Yup, unfortunately rights granted using net sam/rpc and usrmgr are saved locally in a TDB file (account_policy); this should probably be in LDAP. I suppose it should be possible to rsync the TDB file.

On Wed, 5 Aug 2009 17:10:54 -0500, David Christensen <david.christen...@viveli.com> wrote:

> John Du wrote:
>> David Christensen wrote:
>>> Liutauras Adomaitis wrote:
>>>> On Tue, Aug 4, 2009 at 7:39 PM, David Christensen <david.christen...@viveli.com> wrote:
>>>>>
>>>>> With samba configured for high availability using heartbeat, I am not able to join new computers to the domain after a fail-over. If I fail back to the "main" samba instance I can join the computer to the domain.
>>>>>
>>>>> However, with samba in a fail-over state and running on the backup PDC, users can still authenticate and gain access to their shares.
>>>>>
>>>>> I have the two instances of samba configured nearly identically except for having them pointed to the instance of ldap that is running on the server itself (which is being replicated). Is there something else, some tdb file, etc., that needs to be shared between the two instances of samba so a fail-over appears identical to the ldap backend?
>>>>>
>>>>> Thanks.
>>>>
>>>> If you are running a PDC+BDC configuration with an LDAP backend with replication, then you must have master-to-master replication. In case of master-slave replication you cannot write to the slave while your master is not accessible. Usually the slave has a redirection to the master for write operations. The slave is read-only and that's why you can authenticate to the BDC, but cannot join new machines to the domain.
>>>> This may be your case.
>>>>
>>>> Liutauras
>>>
>>> Liutauras,
>>>
>>> I have ldap using master-master replication so writing to either ldap instance is no problem. In addition I have both instances of samba configured as PDCs (the smb.conf file is identical on both PDCs except for two things, the ldap each talks to and the host name of the PDC itself; not using the netbios parameter); however, only one of them is running at a time. The issue occurs when the 2nd PDC comes online. Based on the ldap logs, the query I am seeing from the 2nd PDC in a failed-over state is not the same query that the "primary" PDC does when I add a new computer successfully. I never see the lookup for the admin user who has the right to add a computer, along with other missing search strings.
>>>
>>> Is there some SID or some other serial number, etc., that the 2nd PDC is lacking that is causing this symptom? Why would a query from a near-identical instance of samba to the same ldap DB be so different?
>>
>> I had the same problem with samba 3.0.28 on rhel 4. I fixed my problem by issuing "net rpc grant .." commands on the backup PDC. I never understood why it behaved that way but those commands worked for me. I thought those rights were in the LDAP database but it seemed that those rights are stored on the individual servers somehow.
>
> John,
>
> Not familiar with net rpc grant, where is that invoked or added?
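The thread ends with the explanation that the privileges granted with net rpc rights (the "net rpc grant" John Du refers to is taken here to mean `net rpc rights grant`) live in each server's local account_policy TDB rather than in LDAP, so two PDCs that share an LDAP backend can still disagree about who may join machines. The script below is an added example, not code from the thread or from the Samba project: it takes the text that `net rpc rights list accounts` prints on each host (captured to a file beforehand), normalises it to one account/privilege pair per line and reports any assignment present on only one side, so drift can be caught before a fail-over rather than discovered when a domain join fails. The two captures embedded in the script are constructed sample text in the assumed output layout of that command (account name, one privilege per line, "No privileges assigned" for empty accounts, blank line between accounts); the domain name EXAMPLE is a placeholder.

```shell
#!/bin/sh
# Added example: detect privilege drift between two Samba 3 domain controllers
# by comparing captured `net rpc rights list accounts` output.  Not Samba code.

# normalize_rights FILE: print "ACCOUNT<TAB>PRIVILEGE" per assignment, sorted.
# The input layout (account line, privilege lines, blank separator) is assumed.
normalize_rights() {
    awk '
        /^[ \t]*$/ { acct = ""; next }          # blank line ends an account block
        acct == "" { acct = $0; next }          # first line of a block names the account
        $0 == "No privileges assigned" { next } # nothing to record for this account
        { print acct "\t" $0 }
    ' "$1" | sort
}

# rights_drift FILE_A FILE_B: print assignments that exist on only one host.
# Returns 0 when both hosts agree, 1 when they differ.
rights_drift() {
    drift_a=$(mktemp); drift_b=$(mktemp)
    normalize_rights "$1" > "$drift_a"
    normalize_rights "$2" > "$drift_b"
    only_a=$(comm -23 "$drift_a" "$drift_b")   # lines unique to FILE_A
    only_b=$(comm -13 "$drift_a" "$drift_b")   # lines unique to FILE_B
    rm -f "$drift_a" "$drift_b"
    [ -z "$only_a" ] && [ -z "$only_b" ] && return 0
    [ -n "$only_a" ] && printf 'only on %s:\n%s\n' "$1" "$only_a"
    [ -n "$only_b" ] && printf 'only on %s:\n%s\n' "$2" "$only_b"
    return 1
}

# Constructed sample captures (placeholder domain EXAMPLE, not real hosts).
# PDC1 is the "main" instance; PDC2 is the backup that never had the rights
# granted, which is the situation the thread describes.
PDC1_RIGHTS=$(mktemp); PDC2_RIGHTS=$(mktemp)
trap 'rm -f "$PDC1_RIGHTS" "$PDC2_RIGHTS"' EXIT

cat > "$PDC1_RIGHTS" <<'EOF'
BUILTIN\Print Operators
No privileges assigned

EXAMPLE\Domain Admins
SeMachineAccountPrivilege
SeAddUsersPrivilege
SePrintOperatorPrivilege

EOF

cat > "$PDC2_RIGHTS" <<'EOF'
BUILTIN\Print Operators
No privileges assigned

EXAMPLE\Domain Admins
SeAddUsersPrivilege
SePrintOperatorPrivilege

EOF

# Stand-alone run: report whether the two captures agree.
if rights_drift "$PDC1_RIGHTS" "$PDC2_RIGHTS"; then
    echo "privilege assignments match on both controllers"
else
    echo "privilege drift detected; grant the missing rights on the lagging host with 'net rpc rights grant'" >&2
fi
```

In practice the two input files would come from `net rpc rights list accounts` run against each controller; the script only reads text, so it can run from a monitoring host with no Samba installed. Because the privileges are a local TDB and not part of the LDAP replica, a check like this (or a periodic copy of the TDB as the first reply suggests) is the only way to confirm the backup will behave like the primary after heartbeat fails over.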