Re: RE : RE : RE : [Samba] samba-3 PDC BDC fail-over with 2 LDAP servers fails
On Wed, 2003-10-15 at 16:50, jean-marc pouchoulon wrote:
> > It is quite possible that your LDAP libs do not support that syntax.
> > What exactly is the version you are using?
>
> Netscape Directory server 4.16.

I mean on the client - the libraries that Samba links against.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE : RE : RE : RE : [Samba] samba-3 PDC BDC fail-over with 2 LDAP servers fails
Rpm found :
    openldap-2.0.27-8
    nss_ldap-202-5

ldd /usr/sbin/smbd
    libcom_err.so.3 => /usr/kerberos/lib/libcom_err.so.3 (0x40027000)
    libk5crypto.so.3 => /usr/kerberos/lib/libk5crypto.so.3 (0x40029000)
    libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x40039000)
    libgssapi_krb5.so.2 => /usr/kerberos/lib/libgssapi_krb5.so.2 (0x40098000)
    liblber.so.2 => /usr/lib/liblber.so.2 (0x400ab000)
    libldap.so.2 => /usr/lib/libldap.so.2 (0x400b6000)
    libcups.so.2 => /usr/lib/libcups.so.2 (0x400e1000)
    libssl.so.4 => /lib/libssl.so.4 (0x400fb000)
    libcrypto.so.4 => /lib/libcrypto.so.4 (0x4013)
    libnsl.so.1 => /lib/libnsl.so.1 (0x40222000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0x40237000)
    libpam.so.0 => /lib/libpam.so.0 (0x40264000)
    libresolv.so.2 => /lib/libresolv.so.2 (0x4026c000)
    libdl.so.2 => /lib/libdl.so.2 (0x4027e000)
    libpopt.so.0 => /usr/lib/libpopt.so.0 (0x40282000)
    libc.so.6 => /lib/tls/libc.so.6 (0x4200)
    libsasl.so.7 => /usr/lib/libsasl.so.7 (0x4028b000)
    libz.so.1 => /usr/lib/libz.so.1 (0x40296000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
    libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x402a4000)

ldd /usr/sbin/nmbd
    libcrypt.so.1 => /lib/libcrypt.so.1 (0x40027000)
    libresolv.so.2 => /lib/libresolv.so.2 (0x40054000)
    libnsl.so.1 => /lib/libnsl.so.1 (0x40066000)
    libdl.so.2 => /lib/libdl.so.2 (0x4007c000)
    libpopt.so.0 => /usr/lib/libpopt.so.0 (0x4008)
    libcom_err.so.3 => /usr/kerberos/lib/libcom_err.so.3 (0x40088000)
    libk5crypto.so.3 => /usr/kerberos/lib/libk5crypto.so.3 (0x4008a000)
    libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x4009a000)
    libgssapi_krb5.so.2 => /usr/kerberos/lib/libgssapi_krb5.so.2 (0x400f8000)
    liblber.so.2 => /usr/lib/liblber.so.2 (0x4010b000)
    libldap.so.2 => /usr/lib/libldap.so.2 (0x40117000)
    libc.so.6 => /lib/tls/libc.so.6 (0x4200)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
    libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40142000)
    libssl.so.4 => /lib/libssl.so.4 (0x4014d000)
    libcrypto.so.4 => /lib/libcrypto.so.4 (0x40182000)
    libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40274000)
    libpam.so.0 => /lib/libpam.so.0 (0x4027b000)
    libz.so.1 => /usr/lib/libz.so.1 (0x40283000)

Does this give you what you want ?

-----Original Message-----
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 15 October 2003 8:55
To: jean-marc pouchoulon
Cc: 'Andrew Bartlett'; [EMAIL PROTECTED]
Subject: Re: RE : RE : RE : [Samba] samba-3 PDC BDC fail-over with 2 LDAP servers fails

On Wed, 2003-10-15 at 16:50, jean-marc pouchoulon wrote:
> > It is quite possible that your LDAP libs do not support that syntax.
> > What exactly is the version you are using?
>
> Netscape Directory server 4.16.

I mean on the client - the libraries that Samba links against.

Andrew Bartlett
RE : RE : [Samba] samba-3 PDC BDC fail-over with 2 LDAP servers fails
Good evening Andrew,

I've just tried to test failover with the two syntaxes. I use an ssh tunnel to connect to the LDAP server (using 127.0.0.1).

With

    passdb backend = ldapsam:ldap://127.0.0.1:10389/, ldapsam:ldap://127.0.0.1:13389, guest

it works after more slowly but it works. I think after 8 times, as I can see in the log:

    Connection to LDAP Server failed for the 8 try!
    [2003/10/13 17:53:36, 0] lib/smbldap.c:smbldap_search(924)
    smbldap_search: LDAP server is down!
    [2003/10/13 17:53:36, 0] lib/smbldap.c:smbldap_search_suffix(1075)
    smbldap_search_suffix: Problem during the LDAP search: (unknown) (Can't contact LDAP server)
    [2003/10/13 17:53:36, 0] passdb/pdb_ldap.c:ldapsam_setsampwent(939)
    ldapsam_setsampwent: LDAP search failed: Can't contact LDAP server
    [2003/10/13 17:53:36, 2] lib/smbldap.c:smbldap_search_suffix(1066)
    smbldap_search_suffix: searching for:[((uid=*)(objectclass=sambaSamAccount))]
    [2003/10/13 17:53:39, 2] passdb/pdb_ldap.c:ldapsam_setsampwent(948)
    ldapsam_setsampwent: 1388 entries in the base!

As I can see in the log, Samba tries to connect at every stage to the first LDAP server (there are multiple 'Connection to LDAP Server failed for the 8 try!').

With this syntax:

    passdb backend = ldapsam:ldap://127.0.0.1:10389 ldap://127.0.0.1:13389;, guest

I am not able to connect to the domain second ldap if I stop the first one.

I tried to search for '8 try' in my old cvs samba code without success. The rpm source is different.

Thanks for your previous answers.

Jean-Marc.
-----Original Message-----
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
Sent: Friday, 10 October 2003 10:12
To: jean-marc pouchoulon
Cc: 'Rauno Tuul'; [EMAIL PROTECTED]
Subject: Re: RE : [Samba] samba-3 PDC BDC fail-over with 2 LDAP servers fails

On Tue, 2003-10-07 at 19:58, jean-marc pouchoulon wrote:
> > PDC (also master-ldap) smb.conf
> > passdb backend = ldapsam:ldaps://master-ldap.lan ldapsam:ldaps://slave-ldap.lan
>
> Beware of the comma : use
> passdb backend = ldapsam:ldaps://master-ldap.lan, ldapsam:ldaps://slave-ldap.lan, guest

Nope. The comma doesn't matter.

    passdb backend = ldapsam:ldaps://ldap1 ldaps://ldap2

is what you want. That way, OpenLDAP gets to process the 'ldap url' in whatever way they like - which is how we get this support.

BTW, the first ldap server in that list should be the 'closest' server, as OpenLDAP will bind to that first.

Andrew Bartlett
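Added example, not part of the original posts or of Samba: a small parser that measures how long smbd was without a reachable LDAP backend, run over the log records quoted in the message above. The header-plus-indented-message layout of the sample and the use of the "entries in the base" line as the recovery marker are assumptions.

```python
import re
from datetime import datetime

# Records from the post, re-broken into smbd's header + indented message
# layout (the layout is an assumption; the archive flattened the log).
SAMPLE_LOG = """\
  Connection to LDAP Server failed for the 8 try!
[2003/10/13 17:53:36, 0] lib/smbldap.c:smbldap_search(924)
  smbldap_search: LDAP server is down!
[2003/10/13 17:53:36, 0] lib/smbldap.c:smbldap_search_suffix(1075)
  smbldap_search_suffix: Problem during the LDAP search: (unknown) (Can't contact LDAP server)
[2003/10/13 17:53:36, 0] passdb/pdb_ldap.c:ldapsam_setsampwent(939)
  ldapsam_setsampwent: LDAP search failed: Can't contact LDAP server
[2003/10/13 17:53:39, 2] passdb/pdb_ldap.c:ldapsam_setsampwent(948)
  ldapsam_setsampwent: 1388 entries in the base!
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] (\S+):(\w+)\((\d+)\)$")
RETRY = re.compile(r"Connection to LDAP Server failed for the (\d+) try!")
DOWN = ("LDAP server is down!", "Can't contact LDAP server")
UP = re.compile(r"ldapsam_setsampwent: \d+ entries in the base!")  # assumed recovery marker

def parse_records(text):
    """Return a list of (timestamp, level, function, message) tuples."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            current = [ts, int(m.group(2)), m.group(4), ""]
            records.append(current)
        elif line.strip():
            if current is None:  # message text before the first header
                current = [None, None, None, ""]
                records.append(current)
            current[3] = (current[3] + " " + line.strip()).strip()
    return [tuple(r) for r in records]

def ldap_outages(records):
    """Return (start, end, seconds, highest_retry) per LDAP outage window."""
    outages, start, retries = [], None, 0
    for ts, _level, _func, msg in records:
        retries = max([retries] + [int(n) for n in RETRY.findall(msg)])
        if ts is None:
            continue
        if start is None and any(s in msg for s in DOWN):
            start = ts
        elif start is not None and UP.search(msg):
            outages.append((start, ts, (ts - start).total_seconds(), retries))
            start, retries = None, 0
    if start is not None:  # backend still unreachable at end of log
        outages.append((start, None, None, retries))
    return outages
```

Calling `ldap_outages(parse_records(SAMPLE_LOG))` yields one window; an outage with no recovery record is reported with `None` as its end, which is the case worth alerting on for an authentication backend.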
Re: RE : RE : [Samba] samba-3 PDC BDC fail-over with 2 LDAP servers fails
On Tue, 2003-10-14 at 16:18, jean-marc pouchoulon wrote:
> Good evening Andrew,
>
> I've just tried to test failover with the two syntaxes. I use an ssh tunnel to connect to the LDAP server (using 127.0.0.1).
>
> With
> passdb backend = ldapsam:ldap://127.0.0.1:10389/, ldapsam:ldap://127.0.0.1:13389, guest
> it works after more slowly but it works. I think after 8 times as
>
> passdb backend = ldapsam:ldap://127.0.0.1:10389 ldap://127.0.0.1:13389;, guest
>
> I am not able to connect to the domain second ldap if I stop the first one.
>
> Thanks for your previous answers.

It is quite possible that your LDAP libs do not support that syntax. What exactly is the version you are using?

Andrew Bartlett
Re: RE : [Samba] samba-3 PDC BDC fail-over with 2 LDAP servers fails
On Tue, 2003-10-07 at 19:58, jean-marc pouchoulon wrote:
> > PDC (also master-ldap) smb.conf
> > passdb backend = ldapsam:ldaps://master-ldap.lan ldapsam:ldaps://slave-ldap.lan
>
> Beware of the comma : use
> passdb backend = ldapsam:ldaps://master-ldap.lan, ldapsam:ldaps://slave-ldap.lan, guest

Nope. The comma doesn't matter.

    passdb backend = ldapsam:ldaps://ldap1 ldaps://ldap2

is what you want. That way, OpenLDAP gets to process the 'ldap url' in whatever way they like - which is how we get this support.

BTW, the first ldap server in that list should be the 'closest' server, as OpenLDAP will bind to that first.

Andrew Bartlett
RE : RE : [Samba] samba-3 PDC BDC fail-over with 2 LDAP servers fails
I can't test it very well in a prod env, but if I stop one (the first in order) LDAP server and I make a search with my XP PC, I have no result. But I use Netscape Directory Server.

Jean-Marc

-----Original Message-----
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
Sent: Friday, 10 October 2003 10:12
To: jean-marc pouchoulon
Cc: 'Rauno Tuul'; [EMAIL PROTECTED]
Subject: Re: RE : [Samba] samba-3 PDC BDC fail-over with 2 LDAP servers fails

On Tue, 2003-10-07 at 19:58, jean-marc pouchoulon wrote:
> > PDC (also master-ldap) smb.conf
> > passdb backend = ldapsam:ldaps://master-ldap.lan ldapsam:ldaps://slave-ldap.lan
>
> Beware of the comma : use
> passdb backend = ldapsam:ldaps://master-ldap.lan, ldapsam:ldaps://slave-ldap.lan, guest

Nope. The comma doesn't matter.

    passdb backend = ldapsam:ldaps://ldap1 ldaps://ldap2

is what you want. That way, OpenLDAP gets to process the 'ldap url' in whatever way they like - which is how we get this support.

BTW, the first ldap server in that list should be the 'closest' server, as OpenLDAP will bind to that first.

Andrew Bartlett
Re: RE : RE : [Samba] samba-3 PDC BDC fail-over with 2 LDAP servers fails
On Fri, 2003-10-10 at 20:03, jean-marc pouchoulon wrote:
> I can't test it very well in a prod env, but if I stop one (the first in order) LDAP server and I make a search with my XP PC, I have no result. But I use Netscape Directory Server.

This is using exactly what syntax? This is expected behaviour, if you don't put the quotes in there... (We will time out looking for the LDAP server).

Andrew Bartlett
RE : [Samba] samba-3 PDC BDC fail-over with 2 LDAP servers fails
> PDC (also master-ldap) smb.conf
> passdb backend = ldapsam:ldaps://master-ldap.lan ldapsam:ldaps://slave-ldap.lan

Beware of the comma : use

    passdb backend = ldapsam:ldaps://master-ldap.lan, ldapsam:ldaps://slave-ldap.lan, guest

Jean-Marc
Re: [Samba] Samba 3 as BDC
On Wed, 2002-11-20 at 21:14, Kristyan Osborne wrote:
> Hi,
>
> I was wondering what is the current state of play with samba 3 being a BDC?? Is there any documentation anywhere?

It should work, once you get the SIDs right, for users at least (assuming ldap or rsynced smbpasswd). Other things are harder to get synced across correctly.

There is some (slightly out of date) documentation in the source distro.

Andrew Bartlett
Re: [Samba] Samba 3 as BDC
On November 20, [EMAIL PROTECTED] said:
> It should work, once you get the SIDs right, for users at least (assuming ldap or rsynced smbpasswd). Other things are harder to get synced across correctly.
>
> There is some (slightly out of date) documentation in the source distro.

I'm fighting with this at the moment. net rpc vampire isn't documented in the source distro (that I can find, anyway) but for anyone else playing with it, it does take a bit of fiddling to make it work. I presume there's a way to make all this work without creating Unix accounts (LDAP or winbindd) but since I'm trying not to go too far out on a limb, I will note that the use-unix-accounts option requires you to have working add machine, add user, and add group scripts. It will fail non-obviously if you don't have these (for example, it claims to be creating the groups, but doesn't do so, because you've not defined the script - this had me stumped for a while).

The question I'd have, since it's pertinent to what I'm trying to do: Is it possible to net rpc vampire a PDC, then promote Samba to the PDC and demote the Windows box to the BDC? I don't care if syncing doesn't work after I've done that, I just need to be able to force every machine in the domain to recognise that the PDC is, er, not the PDC any more, but I can't take the PDC out of the domain entirely because there are other things running on it.

Cheers,
Waider.
--
[EMAIL PROTECTED] / Yes, it /is/ very personal of me.

A one question geek test. If you think it's funny, you're a geek.
Seen on a California license plate on a VW Beetle: Feature - Joshua D. Wachs
Re: [Samba] Samba 3 as BDC
On Wed, 2002-11-20 at 22:53, Ronan Waide wrote:
> On November 20, [EMAIL PROTECTED] said:
> > It should work, once you get the SIDs right, for users at least (assuming ldap or rsynced smbpasswd). Other things are harder to get synced across correctly.
> >
> > There is some (slightly out of date) documentation in the source distro.
>
> I'm fighting with this at the moment. net rpc vampire isn't documented in the source distro (that I can find, anyway) but for anyone else playing with it, it does take a bit of fiddling to make it work. I presume there's a way to make all this work without creating Unix accounts (LDAP or winbindd) but since I'm trying not to go too far out on a limb, I will note that the use-unix-accounts option requires you to have working add machine, add user, and add group scripts. It will fail non-obviously if you don't have these (for example, it claims to be creating the groups, but doesn't do so, because you've not defined the script - this had me stumped for a while).

If you want to contribute some doco or simply a discussion of what you did and how you did it, it would be most appreciated.

You must use the 'add user' scripts etc - because we don't automatically create these users, and we don't allow users without a unix id to be represented. I might add some more LDAP magic toward this, but that's how it is for now.

> The question I'd have, since it's pertinent to what I'm trying to do: Is it possible to net rpc vampire a PDC, then promote Samba to the PDC and demote the Windows box to the BDC? I don't care if syncing doesn't work after I've done that, I just need to be able to force every machine in the domain to recognise that the PDC is, er, not the PDC any more, but I can't take the PDC out of the domain entirely because there are other things running on it.

You can't demote to BDC - it will try and sync the passwords, and that will fail badly. However, if demoted all the way to domain member, it should work.

Andrew Bartlett
Re: [Samba] Samba 3 as BDC
On November 20, [EMAIL PROTECTED] said:
> If you want to contribute some doco or simply a discussion of what you did and how you did it, it would be most appreciated.

Certainly will do. Once I get it working and all :)

> You must use the 'add user' scripts etc - because we don't automatically create these users, and we don't allow users without a unix id to be represented. I might add some more LDAP magic toward this, but that's how it is for now.

So basically there is currently no way around the requirement for a Unix ID and/or group?

> You can't demote to BDC - it will try and sync the passwords, and that will fail badly. However, if demoted all the way to domain member, it should work.

Okay. Demonstrating my ignorance, how the hell do I demote it all the way to a domain member without reinstalling NT?

Cheers,
Waider.
--
We are experiencing MVS processor spin loops, the programs are running while holding a disabled CPU. This is causing XCF communication delays to the point where we are losing VTAM RTP routing, are suffering OSPF adjacency failures on TCP/IP dynamic routing and MIM VCF failures. - Reported via Slashdot