Hi Simo,

Thanks for your email. (It is good to get some reassurances I am on the right 
track...:)

"My preferred one is to join the cluster to the domain with the public name 
(clusterpub) in your case, and share the keytab between the 2 nodes. They are 
logically a single server and need to share the same credentials."

This is how I have set it up (as per Samba CTDB wiki documentation) using 
"clusterpub" but it just refuses to let me map "\\clusterpub\share" on my 
Windows client. I can hit the individual node's share using IP: 
\\10.101.4.16\share & \\10.101.4.17\share and these work fine (which is really 
working as per your option two).

As given before, incredibly I am able to successfully connect to 
\\clusterpub\share using smbclient from one of the Linux nodes using my Windows 
domain login. I am confident winbind is working ok. 

It looks like Kerberos is having a problem. When trying to map from Windows I 
get the following error in /var/log/messages (on the node that DNS happens to 
send me to): "krb5_rd_req failed (Key table entry not found)".

# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/clusterpub.mydomain...@mydomain.au (DES cbc mode with CRC-32)
   2 host/clusterpub. mydomain.au @ MYDOMAIN.AU (DES cbc mode with RSA-MD5)
   2 host/clusterpub. mydomain.au @ MYDOMAIN.AU (ArcFour with HMAC/md5)
   2 host/clusterpub@ MYDOMAIN.AU (DES cbc mode with CRC-32)
   2 host/clusterpub@ MYDOMAIN.AU (DES cbc mode with RSA-MD5)
   2 host/clusterpub@ MYDOMAIN.AU (ArcFour with HMAC/md5)
   2 CLUSTERPUB$@ MYDOMAIN.AU (DES cbc mode with CRC-32)
   2 CLUSTERPUB$@ MYDOMAIN.AU (DES cbc mode with RSA-MD5)
   2 CLUSTERPUB$@ MYDOMAIN.AU (ArcFour with HMAC/md5)

Cheers,
Peter Tan

-----Original Message-----
From: simo [mailto:i...@samba.org] 
Sent: Monday, 23 January 2012 1:40 AM
To: Peter Tan
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problem Accessing Samba share from Windows workstation via 
DNS Round Robin

On Fri, 2012-01-20 at 16:38 +1000, Peter Tan wrote: 
> I have set up a 2 node Linux cluster and wish to share an ocfs2 mount on SAN 
> storage. I have configured ctdb, samba and Kerberos and am able to map the 
> share on my Windows workstation when I hit the IP of each of the two nodes.
> 
> I am able to mount this share via NFS on other Linux servers ok.
> 
> However it does not appear to be authenticating when I try to map to the DNS 
> hostname that has been set up to round-robin across the two IPs - I keep 
> getting prompted for a login and password and I get the following in 
> /var/log/messages: "krb5_rd_req failed (Key table entry not found)"
> 
> Node 1: 10.101.4.16
> Node 2: 10.101.4.17
> DNS A Name: clusterpub 10.101.4.16
> DNS A Name: clusterpub 10.101.4.17
> 
> I have set the "netbios name = clusterpub" in smb.conf on both nodes
> 
> Interestingly, I am able to successfully connect to the "clusterpub" share 
> from one of the nodes via smbclient.
> 
> # smbclient //clusterpub/archive -U <user>
> Enter <user> password:
> Domain=[COUNCIL] OS=[Unix] Server=[Samba 3.5.4-0.83.el5]
> smb: \> dir
>   .                     D        0  Fri Jan 20 14:28:01 2012
>   ..                    D        0  Wed Jan 18 13:56:46 2012
>   hello-from-samba               0  Fri Jan 20 14:28:01 2012
> 
>                 64000 blocks of size 16777216. 63805 blocks available
> smb: \>
> 
> What am I missing?

You have 2 ways to solve this issue.

My preferred one is to join the cluster to the domain with the public name 
(clusterpub) in your case, and share the keytab between the 2 nodes. They are 
logically a single server and need to share the same credentials.

Another way I like a lot less is to make sure you have PTR records set up so 
that they point to the respective private names, and join each node with these 
names. I like this less because it relies on reverse address resolution and 
kinda breaks the fact you are trying to present a single service to the clients.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer <s...@samba.org>
Principal Software Engineer at Red Hat, Inc. <s...@redhat.com>
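
A check for the shared-keytab setup recommended above, as an added example that is not part of the original thread: it parses `klist -ke` output saved from each node, reports entries held by only one node, and lists the keys held for a given service principal. The two listings, the EXAMPLE.COM realm and the cifs/ principal name are constructed assumptions.

```python
import re

# One entry line of `klist -ke` output: "<kvno> <principal> (<enctype>)".
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

# Constructed listings for two nodes (EXAMPLE.COM is a placeholder realm).
NODE1 = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/clusterpub.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   2 host/clusterpub@EXAMPLE.COM (ArcFour with HMAC/md5)
   2 CLUSTERPUB$@EXAMPLE.COM (ArcFour with HMAC/md5)
"""
NODE2 = NODE1.replace("   2 ", "   3 ")  # as if node 2 had joined separately


def parse_klist(text):
    """Return the set of (kvno, principal, enctype) entries in a listing."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # the header and ruler lines do not match
            entries.add((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def compare_nodes(a, b):
    """Entries held by only one node; both lists are empty for a shared keytab."""
    return sorted(a - b), sorted(b - a)


def keys_for(entries, principal):
    """(kvno, enctype) pairs the keytab holds for one service principal."""
    return sorted((k, e) for k, p, e in entries if p == principal)


if __name__ == "__main__":
    n1, n2 = parse_klist(NODE1), parse_klist(NODE2)
    only1, only2 = compare_nodes(n1, n2)
    print("shared keytab" if not (only1 or only2) else "keytabs differ")
    for kvno, princ, enc in only1:
        print(f"  node1 only: kvno {kvno} {princ} ({enc})")
    for kvno, princ, enc in only2:
        print(f"  node2 only: kvno {kvno} {princ} ({enc})")
    # Service principal to look for; this name is an assumption for the example.
    wanted = "cifs/clusterpub.example.com@EXAMPLE.COM"
    print(wanted, "->", keys_for(n1, wanted) or "no keytab entry")
```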





