Re: [Samba] Problem Accessing Samba share from Windows workstation via DNS Round Robin

2012-01-23 Thread simo
On Mon, 2012-01-23 at 12:40 +1000, Peter Tan wrote: 
> Hi Simo,
> 
> It's ok I've worked it out. You were spot on wrt missing 'cifs' keytab 
> entries. I kinda expected these to be added when creating the keytab but I 
> guess that's not the case. All the doco I had read revolved around keytab 'host' 
> entries so I couldn't see what was missing (probably just my ignorance!:) 
> 
> I had to add them afterwards using: "net ads keytab add cifs -U " and 
> this did the trick!
> 
> Is this a bug? The following link suggests it is a bug too? --> 
> https://bugzilla.samba.org/show_bug.cgi?id=8004 
> 
> Anyway thank you very much for pointing me in the right direction!

You are welcome.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer 
Principal Software Engineer at Red Hat, Inc. 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Problem Accessing Samba share from Windows workstation via DNS Round Robin

2012-01-22 Thread Peter Tan
Hi Simo,

It's ok I've worked it out. You were spot on wrt missing 'cifs' keytab entries. 
I kinda expected these to be added when creating the keytab but I guess that's 
not the case. All the doco I had read revolved around keytab 'host' entries so I 
couldn't see what was missing (probably just my ignorance!:) 

I had to add them afterwards using: "net ads keytab add cifs -U " and this 
did the trick!

Is this a bug? The following link suggests it is a bug too? --> 
https://bugzilla.samba.org/show_bug.cgi?id=8004 

Anyway thank you very much for pointing me in the right direction!

Cheers,
Peter Tan
Technical Specialist
Enterprise Business Solutions Branch
IPSWICH CITY COUNCIL
PO Box 191 Ipswich Queensland 4305
T| 07 3810 7327
E:  p...@ipswich.qld.gov.au 
W: www.ipswich.qld.gov.au



-Original Message-
From: Peter Tan 
Sent: Monday, 23 January 2012 11:21 AM
To: 'simo'
Cc: samba@lists.samba.org
Subject: RE: [Samba] Problem Accessing Samba share from Windows workstation via 
DNS Round Robin

Hi Simo,

Thanks again for your reply.

I'm not sure which keys are missing? Should there be an entry for "cifs"?

How do I add the missing key(s)?

Thanking you in advance.
Peter Tan


-Original Message-
From: simo [mailto:i...@samba.org]
Sent: Monday, 23 January 2012 11:07 AM
To: Peter Tan
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problem Accessing Samba share from Windows workstation via 
DNS Round Robin

On Mon, 2012-01-23 at 09:58 +1000, Peter Tan wrote: 
> Hi Simo,
> 
> Thanks for your email. (It is good to get some reassurances I am on 
> the right track...:)
> 
> "My preferred one is to join the cluster to the domain with the public name 
> (clusterpub) in your case, and share the keytab between the 2 nodes. They are 
> logically a single server and need to share the same credentials."
> 
> This is how I have set it up (as per samba ctdb wiki documentation) using 
> "clusterpub" but it just refuses to let me map "\\clusterpub\share" on my 
> windows client. I can hit the individual node's share using IP: 
> \\10.101.4.16\share & \\10.101.4.17\share and these work fine (which is 
> really working as per your option two).
> 
> As given before, incredibly I am able to successfully connect to 
> \\clusterpub\share using smbclient from one of the linux nodes using my 
> Windows domain login. I am confident winbind is working ok. 
> 
> It looks like Kerberos is having a problem. When trying to map from windows I 
> get the following error in /var/log/messages (on the node that dns happens to 
> send me to): "krb5_rd_req failed (Key table entry not found)".
> 
> # klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 host/clusterpub.mydomain...@mydomain.au (DES cbc mode with CRC-32)
>    2 host/clusterpub.mydomain.au@MYDOMAIN.AU (DES cbc mode with RSA-MD5)
>    2 host/clusterpub.mydomain.au@MYDOMAIN.AU (ArcFour with HMAC/md5)
>    2 host/clusterpub@MYDOMAIN.AU (DES cbc mode with CRC-32)
>    2 host/clusterpub@MYDOMAIN.AU (DES cbc mode with RSA-MD5)
>    2 host/clusterpub@MYDOMAIN.AU (ArcFour with HMAC/md5)
>    2 CLUSTERPUB$@MYDOMAIN.AU (DES cbc mode with CRC-32)
>    2 CLUSTERPUB$@MYDOMAIN.AU (DES cbc mode with RSA-MD5)
>    2 CLUSTERPUB$@MYDOMAIN.AU (ArcFour with HMAC/md5)

I think you are missing keys for cifs/fqdn@REALM

Simo.


--
Simo Sorce
Samba Team GPL Compliance Officer 
Principal Software Engineer at Red Hat, Inc. 

The information contained in this email and any attachments is privileged and 
confidential and is intended for use only by the addressee. Copying, 
distributing, or disclosing the information contained in this email and any 
attachments is prohibited unless expressly authorised by the sender. If you are 
not the intended recipient, and you have received this message in error - do 
not read, copy or distribute this email. If you have received this message in 
error, please delete all copies of this message from your system and notify the 
sender by return email. It is recommended that you scan this email and any 
attachments for viruses. Ipswich City Council does not accept liability for any 
loss or damage incurred directly or indirectly caused by opening this email 
and/or any attachments.

Re: [Samba] Problem Accessing Samba share from Windows workstation via DNS Round Robin

2012-01-22 Thread Peter Tan
Hi Simo,

Thanks again for your reply.

I'm not sure which keys are missing? Should there be an entry for "cifs"?

How do I add the missing key(s)?

Thanking you in advance.
Peter Tan


-Original Message-
From: simo [mailto:i...@samba.org] 
Sent: Monday, 23 January 2012 11:07 AM
To: Peter Tan
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problem Accessing Samba share from Windows workstation via 
DNS Round Robin

On Mon, 2012-01-23 at 09:58 +1000, Peter Tan wrote: 
> Hi Simo,
> 
> Thanks for your email. (It is good to get some reassurances I am on 
> the right track...:)
> 
> "My preferred one is to join the cluster to the domain with the public name 
> (clusterpub) in your case, and share the keytab between the 2 nodes. They are 
> logically a single server and need to share the same credentials."
> 
> This is how I have set it up (as per samba ctdb wiki documentation) using 
> "clusterpub" but it just refuses to let me map "\\clusterpub\share" on my 
> windows client. I can hit the individual node's share using IP: 
> \\10.101.4.16\share & \\10.101.4.17\share and these work fine (which is 
> really working as per your option two).
> 
> As given before, incredibly I am able to successfully connect to 
> \\clusterpub\share using smbclient from one of the linux nodes using my 
> Windows domain login. I am confident winbind is working ok. 
> 
> It looks like Kerberos is having a problem. When trying to map from windows I 
> get the following error in /var/log/messages (on the node that dns happens to 
> send me to): "krb5_rd_req failed (Key table entry not found)".
> 
> # klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 host/clusterpub.mydomain...@mydomain.au (DES cbc mode with CRC-32)
>    2 host/clusterpub.mydomain.au@MYDOMAIN.AU (DES cbc mode with RSA-MD5)
>    2 host/clusterpub.mydomain.au@MYDOMAIN.AU (ArcFour with HMAC/md5)
>    2 host/clusterpub@MYDOMAIN.AU (DES cbc mode with CRC-32)
>    2 host/clusterpub@MYDOMAIN.AU (DES cbc mode with RSA-MD5)
>    2 host/clusterpub@MYDOMAIN.AU (ArcFour with HMAC/md5)
>    2 CLUSTERPUB$@MYDOMAIN.AU (DES cbc mode with CRC-32)
>    2 CLUSTERPUB$@MYDOMAIN.AU (DES cbc mode with RSA-MD5)
>    2 CLUSTERPUB$@MYDOMAIN.AU (ArcFour with HMAC/md5)

I think you are missing keys for cifs/fqdn@REALM

Simo.


--
Simo Sorce
Samba Team GPL Compliance Officer 
Principal Software Engineer at Red Hat, Inc. 



Re: [Samba] Problem Accessing Samba share from Windows workstation via DNS Round Robin

2012-01-22 Thread simo
On Mon, 2012-01-23 at 09:58 +1000, Peter Tan wrote: 
> Hi Simo,
> 
> Thanks for your email. (It is good to get some reassurances I am on the right 
> track...:)
> 
> "My preferred one is to join the cluster to the domain with the public name 
> (clusterpub) in your case, and share the keytab between the 2 nodes. They are 
> logically a single server and need to share the same credentials."
> 
> This is how I have set it up (as per samba ctdb wiki documentation) using 
> "clusterpub" but it just refuses to let me map "\\clusterpub\share" on my 
> windows client. I can hit the individual node's share using IP: 
> \\10.101.4.16\share & \\10.101.4.17\share and these work fine (which is 
> really working as per your option two).
> 
> As given before, incredibly I am able to successfully connect to 
> \\clusterpub\share using smbclient from one of the linux nodes using my 
> Windows domain login. I am confident winbind is working ok. 
> 
> It looks like Kerberos is having a problem. When trying to map from windows I 
> get the following error in /var/log/messages (on the node that dns happens to 
> send me to): "krb5_rd_req failed (Key table entry not found)".
> 
> # klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 host/clusterpub.mydomain...@mydomain.au (DES cbc mode with CRC-32)
>    2 host/clusterpub.mydomain.au@MYDOMAIN.AU (DES cbc mode with RSA-MD5)
>    2 host/clusterpub.mydomain.au@MYDOMAIN.AU (ArcFour with HMAC/md5)
>    2 host/clusterpub@MYDOMAIN.AU (DES cbc mode with CRC-32)
>    2 host/clusterpub@MYDOMAIN.AU (DES cbc mode with RSA-MD5)
>    2 host/clusterpub@MYDOMAIN.AU (ArcFour with HMAC/md5)
>    2 CLUSTERPUB$@MYDOMAIN.AU (DES cbc mode with CRC-32)
>    2 CLUSTERPUB$@MYDOMAIN.AU (DES cbc mode with RSA-MD5)
>    2 CLUSTERPUB$@MYDOMAIN.AU (ArcFour with HMAC/md5)

I think you are missing keys for cifs/fqdn@REALM

Simo.


-- 
Simo Sorce
Samba Team GPL Compliance Officer 
Principal Software Engineer at Red Hat, Inc. 



Re: [Samba] Problem Accessing Samba share from Windows workstation via DNS Round Robin

2012-01-22 Thread Peter Tan
Hi Simo,

Thanks for your email. (It is good to get some reassurances I am on the right 
track...:)

"My preferred one is to join the cluster to the domain with the public name 
(clusterpub) in your case, and share the keytab between the 2 nodes. They are 
logically a single server and need to share the same credentials."

This is how I have set it up (as per samba ctdb wiki documentation) using 
"clusterpub" but it just refuses to let me map "\\clusterpub\share" on my 
windows client. I can hit the individual node's share using IP: 
\\10.101.4.16\share & \\10.101.4.17\share and these work fine (which is really 
working as per your option two).

As given before, incredibly I am able to successfully connect to 
\\clusterpub\share using smbclient from one of the linux nodes using my Windows 
domain login. I am confident winbind is working ok. 

It looks like Kerberos is having a problem. When trying to map from windows I 
get the following error in /var/log/messages (on the node that dns happens to 
send me to): "krb5_rd_req failed (Key table entry not found)".

# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/clusterpub.mydomain...@mydomain.au (DES cbc mode with CRC-32)
   2 host/clusterpub.mydomain.au@MYDOMAIN.AU (DES cbc mode with RSA-MD5)
   2 host/clusterpub.mydomain.au@MYDOMAIN.AU (ArcFour with HMAC/md5)
   2 host/clusterpub@MYDOMAIN.AU (DES cbc mode with CRC-32)
   2 host/clusterpub@MYDOMAIN.AU (DES cbc mode with RSA-MD5)
   2 host/clusterpub@MYDOMAIN.AU (ArcFour with HMAC/md5)
   2 CLUSTERPUB$@MYDOMAIN.AU (DES cbc mode with CRC-32)
   2 CLUSTERPUB$@MYDOMAIN.AU (DES cbc mode with RSA-MD5)
   2 CLUSTERPUB$@MYDOMAIN.AU (ArcFour with HMAC/md5)

Cheers,
Peter Tan

-Original Message-
From: simo [mailto:i...@samba.org] 
Sent: Monday, 23 January 2012 1:40 AM
To: Peter Tan
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problem Accessing Samba share from Windows workstation via 
DNS Round Robin

On Fri, 2012-01-20 at 16:38 +1000, Peter Tan wrote: 
> I have set up a 2 node linux cluster and wish to share a ocfs2 mount on san 
> storage. I have configured ctdb, samba and Kerberos and am able to map the 
> share on my windows workstation when I hit the ip of each of the two nodes.
> 
> I am able to mount this share via nfs on other linux servers ok.
> 
> However it does not appear to be authenticating when I try to map to the DNS 
> hostname that has been set up to round-robin across the two IPs - I keep 
> getting prompted for a login and password and I get the following in 
> /var/log/messages: "krb5_rd_req failed (Key table entry not found)"
> 
> Node 1: 10.101.4.16
> Node 2: 10.101.4.17
> DNS A Name: clusterpub 10.101.4.16
> DNS A Name: clusterpub 10.101.4.17
> 
> I have set the "netbios name = clusterpub" in smb.conf on both nodes
> 
> Interestingly, I am able to successfully connect to the "clusterpub" share 
> from one of the nodes via smbclient.
> 
> # smbclient //clusterpub/archive -U 
> Enter  password:
> Domain=[COUNCIL] OS=[Unix] Server=[Samba 3.5.4-0.83.el5]
> smb: \> dir
>   .                     D        0  Fri Jan 20 14:28:01 2012
>   ..                    D        0  Wed Jan 18 13:56:46 2012
>   hello-from-samba               0  Fri Jan 20 14:28:01 2012
> 
> 64000 blocks of size 16777216. 63805 blocks available
> smb: \>
> 
> What am I missing?

You have 2 ways to solve this issue.

My preferred one is to join the cluster to the domain with the public name 
(clusterpub) in your case, and share the keytab between the 2 nodes. They are 
logically a single server and need to share the same credentials.

Another way I like a lot less is to make sure you have PTR records set up so 
that they point to the respective private names, and join each node with these 
names. I like this less because it relies on reverse address resolution and 
kinda breaks the fact you are trying to present a single service to the clients.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer 
Principal Software Engineer at Red Hat, Inc. 


Re: [Samba] Problem Accessing Samba share from Windows workstation via DNS Round Robin

2012-01-22 Thread simo
Nico, you present so many questionable 'facts' as absolutes that I feel the
need to reply to your statements.

On Fri, 2012-01-20 at 08:40 -0500, Nico Kadel-Garcia wrote: 
> On Fri, Jan 20, 2012 at 1:38 AM, Peter Tan  wrote:
> > I have set up a 2 node linux cluster and wish to share a ocfs2 mount on san 
> > storage. I have configured ctdb, samba and Kerberos and am able to map the 
> > share on my windows workstation when I hit the ip of each of the two nodes.
> >
> > I am able to mount this share via nfs on other linux servers ok.
> >
> > However it does not appear to be authenticating when I try to map to the 
> > DNS hostname that has been set up to round-robin across the two IPs - I 
> > keep getting prompted for a login and password and I get the following in 
> > /var/log/messages: "krb5_rd_req failed (Key table entry not found)"
> 
> Nor should it. They're not the same machine, and Kerberos tickets for
> one are not going to be valid on the other.

Why shouldn't you present a _cluster_ as a single node ? That's exactly
what a cluster should look like to a client.

> and DNS "round robin" is always a crap shoot due to client DNS caching
> and ordering of returned entries, over which you have *no* control from
> the server side.

This really does not matter in a controlled environment. It is good
enough for the task at hand. What you say may make sense in uncontrolled
environments like the internet but not in a local one.

> NFS is an *entirely* different game. Once the mount is created,
> it's tied to the IP address, not the DNS entries, and remains that way
> unless detached and a new mount created. Autofs supports this sort of
> thing, but most NFS setups don't rely on Kerberos tickets or, in fact,
> any reliable authentication, especially the much simpler NFSv3 setups.
> Simple setups use the uid's and gid's reported by the client and
> assume that is enough. (It's really not for secure environments, which
> is why Kerberos works so hard to make sure you really are who you say
> you are, on both ends, and is incorporated into NFSv4 and integrated
> automatically into most modern CIFS setups.)
> 
> > Node 1: 10.101.4.16
> > Node 2: 10.101.4.17
> > DNS A Name: clusterpub 10.101.4.16
> > DNS A Name: clusterpub 10.101.4.17
> 
> This is not "round robin" unless your DNS server is prepared to
> re-arrange the response order for lookups of "clusterpub", and even
> then, clients can mess it up. It's duplicate A records: it's important
> to keep this straight.

Uninteresting details in this kind of setup, really.

> > I have set the "netbios name = clusterpub" in smb.conf on both nodes
> 
> But they're not the same host. Presenting them both as the same host
> is begging for confusion.

The point of a cluster is to present itself as a single node to clients,
I do not know what you are talking about here ...

> > Interestingly, I am able to successfully connect to the "clusterpub"
> share from one of the nodes via smbclient.

[...]

> That "round robin DNS" is not your friend, and never will be.

Oh come on, it works well enough.

> Also, smbclient is not the same as mounting a file system.

From the protocol point of view it is exactly the same, your point is ?

> You might consider giving different netbios names: duplicate A records
> are most usefully published *as well* as distinct hostnames, so you
> can gracefully select one or the other host, and reverse DNS compatible
> specific hostname to differentiate reverse DNS lookups between the two
> hosts.

You can *add* those for admin purposes, clients should not be pointed to
specific cluster names, although IP take over will help avoiding issues,
if you have different names kerberos won't work anymore unless you share
all keytabs for all names. It also means retiring a name becomes
impossible in the long run, and also rebalancing clients when you add a
node to scale more becomes a hard task.

You certainly do not want to make the setup more complicated than it
needs to be. And round robin with a shared keytab in the name of the public
DNS name is the easiest.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer 
Principal Software Engineer at Red Hat, Inc. 



Re: [Samba] Problem Accessing Samba share from Windows workstation via DNS Round Robin

2012-01-22 Thread simo
On Fri, 2012-01-20 at 16:38 +1000, Peter Tan wrote: 
> I have set up a 2 node linux cluster and wish to share a ocfs2 mount on san 
> storage. I have configured ctdb, samba and Kerberos and am able to map the 
> share on my windows workstation when I hit the ip of each of the two nodes.
> 
> I am able to mount this share via nfs on other linux servers ok.
> 
> However it does not appear to be authenticating when I try to map to the DNS 
> hostname that has been set up to round-robin across the two IPs - I keep 
> getting prompted for a login and password and I get the following in 
> /var/log/messages: "krb5_rd_req failed (Key table entry not found)"
> 
> Node 1: 10.101.4.16
> Node 2: 10.101.4.17
> DNS A Name: clusterpub 10.101.4.16
> DNS A Name: clusterpub 10.101.4.17
> 
> I have set the "netbios name = clusterpub" in smb.conf on both nodes
> 
> Interestingly, I am able to successfully connect to the "clusterpub" share 
> from one of the nodes via smbclient.
> 
> # smbclient //clusterpub/archive -U 
> Enter  password:
> Domain=[COUNCIL] OS=[Unix] Server=[Samba 3.5.4-0.83.el5]
> smb: \> dir
>   .                     D        0  Fri Jan 20 14:28:01 2012
>   ..                    D        0  Wed Jan 18 13:56:46 2012
>   hello-from-samba               0  Fri Jan 20 14:28:01 2012
> 
> 64000 blocks of size 16777216. 63805 blocks available
> smb: \>
> 
> What am I missing?

You have 2 ways to solve this issue.

My preferred one is to join the cluster to the domain with the public
name (clusterpub) in your case, and share the keytab between the 2
nodes. They are logically a single server and need to share the same
credentials.

Another way I like a lot less is to make sure you have PTR records set
up so that they point to the respective private names, and join each
node with these names. I like this less because it relies on reverse
address resolution and kinda breaks the fact you are trying to present a
single service to the clients.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer 
Principal Software Engineer at Red Hat, Inc. 

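Simo's advice in this message (join the cluster under its public name and share one keytab between the nodes) and Peter's later finding, earlier in the thread, that the cifs/ keys had to be added afterwards with `net ads keytab add cifs`, both come down to what is or is not in /etc/krb5.keytab on each node. The script below is an added example, not code from this thread or from the Samba project. It parses `klist -ke` output in the format shown in the thread, lists the host/ and cifs/ principals that are absent for the public name (the state behind "krb5_rd_req failed (Key table entry not found)"), flags single-DES keys, which goes slightly beyond the thread, and diffs two nodes' listings to confirm they really hold the same keys and KVNOs. The listings and the names clusterpub, mydomain.au and MYDOMAIN.AU are constructed to mirror the thread, not taken from a real system.

```python
"""Check a Samba/CTDB node's keytab for the SPNs a Windows client will ask for.

Added example, not code from the Samba list thread or the Samba project.
It parses `klist -ke` output, reports which service principals for the
cluster's public name are absent, and compares two nodes' listings to confirm
they share one keytab. All listings and names below are constructed.
"""
import re
from collections import defaultdict

# One entry line of `klist -ke`, e.g.
#    2 host/clusterpub.mydomain.au@MYDOMAIN.AU (ArcFour with HMAC/md5)
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((.+)\)\s*$")


def parse_klist(text):
    """Return {principal: {kvno: {enctype, ...}}} from `klist -ke` output."""
    keys = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if not m:
            continue  # "Keytab name:" header, column titles, rule, blanks
        kvno, name, realm, enctype = m.groups()
        keys[f"{name}@{realm}"][int(kvno)].add(enctype)
    return keys


def required_spns(public_name, dns_domain, realm, services=("host", "cifs")):
    """SPNs a domain-joined SMB server should hold for the name clients use.

    A Windows client mapping \\\\clusterpub\\share requests a ticket for
    cifs/<fqdn>; host/ covers the generic host service. Both the FQDN and
    the short form are listed because clients may present either.
    """
    fqdn = f"{public_name}.{dns_domain}"
    return [f"{svc}/{name}@{realm}"
            for svc in services for name in (fqdn, public_name)]


def missing_spns(keys, public_name, dns_domain, realm):
    """Required SPNs that have no key at all in the parsed keytab."""
    return [spn for spn in required_spns(public_name, dns_domain, realm)
            if spn not in keys]


def keytab_mismatch(keys_a, keys_b):
    """Principals whose presence or KVNO set differs between two nodes.

    Nodes presenting one name must share one keytab: a node holding a
    different KVNO for the same principal cannot decrypt tickets the KDC
    issued against the other node's key.
    """
    diffs = []
    for princ in sorted(set(keys_a) | set(keys_b)):
        kv_a = sorted(keys_a.get(princ, {}))
        kv_b = sorted(keys_b.get(princ, {}))
        if kv_a != kv_b:
            diffs.append((princ, kv_a, kv_b))
    return diffs


def des_keys(keys):
    """(principal, enctype) pairs using single DES, which current Kerberos
    implementations disable by default."""
    return sorted((princ, enc)
                  for princ, by_kvno in keys.items()
                  for encs in by_kvno.values()
                  for enc in encs if enc.startswith("DES "))


# Constructed listings mirroring the thread: node1 before the fix holds only
# host/ and machine-account keys; the "after" listing adds the cifs/ entries
# that `net ads keytab add cifs` creates; node2 was (wrongly) re-keyed on
# its own, so its cifs/ keys carry a different KVNO.
NODE1_BEFORE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/clusterpub.mydomain.au@MYDOMAIN.AU (DES cbc mode with CRC-32)
   2 host/clusterpub.mydomain.au@MYDOMAIN.AU (ArcFour with HMAC/md5)
   2 host/clusterpub@MYDOMAIN.AU (ArcFour with HMAC/md5)
   2 CLUSTERPUB$@MYDOMAIN.AU (ArcFour with HMAC/md5)
"""
NODE1_AFTER = NODE1_BEFORE + """\
   2 cifs/clusterpub.mydomain.au@MYDOMAIN.AU (ArcFour with HMAC/md5)
   2 cifs/clusterpub@MYDOMAIN.AU (ArcFour with HMAC/md5)
"""
NODE2 = NODE1_BEFORE + """\
   3 cifs/clusterpub.mydomain.au@MYDOMAIN.AU (ArcFour with HMAC/md5)
   3 cifs/clusterpub@MYDOMAIN.AU (ArcFour with HMAC/md5)
"""

if __name__ == "__main__":
    # Assumed names: public name "clusterpub", DNS domain "mydomain.au",
    # realm "MYDOMAIN.AU" (as in the thread).
    for label, text in (("node1 before", NODE1_BEFORE), ("node1 after", NODE1_AFTER)):
        keys = parse_klist(text)
        print(label, "missing:", missing_spns(keys, "clusterpub", "mydomain.au", "MYDOMAIN.AU"))
        print(label, "DES keys:", des_keys(keys))
    print("node1/node2 mismatch:",
          keytab_mismatch(parse_klist(NODE1_AFTER), parse_klist(NODE2)))
```

To use it on real nodes, feed each node's `klist -ke` output to `parse_klist` and pass the public name, DNS domain and realm the clients actually use. A non-empty `missing_spns` result explains a "Key table entry not found" on that node; a non-empty `keytab_mismatch` result means the nodes are not sharing one keytab, which is the state Simo's advice is meant to avoid.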


Re: [Samba] Problem Accessing Samba share from Windows workstation via DNS Round Robin

2012-01-21 Thread The Tango

Hi Nico,

Thanks for your reply.

However, my configuration is entirely based on the recommendations from
samba.org for setup of clustered file sharing using samba, ctdb, Kerberos,
wins (& ocfs2).

http://ctdb.samba.org/configuring.html &
http://wiki.samba.org/index.php/CTDB_Setup :

Quote: "Name resolution

You need to setup some method for your Windows and NFS clients to find the
nodes of the cluster, and automatically balance the load between the nodes.
We recommend that you use public ip addresses using
CTDB_PUBLIC_INTERFACE/CTDB_PUBLIC_ADDRESSES and that you setup a round-robin
DNS entry for your cluster, listing all the public IP addresses that CTDB
will be managing as a single DNS A record."

So as far as I can tell this is how it is supposed to work. 

Perhaps it is an issue with Kerberos?

Cheers

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Nico Kadel-Garcia
Sent: Friday, 20 January 2012 11:40 PM
To: Peter Tan
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problem Accessing Samba share from Windows workstation
via DNS Round Robin

On Fri, Jan 20, 2012 at 1:38 AM, Peter Tan  wrote:
> I have set up a 2 node linux cluster and wish to share a ocfs2 mount on
> san storage. I have configured ctdb, samba and Kerberos and am able to map
> the share on my windows workstation when I hit the ip of each of the two
> nodes.
>
> I am able to mount this share via nfs on other linux servers ok.
>
> However it does not appear to be authenticating when I try to map to the
> DNS hostname that has been set up to round-robin across the two IPs - I
> keep getting prompted for a login and password and I get the following in
> /var/log/messages: "krb5_rd_req failed (Key table entry not found)"

Nor should it. They're not the same machine, and Kerberos tickets for
one are not going to be valid on the other. And DNS "round robin" is
always a crap shoot due to client DNS caching and ordering of returned
entries, over which you have *no* control from the server side.

NFS is an *entirely* different game. Once the mount is created,
it's tied to the IP address, not the DNS entries, and remains that way
unless detached and a new mount created. Autofs supports this sort of
thing, but most NFS setups don't rely on Kerberos tickets or, in fact,
any reliable authentication, especially the much simpler NFSv3 setups.
Simple setups use the uid's and gid's reported by the client and
assume that is enough. (It's really not for secure environments, which
is why Kerberos works so hard to make sure you really are who you say
you are, on both ends, and is incorporated into NFSv4 and integrated
automatically into most modern CIFS setups.)

> Node 1: 10.101.4.16
> Node 2: 10.101.4.17
> DNS A Name: clusterpub 10.101.4.16
> DNS A Name: clusterpub 10.101.4.17

This is not "round robin" unless your DNS server is prepared to
re-arrange the response order for lookups of "clusterpub", and even
then, clients can mess it up. It's duplicate A records: it's important
to keep this straight.

> I have set the "netbios name = clusterpub" in smb.conf on both nodes

But they're not the same host. Presenting them both as the same host
is begging for confusion.

> Interestingly, I am able to successfully connect to the "clusterpub" share
> from one of the nodes via smbclient.
>
> # smbclient //clusterpub/archive -U 
> Enter  password:
> Domain=[COUNCIL] OS=[Unix] Server=[Samba 3.5.4-0.83.el5]
> smb: \> dir
>  .                     D        0  Fri Jan 20 14:28:01 2012
>  ..                    D        0  Wed Jan 18 13:56:46 2012
>  hello-from-samba               0  Fri Jan 20 14:28:01 2012
>
>                64000 blocks of size 16777216. 63805 blocks available
> smb: \>
>
> What am I missing?
>
> Peter Tan

That "round robin DNS" is not your friend, and never will be. Also,
smbclient is not the same as mounting a file system.

You might consider giving different netbios names: duplicate A records
are most usefully published *as well* as distinct hostnames, so you
can gracefully select one or the other host, and reverse DNS compatible
specific hostname to differentiate reverse DNS lookups between the two
hosts.


Re: [Samba] Problem Accessing Samba share from Windows workstation via DNS Round Robin

2012-01-20 Thread Nico Kadel-Garcia
On Fri, Jan 20, 2012 at 1:38 AM, Peter Tan  wrote:
> I have set up a 2 node linux cluster and wish to share a ocfs2 mount on san 
> storage. I have configured ctdb, samba and Kerberos and am able to map the 
> share on my windows workstation when I hit the ip of each of the two nodes.
>
> I am able to mount this share via nfs on other linux servers ok.
>
> However it does not appear to be authenticating when I try to map to the DNS 
> hostname that has been set up to round-robin across the two IPs - I keep 
> getting prompted for a login and password and I get the following in 
> /var/log/messages: "krb5_rd_req failed (Key table entry not found)"

Nor should it. They're not the same machine, and Kerberos tickets for
one are not going to be valid on the other. And DNS "round robin" is
always a crap shoot due to client DNS caching and ordering of returned
entries, over which you have *no* control from the server side.

NFS is an *entirely* different game. Once the mount is created,
it's tied to the IP address, not the DNS entries, and remains that way
unless detached and a new mount created. Autofs supports this sort of
thing, but most NFS setups don't rely on Kerberos tickets or, in fact,
any reliable authentication, especially the much simpler NFSv3 setups.
Simple setups use the uid's and gid's reported by the client and
assume that is enough. (It's really not for secure environments, which
is why Kerberos works so hard to make sure you really are who you say
you are, on both ends, and is incorporated into NFSv4 and integrated
automatically into most modern CIFS setups.)

> Node 1: 10.101.4.16
> Node 2: 10.101.4.17
> DNS A Name: clusterpub 10.101.4.16
> DNS A Name: clusterpub 10.101.4.17

This is not "round robin" unless your DNS server is prepared to
re-arrange the response order for lookups of "clusterpub", and even
then, clients can mess it up. It's duplicate A records: it's important
to keep this straight.

> I have set the "netbios name = clusterpub" in smb.conf on both nodes

But they're not the same host. Presenting them both as the same host
is begging for confusion.

> Interestingly, I am able to successfully connect to the "clusterpub" share 
> from one of the nodes via smbclient.
>
> # smbclient //clusterpub/archive -U 
> Enter  password:
> Domain=[COUNCIL] OS=[Unix] Server=[Samba 3.5.4-0.83.el5]
> smb: \> dir
>  .                     D        0  Fri Jan 20 14:28:01 2012
>  ..                    D        0  Wed Jan 18 13:56:46 2012
>  hello-from-samba               0  Fri Jan 20 14:28:01 2012
>
>                64000 blocks of size 16777216. 63805 blocks available
> smb: \>
>
> What am I missing?
>
> Peter Tan

That "round robin DNS" is not your friend, and never will be. Also,
smbclient is not the same as mounting a file system.

You might consider giving different netbios names: duplicate A records
are most usefully published *as well* as distinct hostnames, so you
can gracefully select one or the other host, and reverse DNS compatible
specific hostname to differentiate reverse DNS lookups between the two
hosts.