Jason
Michael Gasch wrote:
> Isn't the slave ldap directory suppose to be only read only?
if it's readonly, slurpd can't update the slave (i've tested it, possibly i missed something ?)
the problem is: machines regularly change their passwords and if these changes are not done on the master, they're lost, if master comes back -> clients can't logon anymore and so on....
>I'm having some troubles > getting the failover to work what problems are you talking about?
these are my config files (/etc/ldap.conf for all machines not included but also very important in case of fail-over)
##### Samba PDC ##### # smb.conf
[global]
workgroup = NEVAN netbios name = nevanpdc server string = NevanPDC on Samba Version: %v
username map = /etc/samba/username.map
log level = 5 log file = /var/lib/samba/log.%m max log size = 10000
passdb backend = ldapsam:"ldap://localhost:389 ldap://nevanbdc.eva.mpg.de:389";
ldap passwd sync = yes
ldap suffix = dc=eva,dc=mpg,dc=de
ldap admin dn = cn=manager,dc=eva,dc=mpg,dc=de
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap replication sleep = 2000
ldap idmap suffix = ou=users
guest ok = no guest account = Guest
security = user local master = yes os level = 65 domain master = yes domain logons = yes
logon path = logon home =
encrypt passwords = yes socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
wins support = yes dns proxy = no
display charset = UTF8 unix charset = UTF8
[netlogon] comment = Network Logon Service path = /var/lib/samba/netlogon guest ok = yes writable = no share modes = no
# slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 7
database ldbm suffix "dc=eva,dc=mpg,dc=de" rootdn "cn=manager,dc=eva,dc=mpg,dc=de"
password-hash {MD5} rootpw {MD5}++++++++++++++++++++++++
replogfile /var/lib/ldap/replog
replica host=nevanbdc.eva.mpg.de:389 binddn=cn=manager,dc=eva,dc=mpg,dc=de bindmethod=simple credentials="+++++++++"
directory /var/lib/ldap index objectClass eq index sambaSID eq index uid eq index sambaPrimaryGroupSID eq
lastmod on
access to attrs=userPassword by self write by * auth
access to * by * read
##### Samba BDC ##### # smb.conf
[global]
workgroup = NEVAN netbios name = nevanbdc server string = NevanBDC on Samba Version: %v
username map = /etc/samba/username.map
log level = 5 log file = /var/lib/samba/log.%m max log size = 10000
passdb backend = ldapsam:"ldap://nevanpdc.eva.mpg.de:389 ldap://localhost:389";
ldap passwd sync = yes
ldap suffix = dc=eva,dc=mpg,dc=de
ldap admin dn = cn=manager,dc=eva,dc=mpg,dc=de
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap replication sleep = 2000
ldap idmap suffix = ou=users
guest ok = no guest account = Guest
security = user local master = yes os level = 65 domain master = no domain logons = yes
logon path = logon home =
encrypt passwords = yes socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
wins support = yes dns proxy = no
display charset = UTF8 unix charset = UTF8
[netlogon] comment = Network Logon Service path = /var/lib/samba/netlogon guest ok = yes writable = no share modes = no
# slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 2
database ldbm suffix "dc=eva,dc=mpg,dc=de" rootdn "cn=manager,dc=eva,dc=mpg,dc=de"
password-hash {MD5} rootpw {MD5}++++++++++++++++++++++++
updatedn "cn=manager,dc=eva,dc=mpg,dc=de" updateref "nevanpdc.eva.mpg.de"
directory /var/lib/ldap index objectClass eq index sambaSID eq index uid eq index sambaPrimaryGroupSID eq
lastmod on
access to attrs=userPassword by self write by * auth
access to * by * read
Jason C. Waters schrieb:
Isn't the slave ldap directory suppose to be only read only? So when the master is down the users can't change their passwords, but everything else should work. What do you smb.conf and slapd.conf files look like for the master and the slave? I'm having some troubles getting the failover to work, so I wouldn't mind a peek. Thanks
Jason
Michael Gasch wrote:
hi
i'm looking for hints/experiences concering samba v3, openldap AND redundancy
my setup is:
Samba PDC with LDAP Master Samba BDC with LDAP Slave Samba Member Server, contacting first PDC, then BDC if the first fails
if all instances are working properly, everything is okay replication is also fine (from Master -> Slave)
and now imagine:
LDAP Master dies
all smbd are contacting LDAP Slave and make their changes in the Slave directory
cause replication only works from Master->Slave, if Master comes up again, i have inconsistency in my LDAP Backends
e.g. a machine changes its machine password in Slave directory and can't logon anymore cause the password change isn't replicated on Master
we also tried to setup slurpd (LDAP replication) on both LDAP Servers - if both are up, everything is okay, if one is down, changes are made in one directory, samba tells me it fails (e.g. changing passwords), allthough it changes the attributes and so on....
so the problem is: if Slave dies, everything should go on working, because PDC/BDC use at first LDAP Master
if slave comes up, replication is done properly
but if Master dies, i get an inconsistent domain
how do you get redundancy in your LDAP backend? PDC/BDC redundancy works well, the single-point-of-failure is LDAP
thx
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
