[Samba] 3.0: machine trust accounts & ldap servers

Andrew Bartlett abartlet at samba.org
Sun Nov 24 19:56:00 GMT 2002


On Mon, 2002-11-25 at 06:29, Dariush Forouher wrote:
> On Sun, 2002-11-24 at 19:35, Yura Pismerov wrote:
> > Dariush Forouher wrote:
> > > Does 3.0 still need unix accounts for machine trust accounts? This would
> > > be nice, because AFAIR in LDAP they can be placed into another
> > > directory. If not, must some magic options be present in smb.conf?

With ldapsam_nua, machine accounts are not required to exist in getpw*()
calls, but with LDAP, it isn't much pain either way.  

> > > 
> > > Another question: Is it possible to give samba 3.0 more than one LDAP
> > > server to get more redundancy? If yes, does this work with 2.2 too?
> > 
> > Have you ever thought that Samba needs read/write access to the
> > directory, not just read only? In this case, how would you synchronize
> > multiple LDAP replicas?
> > Usually LDAP uses a one-way replication mechanism. That means you always
> > do changes (writes) to the master replica, then the changes are
> > propagated to the other (read-only) replicas. Many LDAP implementations
> > support a referral mechanism, so writes can be directed to any replica,
> > including a read-only one, and they will be automatically redirected to
> > the master server. So LDAP redundancy usually has nothing to do with the
> > client implementation - it is up to a system administrator to create a
> > proper redundant LDAP farm using either software solutions (various VRRP
> > implementations) or real (hardware) load balancing devices.
> > 
> > If you propose a built-in redundancy feature for Samba it should imply
> > read-only operations only. For read-write ones you still need to use
> > the master replica LDAP instance.
> > So IMHO it does not make much sense at this point.
> 
> I had the idea to set up two or three LDAP servers that should be used by
> one samba PDC, several BDCs and by samba fileservers as well. If I give
> every samba server only one LDAP server as password backend and an
> LDAP server goes down, every samba server that depends on this specific
> LDAP server will be down as well. That's not very redundant. I know that
> no changes to the directory will be possible any longer if the
> LDAP master goes down. But samba should still be able to act as a
> read-only BDC or as a fileserver. Is this possible? The DCs aren't that
> important, because there will be several of them, but the samba
> fileservers must not depend on one LDAP server.

This is all quite possible.  BDCs should never write to the LDAP
directory, and when they do, the slave ldap server issues a 'redirect'
and the master LDAP server is contacted.

Making one Samba server use a second ldap server should also be possible
- play with the 'passdb backend' parameter, and try to put more than one
URL in the 'location' for ldapsam.  I'm told that the ldap libs take
care of the rest.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
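The multi-URL 'passdb backend' setting Andrew describes, written out as an added smb.conf example (this is not configuration from the thread or from the Samba project; the hostnames and suffixes are placeholders). The space-separated, quoted URI list is the form Samba 3.0's 'passdb backend' parameter accepts for ldapsam; the OpenLDAP client library then tries the URIs in order and connects to the first one that answers.

```ini
# Added example smb.conf fragment for a Samba 3.0 BDC or fileserver that
# must survive the loss of one LDAP replica. Hostnames and DNs are
# placeholders (example.com), not values from the mailing-list thread.
[global]
    workgroup = EXAMPLE
    security = user

    # Two LDAP replicas in one quoted, space-separated list. The first URI
    # is tried first; if that server is down the library moves to the next.
    passdb backend = ldapsam:"ldap://ldap1.example.com ldap://ldap2.example.com"

    ldap suffix = dc=example,dc=com
    ldap admin dn = cn=Manager,dc=example,dc=com
    ldap user suffix = ou=People
    ldap machine suffix = ou=Computers

    # A BDC or fileserver only reads from the directory, so either replica
    # is sufficient for it; only the PDC needs to reach the writable master.
    domain master = no
```

Two practical checks go with this: run `testparm` after editing so a typo in the quoted URI list is caught before smbd restarts, and test the failover deliberately by stopping the first LDAP server and confirming that domain logons against the BDC and share access on the fileserver still succeed via the second. The 'redirect' Andrew mentions for the rare write from a slave is the LDAP referral the slave returns; with OpenLDAP's slapd that is what the `updateref` directive on the read-only replica configures, pointing at the master's URL.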