[Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???
Jason C. Waters
jwaters at h2os.com
Fri Jun 18 15:00:32 GMT 2004
I'm using Samba 3.0.4, and I can't seem to get passdb backend =
ldapsam:"ldaps://master.ldap ldaps://slave.ldap" to work. What version
of samba are you running? If I use either one, it works fine. So
instead of having two servers I would just have
ldapsam:"ldaps://slave.ldap". Any ideas?
Jason
Michael Gasch wrote:
> > Isn't the slave ldap directory supposed to be read-only?
> if it's readonly, slurpd can't update the slave (i've tested it,
> possibly i missed something ?)
>
> the problem is: machines regularly change their passwords and if these
> changes are not done on the master, they're lost, if master comes back
> -> clients can't logon anymore and so on....
>
> >I'm having some troubles
> > getting the failover to work
> what problems are you talking about?
>
> these are my config files (/etc/ldap.conf for all machines not included
> but also very important in case of fail-over)
>
> ##### Samba PDC #####
> # smb.conf
>
> [global]
>
> workgroup = NEVAN
> netbios name = nevanpdc
> server string = NevanPDC on Samba Version: %v
>
> username map = /etc/samba/username.map
>
> log level = 5
> log file = /var/lib/samba/log.%m
> max log size = 10000
>
> passdb backend = ldapsam:"ldap://localhost:389 ldap://nevanbdc.eva.mpg.de:389"
> ldap passwd sync = yes
> ldap suffix = dc=eva,dc=mpg,dc=de
> ldap admin dn = cn=manager,dc=eva,dc=mpg,dc=de
> ldap machine suffix = ou=machines
> ldap user suffix = ou=users
> ldap group suffix = ou=groups
> ldap replication sleep = 2000
> ldap idmap suffix = ou=users
>
> guest ok = no
> guest account = Guest
>
> security = user
> local master = yes
> os level = 65
> domain master = yes
> domain logons = yes
>
> logon path =
> logon home =
>
> encrypt passwords = yes
> socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>
> wins support = yes
> dns proxy = no
>
> display charset = UTF8
> unix charset = UTF8
>
> [netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> guest ok = yes
> writable = no
> share modes = no
>
>
> # slapd.conf
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/samba.schema
>
> pidfile /var/run/slapd/slapd.pid
> argsfile /var/run/slapd/slapd.args
> loglevel 7
>
> database ldbm
> suffix "dc=eva,dc=mpg,dc=de"
> rootdn "cn=manager,dc=eva,dc=mpg,dc=de"
>
> password-hash {MD5}
> rootpw {MD5}++++++++++++++++++++++++
>
> replogfile /var/lib/ldap/replog
>
> replica host=nevanbdc.eva.mpg.de:389
>   binddn=cn=manager,dc=eva,dc=mpg,dc=de
>   bindmethod=simple credentials="+++++++++"
>
> directory /var/lib/ldap
> index objectClass eq
> index sambaSID eq
> index uid eq
> index sambaPrimaryGroupSID eq
>
> lastmod on
>
> access to attrs=userPassword
> by self write
> by * auth
>
> access to *
> by * read
>
>
>
> ##### Samba BDC #####
> # smb.conf
>
> [global]
>
> workgroup = NEVAN
> netbios name = nevanbdc
> server string = NevanBDC on Samba Version: %v
>
> username map = /etc/samba/username.map
>
> log level = 5
> log file = /var/lib/samba/log.%m
> max log size = 10000
>
> passdb backend = ldapsam:"ldap://nevanpdc.eva.mpg.de:389 ldap://localhost:389"
> ldap passwd sync = yes
> ldap suffix = dc=eva,dc=mpg,dc=de
> ldap admin dn = cn=manager,dc=eva,dc=mpg,dc=de
> ldap machine suffix = ou=machines
> ldap user suffix = ou=users
> ldap group suffix = ou=groups
> ldap replication sleep = 2000
> ldap idmap suffix = ou=users
>
> guest ok = no
> guest account = Guest
>
> security = user
> local master = yes
> os level = 65
> domain master = no
> domain logons = yes
>
> logon path =
> logon home =
>
> encrypt passwords = yes
> socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>
> wins support = yes
> dns proxy = no
>
> display charset = UTF8
> unix charset = UTF8
>
> [netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> guest ok = yes
> writable = no
> share modes = no
>
>
> # slapd.conf
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/samba.schema
>
> pidfile /var/run/slapd/slapd.pid
> argsfile /var/run/slapd/slapd.args
> loglevel 2
>
> database ldbm
> suffix "dc=eva,dc=mpg,dc=de"
> rootdn "cn=manager,dc=eva,dc=mpg,dc=de"
>
> password-hash {MD5}
> rootpw {MD5}++++++++++++++++++++++++
>
> updatedn "cn=manager,dc=eva,dc=mpg,dc=de"
> updateref "nevanpdc.eva.mpg.de"
>
> directory /var/lib/ldap
> index objectClass eq
> index sambaSID eq
> index uid eq
> index sambaPrimaryGroupSID eq
>
> lastmod on
>
> access to attrs=userPassword
> by self write
> by * auth
>
> access to *
> by * read
>
>
>
> Jason C. Waters wrote:
>
>> Isn't the slave ldap directory supposed to be read-only? So when
>> the master is down the users can't change their passwords, but
>> everything else should work. What do your smb.conf and slapd.conf
>> files look like for the master and the slave? I'm having some
>> troubles getting the failover to work, so I wouldn't mind a peek. Thanks
>>
>> Jason
>>
>> Michael Gasch wrote:
>>
>>> hi
>>>
>>> i'm looking for hints/experiences concerning samba v3, openldap AND
>>> redundancy
>>>
>>> my setup is:
>>>
>>> Samba PDC with LDAP Master
>>> Samba BDC with LDAP Slave
>>> Samba Member Server, contacting first PDC, then BDC if the first fails
>>>
>>> if all instances are working properly, everything is okay
>>> replication is also fine (from Master -> Slave)
>>>
>>> and now imagine:
>>>
>>> LDAP Master dies
>>> all smbd are contacting LDAP Slave and make their changes in the
>>> Slave directory
>>> cause replication only works from Master->Slave, if Master comes up
>>> again, i have inconsistency in my LDAP Backends
>>> e.g. a machine changes its machine password in Slave directory and
>>> can't logon anymore cause the password change isn't replicated on Master
>>>
>>> we also tried to setup slurpd (LDAP replication) on both LDAP Servers
>>> - if both are up, everything is okay, if one is down, changes are
>>> made in one directory, samba tells me it fails (e.g. changing
>>> passwords), although it changes the attributes and so on....
>>>
>>> so the problem is: if Slave dies, everything should go on working,
>>> because PDC/BDC use at first LDAP Master
>>> if slave comes up, replication is done properly
>>>
>>> but if Master dies, i get an inconsistent domain
>>>
>>> how do you get redundancy in your LDAP backend?
>>> PDC/BDC redundancy works well, the single-point-of-failure is LDAP
>>>
>>> thx
>>
>>
>>
>>
>
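The failure Michael describes (master down, smbd falls back to the slave, a machine account changes its password there, and the change never flows back to the master) leaves the two directories silently out of step once the master returns. The script below is an added example, not code from this thread or from the Samba or OpenLDAP projects: it compares an LDIF export from each server (assumed to be produced with slapcat on the master and on the slave) and lists every entry whose password attributes differ, plus the entries where the slave holds the newer password. The LDIF text and the account names in it are constructed sample data; only the suffix dc=eva,dc=mpg,dc=de comes from the posted configs.

```python
"""Detect master/slave drift in a Samba ldapsam directory after a failover.

Added example. Input is two LDIF exports (one per server); the sample
LDIF below is constructed test data, not from the original post.
"""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Attributes that change when a user or machine account sets a new password.
PASSWORD_ATTRS = ("sambaNTPassword", "sambaLMPassword", "sambaPwdLastSet", "userPassword")


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF parser returning {dn: {attribute: [values]}}.

    Unfolds continuation lines (leading space), skips comment lines and keeps
    base64 values ("attr:: ...") as their encoded string so they still compare.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: Dict[str, Entry] = {}
    dn, attrs = None, {}
    for line in unfolded + [""]:           # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>" form
            value = value[1:]
        value = value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def find_drift(master: Dict[str, Entry], slave: Dict[str, Entry]) -> List[Tuple[str, str, List[str], List[str]]]:
    """Return (dn, attribute, master_values, slave_values) for each password
    attribute that differs, plus a marker row for entries present on one side only."""
    drift = []
    for dn in sorted(set(master) | set(slave)):
        m, s = master.get(dn), slave.get(dn)
        if m is None or s is None:
            drift.append((dn, "<entry>",
                          ["present"] if m is not None else ["missing"],
                          ["present"] if s is not None else ["missing"]))
            continue
        for attr in PASSWORD_ATTRS:
            if m.get(attr, []) != s.get(attr, []):
                drift.append((dn, attr, m.get(attr, []), s.get(attr, [])))
    return drift


def newer_on_slave(master: Dict[str, Entry], slave: Dict[str, Entry]) -> List[str]:
    """DNs whose sambaPwdLastSet is later on the slave: password changes made
    during the outage that must be carried back to the master before it is
    trusted for authentication again."""
    result = []
    for dn in sorted(set(master) & set(slave)):
        m_set = int(master[dn].get("sambaPwdLastSet", ["0"])[0])
        s_set = int(slave[dn].get("sambaPwdLastSet", ["0"])[0])
        if s_set > m_set:
            result.append(dn)
    return result


# Constructed sample exports: the user is unchanged, the machine account ws01$
# changed its password on the slave while the master was down.
MASTER_LDIF = """\
dn: uid=jdoe,ou=users,dc=eva,dc=mpg,dc=de
objectClass: sambaSamAccount
uid: jdoe
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaPwdLastSet: 1087400000

dn: uid=ws01$,ou=machines,dc=eva,dc=mpg,dc=de
objectClass: sambaSamAccount
uid: ws01$
sambaNTPassword: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
sambaPwdLastSet: 1087400000
"""

SLAVE_LDIF = MASTER_LDIF.replace(
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nsambaPwdLastSet: 1087400000",
    "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\nsambaPwdLastSet: 1087500000")


if __name__ == "__main__":
    master, slave = parse_ldif(MASTER_LDIF), parse_ldif(SLAVE_LDIF)
    for dn, attr, mv, sv in find_drift(master, slave):
        print(f"DRIFT {dn} {attr}: master={mv} slave={sv}")
    for dn in newer_on_slave(master, slave):
        print(f"SLAVE NEWER {dn}: copy this entry back to the master")
```

In the thread's scenario the run reports the machine account as drifted and as newer on the slave; that list is what has to be written back to the master (by an admin bind) before slurpd is restarted, otherwise the master keeps the stale hash and the workstation can no longer log on, exactly as Michael observed. Note also which attributes the script compares: the posted slapd.conf protects only userPassword, so under `access to * by * read` the sambaNTPassword and sambaLMPassword hashes are readable by any bind, anonymous included; the Samba documentation for ldapsam recommends a separate ACL that restricts those two attributes as well.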