[Samba] Domain Logins across VPN

Duncan Brannen dbb at st-andrews.ac.uk
Tue May 30 16:23:50 GMT 2006

rob at desynched.net wrote:
> ----- Original Message -----
> From: "Duncan Brannen" <dbb at st-andrews.ac.uk>
> Cc: <samba at lists.samba.org>
> Sent: Friday, May 26, 2006 4:12 AM
> Subject: Re: [Samba] Domain Logins across VPN
>>> This configuration works. If I change passdb to instead of
>>> the Master LDAP's IP, this pops up in samba.smbd:
>>> [2006/05/24 14:53:30, 1] lib/smbldap_util.c:add_new_domain_info(198)
>>>  failed to add domain dn=
>>> sambaDomainName=ATWORK,dc=atworkpersonnel,dc=com with: Server is
>>> unwilling to perform
>>>        shadow context; no update referral
>>> [2006/05/24 14:53:30, 0]
>>> lib/smbldap_util.c:smbldap_search_domain_info(258)
>>>  Adding domain info for ATWORK failed with NT_STATUS_UNSUCCESSFUL
>>> That's the only error I see popping up. Ideas?
>> Has the entry dn= sambaDomainName=ATWORK,dc=atworkpersonnel,dc=com
>> replicated across to your slave
>> ldap server successfully?
>> Check your ldap logs on the slave, I think samba does a lookup for the
>> domain and adds it if it doesn't exist, otherwise
>> is the updateref set in your slaves slapd.conf file?  If the slave ldap
>> server is telling samba it doesn't accept changes but
>> not telling it where to send changes ( no update referral) you might get
>> this problem.
>> Hope this helps
>>       Duncan
> Hi Duncan,
> I'm not using slurpd for replication; I'm using syncrepl. The database
> exists and is updated fine (if I add a user on the master, it exists on the
> slave, etc).
> I'm using the smbldap tools for samba, and on the slave machines, they
> generate an error any time I try to use them (unless I point them at the
> Master LDAP).
> for example, if I try this:
> smbldap-useradd -a testuser
> it returns:
> Error: shadow context; no update referral at
> /usr/local/sbin//smbldap_tools.pm line 1005.
> I believe this has something to do with the issue.
> --
> Rob

Hi Rob,
         The replication method shouldn't matter.  updateref is used for 
both slurpd and syncrepl and tells the slave
where to send clients who try to make changes.

Samba -> ldap slave "Add/Update this entry"
ldap slave -> samba "I don't accept changes, please write to the master 
at <updateref> "

If you don't have updateref set, the slave will refuse the change but 
not tell the client where to make the change.

If you do have updateref set and it still doesn't work,

I'd try to add an entry using the (I assume openldap) client tools to 
the slave, check the slave logs, turning up logging if necessary
and the master logs.  You should see the client connect to the slave, 
get an error and an updateref, then the change
should show up in the logs of the master. 

If the slave returns the updateref but the client does not then contact 
the master, the client doesn't understand update references
and you'll need to update your clients or make changes to the master 

If it works using the openldap tools, try it again with the samba ldap 
tools, you should see the same thing,
client connects to slave, slave provides update ref, client connects to 
and updates master.

I'm fairly sure my BDC's didn't try to write to the ldap servers after 
the PDC had written the domain info in.
(Though I wouldn't swear I checked)
Can the samba user can pull out the complete domain info using ldapsearch?

Any joy?


More information about the samba mailing list