[Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???
McKeever Chris
tech-mail at prupref.com
Fri Jun 18 13:47:41 GMT 2004
On Fri, 18 Jun 2004 15:38 , Michael Gasch <gasch at eva.mpg.de> sent:
> > Isn't the slave LDAP directory supposed to be read-only?
>if it's read-only, slurpd can't update the slave (I've tested it;
>possibly I missed something?)
>
>the problem is: machines regularly change their passwords and if these
>changes are not done on the master, they're lost; if the master comes back
>-> clients can't log on anymore and so on....
Maybe I am missing something here, but why does your master LDAP fail so often? I agree with the other poster: the slave LDAPs should be
(and I would almost say _need_ to be) read-only. I am also curious as to why you have a Samba server contacting either of the PDC/BDC
LDAP servers when it could just be running a replicated LDAP DB itself, which is how all the docs say to do it. Maybe this is something new with
3.xx, not sure, but it always seemed more logical to have all your Samba boxes be their own DC in terms of login/user information.

If your master does fail, and I mean dead, needs a rebuild, etc., I would make one of the slaves the write/master, get the original MASTER
back online, but not in production until you can do a slapcat of the LDAP to it, change everything back to what it needs to be, and have
your system running again.

But like I said, maybe I am missing something.
>
> >I'm having some troubles
> > getting the failover to work
>what problems are you talking about?
>
>these are my config files (/etc/ldap.conf for all machines not included
>but also very important in case of fail-over)
>
>##### Samba PDC #####
># smb.conf
>
>[global]
>
> workgroup = NEVAN
> netbios name = nevanpdc
> server string = NevanPDC on Samba Version: %v
>
> username map = /etc/samba/username.map
>
> log level = 5
> log file = /var/lib/samba/log.%m
> max log size = 10000
>
> passdb backend = ldapsam:"ldap://localhost:389 ldap://nevanbdc.eva.mpg.de:389"
> ldap passwd sync = yes
> ldap suffix = dc=eva,dc=mpg,dc=de
> ldap admin dn = cn=manager,dc=eva,dc=mpg,dc=de
> ldap machine suffix = ou=machines
> ldap user suffix = ou=users
> ldap group suffix = ou=groups
> ldap replication sleep = 2000
> ldap idmap suffix = ou=users
>
> guest ok = no
> guest account = Guest
>
> security = user
> local master = yes
> os level = 65
> domain master = yes
> domain logons = yes
>
> logon path =
> logon home =
>
> encrypt passwords = yes
> socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>
> wins support = yes
> dns proxy = no
>
> display charset = UTF8
> unix charset = UTF8
>
>[netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> guest ok = yes
> writable = no
> share modes = no
>
>
># slapd.conf
>include /etc/openldap/schema/core.schema
>include /etc/openldap/schema/cosine.schema
>include /etc/openldap/schema/nis.schema
>include /etc/openldap/schema/inetorgperson.schema
>include /etc/openldap/schema/samba.schema
>
>pidfile /var/run/slapd/slapd.pid
>argsfile /var/run/slapd/slapd.args
>loglevel 7
>
>database ldbm
>suffix "dc=eva,dc=mpg,dc=de"
>rootdn "cn=manager,dc=eva,dc=mpg,dc=de"
>
>password-hash {MD5}
>rootpw {MD5}++++++++++++++++++++++++
>
>replogfile /var/lib/ldap/replog
>
>replica host=nevanbdc.eva.mpg.de:389
> binddn=cn=manager,dc=eva,dc=mpg,dc=de
> bindmethod=simple credentials="+++++++++"
>
>directory /var/lib/ldap
>index objectClass eq
>index sambaSID eq
>index uid eq
>index sambaPrimaryGroupSID eq
>
>lastmod on
>
>access to attrs=userPassword
> by self write
> by * auth
>
># sambaLMPassword/sambaNTPassword (samba.schema) otherwise fall under "access to * by * read"
>access to attrs=sambaLMPassword,sambaNTPassword
> by dn="cn=manager,dc=eva,dc=mpg,dc=de" write
> by * none
>
>access to *
> by * read
>
>
>
>##### Samba BDC #####
># smb.conf
>
>[global]
>
> workgroup = NEVAN
> netbios name = nevanbdc
> server string = NevanBDC on Samba Version: %v
>
> username map = /etc/samba/username.map
>
> log level = 5
> log file = /var/lib/samba/log.%m
> max log size = 10000
>
> passdb backend = ldapsam:"ldap://nevanpdc.eva.mpg.de:389 ldap://localhost:389"
> ldap passwd sync = yes
> ldap suffix = dc=eva,dc=mpg,dc=de
> ldap admin dn = cn=manager,dc=eva,dc=mpg,dc=de
> ldap machine suffix = ou=machines
> ldap user suffix = ou=users
> ldap group suffix = ou=groups
> ldap replication sleep = 2000
> ldap idmap suffix = ou=users
>
> guest ok = no
> guest account = Guest
>
> security = user
> local master = yes
> os level = 65
> domain master = no
> domain logons = yes
>
> logon path =
> logon home =
>
> encrypt passwords = yes
> socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>
> wins support = yes
> dns proxy = no
>
> display charset = UTF8
> unix charset = UTF8
>
>[netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> guest ok = yes
> writable = no
> share modes = no
>
>
># slapd.conf
>include /etc/openldap/schema/core.schema
>include /etc/openldap/schema/cosine.schema
>include /etc/openldap/schema/nis.schema
>include /etc/openldap/schema/inetorgperson.schema
>include /etc/openldap/schema/samba.schema
>
>pidfile /var/run/slapd/slapd.pid
>argsfile /var/run/slapd/slapd.args
>loglevel 2
>
>database ldbm
>suffix "dc=eva,dc=mpg,dc=de"
>rootdn "cn=manager,dc=eva,dc=mpg,dc=de"
>
>password-hash {MD5}
>rootpw {MD5}++++++++++++++++++++++++
>
>updatedn "cn=manager,dc=eva,dc=mpg,dc=de"
># updateref takes an LDAP URL; slapd returns it as a referral to any writer not bound as updatedn.
># smbd's "ldap admin dn" above is this same DN, so its writes are applied here instead of being referred.
>updateref ldap://nevanpdc.eva.mpg.de:389
>
>directory /var/lib/ldap
>index objectClass eq
>index sambaSID eq
>index uid eq
>index sambaPrimaryGroupSID eq
>
>lastmod on
>
>access to attrs=userPassword
> by self write
> by * auth
>
># same gap as on the master: the Samba hash attributes need their own rule before "access to *"
>access to attrs=sambaLMPassword,sambaNTPassword
> by dn="cn=manager,dc=eva,dc=mpg,dc=de" write
> by * none
>
>access to *
> by * read
>
>
>
>Jason C. Waters schrieb:
>> Isn't the slave LDAP directory supposed to be read-only? So when
>> the master is down the users can't change their passwords, but
>> everything else should work. What do your smb.conf and slapd.conf files
>> look like for the master and the slave? I'm having some trouble
>> getting the failover to work, so I wouldn't mind a peek. Thanks
>>
>> Jason
>>
>> Michael Gasch wrote:
>>
>>> hi
>>>
>>> I'm looking for hints/experiences concerning Samba v3, OpenLDAP AND
>>> redundancy
>>>
>>> my setup is:
>>>
>>> Samba PDC with LDAP Master
>>> Samba BDC with LDAP Slave
>>> Samba Member Server, contacting first PDC, then BDC if the first fails
>>>
>>> if all instances are working properly, everything is okay
>>> replication is also fine (from Master -> Slave)
>>>
>>> and now imagine:
>>>
>>> LDAP Master dies
>>> all smbd are contacting LDAP Slave and make their changes in the Slave
>>> directory
>>> because replication only works from Master->Slave, if Master comes up
>>> again, I have inconsistency in my LDAP Backends
>>> e.g. a machine changes its machine password in Slave directory and
>>> can't log on anymore because the password change isn't replicated on Master
>>>
>>> we also tried to setup slurpd (LDAP replication) on both LDAP Servers
>>> - if both are up, everything is okay, if one is down, changes are made
>>> in one directory, samba tells me it fails (e.g. changing passwords),
>>> although it changes the attributes and so on....
>>>
>>> so the problem is: if Slave dies, everything should go on working,
>>> because PDC/BDC use at first LDAP Master
>>> if slave comes up, replication is done properly
>>>
>>> but if Master dies, i get an inconsistent domain
>>>
>>> how do you get redundancy in your LDAP backend?
>>> PDC/BDC redundancy works well, the single-point-of-failure is LDAP
>>>
>>> thx
>>
-------------------------------------------
Chris McKeever
If you want to reply directly to me, please use cgmckeever--at--prupref.com
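The check a practitioner would want for the setup discussed in this thread, as an added example that is not from the original posts or from Samba or OpenLDAP: a small Python auditor that parses smb.conf and slapd.conf fragments of the shape posted above and flags the write-path problems the thread circles around. It assumes slurpd-era semantics (a slave applies writes only from the DN named in updatedn and answers every other writer with a referral to updateref), so a Samba "ldap admin dn" equal to the slave's updatedn is exactly the condition under which smbd updates the slave directly while the master is down. It also checks the order of the passdb backend URI list, the {MD5} hashes and the missing ACL on the Samba password attributes. The hostnames and DNs are the ones posted; the config text and secrets embedded in the block are constructed.

```python
"""Audit a Samba 3 PDC/BDC pair backed by OpenLDAP slurpd replication.

Added example for this thread, not code from the posts, Samba or OpenLDAP. It parses
smb.conf and slapd.conf fragments shaped like the posted ones and reports settings that let
smbd write to the slave directory or expose password hashes. Sample configs are constructed.
"""
import re
from urllib.parse import urlparse

def parse_smb_global(text):
    """Return the [global] section of an smb.conf as {key: value} (keys lowercased)."""
    section, conf = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip().lower()] = value.strip()
    return conf

def parse_slapd_conf(text):
    """Return slapd.conf as {directive: [values]}; indented lines continue the previous directive."""
    conf, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            conf[current][-1] += " " + raw.strip()
            continue
        directive, _, value = raw.strip().partition(" ")
        current = directive.lower()
        conf.setdefault(current, []).append(value.strip().strip('"'))
    return conf

def ldap_uris(smb):
    """URIs from passdb backend = ldapsam:"ldap://a ldap://b", in the order smbd tries them."""
    m = re.match(r'ldapsam:"?(.*?)"?$', smb.get("passdb backend", ""))
    return m.group(1).split() if m else []

def audit(smb, slapd, hostname, master_host):
    """Return a list of findings for one server; master_host names the LDAP master."""
    findings = []
    admin_dn = smb.get("ldap admin dn", "").lower()
    if "updatedn" in slapd:  # only a slurpd slave carries updatedn/updateref
        if slapd["updatedn"][0].lower() == admin_dn:
            findings.append("slave: 'ldap admin dn' equals updatedn, so smbd's writes are applied locally instead of being referred to the master")
        ref = slapd.get("updateref", [""])[0]
        if urlparse(ref).scheme not in ("ldap", "ldaps"):
            findings.append(f"slave: updateref {ref!r} is not an LDAP URL (ldap://host:port)")
    # smbd works through the URI list in order, so the master has to come first
    hosts = [urlparse(u).hostname for u in ldap_uris(smb)]
    hosts = [hostname if h == "localhost" else h for h in hosts]
    if master_host in hosts and hosts[0] != master_host:
        findings.append(f"passdb backend tries {hosts[0]} before the master {master_host}")
    if any(v.startswith("{MD5}") for v in slapd.get("password-hash", []) + slapd.get("rootpw", [])):
        findings.append("unsalted {MD5} password hashes; {SSHA} is the usual choice")
    if not any("sambantpassword" in a.lower() for a in slapd.get("access", [])):
        findings.append("no ACL for sambaNTPassword/sambaLMPassword; 'access to * by * read' exposes them")
    return findings

SMB_TEMPLATE = """
[global]
    netbios name = {name}
    passdb backend = ldapsam:"{uris}"
    ldap admin dn = cn=manager,dc=eva,dc=mpg,dc=de
"""
PDC_SMB = SMB_TEMPLATE.format(name="nevanpdc", uris="ldap://localhost:389 ldap://nevanbdc.eva.mpg.de:389")
BDC_SMB = SMB_TEMPLATE.format(name="nevanbdc", uris="ldap://nevanpdc.eva.mpg.de:389 ldap://localhost:389")
COMMON_SLAPD = """
rootdn "cn=manager,dc=eva,dc=mpg,dc=de"
password-hash {MD5}
rootpw {MD5}placeholder
access to attrs=userPassword
    by self write
    by * auth
access to *
    by * read
"""
MASTER_SLAPD = COMMON_SLAPD + """
replogfile /var/lib/ldap/replog
replica host=nevanbdc.eva.mpg.de:389
    binddn=cn=manager,dc=eva,dc=mpg,dc=de
    bindmethod=simple credentials="placeholder"
"""
SLAVE_SLAPD = COMMON_SLAPD + """
updatedn "cn=manager,dc=eva,dc=mpg,dc=de"
updateref "nevanpdc.eva.mpg.de"
"""

def audit_pair():
    """Audit both servers of the posted setup; returns {netbios name: findings}."""
    master = "nevanpdc.eva.mpg.de"
    return {
        "nevanpdc": audit(parse_smb_global(PDC_SMB), parse_slapd_conf(MASTER_SLAPD), master, master),
        "nevanbdc": audit(parse_smb_global(BDC_SMB), parse_slapd_conf(SLAVE_SLAPD), "nevanbdc.eva.mpg.de", master),
    }

if __name__ == "__main__":
    print(audit_pair())
```

Run against the posted pair, the PDC gets the two hardening findings ({MD5} hashes, no ACL on the Samba hash attributes) and the BDC gets those plus the two that explain the thread's symptom: its updatedn is the DN smbd binds as, so the slave accepts smbd's writes instead of referring them, and its updateref is a bare hostname rather than an LDAP URL.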