Re: [Samba] Ldap replication
WINS servers aren't, at least in theory, absolutely essential. I have just found that over the years it makes locating/browsing for Windows/Samba resources more reliable (especially with multiple network segments and multiple domains.) If you aren't using WINS, clients will locate other machines via broadcasts.

If I understand everything correctly, WINS (name resolution) lets you use a central server (vs broadcast) for locating Windows/Samba "servers" (and by server this would include XP machines, since they can share files and printers.) Part of finding machines is finding the master browser, which then actually lists what shared resources are available across all the machines. If you don't use WINS, machines can take longer to show up in the Network Neighborhood.

So if the PDC goes down, the BDC should become the master browser (listing available resources) and the clients should (eventually) give up trying to locate machines via the specified WINS server and switch back to broadcast. You could probably configure DHCP to assign multiple WINS server IP parameters to your Win clients, and then if your PDC looks like it will be down for a while you could make the BDC be the WINS server. Unfortunately Samba does not support WINS replication.

If my PDC does go offline, since it is also the primary file server, WINS functionality becomes irrelevant.

On 12/04/09 11:10, Michael Wood wrote:
> 2009/12/2 Gaiseric Vandal:
>> [...]
>> Make sure that all machines are using the same WINS server. I have my PDC
>> as the WINS server.
>
> What needs to be done if the PDC fails? Update the config on all the
> machines to point to another WINS server?

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Ldap replication
2009/12/2 Gaiseric Vandal:
> [...]
> Make sure that all machines are using the same WINS server. I have my PDC
> as the WINS server.

What needs to be done if the PDC fails? Update the config on all the machines to point to another WINS server?

--
Michael Wood
Re: [Samba] Ldap replication
On 12/02/09 01:51, Kevin Kimani wrote:
> Hi all,
> I have a setup whereby there is a PDC that's authenticating users through LDAP. I have several other BDCs that are doing the replication of the main server. I am trying to set up the users to be authenticated by the BDC but am not able to. Any suggestions will be quite helpful.
> Regards
> Kevin

Do you mean Samba replication or LDAP replication?

All DCs should be configured for

security = user
domain logons = yes
passdb backend = ldapsam:ldap://yourldapserver

They don't actually have to point to the same LDAP server; they should be able to point to a replica LDAP server (if that exists.) The PDC would have to point either to a master LDAP server or a writable replica. I have been setting this up with Sun Directory Server so I can't comment on OpenLDAP.

On each DC, "net getdomainsid" should show that the machine SID is the same as the domain SID. I would also make sure that the output of "net groupmap list" and "pdbedit -Lv" is the same on all DCs. I would make sure that the following "net rpc user info" command is returning the same results from each DC, e.g.

# net rpc user info someuser -U Administrator -S mypdc
Password:
Domain Users
Sales
Marketing
#

Make sure that all machines are using the same WINS server. I have my PDC as the WINS server.
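The checks Gaiseric lists (machine SID equal to the domain SID on each DC, identical `net groupmap list` output, identical group lists from `net rpc user info`) are easy to eyeball on two DCs and easy to get wrong on five. The following is an added example, not code from the thread or from Samba: a small Python script that parses captured output of those three commands and reports every disagreement. The captures it ships with are constructed, with made-up SIDs, host and group names, and include a BDC whose machine SID does not match the domain SID so that failure mode is visible in the output.

```python
"""Cross-check state that should agree on every Samba 3 domain controller.

Added example for the checks listed in the thread; not code from the list or
from Samba. CAPTURES holds constructed sample output of `net getdomainsid`,
`net groupmap list` and `net rpc user info <user>` (SIDs, host and group
names are made up); in practice you collect those three outputs from each
DC, for example over ssh, and feed them in instead.
"""
import re

SID_LINE = re.compile(r"SID for (local machine|domain) \S+ is: (S-1-5-21-[\d-]+)")
GROUPMAP_LINE = re.compile(r"(.+?) \((S-1-5-21-[\d-]+)\) -> (\S+)$")

CAPTURES = {
    "pdc": {
        "getdomainsid": "SID for local machine PDC is: S-1-5-21-111-222-333\n"
                        "SID for domain EXAMPLE is: S-1-5-21-111-222-333\n",
        "groupmap": "Domain Admins (S-1-5-21-111-222-333-512) -> domadmins\n"
                    "Domain Users (S-1-5-21-111-222-333-513) -> users\n"
                    "Sales (S-1-5-21-111-222-333-3001) -> sales\n",
        "user_info": "Domain Users\nSales\n",
    },
    "bdc": {
        # constructed failure mode: the BDC kept its own machine SID instead
        # of the domain SID, and is missing one group mapping
        "getdomainsid": "SID for local machine BDC is: S-1-5-21-999-888-777\n"
                        "SID for domain EXAMPLE is: S-1-5-21-111-222-333\n",
        "groupmap": "Domain Admins (S-1-5-21-111-222-333-512) -> domadmins\n"
                    "Domain Users (S-1-5-21-111-222-333-513) -> users\n",
        "user_info": "Domain Users\n",
    },
}


def parse_getdomainsid(text):
    """'SID for local machine X is: ...' / 'SID for domain Y is: ...' -> {kind: sid}."""
    sids = {}
    for line in text.splitlines():
        m = SID_LINE.match(line.strip())
        if m:
            sids[m.group(1)] = m.group(2)
    return sids


def parse_groupmap(text):
    """'Name (SID) -> unixgroup' lines -> {name: (sid, unixgroup)}."""
    mapping = {}
    for line in text.splitlines():
        m = GROUPMAP_LINE.match(line.strip())
        if m:
            mapping[m.group(1)] = (m.group(2), m.group(3))
    return mapping


def parse_user_groups(text):
    """Group names printed one per line by 'net rpc user info'."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def compare_dcs(captures):
    """Return human-readable findings; an empty list means the DCs agree."""
    findings, parsed = [], {}
    for host, cap in captures.items():
        sids = parse_getdomainsid(cap["getdomainsid"])
        if sids.get("local machine") != sids.get("domain"):
            findings.append(f"{host}: machine SID {sids.get('local machine')} "
                            f"!= domain SID {sids.get('domain')}")
        parsed[host] = (sids.get("domain"), parse_groupmap(cap["groupmap"]),
                        parse_user_groups(cap["user_info"]))
    hosts = list(parsed)  # the first host is the reference; list the PDC first
    ref_domain, ref_map, ref_groups = parsed[hosts[0]]
    for host in hosts[1:]:
        domain, gmap, groups = parsed[host]
        if domain != ref_domain:
            findings.append(f"{host}: domain SID {domain} differs from {hosts[0]} ({ref_domain})")
        for name in sorted(set(ref_map) ^ set(gmap)):
            findings.append(f"{host}: group mapping '{name}' exists on only one of {hosts[0]}/{host}")
        for name in sorted(set(ref_map) & set(gmap)):
            if ref_map[name] != gmap[name]:
                findings.append(f"{host}: group mapping '{name}' {gmap[name]} "
                                f"differs from {hosts[0]} {ref_map[name]}")
        if groups != ref_groups:
            findings.append(f"{host}: user's groups {sorted(groups)} differ from "
                            f"{hosts[0]} {sorted(ref_groups)}")
    return findings


if __name__ == "__main__":
    for finding in compare_dcs(CAPTURES) or ["all DCs agree"]:
        print(finding)
```

Replace CAPTURES with real output collected from each DC (the first host in the dictionary is the reference, so put the PDC first). `pdbedit -Lv` is left out of the comparison; diffing it by hand is still worthwhile.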
[Samba] Ldap replication
Hi all,

I have a setup whereby there is a PDC that's authenticating users through LDAP. I have several other BDCs that are doing the replication of the main server. I am trying to set up the users to be authenticated by the BDC but am not able to. Any suggestions will be quite helpful.

Regards
Kevin
Re: [Samba] Samba LDAP replication weirdness...
On Tue, 2005-03-22 at 20:35 -0600, Mccrory, Kevin B wrote:
> I have the PDC/BDC with a master slave LDAP directory set up and
> operating.
>
> One problem is that I've only been able to get the LDAP Master/Slave
> replication working if I use Manager as the binddn for the replication.
> I'm using the IDEALX smbldap tools. If I use another user I get an ERROR:
> Insufficient access: no write access to entry error and a .rej file is
> created.
>
> Each entry shows modifiersName: cn=Manager,dc=mphqcops,dc=opmg,dc=local
> for all the change entries. Isn't this supposed to match the binddn
> entry from the slapd.conf file?

Various issues here - you seem to believe that they are related.

In slapd.conf, you have a rootdn - that is a master and probably not the best dn to use for replication or Samba. Also, on the ldap-slave, you would have an updatedn which is the 'user' that the ldap-master would use to send updates to the slave. On the ldap-master, you would have a 'replica' section that would list a binddn which is for the 'user' that updates the slave and 'credentials' which is the password for this user. None of this really has anything to do with Samba (yet).

In theory, the ldap-slave should have ACLs that pretty much deny all client writes except for the rootdn (which can never really be denied) and the updatedn - which is the 'user' that the ldap-master uses to propagate changes in the LDAP DSA. Thus in Samba, you should probably use a different dn which can't write to the ldap-slave but could write to the ldap-master, and Samba is supposed to 'chase referrals' back to the master in order to make changes. Thus the reason for a line similar to this in the ldap-slave slapd.conf:

updateref ldaps://fqdn-my-ldap-master/

It really helps to have LDAP all set up, master, slave, replication, ACLs etc., before you bring Samba into the fold.

As for your last question, I would presume that the modifiersName would be whoever did the modification - i.e.

(from samba - ldap admin dn = cn=blah,dc=example,dc=com)
(from ldapadd - cn=Manager,dc=example,dc=com)
(from turba - uid=me,ou=People,ou=Accounts,dc=example,dc=com)
(on ldap-slave from ldap-master - cn=updatedn_name,dc=example,dc=com)

Craig
[Samba] Samba LDAP replication weirdness...
I have the PDC/BDC with a master slave LDAP directory set up and operating.

One problem is that I've only been able to get the LDAP Master/Slave replication working if I use Manager as the binddn for the replication. I'm using the IDEALX smbldap tools. If I use another user I get an ERROR: Insufficient access: no write access to entry error and a .rej file is created.

Each entry shows modifiersName: cn=Manager,dc=mphqcops,dc=opmg,dc=local for all the change entries. Isn't this supposed to match the binddn entry from the slapd.conf file?

Kevin B. McCrory
Network Engineer - COPS
US Government Solutions
13600 EDS Drive
Mail stop: A4S-B21
Herndon, VA 20171
phone: +01-703-733-3255
mailto:[EMAIL PROTECTED]
AKO mailto:[EMAIL PROTECTED]
Re: [Samba] ldap replication, the second, keep your internal domain away from .local domain , cause suse 9.1 will not resolve this by dns
Stefan Kania wrote:
> Hello,
> I have two LDAP servers with Samba PDC and BDC. I started with the PDC; I use Suse 9.0 with LDAP "out of the box" and Samba 3.0.2a. Everything is working fine with only the PDC running. Now I configured replication. In my slapd.conf file on the master server I added the following lines:
>
> #permission
> access to * by dn="cn=repl,dc=felix,dc=local" write
>
> # database definition
> replogfile /var/lib/ldap/slurpd/slurpd.log
> replica uri=ldap://felixols01.felix.local:389 binddn="cn=repl,dc=felix,dc=local" bindmethod=simple credentials=topsecret tls=no
>
> In slapd.conf of my slave server I added:
>
> updatedn "cn=repl,dc=felix,dc=local"
> updateref ldap://felixsch01.felix.local
>
> I copied all database files from master to slave. Then I started all services in the following order:
> - ldapserver on slave
> - ldapserver on master
> - slurpd on master
>
> I checked replication. Everything was working: I added some new objects on my master server and with the LDAP browser I could see the new object on my master and slave server. I can change all attributes on all objects and I can browse through the whole LDAP tree. But now my problem started. It is no longer possible to log in to the system :-(. With login over ssh I got the message "permission denied"; when I log in as root everything works, then I try "su my-name" and I get the message "no such user my-name". Also an "ldapsearch -x -h localhost (cn=my-name)" won't bring up any results. Is there someone who can help me? I'm totally lost.
> Stefan

Hi Stefan,

I forgot something. Last week I set up a Suse 9.1 in my internal SMB/DNS net. I had an internal DNS domain called .local too. Suse 9.1 no longer does the lookup for internal .local domains: Suse now implements .local domains as mDNS, for sure without any need, and there is no fallback to DNS, so if you later have a Suse 9.1 machine and a .local domain you will get into big trouble. I had to change my internal .local domain through many hours (I have a big intranet). Suse writes a small note about this in the release notes of 9.1, and the support was not really helpful. On this (bug / feature) see this link (sorry, German): http://www.linux-club.de/viewtopic.php?t=6067

So for .local domains there is no fallback to DNS planned; resolution is done with multicast only. In my opinion this breaks every RFC I read, and I will go away from Suse in the future. You can fix this behavior in Suse 9.1 by compiling a new glibc and/or copying the newly created libresolv to /lib.

So this is only a warning for you: if you're just starting with your DNS and you want to use Suse in the future, don't use an internal .local DNS domain, because Suse is not willing to fix their special glibc version.

Best Regards
Re: [Samba] ldap replication
On Tue, 2004-05-11 at 15:58, Stefan Kania wrote:
> But now my problem started. It is no longer possible to log in to the
> system :-(. With login over ssh I got the message "permission denied"

What are the entries in the following files:

nsswitch.conf
ldap.conf
libnssldap.conf
libpamldap.conf

> when I log in as root everything works, then I try "su my-name" and I get the
> message "no such user my-name". Also an "ldapsearch -x -h localhost
> (cn=my-name)" won't bring up any results.

This is because root exists in the /etc/passwd file but my-name is in the LDAP database. You need to add the following line in your slapd.conf in the permission section to be able to search anonymously:

access to * by * read

Also, are you able to get the full user list by issuing this:

# getent passwd

regards,
Nishant

--
Nishant Sharma <[EMAIL PROTECTED]>
Support - Enterprise Server Systems
DeepRoot Linux, Bangalore India.
Ph: +91-80-28565624
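Craig's reply in the "Samba LDAP replication weirdness" thread above describes the split between the rootdn, the updatedn on the slave, the replica stanza on the master and the updateref that sends Samba's writes back to the master; Nishant's reply here suggests `access to * by * read` so anonymous searches work. Two things a practitioner should check before copying either into a production slapd.conf: slapd applies the first `access to` clause whose `<what>` matches, so a catch-all `access to * by * read` that comes first (or stands alone, which is also slapd's default policy when no `access` directive is present) lets anonymous clients read sambaNTPassword, sambaLMPassword and userPassword; and on a slurpd slave only the updatedn (besides the implicit rootdn) should hold write access. The script below is an added example, not code from the list or from OpenLDAP: a small Python audit of a slave slapd.conf for exactly those points, run against two constructed configurations, a weak one and a hardened one (the DNs and hostnames are made up, as is the `cn=samba` DN standing in for Samba's `ldap admin dn`).

```python
"""Audit a slurpd-era OpenLDAP slave slapd.conf for the replication and ACL
points raised in the thread. Added example, not code from the list or from
OpenLDAP; both configurations are constructed, DNs and hostnames made up."""
import shlex

WEAK_SLAVE = """\
rootdn "cn=Manager,dc=example,dc=com"
updatedn "cn=Manager,dc=example,dc=com"
access to * by * read
"""

HARDENED_SLAVE = """\
rootdn "cn=Manager,dc=example,dc=com"
updatedn "cn=repl,dc=example,dc=com"
updateref ldaps://master.example.com/
# slapd uses the first 'access to' clause that matches, so the password
# attributes get their own clause ahead of the catch-all. cn=samba (assumed
# Samba 'ldap admin dn') must read sambaNTPassword to authenticate users.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by dn="cn=repl,dc=example,dc=com" write
    by dn="cn=samba,dc=example,dc=com" read
    by anonymous auth
    by * none
access to *
    by dn="cn=repl,dc=example,dc=com" write
    by * read
"""

PASSWORD_ATTRS = {"userpassword", "sambalmpassword", "sambantpassword"}
PUBLIC = {"*", "anonymous", "users"}


def parse_slapd_conf(text):
    """-> [(directive, args)]; indented lines continue the previous directive."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    tokens = (shlex.split(line) for line in logical)
    return [(t[0].lower(), t[1:]) for t in tokens if t]


def parse_acl(args):
    """'to <what...> by <who> <level> [by ...]' -> (what tokens, [(who, level)])."""
    i, what, rules = 1, [], []
    while i < len(args) and args[i] != "by":
        what.append(args[i])
        i += 1
    while i < len(args):
        if args[i] == "by" and i + 1 < len(args):
            who = args[i + 1]
            level = args[i + 2] if i + 2 < len(args) and args[i + 2] != "by" else "none"
            rules.append((who, level))
            i += 3
        else:
            i += 1
    return what, rules


def grants_read(level):
    return level in ("read", "write", "manage") or (level.startswith("=") and ("r" in level or "w" in level))


def grants_write(level):
    return level in ("write", "manage") or (level.startswith("=") and "w" in level)


def who_dn(who):
    """'dn=cn=x,dc=y' or 'dn.exact=cn=x,dc=y' -> 'cn=x,dc=y'; other identities -> None."""
    return who.split("=", 1)[1].lower() if who.lower().startswith("dn") and "=" in who else None


def audit_slave(text):
    findings = []
    directives = parse_slapd_conf(text)
    single = {n: a[0] for n, a in directives if a and n in ("rootdn", "updatedn", "updateref")}
    rootdn, updatedn = single.get("rootdn", "").lower(), single.get("updatedn", "").lower()
    if not updatedn:
        findings.append("no updatedn: the master has no identity it may push updates as")
    elif updatedn == rootdn:
        findings.append("updatedn is the rootdn; replicate as a dedicated DN instead")
    if "updateref" not in single:
        findings.append("no updateref: writers bound to the slave (e.g. Samba) get no referral to the master")
    acls = [parse_acl(a) for n, a in directives if n == "access"]
    if not acls:
        findings.append("no access directives: slapd defaults to 'access to * by * read', exposing password hashes")
    decided = False
    for what, rules in acls:
        attr_tokens = [w for w in what if w.lower().startswith("attrs=")]
        covers_passwords = any(PASSWORD_ATTRS & set(t[6:].lower().split(",")) for t in attr_tokens)
        for who, level in rules:  # on a slave only the updatedn should write
            if grants_write(level) and who_dn(who) != updatedn:
                findings.append(f"'{who}' may write to {' '.join(what)}; on a slave only the updatedn should")
        # the first clause that can match password attributes decides their exposure
        if not decided and (covers_passwords or not attr_tokens):
            decided = True
            for who, level in rules:
                if who in PUBLIC and grants_read(level):
                    findings.append(f"'access to {' '.join(what)} by {who} {level}' exposes "
                                    f"sambaNTPassword/userPassword hashes to {who}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SLAVE), ("hardened", HARDENED_SLAVE)):
        print(label, audit_slave(conf) or ["ok"])
```

The parser is deliberately small (continuation lines, quoted DNs, `by` clauses); it ignores `dn.subtree` scoping and `stop`/`break` controls, so treat a clean result as "nothing obviously wrong", not as proof. The order check is the one that matters most: swapping the two `access` clauses in HARDENED_SLAVE makes the password clause unreachable, and the audit reports it.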
[Samba] ldap replication
Hello,

I have two LDAP servers with Samba PDC and BDC. I started with the PDC; I use Suse 9.0 with LDAP "out of the box" and Samba 3.0.2a. Everything is working fine with only the PDC running. Now I configured replication. In my slapd.conf file on the master server I added the following lines:

#permission
access to * by dn="cn=repl,dc=felix,dc=local" write

# database definition
replogfile /var/lib/ldap/slurpd/slurpd.log
replica uri=ldap://felixols01.felix.local:389 binddn="cn=repl,dc=felix,dc=local" bindmethod=simple credentials=topsecret tls=no

In slapd.conf of my slave server I added:

updatedn "cn=repl,dc=felix,dc=local"
updateref ldap://felixsch01.felix.local

I copied all database files from master to slave. Then I started all services in the following order:
- ldapserver on slave
- ldapserver on master
- slurpd on master

I checked replication. Everything was working: I added some new objects on my master server and with the LDAP browser I could see the new object on my master and slave server. I can change all attributes on all objects and I can browse through the whole LDAP tree.

But now my problem started. It is no longer possible to log in to the system :-(. With login over ssh I got the message "permission denied"; when I log in as root everything works, then I try "su my-name" and I get the message "no such user my-name". Also an "ldapsearch -x -h localhost (cn=my-name)" won't bring up any results.

Is there someone who can help me? I'm totally lost.

Stefan

--
Kösliner Straße 75
48147 Münster
Tel. 0251 / 3835950
www.kania-online.de
Re: [Samba] ldap replication sleep seems not working
On Tue, 2004-03-02 at 14:23, Beast wrote:
> * Andrew Bartlett <[EMAIL PROTECTED]> wrote:
>>> On the second try, it works.
>>> replication sleep = 1 (10 secs).
>>
>> That means that you must make your add user script sleep. We can't
>> control that.
>
> This parameter confuses me. What does this actually do?
>
> From the man page:
> ...
> This option simply causes Samba to wait a short time, to allow the LDAP server to
> catch up.

When *Samba* makes a modification, it will delay the next LDAP read to allow the local LDAP slave to catch up. If you make a modification in a custom script, you need to do likewise.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
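Andrew's point is that `ldap replication sleep` only covers Samba's own reads after its own writes; whatever the `add machine script` does against the master is not covered, so the NSS lookup that follows can hit a slave that has not caught up yet, which is why Beast's `id raptor2$` only succeeds on the second try. A fixed sleep in the script is the usual fix. A more robust version probes the slave until the new entry is visible, with a deadline. The following is an added example, not code from the thread or from Samba: a Python helper that polls a replica for a DN with bounded exponential back-off and exits non-zero on timeout so the calling script can abort or log instead of racing. The ldapsearch invocation, the anonymous base-scope probe and the slave hostname argument are assumptions about the reader's setup.

```python
"""Wait until a newly added entry is visible on an LDAP replica.

Added example, not code from the thread or from Samba. Meant for the case
Andrew describes: a custom 'add machine script' writes to the LDAP master
while the lookups Samba and nss_ldap make afterwards go to a slave, so the
script should not return before the slave has caught up. The ldapsearch
probe, the anonymous base-scope search and the hostname argument are
assumptions about the reader's setup.
"""
import subprocess
import sys
import time


def wait_for_replica(lookup, dn, timeout=10.0, interval=0.2,
                     clock=time.monotonic, sleep=time.sleep):
    """Call lookup(dn) until it returns True or timeout seconds have passed.

    Returns (found, attempts). The wait doubles after each miss (capped at
    2 s), so a fast replica is noticed quickly and a stalled one is not
    hammered; the last wait is trimmed so the deadline is never overshot.
    clock and sleep are injectable so the logic can be tested without
    actually sleeping.
    """
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        if lookup(dn):
            return True, attempts
        now = clock()
        if now >= deadline:
            return False, attempts
        sleep(min(interval, deadline - now))
        interval = min(interval * 2, 2.0)


def ldapsearch_lookup(host):
    """Return a lookup(dn) that asks the slave `host` whether the entry exists.

    Assumes the OpenLDAP client tools are installed and the slave permits an
    anonymous base-scope search of the DN. '1.1' requests no attributes, so a
    returned 'dn:' line is all we rely on; a missing entry makes ldapsearch
    exit non-zero (noSuchObject).
    """
    def lookup(dn):
        res = subprocess.run(
            ["ldapsearch", "-x", "-LLL", "-H", f"ldap://{host}/",
             "-b", dn, "-s", "base", "1.1"],
            capture_output=True, text=True)
        return res.returncode == 0 and any(
            line.lower().startswith("dn:") for line in res.stdout.splitlines())
    return lookup


if __name__ == "__main__":
    # usage: wait_for_replica.py <slave-host> <dn-of-new-entry>
    # run it from the add machine script right after ldapadd against the master
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <slave-host> <dn>")
    found, tries = wait_for_replica(ldapsearch_lookup(sys.argv[1]), sys.argv[2])
    print(f"{sys.argv[2]} {'visible' if found else 'NOT visible'} on "
          f"{sys.argv[1]} after {tries} probe(s)")
    sys.exit(0 if found else 1)
```

If the slave refuses anonymous base-scope searches, bind as a low-privilege read-only DN in `lookup` instead; the polling logic is unchanged. Keep the timeout below whatever the client-side join timeout is, otherwise the wait simply moves the failure.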
Re: [Samba] ldap replication sleep seems not working
* Andrew Bartlett <[EMAIL PROTECTED]> wrote:
>> On the second try, it works.
>> replication sleep = 1 (10 secs).
>
> That means that you must make your add user script sleep. We can't
> control that.

This parameter confuses me. What does this actually do?

From the man page:
...
This option simply causes Samba to wait a short time, to allow the LDAP server to catch up.

--beast
Re: [Samba] ldap replication sleep seems not working
On Tue, 2004-03-02 at 00:19, Beast wrote:
> When configuring a Samba PDC to use a slave LDAP, it seems the parameter ldap
> replication sleep did not work; setting any value did not make any difference.
>
> I have a Samba PDC and slave/master LDAP connected over a fast-ethernet switch;
> LDAP replication takes less than 2 seconds, however when adding an (XP) machine
> to the domain it gives the error "The username could not be found".
> In the machine log:
>
> Closing connections
> [2004/03/01 20:01:23, 3] smbd/connection.c:yield_connection(69)
> Yielding connection to
> [2004/03/01 20:01:23, 3] smbd/connection.c:yield_connection(76)
> yield_connection: tdb_delete for name failed with error Record does not exist.
>
> From the samba pdc:
> [EMAIL PROTECTED] samba]# id raptor2$
> uid=10110(raptor2$) gid=2005(wsjkt) groups=2005(wsjkt)
>
> It's only posix entries created by the add machine script, no samba objectclass.
>
> On the second try, it works.
> replication sleep = 1 (10 secs).

That means that you must make your add user script sleep. We can't control that.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
[Samba] ldap replication sleep seems not working
When configuring a Samba PDC to use a slave LDAP, it seems the parameter ldap replication sleep did not work; setting any value did not make any difference.

I have a Samba PDC and slave/master LDAP connected over a fast-ethernet switch; LDAP replication takes less than 2 seconds, however when adding an (XP) machine to the domain it gives the error "The username could not be found". In the machine log:

Closing connections
[2004/03/01 20:01:23, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2004/03/01 20:01:23, 3] smbd/connection.c:yield_connection(76)
yield_connection: tdb_delete for name failed with error Record does not exist.

From the samba pdc:
[EMAIL PROTECTED] samba]# id raptor2$
uid=10110(raptor2$) gid=2005(wsjkt) groups=2005(wsjkt)

It's only posix entries created by the add machine script, no samba objectclass.

On the second try, it works.
replication sleep = 1 (10 secs).

--beast
Re: [Samba] LDAP replication
Can you post your configuration file?

From the document, it looks like they are running master & slave on the same machine. If you're using two machines, you need to change the following entry

replica host=127.0.0.1:3790 binddn="cn=replica,o=aphroland,c=us" bindmethod=simple credentials=linux

to

replica host= binddn="cn=replica,o=aphroland,c=us" bindmethod=simple credentials=linux

-SR

> Hi all,
>
> I know this is not an LDAP list, but I'm setting up a SAMBA LDAP BDC; I
> think many of you have experience with this.
>
> I set up a replica. I haven't done the following.
>
> I followed
> 1. http://howto.aphroland.de/HOWTO/LDAP/ReplicationOverSSLConfigureOpenLDAP
> 2. http://howto.aphroland.de/HOWTO/LDAP/ReplicationOverSSLSlaveServer
> 3. http://howto.aphroland.de/HOWTO/LDAP/ReplicationOverSSLTheInitialTransfer
>
> to set up replication, but slurpd doesn't want to propagate from the master
> to the slave at all. I checked the replication log. The master LDAP
> replication log (/var/lib/ldap/replication.log) was empty, while the slurpd
> replication log /usr/local/var/openldap-slurpd/replication/rep.log had all
> the changes I have made on the master, but the slave hasn't changed at all.
> I checked for .rej; there's no .rej. The status file is empty as well. I have
> nowhere to check for what's going on.
>
> Any idea? Suggestion?
>
> Thanks!
Re: [Samba] LDAP replication
Hi,

You'd better follow the official FAQs on OpenLDAP. For testing, use the Manager account as updater and do not use an encrypted password or SSL. Slurpd is sensitive to an exact copy of the LDAP db files; I recommend that after setting up the master you stop it and copy, i.e.

scp -r /var/lib/ldap slave.host:/var/lib

then start the master ldap, slurpd and then the slave. If your system is doing the replication fine you can struggle around with crypto and SSL features.

Best Regards

----- Original Message -----
From: "Loc Nguyen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 23, 2004 1:18 AM
Subject: [Samba] LDAP replication

> Hi all,
>
> I know this is not an LDAP list, but I'm setting up a SAMBA LDAP BDC; I
> think many of you have experience with this.
>
> I set up a replica. I haven't done the following.
>
> I followed
> 1. http://howto.aphroland.de/HOWTO/LDAP/ReplicationOverSSLConfigureOpenLDAP
> 2. http://howto.aphroland.de/HOWTO/LDAP/ReplicationOverSSLSlaveServer
> 3. http://howto.aphroland.de/HOWTO/LDAP/ReplicationOverSSLTheInitialTransfer
>
> to set up replication, but slurpd doesn't want to propagate from the master
> to the slave at all. I checked the replication log. The master LDAP
> replication log (/var/lib/ldap/replication.log) was empty, while the slurpd
> replication log /usr/local/var/openldap-slurpd/replication/rep.log had all
> the changes I have made on the master, but the slave hasn't changed at all.
> I checked for .rej; there's no .rej. The status file is empty as well. I have
> nowhere to check for what's going on.
>
> Any idea? Suggestion?
>
> Thanks!
[Samba] LDAP replication
Hi all,

I know this is not an LDAP list, but I'm setting up a SAMBA LDAP BDC; I think many of you have experience with this.

I set up a replica. I haven't done the following.

I followed
1. http://howto.aphroland.de/HOWTO/LDAP/ReplicationOverSSLConfigureOpenLDAP
2. http://howto.aphroland.de/HOWTO/LDAP/ReplicationOverSSLSlaveServer
3. http://howto.aphroland.de/HOWTO/LDAP/ReplicationOverSSLTheInitialTransfer

to set up replication, but slurpd doesn't want to propagate from the master to the slave at all. I checked the replication log. The master LDAP replication log (/var/lib/ldap/replication.log) was empty, while the slurpd replication log /usr/local/var/openldap-slurpd/replication/rep.log had all the changes I have made on the master, but the slave hasn't changed at all. I checked for .rej; there's no .rej. The status file is empty as well. I have nowhere to check for what's going on.

Any idea? Suggestion?

Thanks!
Re: [Samba] LDAP Replication
Hey Vladimir,

Right off the bat I can tell you from my experience (unless somebody corrects me) that you're going to have problems keeping ACLs with Domain Group references (i.e. ACLs that include groups in the NT4 Domain sense). Samba 2.2.x doesn't support Domain Groups. Samba 3.0 does, but as you mentioned you can't wait until that, and obviously alpha (beta?) level code would also be unacceptable.

By Domain Groups I mean custom-created groups of users within the NT domain such as "Managers", "Marketing Personnel", etc. These can't be represented in Samba 2.2.x AFAIK - only a few "default" (read: required) groups exist.

I hope I'm wrong, but sadly I don't think I am.

Best

On Thu, 2003-03-13 at 21:45, Zawalinski, Vladimir wrote:
> From Google searches, it seems that using SAMBA 2.2.7 + OpenLDAP on Linux
> patched for POSIX ACL support delivers a functional PDC/BDC pair, and that
> directory replication can take place automatically once set up.
>
> Could someone please confirm that this actually works?
>
> The background to this issue is that we are moving a large number of NT4
> file servers to a LINUX platform, but need to keep security arrangements,
> particularly file ACLs, unchanged, but cannot wait until the production
> release of Samba V3.

--
Diego Rivera <[EMAIL PROTECTED]>
[Samba] LDAP Replication
From Google searches, it seems that using SAMBA 2.2.7 + OpenLDAP on Linux patched for POSIX ACL support delivers a functional PDC/BDC pair, and that directory replication can take place automatically once set up.

Could someone please confirm that this actually works?

The background to this issue is that we are moving a large number of NT4 file servers to a LINUX platform, but need to keep security arrangements, particularly file ACLs, unchanged, but cannot wait until the production release of Samba V3.