samba_2_2 sambatest (security=server) and ldap performance
Andrew Bartlett
abartlet at samba.org
Thu Oct 31 12:01:00 GMT 2002
On Thu, Oct 31, 2002 at 12:20:25PM +0100, Ignacio Coupeau wrote:
> Andrew Bartlett wrote:
> > On Thu, Oct 31, 2002 at 11:33:15AM +0100, Ignacio Coupeau wrote:
> >
> >>We have several samba printservers and fileservers with
> >>"security=server" validating against several PDC with ldap (samba 2.2.6).
> >>
> >>I found a lot of ldap request like:
> >> (uid=SAMBATESTPSERVER04)
> >>beating the ldap servers: one before *each* validation in every print
> >>job or share session.
> >>
> >>I found this is related to a security issue, as Jeremy says in the
> >>server_validate() function.
> >>
> >>To avoid this I tried to use security=domain, because server_validate()
> >>is called by check_server_security(), but our servers, joined to their
> >>assigned domain, very much prefer to ask the neighbouring PDC as
> >>"security=server" rather than their assigned domain server (perhaps the
> >>subnetting, or so... it is a big and complex network).
> >>
> >>The question is if I can skip the code around
> >>"if(!tested_password_server) {"
> >>to avoid the calls to ldap and if it is safe.
> >>
> >>We are using only samba servers.
> >
> >
> > You could, but you really don't want to. Security=server
> > is really nasty. Fix whatever is causing Samba to pick the
> > wrong DC for security=domain. You can still specify the
> > server to use.
>
> I'm tracking it, but it is amazing...
> for example
> ../bin/smbpasswd -r ENIGMA -j CTI-SMB-2
> joins pserver01 to ENIGMA perfectly.
>
> pserver01 has "security server=enigma", but it resolves against every PDC
> (of course the ldap base is the same), like "security server=*" but in
> server mode (for example in PDC3 or PDC1) instead of domain mode in
> ENIGMA... it looks as if a broadcast is performed and the winner is the
> nearest PDC, because the trusted PDC (ENIGMA) is in another subnet... amazing!
Try running 'testparm' - you want 'password server', not 'security server'...
Andrew Bartlett
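The following smb.conf fragments are an added illustration of the point Andrew makes; they are not from this thread or from the Samba project. The domain name CTI-SMB-2 and the PDC name ENIGMA are taken from the quoted smbpasswd command; everything else is assumed.

```ini
; Added example, not from the thread or from Samba itself.
; Three [global] variants for the same print server; only one belongs in
; a real smb.conf at a time.

; 1. What the original post describes: server-level security.
;    Every session setup is forwarded to the password server, which in
;    turn performs one LDAP lookup per print job or share connection.
[global]
   workgroup = CTI-SMB-2
   security = server
   password server = ENIGMA

; 2. The typo Andrew points at: "security server" is not a Samba
;    parameter, so it is ignored and the password server is left
;    unset. Samba then finds a DC on its own, which in the poster's
;    network meant the nearest PDC rather than ENIGMA.
[global]
   workgroup = CTI-SMB-2
   security = domain
   security server = enigma

; 3. Corrected: domain mode with the intended DC named explicitly
;    (assumed to be what the poster wanted).
[global]
   workgroup = CTI-SMB-2
   security = domain
   password server = ENIGMA
```

Running `testparm` against variant 2 reports the unknown parameter and shows that `password server` stays at its default, which is the quickest way to confirm which of the three configurations a server is actually using.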