
[Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???
Michael Gasch

2004-06-20, 11:54 pm

hi

i'm looking for hints/experiences concerning samba v3, openldap AND
redundancy

my setup is:

Samba PDC with LDAP Master
Samba BDC with LDAP Slave
Samba Member Server, contacting first PDC, then BDC if the first fails

if all instances are working properly, everything is okay
replication is also fine (from Master -> Slave)

and now imagine:

LDAP Master dies
all smbd are contacting LDAP Slave and make their changes in the Slave
directory
because replication only works from Master->Slave, if Master comes up
again, i have inconsistency in my LDAP Backends
e.g. a machine changes its machine password in the Slave directory and can't
logon anymore because the password change isn't replicated on Master

we also tried to setup slurpd (LDAP replication) on both LDAP Servers -
if both are up, everything is okay, if one is down, changes are made in
one directory, samba tells me it fails (e.g. changing passwords),
although it changes the attributes and so on....

so the problem is: if Slave dies, everything should go on working,
because PDC/BDC use at first LDAP Master
if slave comes up, replication is done properly

but if Master dies, i get an inconsistent domain

how do you get redundancy in your LDAP backend?
PDC/BDC redundancy works well, the single-point-of-failure is LDAP

thx
--


"Matrix - more than a vision"

**************************************************
Michael Gasch

- Central IT Department -

Max Planck Institute for Evolutionary Anthropology
Deutscher Platz 6
04103 Leipzig

Germany
**************************************************

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
Jason C. Waters

2004-06-20, 11:54 pm

Isn't the slave ldap directory supposed to be read only? So when
the master is down the users can't change their passwords, but
everything else should work. What do your smb.conf and slapd.conf files
look like for the master and the slave? I'm having some troubles
getting the failover to work, so I wouldn't mind a peek. Thanks

Jason

Michael Gasch

2004-06-20, 11:54 pm

> Isn't the slave ldap directory suppose to be only read only?
if it's readonly, slurpd can't update the slave (i've tested it,
possibly i missed something ?)

the problem is: machines regularly change their passwords and if these
changes are not done on the master, they're lost; if master comes back
-> clients can't logon anymore and so on....

>I'm having some troubles
> getting the failover to work

what problems are you talking about?

these are my config files (/etc/ldap.conf for all machines not included
but also very important in case of fail-over)

##### Samba PDC #####
# smb.conf

[global]

workgroup = NEVAN
netbios name = nevanpdc
server string = NevanPDC on Samba Version: %v

username map = /etc/samba/username.map

log level = 5
log file = /var/lib/samba/log.%m
max log size = 10000

passdb backend = ldapsam:"ldap://localhost:389 ldap://nevanbdc.eva.mpg.de:389"
ldap passwd sync = yes
ldap suffix = dc=eva,dc=mpg,dc=de
ldap admin dn = cn=manager,dc=eva,dc=mpg,dc=de
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap replication sleep = 2000
ldap idmap suffix = ou=users

guest ok = no
guest account = Guest

security = user
local master = yes
os level = 65
domain master = yes
domain logons = yes

logon path =
logon home =

encrypt passwords = yes
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY

wins support = yes
dns proxy = no

display charset = UTF8
unix charset = UTF8

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no


# slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 7

database ldbm
suffix "dc=eva,dc=mpg,dc=de"
rootdn "cn=manager,dc=eva,dc=mpg,dc=de"

password-hash {MD5}
rootpw {MD5}++++++++++++++++++++++++

replogfile /var/lib/ldap/replog

replica host=nevanbdc.eva.mpg.de:389
        binddn=cn=manager,dc=eva,dc=mpg,dc=de
        bindmethod=simple credentials="+++++++++"

directory /var/lib/ldap
index objectClass eq
index sambaSID eq
index uid eq
index sambaPrimaryGroupSID eq

lastmod on

access to attrs=userPassword
        by self write
        by * auth

access to *
        by * read



##### Samba BDC #####
# smb.conf

[global]

workgroup = NEVAN
netbios name = nevanbdc
server string = NevanBDC on Samba Version: %v

username map = /etc/samba/username.map

log level = 5
log file = /var/lib/samba/log.%m
max log size = 10000

passdb backend = ldapsam:"ldap://nevanpdc.eva.mpg.de:389 ldap://localhost:389"
ldap passwd sync = yes
ldap suffix = dc=eva,dc=mpg,dc=de
ldap admin dn = cn=manager,dc=eva,dc=mpg,dc=de
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap replication sleep = 2000
ldap idmap suffix = ou=users

guest ok = no
guest account = Guest

security = user
local master = yes
os level = 65
domain master = no
domain logons = yes

logon path =
logon home =

encrypt passwords = yes
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY

wins support = yes
dns proxy = no

display charset = UTF8
unix charset = UTF8

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no


# slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 2

database ldbm
suffix "dc=eva,dc=mpg,dc=de"
rootdn "cn=manager,dc=eva,dc=mpg,dc=de"

password-hash {MD5}
rootpw {MD5}++++++++++++++++++++++++

updatedn "cn=manager,dc=eva,dc=mpg,dc=de"
updateref "nevanpdc.eva.mpg.de"

directory /var/lib/ldap
index objectClass eq
index sambaSID eq
index uid eq
index sambaPrimaryGroupSID eq

lastmod on

access to attrs=userPassword
        by self write
        by * auth

access to *
        by * read



McKeever Chris

2004-06-20, 11:54 pm



On Fri, 18 Jun 2004 15:38, Michael Gasch <gasch@eva.mpg.de> sent:

>if it's readonly, slurpd can't update the slave (i've tested it,
>possibly i missed something ?)
>
>the problem is: machines regularly change their passwords and if these
>changes are not done on the master, they're lost, if master comes back
>-> clients can't logon anymore and so on....



maybe I am missing something here - but why does your master ldap fail so often? I agree with the other poster, the slave LDAPS should be
(and I would almost move to _need_ to be) read only .. I am also curious as to why you have a samba server contacting either the PDC/BDC
ldap servers when it could just be running a replicated LDAP DB itself...which is how all the docs say to do it - maybe this is something new with
3.xx - not sure, but it always seemed more logical to have all your samba boxes be their own DC in terms of login/user information

If your master does fail - and I mean dead, need to rebuild, etc..I would make one of the slaves the write/master, get the original MASTER
back on line, but not in production until you can do a slapcat of the LDAP to it, change everything back to what it needs to be, and have
your system running again....

but like I said, maybe I am missing something
-------------------------------------------
Chris McKeever
If you want to reply directly to me, please use cgmckeever--at--prupref.com
Prudential Chicago Real Estate: http://www.prupref.com

---- Prudential Preferred Properties www.prupref.com
Success Driven By Results
   Results Driven By Commitment
      Commitment Driven By Integrity
         We Are Prudential Preferred Properties
Michael Gasch

2004-06-20, 11:54 pm


> maybe I am missing something here - but why does your master ldap fail so often?

it doesn't - i'm just building the worst case scenario =)

>I agree with the other poster, the slave LDAPS should be
> (and I would almost move to _need_ to be) read only ..

and now tell me please how the master can replicate its LDAP tree to the
slave to get a 1:1 copy and a backup of my LDAP tree, if it's readonly
?!?!?!

>I am also curious as to why you have a samba server contacting either the PDC/BDC
> ldap servers when it could just be running a replicated LDAP DB itself...which is how all the docs say to do it - maybe this is something new with
> 3.xx - not sure, but it alwyas seemed more logical to have all your samba boxes be thier own DC in terms of login/user information

if each smbd has its own ldap instance running (DMs too), i have to
ensure that all LDAP instances have the same information
as long as i can't solve the replication problem (MASTER=dead, changes are
made to SLAVE, MASTER comes back => inconsistency in LDAP trees) in case
the MASTER dies and information has to be written to one of the
SLAVEs, i won't give each smbd its own passdb backend

it's my plan to have one PDC, one BDC, x DMs and one LDAP instance on
both DCs

> If your master does fail - and I mean dead, need to rebuild, etc..I would make one of the slaves the write/master get the original MASTER
> back on line, but not in production until you can do a slapcat of the LDAP to it, change the everything back to what it needs to be, and have
> your system running again....

this is my temporary solution


bye
Jason C. Waters

2004-06-20, 11:54 pm

I'm using Samba 3.0.4, and I can't seem to get passdb backend =
ldapsam:"ldaps://master.ldap ldaps://slave.ldap" to work. What version
of samba are you running? If I use either one, it works fine. So
instead of having two servers I would just have
ldapsam:"ldaps://slave.ldap". Any ideas?

Jason

Buchan Milne

2004-06-20, 11:54 pm


| hi
|
| i'm looking for hints/experiences concerning samba v3, openldap AND
| redundancy
|
| my setup is:
|
| Samba PDC with LDAP Master
| Samba BDC with LDAP Slave
| Samba Member Server, contacting first PDC, then BDC if the first fails
|
| if all instances are working properly, everything is okay
| replication is also fine (from Master -> Slave)
|
| and now imagine:
|
| LDAP Master dies
| all smbd are contacting LDAP Slave and make their changes in the Slave
| directory

They won't be making changes, since you can't make changes against a
slave. The slave will return an error and a referral to the master
(which is down), so your changes will fail, but existing accounts will work.

| cause replication only works from Master->Slave, if Master comes up
| again, i have inconsistency in my LDAP Backends

No you don't, unless your slave is misconfigured.

| e.g. a machine changes its machine password in Slave directory and
| can't logon anymore cause the password change isn't replicated on Master
|

Its password change attempt will fail.

| we also tried to setup slurpd (LDAP replication) on both LDAP Servers
| - if both are up, everything is okay, if one is down, changes are made
| in one directory, samba tells me it fails (e.g. changing passwords),
| although it changes the attributes and so on....
|

Your configuration is broken.

| so the problem is: if Slave dies, everything should go on working,
| because PDC/BDC use at first LDAP Master
| if slave comes up, replication is done properly
|
| but if Master dies, i get an inconsistent domain
|

You have a serious problem if your slave is accepting changes.

| how do you get redundancy in your LDAP backend?
| PDC/BDC redundancy works well, the single-point-of-failure is LDAP

Only if you've mis-configured it.

Note that these questions don't really have anything to do with samba,
you may want to ask on the openldap list.

Do you *really* need such a waste-of-bandwidth sig?

|
| "Matrix - more than a vision"
|
| **************************************************
| Michael Gasch
|
| - Central IT Department -
|
| Max Planck Institute for Evolutionary Anthropology
| Deutscher Platz 6
| 04103 Leipzig
|
| Germany
| **************************************************
|
|

Regards,
Buchan

--
Buchan Milne Senior Support Technician
Obsidian Systems http://www.obsidian.co.za
B.Eng RHCE (803004789010797)
José Ildefonso Camargo Tolosa

2004-06-20, 11:54 pm

Ok, let me see If I can help here:

Let me see: your clients are updating data on the slave ldap server?
Ok, you should not allow that (unless you try the "experimental"
multi-master replication code, which can fail).

You should use other ldap user, like this:

cn=adminmaster,dc=cosa,dc=int

which has write permissions on the master, but read-only access on slaves
(by using different access statements in the master and the slave). I
use something like this in the master:

access to *
        by dn="cn=ldapadmin,dc=merkurio,dc=int" write
        by * read

And the updatedn would be the rootdn of the slave (so, it has write
access to the slave).

Ok, hope this can help,

Sincerely,

Ildefonso Camargo
icamargo@merkurio.com.ve

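Added check, not code from the thread nor from Samba or OpenLDAP: a small Python audit of a BDC's smb.conf together with its slave slapd.conf that flags the misconfiguration the replies point at, Samba binding to the slave with the very DN that is the slave's updatedn (and rootdn), so the slave applies Samba's writes locally instead of referring them to the master, and also flags `readonly on` (which the thread found stops slurpd) and a missing updateref. The embedded configs are constructed samples with placeholder hosts and DNs; the fixed variant follows the suggestion above of a dedicated Samba DN with the slave's rootdn as updatedn.

```python
import re

# Constructed sample configs modelled on the BDC/slave side of the thread's setup;
# host names and DNs are placeholders, not the poster's real values.
BROKEN_SMB_CONF = """\
[global]
    workgroup = NEVAN
    passdb backend = ldapsam:"ldap://pdc.example.test:389 ldap://localhost:389"
    ldap admin dn = cn=manager,dc=example,dc=test
    ldap suffix = dc=example,dc=test
"""

# Samba binds as cn=manager, which is both rootdn and updatedn of this slave:
# the slave therefore accepts Samba's writes locally instead of referring them.
BROKEN_SLAVE_SLAPD_CONF = """\
database ldbm
suffix "dc=example,dc=test"
rootdn "cn=manager,dc=example,dc=test"
updatedn "cn=manager,dc=example,dc=test"
updateref "ldap://pdc.example.test"
access to attrs=userPassword
    by self write
    by * auth
access to *
    by * read
"""

# Fixed variant: Samba uses a dedicated DN that only reads on the slave, while
# slurpd keeps pushing master changes as the slave's rootdn (= updatedn).
FIXED_SMB_CONF = BROKEN_SMB_CONF.replace("cn=manager", "cn=sambaadmin")
FIXED_SLAVE_SLAPD_CONF = BROKEN_SLAVE_SLAPD_CONF.replace("cn=manager", "cn=replica")


def _norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: drop quotes, whitespace around commas, case."""
    parts = dn.strip().strip('"').split(",")
    return ",".join(p.strip() for p in parts).lower()


def smb_global(text: str, key: str):
    """First value of an smb.conf parameter, or None (case-insensitive key)."""
    pat = r"^[ \t]*" + re.escape(key) + r"[ \t]*=[ \t]*(.*?)[ \t]*$"
    m = re.search(pat, text, re.M | re.I)
    return m.group(1) if m else None


def slapd_directive(text: str, name: str):
    """First argument string of a slapd.conf directive, or None; quotes dropped."""
    pat = r"^[ \t]*" + re.escape(name) + r"[ \t]+(.*?)[ \t]*$"
    m = re.search(pat, text, re.M | re.I)
    return m.group(1).strip('"') if m else None


def audit_slave(smb_conf: str, slapd_conf: str) -> dict:
    """Return {finding-code: explanation} for a BDC's smb.conf plus its slave slapd.conf."""
    findings = {}
    admin = smb_global(smb_conf, "ldap admin dn")
    rootdn = slapd_directive(slapd_conf, "rootdn")
    updatedn = slapd_directive(slapd_conf, "updatedn")
    updateref = slapd_directive(slapd_conf, "updateref")
    readonly = slapd_directive(slapd_conf, "readonly")

    if admin and updatedn and _norm_dn(admin) == _norm_dn(updatedn):
        findings["samba-binds-as-updatedn"] = (
            "ldap admin dn equals the slave's updatedn: slapd treats Samba like slurpd "
            "and applies its writes locally, which the master never sees")
    if admin and rootdn and _norm_dn(admin) == _norm_dn(rootdn):
        findings["samba-binds-as-rootdn"] = (
            "ldap admin dn equals the slave's rootdn: rootdn bypasses every ACL; "
            "give Samba its own DN that is read-only on slaves")
    if updatedn and not updateref:
        findings["missing-updateref"] = (
            "updatedn set without updateref: rejected writes carry no referral to the master")
    if readonly and readonly.lower() == "on":
        findings["readonly-blocks-slurpd"] = (
            "'readonly on' refuses all writes, including the updatedn's, so slurpd "
            "replication stops; restrict clients through updatedn and ACLs instead")
    return findings


if __name__ == "__main__":
    for label, smb, slapd in (("broken", BROKEN_SMB_CONF, BROKEN_SLAVE_SLAPD_CONF),
                              ("fixed", FIXED_SMB_CONF, FIXED_SLAVE_SLAPD_CONF)):
        print(label, audit_slave(smb, slapd) or "no findings")
```

Point it at a real BDC's files by reading them into the two strings; with the fixed pairing the slave still replicates from the master, while Samba's own writes on the slave get the referral Buchan describes instead of silently diverging.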
Michael Gasch

2004-06-26, 12:30 pm

Hi there & big thanks for your response

i studied some information and i'm still confused (a little bit)

> <http://www.openldap.org/doc/admin22/replication.html>

okay, nowhere in this doc do they tell me to set the slave to readonly
if i even try, slurpd on master fails to replicate data to the slave

the second problem is: ldap slave sends referrals to the clients pointing
them to ldap master
if ldap master is dead, no changes can be made
okay, some people in this list tell me that's okay, but if no changes
can be made if master is dead, i don't really need a backup/slave
(ldap) server, because there's still some work to do to get the team
"ldap+samba" working again

it's no failover solution in case of an emergency when no admin is around

From bgmilne@obsidian.co.za:
> They won't be making changes, since you can't make changes against a
> slave. The slave will return an error and a referral to the master
> (which is down), so your changes will fail, but existing accounts will
> work.

but what about machine passwords? what if the windows machine tries to
change its machine password and master is dead?
is the password changed locally on the workstation or is the change
scheduled (for another try)?

if the smbd on the BDC tries to contact its ldap server (=ldap slave)
will it also be referred (by referrals) to the master?

thanks
greez

Thomas Reiß

2004-06-26, 12:31 pm

Hello Buchan Milne,

[..]

> No you don't, unless your slave is misconfigured.
>
> | e.g. a machine changes its machine password in Slave directory and
> can't logon anymore cause the password change isn't replicated on Master
> |
>
> It's password change attempt will fail.


[...]

>
> Only if you've mis-configured it.
>
> Note that these questions don't really have anything to do with samba,
> you may want to ask on the openldap list.


Sorry if I ask too, but I think this is on topic on this list.

The question is:
What happens in Samba when the master LDAP server is down and a change
request for the workstation machine account password comes in?

- Is it possible that a user can't log on to this workstation?
- Or does the workstation fall out of the domain
(no longer a member of the domain)?
- If nothing happens, why is there a mechanism for changing machine
passwords (security, or what else)?
- If I understand correctly, then in this scenario no changes of
passwords, LastLogonTime etc. are possible, right?

Thank You
Thomas




Andrew Bartlett

2004-06-30, 3:18 am

Andrew Bartlett

2004-06-30, 7:48 am

Copyright 2003 - 2010 webservertalk.com