[Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???
Michael Gasch
gasch at eva.mpg.de
Fri Jun 18 13:38:51 GMT 2004
> Isn't the slave ldap directory suppose to be only read only?
if it's read-only, slurpd can't update the slave (I've tested it,
possibly I missed something?)
the problem is: machines regularly change their passwords, and if these
changes are not done on the master they're lost when the master comes back
-> clients can't log on anymore, and so on....
>I'm having some troubles
> getting the failover to work
what problems are you talking about?
these are my config files (/etc/ldap.conf for all machines not included
but also very important in case of fail-over)
##### Samba PDC #####
# smb.conf
[global]
workgroup = NEVAN
netbios name = nevanpdc
server string = NevanPDC on Samba Version: %v
username map = /etc/samba/username.map
log level = 5
log file = /var/lib/samba/log.%m
max log size = 10000
passdb backend = ldapsam:"ldap://localhost:389 ldap://nevanbdc.eva.mpg.de:389"
ldap passwd sync = yes
ldap suffix = dc=eva,dc=mpg,dc=de
ldap admin dn = cn=manager,dc=eva,dc=mpg,dc=de
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap replication sleep = 2000
ldap idmap suffix = ou=users
guest ok = no
guest account = Guest
security = user
local master = yes
os level = 65
domain master = yes
domain logons = yes
logon path =
logon home =
encrypt passwords = yes
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
wins support = yes
dns proxy = no
display charset = UTF8
unix charset = UTF8
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no
# slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 7
database ldbm
suffix "dc=eva,dc=mpg,dc=de"
rootdn "cn=manager,dc=eva,dc=mpg,dc=de"
password-hash {MD5}
rootpw {MD5}++++++++++++++++++++++++
replogfile /var/lib/ldap/replog
replica host=nevanbdc.eva.mpg.de:389
        binddn=cn=manager,dc=eva,dc=mpg,dc=de
        bindmethod=simple credentials="+++++++++"
directory /var/lib/ldap
index objectClass eq
index sambaSID eq
index uid eq
index sambaPrimaryGroupSID eq
lastmod on
access to attrs=userPassword
by self write
by * auth
access to *
by * read
##### Samba BDC #####
# smb.conf
[global]
workgroup = NEVAN
netbios name = nevanbdc
server string = NevanBDC on Samba Version: %v
username map = /etc/samba/username.map
log level = 5
log file = /var/lib/samba/log.%m
max log size = 10000
passdb backend = ldapsam:"ldap://nevanpdc.eva.mpg.de:389 ldap://localhost:389"
ldap passwd sync = yes
ldap suffix = dc=eva,dc=mpg,dc=de
ldap admin dn = cn=manager,dc=eva,dc=mpg,dc=de
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap replication sleep = 2000
ldap idmap suffix = ou=users
guest ok = no
guest account = Guest
security = user
local master = yes
os level = 65
domain master = no
domain logons = yes
logon path =
logon home =
encrypt passwords = yes
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
wins support = yes
dns proxy = no
display charset = UTF8
unix charset = UTF8
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no
# slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 2
database ldbm
suffix "dc=eva,dc=mpg,dc=de"
rootdn "cn=manager,dc=eva,dc=mpg,dc=de"
password-hash {MD5}
rootpw {MD5}++++++++++++++++++++++++
updatedn "cn=manager,dc=eva,dc=mpg,dc=de"
updateref "nevanpdc.eva.mpg.de"
directory /var/lib/ldap
index objectClass eq
index sambaSID eq
index uid eq
index sambaPrimaryGroupSID eq
lastmod on
access to attrs=userPassword
by self write
by * auth
access to *
by * read
Jason C. Waters wrote:
> Isn't the slave ldap directory supposed to be read-only? So when
> the master is down the users can't change their passwords, but
> everything else should work. What do your smb.conf and slapd.conf files
> look like for the master and the slave? I'm having some troubles
> getting the failover to work, so I wouldn't mind a peek. Thanks
>
> Jason
>
> Michael Gasch wrote:
>
>> hi
>>
>> i'm looking for hints/experiences concerning samba v3, openldap AND
>> redundancy
>>
>> my setup is:
>>
>> Samba PDC with LDAP Master
>> Samba BDC with LDAP Slave
>> Samba Member Server, contacting first PDC, then BDC if the first fails
>>
>> if all instances are working properly, everything is okay
>> replication is also fine (from Master -> Slave)
>>
>> and now imagine:
>>
>> LDAP Master dies
>> all smbd are contacting LDAP Slave and make their changes in the Slave
>> directory
>> cause replication only works from Master->Slave, if Master comes up
>> again, i have inconsistency in my LDAP Backends
>> e.g. a machine changes its machine password in Slave directory and
>> can't log on anymore cause the password change isn't replicated on Master
>>
>> we also tried to setup slurpd (LDAP replication) on both LDAP Servers
>> - if both are up, everything is okay, if one is down, changes are made
>> in one directory, samba tells me it fails (e.g. changing passwords),
>> although it changes the attributes and so on....
>>
>> so the problem is: if Slave dies, everything should go on working,
>> because PDC/BDC use at first LDAP Master
>> if slave comes up, replication is done properly
>>
>> but if Master dies, i get an inconsistent domain
>>
>> how do you get redundancy in your LDAP backend?
>> PDC/BDC redundancy works well, the single-point-of-failure is LDAP
>>
>> thx
>
>
>
--
"Matrix - more than a vision"
**************************************************
Michael Gasch
- Central IT Department -
Max Planck Institute for Evolutionary Anthropology
Deutscher Platz 6
04103 Leipzig
Germany
**************************************************
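The inconsistency Michael describes (a machine account whose password was changed on the slave while the master was down, so the master still holds the old hash) is silent until the next logon fails. The script below is an added example, not code from this thread or from the Samba/OpenLDAP projects: it compares LDIF exports of the sambaSamAccount entries from both directories and reports every entry where the password hashes or sambaPwdLastSet disagree, or that exists on only one side. The LDIF text is constructed inline for illustration; in practice each export would come from a command along the lines of `ldapsearch -x -LLL -H ldap://nevanpdc.eva.mpg.de -b dc=eva,dc=mpg,dc=de '(objectClass=sambaSamAccount)'` run against each server (assumed, not taken from the thread).

```python
"""Detect replication drift between an LDAP master and slave by diffing
LDIF exports of the Samba account entries.

Added example for the thread above (not the poster's code). The LDIF
below is constructed sample data, not a real export.
"""
import base64
from typing import Dict, List, Tuple

# Attributes whose disagreement means the two directories have diverged
# in a way that breaks logons once the master is back.
WATCHED = ("sambaNTPassword", "sambaLMPassword", "sambaPwdLastSet")

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse LDIF into {dn: {attribute: [values]}}.

    Handles folded lines (a continuation line starts with one space) and
    base64-encoded values written with '::'. Comment lines are skipped and
    entries are separated by blank lines.
    """
    # Unfold first: a line beginning with a space continues the previous one.
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: Dict[str, Entry] = {}
    current: Entry = {}
    dn = None
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name == "dn":
            dn = value
        else:
            current.setdefault(name, []).append(value)
    return entries


def find_drift(master_ldif: str, slave_ldif: str,
               watched=WATCHED) -> List[Tuple[str, str, str, str]]:
    """Return (dn, attribute, master_value, slave_value) for every watched
    attribute that differs between the two exports. Entries present on only
    one side are reported with attribute "<entry>"."""
    master = parse_ldif(master_ldif)
    slave = parse_ldif(slave_ldif)
    drift: List[Tuple[str, str, str, str]] = []
    for dn in sorted(set(master) | set(slave)):
        if dn not in master:
            drift.append((dn, "<entry>", "<missing>", "present"))
            continue
        if dn not in slave:
            drift.append((dn, "<entry>", "present", "<missing>"))
            continue
        for attr in watched:
            m = ",".join(master[dn].get(attr, []))
            s = ",".join(slave[dn].get(attr, []))
            if m != s:
                drift.append((dn, attr, m, s))
    return drift


# Constructed sample exports: ws01$ rotated its password on the slave while
# the master was down; ws02$ was joined against the slave and never reached
# the master; alice is identical on both sides. The master's NT hash is
# written as a folded line to exercise the unfolding logic.
MASTER_LDIF = """\
dn: uid=ws01$,ou=machines,dc=eva,dc=mpg,dc=de
objectClass: sambaSamAccount
uid: ws01$
sambaNTPassword: 0123456789ABCDEF
 0123456789ABCDEF
sambaPwdLastSet: 1087300000

dn: uid=alice,ou=users,dc=eva,dc=mpg,dc=de
objectClass: sambaSamAccount
uid: alice
sambaNTPassword: FEDCBA9876543210FEDCBA9876543210
sambaPwdLastSet: 1087000000
"""

SLAVE_LDIF = """\
dn: uid=ws01$,ou=machines,dc=eva,dc=mpg,dc=de
objectClass: sambaSamAccount
uid: ws01$
sambaNTPassword: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
sambaPwdLastSet: 1087400000

dn: uid=alice,ou=users,dc=eva,dc=mpg,dc=de
objectClass: sambaSamAccount
uid: alice
sambaNTPassword: FEDCBA9876543210FEDCBA9876543210
sambaPwdLastSet: 1087000000

dn: uid=ws02$,ou=machines,dc=eva,dc=mpg,dc=de
objectClass: sambaSamAccount
uid: ws02$
sambaPwdLastSet: 1087450000
"""

if __name__ == "__main__":
    for dn, attr, m, s in find_drift(MASTER_LDIF, SLAVE_LDIF):
        print(f"{dn}\n    {attr}: master={m!r} slave={s!r}")
```

Running the drift check right after the master returns, and before slurpd is restarted, shows exactly which machine and user entries need their newer values copied back from the slave; entries with a larger sambaPwdLastSet on the slave are the ones whose password change would otherwise be lost.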