[Samba] 3.0: machine trust accounts & ldap servers

Dariush Forouher dariush at forouher.de
Sun Nov 24 19:30:01 GMT 2002


On Sun, 2002-11-24 at 19:35, Yura Pismerov wrote:
> Dariush Forouher wrote:
> > Does 3.0 still need Unix accounts for machine trust accounts? This would
> > be nice, because AFAIR in LDAP they can be placed into another
> > directory. If not, must there be some magic options present in smb.conf?
> > 
> > Another question: Is it possible to give Samba 3.0 more than one LDAP
> > server to get more redundancy? If yes, does this work with 2.2 too?
> 
> 
> Have you ever thought that Samba needs read/write access to the
> directory, not just read-only? In this case, how would you synchronize
> multiple LDAP replicas?
> Usually LDAP uses a one-way replication mechanism. That means you always
> make changes (writes) to the master replica, then the changes are
> propagated to the other (read-only) replicas. Many LDAP implementations
> support a referral mechanism, so writes can be directed to any replica,
> including read-only ones, and they will be automatically redirected to
> the master server. So LDAP redundancy usually has nothing to do with the
> client implementation - it is up to a system administrator to create a
> proper redundant LDAP farm using either software solutions (various VRRP
> implementations) or real (hardware) load balancing devices.
> 
> If you propose a built-in redundancy feature for Samba it should imply
> read-only operations only. For read-write ones you still need to use the
> master replica LDAP instance.
> So IMHO it does not make much sense at this point.

I had the idea to set up two or three LDAP servers that should be used by
one Samba PDC, several BDCs and by Samba fileservers as well. If I give
every Samba server only one LDAP server as password backend and an
LDAP server goes down, every Samba server that depends on this specific
LDAP server will be down as well. That's not very redundant. I know that
no changes to the directory will be possible any longer if the
LDAP master goes down. But Samba should still be able to act as a
read-only BDC or as a fileserver. Is this possible? The DCs aren't that
important, because there will be several of them, but the Samba
fileservers must not depend on one LDAP server.

ciao
Dariush
-- 
PGP Fingerprint: 0x886C99A1
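Added example (the editor's, not from the thread or the Samba project) of the smb.conf settings that bear on the two questions, assuming Samba 3.0's ldapsam backend, which accepts several space-separated LDAP URIs and uses the first server that answers; the host names, DNs and the BDC role are assumed.

```ini
# smb.conf fragment for a Samba 3.0 BDC (added example; names are assumed)

[global]
    workgroup = EXAMPLE
    security = user
    domain logons = yes
    # A BDC is not the domain master; it only serves logons read-only.
    domain master = no

    # Single server: if ldap-1 is unreachable this Samba server is down too.
    ; passdb backend = ldapsam:ldap://ldap-1.example.com

    # Several space-separated URIs: Samba tries them in order and uses the
    # first that answers, so a fileserver or read-only BDC keeps working
    # while one replica is down. Writes (joins, password changes) still
    # need a server that is the master or refers writes to it.
    passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com ldap://ldap-3.example.com"

    ldap suffix = dc=example,dc=de
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    # Machine trust accounts can be kept in their own OU with ldapsam.
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=samba,dc=example,dc=de
    # Protect the bind credentials and password hashes on the wire.
    ldap ssl = start tls
```

The `ldap admin dn` password is stored separately with `smbpasswd -w`, so the secrets never appear in smb.conf.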
