I'm using Samba 3.0.4, and I can't seem to get passdb backend = ldapsam:"ldaps://master.ldap ldaps://slave.ldap" to work. What version of Samba are you running? If I use either one on its own, it works fine. So instead of having two servers I would just have ldapsam:"ldaps://slave.ldap". Any ideas?

Jason

Michael Gasch wrote:
> Isn't the slave ldap directory supposed to be read only?
If it's read-only, slurpd can't update the slave (I've tested it; possibly I missed something?)


The problem is: machines regularly change their passwords, and if these changes are not done on the master they're lost; when the master comes back -> clients can't log on anymore, and so on....

> I'm having some troubles
> getting the failover to work
What problems are you talking about?

These are my config files (/etc/ldap.conf for all machines not included, but also very important in case of fail-over):

##### Samba PDC #####
# smb.conf

[global]

   workgroup = NEVAN
   netbios name = nevanpdc
   server string = NevanPDC on Samba Version: %v

   username map = /etc/samba/username.map

   log level = 5
   log file = /var/lib/samba/log.%m
   max log size = 10000

   # first URI is tried first, the second only if the first is unreachable;
   # note: the trailing ';' is not part of the documented syntax of this parameter
   passdb backend = ldapsam:"ldap://localhost:389 ldap://nevanbdc.eva.mpg.de:389";
   ldap passwd sync = yes
   ldap suffix = dc=eva,dc=mpg,dc=de
   ldap admin dn = cn=manager,dc=eva,dc=mpg,dc=de
   ldap machine suffix = ou=machines
   ldap user suffix = ou=users
   ldap group suffix = ou=groups
   ldap replication sleep = 2000
   ldap idmap suffix = ou=users


   guest ok = no
   guest account = Guest

   security = user
   local master = yes
   os level = 65
   domain master = yes
   domain logons = yes

   logon path =
   logon home =

   encrypt passwords = yes
   socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY

   wins support = yes
   dns proxy = no

   display charset = UTF8
   unix charset = UTF8

[netlogon]
   comment = Network Logon Service
   path = /var/lib/samba/netlogon
   guest ok = yes
   writable = no
   share modes = no


# slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/samba.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        7

database        ldbm
suffix          "dc=eva,dc=mpg,dc=de"
rootdn          "cn=manager,dc=eva,dc=mpg,dc=de"

password-hash   {MD5}
rootpw          {MD5}++++++++++++++++++++++++

replogfile /var/lib/ldap/replog

replica host=nevanbdc.eva.mpg.de:389
    binddn=cn=manager,dc=eva,dc=mpg,dc=de
    bindmethod=simple credentials="+++++++++"

directory       /var/lib/ldap
index   objectClass             eq
index   sambaSID                eq
index   uid                     eq
index   sambaPrimaryGroupSID    eq

lastmod         on

# only userPassword is restricted; sambaLMPassword and sambaNTPassword
# fall under the catch-all rule below and are readable by any client,
# including anonymous binds
access to attrs=userPassword
       by self write
       by * auth

access to *
       by * read



##### Samba BDC #####
# smb.conf

[global]

   workgroup = NEVAN
   netbios name = nevanbdc
   server string = NevanBDC on Samba Version: %v

   username map = /etc/samba/username.map

   log level = 5
   log file = /var/lib/samba/log.%m
   max log size = 10000

   # the BDC prefers the PDC's (master) directory and falls back to its local slave;
   # note: the trailing ';' is not part of the documented syntax of this parameter
   passdb backend = ldapsam:"ldap://nevanpdc.eva.mpg.de:389 ldap://localhost:389";
   ldap passwd sync = yes
   ldap suffix = dc=eva,dc=mpg,dc=de
   ldap admin dn = cn=manager,dc=eva,dc=mpg,dc=de
   ldap machine suffix = ou=machines
   ldap user suffix = ou=users
   ldap group suffix = ou=groups
   ldap replication sleep = 2000
   ldap idmap suffix = ou=users


   guest ok = no
   guest account = Guest

   security = user
   local master = yes
   os level = 65
   domain master = no
   domain logons = yes

   logon path =
   logon home =

   encrypt passwords = yes
   socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY

   wins support = yes
   dns proxy = no

   display charset = UTF8
   unix charset = UTF8

[netlogon]
   comment = Network Logon Service
   path = /var/lib/samba/netlogon
   guest ok = yes
   writable = no
   share modes = no


# slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/samba.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        2

database        ldbm
suffix          "dc=eva,dc=mpg,dc=de"
rootdn          "cn=manager,dc=eva,dc=mpg,dc=de"

password-hash   {MD5}
rootpw          {MD5}++++++++++++++++++++++++

# updatedn is the same DN Samba binds with (ldap admin dn), so Samba's writes
# are accepted here as replication updates instead of being referred to updateref
updatedn "cn=manager,dc=eva,dc=mpg,dc=de"
updateref "nevanpdc.eva.mpg.de"

directory       /var/lib/ldap
index   objectClass             eq
index   sambaSID                eq
index   uid                     eq
index   sambaPrimaryGroupSID    eq

lastmod         on

# same ACL as on the master: sambaLMPassword and sambaNTPassword are not
# covered by the first rule and are readable by any client, anonymous included
access to attrs=userPassword
       by self write
       by * auth

access to *
       by * read


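Two things in the slave slapd.conf above are worth checking before relying on it for failover: the slave's updatedn is the very DN Samba binds with, so the slave applies Samba's writes locally instead of referring them to the master, and the ACLs leave the sambaLMPassword/sambaNTPassword hashes world-readable. The fragment below is an added example, not the poster's configuration: it gives slurpd its own replication identity and restricts the hash attributes. The cn=replicator DN, its credentials and the ldaps:// URL are assumptions for illustration.

```conf
##### master slapd.conf (added example, not the original poster's file) #####
# slurpd binds to the slave as a dedicated DN (assumed name), not as the
# directory manager; that DN must exist in both directories with a userPassword,
# so load it on the slave with slapcat/slapadd before starting replication.
replogfile /var/lib/ldap/replog

replica uri=ldaps://nevanbdc.eva.mpg.de
    binddn="cn=replicator,dc=eva,dc=mpg,dc=de"
    bindmethod=simple credentials="+++++++++"

# Samba's NT/LM hashes are password equivalents: only the admin DN Samba binds
# with and the replicator may write them, nobody else may even read them.
access to attrs=userPassword
       by self write
       by * auth

access to attrs=sambaLMPassword,sambaNTPassword
       by dn="cn=manager,dc=eva,dc=mpg,dc=de" write
       by dn="cn=replicator,dc=eva,dc=mpg,dc=de" write
       by * none

access to *
       by * read

##### slave slapd.conf (added example, not the original poster's file) #####
# The replicator, not cn=manager, is the updatedn. Samba keeps binding as
# cn=manager, which is no longer the updatedn, so its updates get a referral to
# updateref and are chased to the master; while the master is down the write
# fails instead of silently landing only in the replica.
updatedn  "cn=replicator,dc=eva,dc=mpg,dc=de"
updateref "ldap://nevanpdc.eva.mpg.de:389"

access to attrs=userPassword
       by dn="cn=replicator,dc=eva,dc=mpg,dc=de" write
       by self write
       by * auth

access to attrs=sambaLMPassword,sambaNTPassword
       by dn="cn=replicator,dc=eva,dc=mpg,dc=de" write
       by dn="cn=manager,dc=eva,dc=mpg,dc=de" read
       by * none

access to *
       by dn="cn=replicator,dc=eva,dc=mpg,dc=de" write
       by * read
```

With this split, a password or machine-account change attempted while the master is down fails loudly rather than producing the master/slave inconsistency described above, and a client that can bind anonymously can no longer pull the NT hashes and use them directly. Verify the ACL after restarting slapd with an anonymous search for sambaNTPassword against each server; it should return the entries without that attribute.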

Jason C. Waters schrieb:

Isn't the slave ldap directory supposed to be read only? So when the master is down the users can't change their passwords, but everything else should work. What do your smb.conf and slapd.conf files look like for the master and the slave? I'm having some troubles getting the failover to work, so I wouldn't mind a peek. Thanks

Jason

Michael Gasch wrote:

hi

I'm looking for hints/experiences concerning Samba v3, OpenLDAP AND redundancy

my setup is:

Samba PDC with LDAP Master
Samba BDC with LDAP Slave
Samba Member Server, contacting first PDC, then BDC if the first fails

If all instances are working properly, everything is okay;
replication is also fine (from Master -> Slave).

and now imagine:

LDAP Master dies
all smbd are contacting the LDAP Slave and make their changes in the Slave directory
because replication only works from Master -> Slave, if the Master comes up again I have inconsistency in my LDAP backends
e.g. a machine changes its machine password in the Slave directory and can't log on anymore because the password change isn't replicated to the Master


We also tried to set up slurpd (LDAP replication) on both LDAP servers: if both are up, everything is okay; if one is down, changes are made in one directory and Samba tells me it fails (e.g. changing passwords), although it changes the attributes and so on....

So the problem is: if the Slave dies, everything should go on working, because PDC/BDC use the LDAP Master first;
if the Slave comes up, replication is done properly.


But if the Master dies, I get an inconsistent domain.

How do you get redundancy in your LDAP backend?
PDC/BDC redundancy works well; the single point of failure is LDAP.

thx





--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
