[Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???

Jason C. Waters jwaters at h2os.com
Fri Jun 18 15:00:32 GMT 2004


I'm using Samba 3.0.4, and I can't seem to get passdb backend = 
ldapsam:"ldaps://master.ldap ldaps://slave.ldap" to work.  What version 
of samba are you running?  If I use either one, it works fine.  So 
instead of having two servers I would just have 
ldapsam:"ldaps://slave.ldap".  Any ideas?

Jason

Michael Gasch wrote:
>  > Isn't the slave ldap directory supposed to be read only?
> if it's readonly, slurpd can't update the slave (i've tested it, 
> possibly i missed something ?)
> 
> the problem is: machines regularly change their passwords and if these 
> changes are not done on the master, they're lost, if master comes back 
> -> clients can't logon anymore and so on....
> 
>  >I'm having some troubles
>  > getting the failover to work
> what problems are you talking about?
> 
> these are my config files (/etc/ldap.conf for all machines not included 
> but also very important in case of fail-over)
> 
> ##### Samba PDC #####
> # smb.conf
> 
> [global]
> 
>    workgroup = NEVAN
>    netbios name = nevanpdc
>    server string = NevanPDC on Samba Version: %v
> 
>    username map = /etc/samba/username.map
> 
>    log level = 5
>    log file = /var/lib/samba/log.%m
>    max log size = 10000
> 
>    passdb backend = ldapsam:"ldap://localhost:389 ldap://nevanbdc.eva.mpg.de:389"
>    ldap passwd sync = yes
>    ldap suffix = dc=eva,dc=mpg,dc=de
>    ldap admin dn = cn=manager,dc=eva,dc=mpg,dc=de
>    ldap machine suffix = ou=machines
>    ldap user suffix  = ou=users
>    ldap group suffix = ou=groups
>    ldap replication sleep = 2000
>    ldap idmap suffix = ou=users
> 
>    guest ok = no
>    guest account = Guest
> 
>    security = user
>    local master = yes
>    os level = 65
>    domain master = yes
>    domain logons = yes
> 
>    logon path =
>    logon home =
> 
>    encrypt passwords = yes
>    socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
> 
>    wins support = yes
>    dns proxy = no
> 
>    display charset = UTF8
>    unix charset = UTF8
> 
> [netlogon]
>    comment = Network Logon Service
>    path = /var/lib/samba/netlogon
>    guest ok = yes
>    writable = no
>    share modes = no
> 
> 
> # slapd.conf
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/samba.schema
> 
> pidfile         /var/run/slapd/slapd.pid
> argsfile        /var/run/slapd/slapd.args
> loglevel        7
> 
> database        ldbm
> suffix          "dc=eva,dc=mpg,dc=de"
> rootdn          "cn=manager,dc=eva,dc=mpg,dc=de"
> 
> password-hash   {MD5}
> rootpw          {MD5}++++++++++++++++++++++++
> 
> replogfile /var/lib/ldap/replog
> 
> replica host=nevanbdc.eva.mpg.de:389
>     binddn=cn=manager,dc=eva,dc=mpg,dc=de
>     bindmethod=simple credentials="+++++++++"
> 
> directory       /var/lib/ldap
> index   objectClass             eq
> index   sambaSID                eq
> index   uid                     eq
> index   sambaPrimaryGroupSID    eq
> 
> lastmod         on
> 
> access to attrs=userPassword
>        by self write
>        by * auth
> 
> access to *
>        by * read
> 
> 
> 
> ##### Samba BDC #####
> # smb.conf
> 
> [global]
> 
>    workgroup = NEVAN
>    netbios name = nevanbdc
>    server string = NevanBDC on Samba Version: %v
> 
>    username map = /etc/samba/username.map
> 
>    log level = 5
>    log file = /var/lib/samba/log.%m
>    max log size = 10000
> 
>    passdb backend = ldapsam:"ldap://nevanpdc.eva.mpg.de:389 ldap://localhost:389"
>    ldap passwd sync = yes
>    ldap suffix = dc=eva,dc=mpg,dc=de
>    ldap admin dn = cn=manager,dc=eva,dc=mpg,dc=de
>    ldap machine suffix = ou=machines
>    ldap user suffix  = ou=users
>    ldap group suffix = ou=groups
>    ldap replication sleep = 2000
>    ldap idmap suffix = ou=users
> 
>    guest ok = no
>    guest account = Guest
> 
>    security = user
>    local master = yes
>    os level = 65
>    domain master = no
>    domain logons = yes
> 
>    logon path =
>    logon home =
> 
>    encrypt passwords = yes
>    socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
> 
>    wins support = yes
>    dns proxy = no
> 
>    display charset = UTF8
>    unix charset = UTF8
> 
> [netlogon]
>    comment = Network Logon Service
>    path = /var/lib/samba/netlogon
>    guest ok = yes
>    writable = no
>    share modes = no
> 
> 
> # slapd.conf
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/samba.schema
> 
> pidfile         /var/run/slapd/slapd.pid
> argsfile        /var/run/slapd/slapd.args
> loglevel        2
> 
> database        ldbm
> suffix          "dc=eva,dc=mpg,dc=de"
> rootdn          "cn=manager,dc=eva,dc=mpg,dc=de"
> 
> password-hash   {MD5}
> rootpw          {MD5}++++++++++++++++++++++++
> 
> updatedn "cn=manager,dc=eva,dc=mpg,dc=de"
> updateref "nevanpdc.eva.mpg.de"
> 
> directory       /var/lib/ldap
> index   objectClass             eq
> index   sambaSID                eq
> index   uid                     eq
> index   sambaPrimaryGroupSID    eq
> 
> lastmod         on
> 
> access to attrs=userPassword
>        by self write
>        by * auth
> 
> access to *
>        by * read
> 
> 
> 
> Jason C. Waters schrieb:
> 
>> Isn't the slave ldap directory supposed to be read only?  So when 
>> the master is down the users can't change their passwords, but 
>> everything else should work.  What do your smb.conf and slapd.conf 
>> files look like for the master and the slave?  I'm having some 
>> troubles getting the failover to work, so I wouldn't mind a peek.  Thanks.
>>
>> Jason
>>
>> Michael Gasch wrote:
>>
>>> hi
>>>
>>> i'm looking for hints/experiences concerning samba v3, openldap AND 
>>> redundancy
>>>
>>> my setup is:
>>>
>>> Samba PDC with LDAP Master
>>> Samba BDC with LDAP Slave
>>> Samba Member Server, contacting first PDC, then BDC if the first fails
>>>
>>> if all instances are working properly, everything is okay
>>> replication is also fine (from Master -> Slave)
>>>
>>> and now imagine:
>>>
>>> LDAP Master dies
>>> all smbd are contacting LDAP Slave and make their changes in the 
>>> Slave directory
>>> cause replication only works from Master->Slave, if Master comes up 
>>> again, i have inconsistency in my LDAP Backends
>>> e.g. a machine changes its machine password in Slave directory and 
>>> can't logon anymore cause the password change isn't replicated on Master
>>>
>>> we also tried to setup slurpd (LDAP replication) on both LDAP Servers 
>>> - if both are up, everything is okay, if one is down, changes are 
>>> made in one directory, samba tells me it fails (e.g. changing 
>>> passwords), although it changes the attributes and so on....
>>>
>>> so the problem is: if Slave dies, everything should go on working, 
>>> because PDC/BDC use at first LDAP Master
>>> if slave comes up, replication is done properly
>>>
>>> but if Master dies, i get an inconsistent domain
>>>
>>> how do you get redundancy in your LDAP backend?
>>> PDC/BDC redundancy works well, the single-point-of-failure is LDAP
>>>
>>> thx
>>


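An added consistency check (my example, not code from the thread) for the master/slave drift Michael describes: after the master comes back, export ou=machines from both servers with ldapsearch and list the machine accounts whose sambaPwdLastSet advanced on the slave, or that exist only there. Those are exactly the changes a master -> slave slurpd will never carry back and must be reconciled by hand. The LDIF samples are constructed; sambaPwdLastSet is the Samba schema attribute, and the DNs use the thread's suffix.

```python
import re

# Constructed sample exports (not from the thread): what `ldapsearch -LLL`
# might return from the master and the slave under the thread's suffix.
MASTER_LDIF = """
dn: uid=ws01$,ou=machines,dc=eva,dc=mpg,dc=de
sambaPwdLastSet: 1087000000

dn: uid=ws02$,ou=machines,dc=eva,dc=mpg,dc=de
sambaPwdLastSet: 1087000000
"""

SLAVE_LDIF = """
dn: uid=ws01$,ou=machines,dc=eva,dc=mpg,dc=de
sambaPwdLastSet: 1087000000

dn: uid=ws02$,ou=machines,dc=eva,dc=mpg,dc=de
sambaPwdLastSet: 1087500000

dn: uid=ws03$,ou=machines,dc=eva,dc=mpg,dc=de
sambaPwdLastSet: 1087600000
"""


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}. Ignores base64 and folding."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key, []).append(value.strip())
        entries[attrs.pop("dn")[0]] = attrs
    return entries


def find_drift(master_ldif, slave_ldif):
    """Return sorted (dn, master_ts, slave_ts) for entries newer on, or only on, the slave."""
    master, slave = parse_ldif(master_ldif), parse_ldif(slave_ldif)
    drift = []
    for dn, attrs in slave.items():
        slave_ts = int(attrs.get("sambaPwdLastSet", ["0"])[0])
        master_ts = int(master.get(dn, {}).get("sambaPwdLastSet", ["0"])[0])
        # Slave-only entries (joined while the master was down) report master_ts 0.
        if dn not in master or slave_ts > master_ts:
            drift.append((dn, master_ts, slave_ts))
    return sorted(drift)
```

Run it against real exports of both directories before re-enabling the master as the first URI in passdb backend; every DN it lists needs its slave-side attributes copied to the master or it will stop logging on.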