads                      : NULL
        debug                    : 0x01 (1)
        use_kerberos             : 0x00 (0)
        secure_channel_type      : SEC_CHAN_WKSTA (2)
[2008/12/02 16:33:31, 1] libnet/libnet_join.c:libnet_Join(1830)
  libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
    out: struct libnet_JoinCtx
        account_name             : NULL
        netbios_domain_name      : 'TESTDOMAIN'
        dns_domain_name          : 'testdomain.local'
        dn                       : 'CN=node-02,CN=Computers,DC=testdomain,DC=local'
        domain_sid               : *
            domain_sid               : S-1-5-21-3868838012-3874256186-1289404937
        modified_config          : 0x00 (0)
        error_string             : NULL
        domain_is_ad             : 0x01 (1)
        result                   : WERR_OK
Using short domain name -- TESTDOMAIN
Joined 'node-02' to realm 'testdomain.local'

[root@node-02 nfsexport]# net ads testjoin
Join is OK

# When node-02 is added into AD, node-01 gets revoked/disconnected from AD
[root@node-01 ~]# net ads testjoin
[2008/12/02 16:33:45, 0] libads/kerberos.c:ads_kinit_password(361)
  kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed: Preauthentication failed
[2008/12/02 16:33:45, 0] libads/kerberos.c:ads_kinit_password(361)
  kerberos_kinit_password node-01$@TESTDOMAIN.LOCAL failed: Preauthentication failed
Join to domain is not valid: Logon failure

[root@node-02 nfsexport]# net ads testjoin
[2008/12/02 14:30:07, 0] passdb/secrets.c:secrets_init(71)
  Failed to open /mnt/gpfs/CTDB/secrets.tdb
Join to domain is not valid: Access denied
-------------

Is the error because the CTDB secrets.tdb, which contains information on how the node was joined to AD, is stored in private storage? It seems like the first CTDB node that joins AD owns the file + Kerberos ticket. The rest of the nodes cannot authenticate to AD with this key as it belongs to the other node. I may be totally wrong too. If I am right, is there a way to resolve this?

Following are the configuration details:

Software version
----------------
CTDB:
  ctdb-1.0-64
  ctdb-debuginfo-1.0-64

Samba:
  samba-debuginfo-3.2.3-ctdb.50
  samba-3.2.3-ctdb.50
  samba-doc-3.2.3-ctdb.50
  samba-winbind-32bit-3.2.3-ctdb.50
  samba-client-3.2.3-ctdb.50
  samba-swat-3.2.3-ctdb.50
  samba-common-3.2.3-ctdb.50

Kerberos:
  krb5-workstation-1.5-17
  krb5-libs-1.5-17
  krb5-devel-1.5-17
  krb5-auth-dialog-0.7-1
  pam_krb5-2.2.11-1
  krb5-devel-1.5-17
  krb5-libs-1.5-17
  pam_krb5-2.2.11-1

smb.conf
--------
[global]
        workgroup = TESTDOMAIN
        realm = TESTDOMAIN.LOCAL
        security = ADS
        password server = 192.168.10.10
        private dir = /mnt/global/CTDB
        client NTLMv2 auth = Yes
        template homedir = /home/%D+%U
        template shell = /bin/bash
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        smb ports = 445
        server signing = auto
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        use mmap = No
        clustering = Yes
        dns proxy = No
        gpfs:sharemodes = no
        fileid:mapping = global_GbE
        idmap alloc TESTDOMAIN:range = 10777216-57554431
        idmap config TESTDOMAIN:range = 10777216-57554431
        idmap config TESTDOMAIN:backend = rid
        idmap config TESTDOMAIN:default = yes
        force unknown acl user = Yes
        vfs objects = gpfs
        log level = 3 passdb:5 auth:10 winbind:5
        log file = /var/log/samba/log.%m
        max log size = 50

[global-share]
        comment = global NameSpace
        path = /mnt/global/nfsexport
        read only = No
        inherit permissions = Yes
        inherit acls = Yes

/etc/sysconfig/ctdb
-------------------
CTDB_RECOVERY_LOCK=/mnt/global/CTDB/recovery.lck
CTDB_PUBLIC_ADDRESSES=/etc/ctdb/public_addresses
CTDB_MANAGES_SAMBA=yes
CTDB_MANAGES_WINBIND=yes
CTDB_MANAGES_NFS=yes
CTDB_NODES=/etc/ctdb/nodes

Thanks in advance,
-Tim
You should use the same "netbios name" on all nodes.

Volker
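The symptoms in the thread fit the reply: with "private dir" on shared storage there is one secrets.tdb for the whole cluster, but without an explicit "netbios name" each node defaults to its own hostname (node-01, node-02) and so joins AD as a different computer account. Each join overwrites the single stored machine password with the password of a different account, and the other node's kinit then fails with "Preauthentication failed". A small pre-flight check that catches this before a join is attempted, as an added example written here (not CTDB or Samba code, and the sample smb.conf texts are constructed from the thread's settings; the parser is a minimal one, not Samba's):

```python
"""Check that the smb.conf of every CTDB node agrees on the settings a
shared AD machine account depends on.  Added example, not Samba/CTDB code."""
import re

# Settings that every node must agree on, because the machine account and
# its password live in the one secrets.tdb under the shared "private dir".
MUST_MATCH = ("netbios name", "workgroup", "realm", "security",
              "private dir", "clustering")


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Parameter names are case-insensitive and internal whitespace is
    ignored, so 'NetBIOS Name' and 'netbios name' are the same key.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", " ", key.strip().lower())
        sections[current][key] = value.strip()
    return sections


def effective_netbios_name(global_section, hostname):
    """Samba defaults 'netbios name' to the first hostname label, upper-cased."""
    explicit = global_section.get("netbios name")
    if explicit:
        return explicit.upper()
    return hostname.split(".")[0].upper()


def check_cluster(nodes):
    """nodes: {hostname: smb.conf text}.  Returns a list of problems (empty = consistent)."""
    problems = []
    globals_by_node = {h: parse_smb_conf(t).get("global", {}) for h, t in nodes.items()}

    # 1. Every cluster-critical parameter must be literally identical on all nodes.
    for key in MUST_MATCH:
        values = {h: g.get(key, "<unset>") for h, g in globals_by_node.items()}
        if len(set(values.values())) > 1:
            problems.append(f"'{key}' differs across nodes: {values}")

    # 2. The *effective* NetBIOS name decides which computer account a node
    #    joins as; if it differs, the nodes will fight over the shared secrets.tdb.
    names = {h: effective_netbios_name(g, h) for h, g in globals_by_node.items()}
    if len(set(names.values())) > 1:
        problems.append(f"nodes would join AD as different machine accounts: {names}")

    # 3. Clustered mode must be on, or each node keeps private state anyway.
    for h, g in globals_by_node.items():
        if g.get("clustering", "no").lower() != "yes":
            problems.append(f"{h}: 'clustering = yes' is missing")
    return problems


# Constructed sample: the relevant lines of the posted smb.conf, identical on
# both nodes, with no explicit netbios name (so the hostnames are used).
_BROKEN_CONF = """
[global]
    workgroup = TESTDOMAIN
    realm = TESTDOMAIN.LOCAL
    security = ADS
    private dir = /mnt/global/CTDB
    clustering = Yes
"""
BROKEN_CLUSTER = {"node-01": _BROKEN_CONF, "node-02": _BROKEN_CONF}

# Constructed sample: the same config with one cluster-wide name (placeholder).
_FIXED_CONF = _BROKEN_CONF + "    netbios name = TESTCLUSTER\n"
FIXED_CLUSTER = {"node-01": _FIXED_CONF, "node-02": _FIXED_CONF}

if __name__ == "__main__":
    for label, cluster in (("as posted", BROKEN_CLUSTER), ("with netbios name", FIXED_CLUSTER)):
        print(f"{label}: {check_cluster(cluster) or 'OK'}")
```

Run it on the real files by reading each node's smb.conf into the dict keyed by that node's hostname; an empty result means all nodes would present the same machine account to the domain and share the one secrets.tdb safely. The "private dir" check also catches the second error in the thread, where one node looked for secrets.tdb under /mnt/gpfs/CTDB while the config names /mnt/global/CTDB.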