  1. #1
    Just Joined!
    Join Date
    Oct 2013
    Posts
    5

    SAMBA - ADS Member Server - CTDB: Authentication error


    Hi Forum,

    I have a 2-node Samba CTDB cluster as an ADS member server and an authentication issue with it. Kerberos works fine, kinit and klist show the expected results. ctdb status shows that both nodes are HEALTHY.

    Issue description:
    - If I turn off the clustering directive in smb.conf and shut down the ctdb daemon, authentication of ADS users accessing a share directly on one of the nodes works perfectly. No problem with either wbinfo -t or getent passwd.
    - With the clustering directive activated and the ctdb daemon running, ADS users cannot access the shares anymore; both wbinfo -t and getent passwd fail. The errors are:
    Code:
    [root@glnode01 ~]# wbinfo -t
    checking the trust secret for domain MYDOMAIN via RPC calls failed
    error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
    failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
    Could not check secret
    and getent passwd only returns local users.


    The systems:

    1. File Server Cluster Nodes
    - OS: CentOS 6.4 64bit
    - Samba: 3.6.9-151.el6_4.1 (installed from repository by yum)
    - CTDB.x86_64: 1.0.114.5-3.el6 (installed from repository by yum)

    2. Windows ADS
    - Domain Controllers: Windows Server 2008 R2

    The configuration files:

    1. smb.conf
    Code:
    [root@glnode01 ~]# cat /etc/samba/smb.conf
    [global]
            workgroup = MYDOMAIN
            clustering = yes
            realm = MYDOMAIN.LOCAL
            preferred master = no
            server string = %h Server
            security = ADS
            encrypt passwords = yes
            log level = 3
            log file = /var/log/samba/log.%m
            max log size = 1000
            winbind enum users = Yes
            winbind enum groups = Yes
            winbind use default domain = Yes
            winbind nested groups = Yes
            winbind separator = +
            idmap backend = tdb2
            idmap uid = 600-20000
            idmap gid = 600-20000
    ;template primary group = "Domain Users"
            template shell = /bin/nologin
    
    [localtestshare]
            comment = Testing a local share
            path = /mnt/localtestshare
            available = yes
            read only = no
            browseable = yes
            writeable = yes
            valid users = @MYDOMAIN+GG_ITSTAFF MYDOMAIN+test.user
            admin users = @MYDOMAIN+GG_DOMAINADMINS
    
    [glustertestshare]
            comment = Testing a Gluster volume exported through CIFS
            path = /mnt/gldatavol1/glustertestshare
            available = yes
            read only = no
            browseable = yes
            writeable = yes
            valid users = @MYDOMAIN+GG_ITSTAFF MYDOMAIN+test.user
            admin users = @MYDOMAIN+GG_DOMAINADMINS
    2. nsswitch.conf
    Code:
    [root@glnode01 ~]# cat /etc/nsswitch.conf
    passwd:         compat winbind
    shadow:         compat
    group:          compat winbind
    
    hosts:          files dns wins
    ethers:         db files
    networks:       files dns
    protocols:      db files
    rpc:            db files
    services:       db files
    3. krb5.conf
    Code:
    [libdefaults]
            default_realm = MYDOMAIN.LOCAL
            clockskew = 300
            dns_lookup_realm = true
            dns_lookup_kdc = true
            ticket_lifetime = 24h
            krb4_config = /etc/krb.conf
            krb4_realms = /etc/krb.realms
            kdc_timesync = 1
            ccache_type = 4
            forwardable = true
            proxiable = true
    
    [realms]
            MYDOMAIN.LOCAL = {
                    kdc = dc1.mydomain.local:88
                    kdc = dc2.mydomain.local:88
                    kdc = dc3.mydomain.local:88
                    admin_server = dc1.mydomain.local
                    default_domain = MYDOMAIN.LOCAL
            }
    [domain_realm]
            .mydomain.local = MYDOMAIN.LOCAL
            mydomain.local = MYDOMAIN.LOCAL
            .mydomain = MYDOMAIN.LOCAL
    [login]
            krb4_convert = true
            krb4_get_tickets = false
    
    [appdefaults]
            pam = {
                    ticket_lifetime = 1d
                    renew_lifetime = 1d
                    forwardable = true
                    proxiable = false
                    retain_after_close = false
                    minimum_uid = 0
                    debug = false
            }
    4. /etc/sysconfig/ctdb
    Code:
    CTDB_RECOVERY_LOCK=/mnt/glusterlock/lockfile
    CTDB_PUBLIC_ADDRESSES=/etc/ctdb/public_addresses
    CTDB_MANAGES_SAMBA=yes
    CTDB_MANAGES_WINBIND=yes
    CTDB_NODES=/etc/ctdb/nodes
    The related files are created and populated.

    5. I didn't set up PAM (common-auth, etc.), because I don't want the users to log in on the server. As far as I understand the function of PAM correctly - and because authenticating the ADS users without clustering activated works without problem - I think that configuring the PAM files is not necessary.

    Thanks for your thoughts and hints!

    Kind Regards,
    Bob
    Last edited by uners; 10-10-2013 at 12:43 PM. Reason: Removed company related info

  2. #2
    I just noticed that on the second cluster node wbinfo -t and getent passwd work fine. I assumed that maybe the domain join step was corrupt, so I removed the ADS account of the first node and rejoined by
    Code:
    net ads join -U Mayadminaccount

    The command returned "success" and Active Directory Users and Computers lists the newly created computer account of node1.

    Now getent passwd and wbinfo -t work on the first node - but it doesn't work anymore on the second one. WTF?!

    It seems that the last ADS-joined node always works, but it somehow makes the first one unworkable.
    Last edited by uners; 10-10-2013 at 09:09 AM. Reason: grammar

  3. #3
    net ads testjoin results on the nodes:

    First node that has been joined to the ADS domain:

    Code:
    [root@glnode01 ~]# net ads testjoin
    kerberos_kinit_password GLNODE01$@MYDOMAIN.LOCAL failed: Preauthentication failed
    kerberos_kinit_password GLNODE01$@MYDOMAIN.LOCAL failed: Preauthentication failed
    Join to domain is not valid: Logon failure
    Second node that joined the domain:

    Code:
    [root@glnode02 ~]# net ads testjoin
    Join is OK

    In the Samba mailing list thread (https://lists.samba.org/archive/samba/2009-January/145805.html), the user's description of his CTDB/Samba cluster setup contains the following:
    > I had asked this before, but I have a strange scenario where Windows node is
    > able to mount only from one of the CTDB-managed SMB servers. The NetBIOS
    > name is same on all the nodes and "net ads join" is issued only from one of
    > the CTDB nodes.
    In my setup the nodes have different names and I thought I would have to join each node to the ADS domain. Did I misinterpret something? Do I have to set up all the nodes with the same name?

  4. #4
    Quote Originally Posted by uners:
    In my setup the nodes have different names and I thought I would have to join each node to the ADS domain. Did I misinterpret something? Do I have to set up all the nodes with the same name?
    Yes, I was wrong. Having inserted the netbios name directive in the smb.conf on both of the nodes with the same value (I used "glustercluster") and having run the net ads join command again, but only on one node, both wbinfo -t and getent passwd succeeded on the two nodes.

    But still no success authenticating ADS users to the testshare.
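    As an added example (not from this thread or from the Samba project), a small Python pre-flight check that flags the misconfiguration diagnosed above: CTDB nodes without a shared, explicit netbios name, or with [global] settings that differ between nodes. The two smb.conf fragments and the node names are constructed.

```python
import configparser

# Constructed smb.conf fragments for two CTDB nodes; glnode01 lacks the
# shared 'netbios name', the situation diagnosed in this thread.
NODE_CONFS = {
    "glnode01": """
[global]
        workgroup = MYDOMAIN
        clustering = yes
        realm = MYDOMAIN.LOCAL
        security = ADS
        idmap backend = tdb2
""",
    "glnode02": """
[global]
        workgroup = MYDOMAIN
        clustering = yes
        realm = MYDOMAIN.LOCAL
        security = ADS
        netbios name = glustercluster
        idmap backend = tdb2
""",
}

# Settings that must be identical on every node sharing one machine account.
SHARED_KEYS = ("netbios name", "workgroup", "realm", "security", "idmap backend")


def parse_global(text):
    """Return the [global] section as a lower-cased dict."""
    # interpolation=None keeps %m-style substitutions; strip() avoids continuations
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return {k.lower(): v.strip().lower() for k, v in cp["global"].items()}


def check_cluster(confs):
    """Return a list of findings; an empty list means the nodes agree."""
    findings = []
    globals_ = {node: parse_global(text) for node, text in confs.items()}
    for node, g in globals_.items():
        if g.get("clustering") not in ("yes", "true", "1"):
            findings.append(f"{node}: 'clustering' is not enabled")
        if "netbios name" not in g:
            # Without it Samba uses the hostname, so each node joins AD as a different machine.
            findings.append(f"{node}: no explicit 'netbios name'")
    for key in SHARED_KEYS:
        values = sorted({str(g.get(key)) for g in globals_.values()})
        if len(values) > 1:
            findings.append(f"'{key}' differs across nodes: {values}")
    return findings
```

    Run it against the real smb.conf of every node before issuing net ads join once for the whole cluster.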

  5. #5
    Quote Originally Posted by uners:
    But still no success authenticating ADS users to the testshare.
    Works now. Don't know why. Rebooted the test client and worked.

    Thread closed.
