Fw: [Samba] LDAP redundancy problem

2007-04-30 Thread Alain . Gorlier
Doing some other tests, we determined that the problem occurs when the
fileservers and LDAP servers are not on the same IP subnet.
When they are on different subnets, the TCP timeout is about 3 minutes. We
could change some kernel IP settings (such as syn_retries) but we do not
want to do that; other side effects would occur.
As the samba 'ldap timeout' parameter seems to be effective for the
"global" URI (master+replica), there is no failover before 3 minutes.
So, we would have to set "ldap timeout" from 15 seconds to 3 minutes to
make it work, but that is much too long...

If we are on the same subnet, an ARP timeout occurs.
As the master server is down, the corresponding ARP entry on the
fileserver expires about 30 seconds later, then the ARP entry is set to
"incomplete" and the timeout is now about 6 seconds!
So, 30 seconds after the master LDAP server is down, the Samba server
switches to the replica server after only 6s for each new client connection.

I would prefer a 'samba' ldap timeout failover parameter instead of
different network timeouts corresponding to different network
architectures. Don't you think?

Has anybody ever tested LDAP redundancy with different IP subnets?


>>
Hi,

Redhat 4, Samba server 3.0.22.

We are testing LDAP redundancy. We have 2 LDAP servers.

If we stop LDAP services on the first LDAP server, everything works fine:
the samba server detects the failed LDAP server and switches to the
available LDAP server.
Clients can be authenticated, everything works fine.

But if the first LDAP server is unavailable (does not respond to ping),
the samba server does not switch to the second LDAP server:

[2007/04/20 09:36:46, 0] lib/smbldap.c:smbldap_search_suffix(1346)
  smbldap_search_suffix: Problem during the LDAP search:  (Time limit exceeded)
[2007/04/20 09:36:46, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [adminocs] -> [adminocs] FAILED with error NT_STATUS_NO_SUCH_USER
[2007/04/20 09:36:46, 2] smbd/server.c:exit_server(614)
  Closing connections

We have tried using smaller and greater values of ldap timeout in smb.conf
(from 5 to 600), but it does not help.
We have tried using smaller and greater values in /etc/ldap.conf for
bind_timelimit and timelimit (30 by default, from 5 to 300), but it does
not help.

Here is the part of our smb.conf related to LDAP:

passdb backend = ldapsam:"ldap://itdsd1l1.altissemiconductor.com ldap://itdsd2l2.altissemiconductor.com";
ldap passwd sync = Yes
ldap admin dn = cn=samba,ou=DSA,ou=manuf,o=altissemiconductor.com,cn=mfg
ldap suffix = ou=manuf,o=altissemiconductor.com,cn=mfg
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap timeout = 15
ldap ssl = start_tls

Is there a way to change the bind timeout so that the samba server switches
to the available node before the "search time limit exceeded"?
Am I missing something?

Regards,
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
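
An added example, not part of the original post and not Samba code: it shows why a silent host on another subnet holds a blocking connect for about 3 minutes, and what a per-server connect deadline across the URI list looks like. The function names are hypothetical; the 3-second initial retransmission timeout and 5 SYN retries are assumed as the Linux 2.6 defaults of that period.

```python
import socket
from urllib.parse import urlsplit


def syn_give_up_seconds(syn_retries=5, initial_rto=3.0):
    """Seconds a blocking connect() waits on a host that never answers.

    The first SYN plus syn_retries retransmissions are sent, and each wait
    is double the previous one (assumed defaults: 5 retries, 3 s initial RTO).
    """
    return sum(initial_rto * 2 ** i for i in range(syn_retries + 1))


def worst_case_failover_seconds(dead_servers, per_server_timeout,
                                syn_retries=5, initial_rto=3.0):
    """Delay before the first live server is reached when every server
    listed ahead of it is silent; the kernel limit caps a larger timeout."""
    kernel_limit = syn_give_up_seconds(syn_retries, initial_rto)
    return dead_servers * min(per_server_timeout, kernel_limit)


def connect_first_alive(uris, per_server_timeout=5.0):
    """Try each ldap:// URI in order, each with its own connect deadline.

    Returns (uri, connected_socket) for the first server that accepts the
    TCP connection; raises ConnectionError if none does.
    """
    errors = []
    for uri in uris:
        parts = urlsplit(uri)
        address = (parts.hostname, parts.port or 389)
        try:
            # The timeout bounds this single attempt, so a silent master
            # cannot use up the time budget meant for the replica.
            sock = socket.create_connection(address, timeout=per_server_timeout)
            return uri, sock
        except OSError as exc:  # refused, unreachable or timed out
            errors.append(f"{uri}: {exc}")
    raise ConnectionError("no LDAP server reachable: " + "; ".join(errors))
```

With the assumed defaults, `syn_give_up_seconds()` gives 189 seconds, which matches the roughly 3 minute delay reported above.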


Re: [Samba] LDAP redundancy problem

2007-04-23 Thread Alain . Gorlier
No idea about this point?

>>
Hi,

Redhat 4, Samba server 3.0.22.

We are testing LDAP redundancy. We have 2 LDAP servers.

If we stop LDAP services on the first LDAP server, everything works fine:
the samba server detects the failed LDAP server and switches to the
available LDAP server.
Clients can be authenticated, everything works fine.

But if the first LDAP server is unavailable (does not respond to ping),
the samba server does not switch to the second LDAP server:

[2007/04/20 09:36:46, 0] lib/smbldap.c:smbldap_search_suffix(1346)
  smbldap_search_suffix: Problem during the LDAP search:  (Time limit exceeded)
[2007/04/20 09:36:46, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [adminocs] -> [adminocs] FAILED with error NT_STATUS_NO_SUCH_USER
[2007/04/20 09:36:46, 2] smbd/server.c:exit_server(614)
  Closing connections

We have tried using smaller and greater values of ldap timeout in smb.conf
(from 5 to 600), but it does not help.
We have tried using smaller and greater values in /etc/ldap.conf for
bind_timelimit and timelimit (30 by default, from 5 to 300), but it does
not help.

Here is the part of our smb.conf related to LDAP:

passdb backend = ldapsam:"ldap://itdsd1l1.altissemiconductor.com ldap://itdsd2l2.altissemiconductor.com";
ldap passwd sync = Yes
ldap admin dn = cn=samba,ou=DSA,ou=manuf,o=altissemiconductor.com,cn=mfg
ldap suffix = ou=manuf,o=altissemiconductor.com,cn=mfg
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap timeout = 15
ldap ssl = start_tls

Is there a way to change the bind timeout so that the samba server switches
to the available node before the "search time limit exceeded"?
Am I missing something?

Regards,


[Samba] LDAP redundancy problem

2007-04-20 Thread Alain . Gorlier
Hi,

Redhat 4, Samba server 3.0.22.

We are testing LDAP redundancy. We have 2 LDAP servers.

If we stop LDAP services on the first LDAP server, everything works fine:
the samba server detects the failed LDAP server and switches to the
available LDAP server.
Clients can be authenticated, everything works fine.

But if the first LDAP server is unavailable (does not respond to ping),
the samba server does not switch to the second LDAP server:

[2007/04/20 09:36:46, 0] lib/smbldap.c:smbldap_search_suffix(1346)
  smbldap_search_suffix: Problem during the LDAP search:  (Time limit exceeded)
[2007/04/20 09:36:46, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [adminocs] -> [adminocs] FAILED with error NT_STATUS_NO_SUCH_USER
[2007/04/20 09:36:46, 2] smbd/server.c:exit_server(614)
  Closing connections

We have tried using smaller and greater values of ldap timeout in smb.conf
(from 5 to 600), but it does not help.
We have tried using smaller and greater values in /etc/ldap.conf for
bind_timelimit and timelimit (30 by default, from 5 to 300), but it does
not help.

Here is the part of our smb.conf related to LDAP:

passdb backend = ldapsam:"ldap://itdsd1l1.altissemiconductor.com ldap://itdsd2l2.altissemiconductor.com";
ldap passwd sync = Yes
ldap admin dn = cn=samba,ou=DSA,ou=manuf,o=altissemiconductor.com,cn=mfg
ldap suffix = ou=manuf,o=altissemiconductor.com,cn=mfg
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap timeout = 15
ldap ssl = start_tls

Is there a way to change the bind timeout so that the samba server switches
to the available node before the "search time limit exceeded"?
Am I missing something?

Regards,
