[Samba] LDAP Timeout
mallapadi niranjan
niranjan.ashok at gmail.com
Thu Jan 25 05:04:55 GMT 2007
Hi all
I have a running samba 3.0.21c with OpenLDAP 2.3 configured as PDC, and also
one BDC with same version of samba and openldap.
It was working fine for the past few months. There are about 400 users on
the domain and 600 groups.
There are 2 file servers (domain member servers: Linux RHEL 4.0 update 3
with Samba 3.0.21c, joined to the domain) which provide the shares. All
the users get access to the shares through the logon script.
But recently all my users are unable to access the shares: when the logon
script runs, it waits for a long time and then gives
semaphore errors. The shares are not mapped at all.
Our guess is that this started when we recently increased the idletimeout value in slapd.conf,
but I am not sure that this is the cause of the problem.
The idletimeout value in slapd.conf was 50 before; we changed it to 70,
but changing it back to the old value did not solve the problem; rather,
it created more problems, with more and more users now experiencing it.
My questions are these:
Is the idletimeout value necessary in slapd.conf?
Is the ldap timeout value necessary in smb.conf?
Should the value of "ldap timeout" in smb.conf and "idletimeout" in
slapd.conf be the same?
I have 3 domain member servers; should all the servers' smb.conf files have
the same
ldap timeout value?
Please advise.
Below is the PDC smb.conf:
###################################################################################
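[global]
# PDC for the msdpl.com domain; accounts are stored in OpenLDAP (ldapsam).
workgroup = msdpl.com
netbios name = medhapdc
# Plain ldap:// together with "ldap ssl = no" below: the admin bind and the
# password hashes Samba reads and writes cross the network unencrypted.
passdb backend = ldapsam:ldap://msdpl.com
server string = Domain Controller
# Only the three office subnets and localhost may open a session.
hosts allow = 192.168.128. 192.168.129. 192.168.130. 127.
security = user
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = eth0,lo
printing = cups
disable spoolss = Yes
printcap name = cups
max print jobs = 100
enable privileges = yes
log level = 2
# Up to 8 upper-case permutations are retried when a plaintext password
# check or a username lookup fails. With "encrypt passwords = yes" the
# password retries are likely unused; each username retry is another name
# lookup (served from LDAP here) per failed logon -- TODO confirm both are needed.
password level = 8
username level = 8
bind interfaces only = yes
local master = Yes
os level = 65
domain master = yes
preferred master = yes
remote browse sync = 192.168.130.3
null passwords = no
hide unreadable = yes
hide dot files = yes
domain logons = yes
# Per-user logon script served from [netlogon]; the empty "logon path" and
# "logon home" turn off roaming profiles and the server-side home mapping.
logon script = %u.bat
logon path =
logon drive = X:
logon home =
wins support = yes
name resolve order = wins lmhosts host bcast
dns proxy = no
time server = yes
log file = /var/log/samba/%m.log
max log size = 50
nt acl support = yes
ldap passwd sync = yes
# smbldap-tools hooks; these run as root with the substituted name quoted.
# The "delete user from group script" line was wrapped in the posted copy;
# it is a single directive.
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
delete user script = /usr/local/sbin/smbldap-userdel "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
ldap delete dn = Yes
ldap ssl = no
ldap suffix = dc=msdpl,dc=com
# This is slapd's rootdn: every ACL in slapd.conf is bypassed for Samba's
# binds and the rootdn password is kept in secrets.tdb on this host. A
# dedicated bind DN limited by ACLs would contain the damage if this host
# were compromised.
ldap admin dn = cn=manager,dc=msdpl,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
# Seconds Samba waits for a single LDAP operation before giving up
# (default 15). Independent of slapd's idletimeout, which closes idle
# connections rather than bounding an operation.
ldap timeout = 50
idmap backend = ldap:ldap://msdpl.com
idmap uid = 10000-20000
idmap gid = 10000-20000
check password script = /usr/local/bin/crackcheck -s
map acl inherit = yes
winbind use default domain = yes
template shell = /bin/false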
###################################### Share Definitions ######################################
[homes]
comment = Home Directories
# %S is the requested service name, i.e. the connecting user's own name.
valid users = %S, root
browseable = no
writeable = yes
nt acl support = yes
# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
comment = Network Logon Service
path = /netlogon/scripts
# Readable by everyone, guests included (the share is read-only by
# default); only root and kr1233 may change the scripts clients run.
public = yes
browseable = yes
write list = root, kr1233
#Profiles Share
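[profiles]
comment = Profiles Share
path = /profiles/%U
# "read only = No" and "writeable = yes" are the same setting; keep one.
writeable = yes
browseable = yes
# No create/directory mask is set, so the default create mask (0744)
# applies and profile files are readable by other local users; roaming
# profile shares normally use create mask = 0600 / directory mask = 0700.
# NOTE(review): [global] has an empty "logon path", so clients are not
# pointed at this share -- confirm it is still in use.
veto files = /lost+found/.Trash-root/*.sh/*.scr/.recycle/desktop.ini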
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
printable = yes
# Spool files are private to the submitting user.
create mask = 0600
public = yes
use client driver = yes
browseable = no
###################################################################################
My domain member server smb.conf:
###################################################################################
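[global]
# Domain member file server: authentication is passed to the PDC
# (security = domain); uid/gid mapping comes from the shared LDAP directory.
# Unlike the PDC there is no "hosts allow" here, so any host that can reach
# this server may open a session -- consider the same subnet list.
unix charset = LOCALE
workgroup = msdpl.com
netbios name = prjsrv01
server string = Project Server 1
printcap name = /etc/printcap
load printers = yes
cups options = raw
log level = 2
log file = /usr/local/samba-3c2/var/%U.%m.log
syslog = 0
max log size = 1000
# NetBIOS-over-TCP only; port 445 is not served.
smb ports = 139
security = domain
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#ldapsam:trusted = yes
#ldap server = 192.168.129.20
# Minutes without open files before an idle client connection is dropped.
deadtime = 15
# Valid tokens are lmhosts, host, wins and bcast. The previous "bcasts" and
# "hosts" are not recognised by Samba and were ignored, which left WINS as
# the only lookup method actually tried.
name resolve order = wins bcast host
wins server = 192.168.129.20
ldap suffix = dc=msdpl,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
# This is slapd's rootdn, so its password is stored in this server's
# secrets.tdb and every slapd ACL is bypassed for its binds. A member
# server presumably only needs to write ou=Idmap; a dedicated bind DN
# would limit what a compromise of this host exposes.
ldap admin dn = cn=manager,dc=msdpl,dc=com
idmap backend = ldap:ldap://192.168.129.20
idmap uid = 10000-20000
idmap gid = 10000-20000
# Plain LDAP: the admin bind crosses the network unencrypted.
ldap ssl = no
# Seconds to wait for one LDAP operation (default 15). It need not match
# the PDC's 50 or slapd's idletimeout; it only bounds how long a stalled
# directory call can block smbd.
ldap timeout = 30
template shell = /bin/false
winbind use default domain = Yes
inherit permissions = yes
inherit acls = yes
nt acl support = yes
hide dot files = yes
map acl inherit = yes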
####################################### Share Definitions ########################################
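[homes]
comment = Home Directories
# %S is the requested service name, so each user reaches only their own home.
valid users = %S
browseable = no
writable = yes
# Shell and desktop dot-files are vetoed outright; entries are "/"-separated.
# This was wrapped onto two lines in the posted copy; it is one directive.
veto files = /.bash_history/.bash_logout/.bash_profile/.bashrc/.canna/.emacs/.gtkrc/.kde/.viminfo/.xemacs/.zshrc/
hide dot files = yes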
[printers]
comment = All Printers
path = /var/spool/samba
printable = yes
browseable = no
public = no
read only = yes
[projects]
comment = All Projects
path = /projects
browseable = no
public = no
read only = no
printable = no
veto files = /lost+found/.Trash-root/*.sh/*.scr/.recycle/
# "inherit permissions" overrides create mask / directory mask / force
# create mode / force directory mode (smb.conf(5)), so the mask below is
# not consulted while it is set.
create mask = 2700
# force create mode = 0700
# force directory mode = 0700
inherit permissions = yes
inherit acls = yes
vfs objects = recycle
dos filemode = yes
store dos attributes = yes
hide dot files = yes
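[datalib]
comment = DataLib
path = /datalib
browseable = no
writeable = yes
vfs objects = recycle
inherit permissions = yes
inherit acls = yes
# Single veto list. The earlier "veto files = lost+found" that this line
# used to override is dropped (lost+found is its first entry), and the
# commented-out duplicate "dos filemode" line is removed.
veto files = /lost+found/.Trash-root/*.sh/*.scr/.recycle/
dos filemode = yes
store dos attributes = yes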
[softdumps$]
# Trailing "$" hides the share from client browse lists.
comment = Soft Dumps
path = /dumps/softdumps
browseable = no
read only = no
inherit permissions = yes
inherit acls = yes
veto files = lost+found/.Trash-root/*.sh/*.scr/.recycle/
# NOTE(review): with "read only = no" every connecting user can already
# write; "write list" only widens access on a read-only share, so this
# list adds nothing as written -- confirm whether the share was meant to
# be read-only for everyone except these.
write list = @nns, root, @codesec
vfs objects = recycle
dos filemode = yes
store dos attributes = yes
[dumps]
comment = Dumps
path = /dumps/dumps
browseable = yes
# Read-only for all users; the recycle VFS and the inherit settings
# below have nothing to act on while the share stays read-only.
read only = yes
inherit permissions = yes
inherit acls = yes
vfs objects = recycle
veto files = desktop.ini/lost+found/.Trash-root/*.sh/*.scr/.recycle/
dos filemode = yes
store dos attributes = yes
[hdrive$]
# Hidden administrative share over every home directory; restricted to
# kr1233 and root.
path = /home
browseable = no
guest ok = no
read only = no
valid users = kr1233, root
veto files = desktop.ini
# Masks are overridden by "inherit permissions" (smb.conf(5)) while it is set.
create mask = 0765
force create mode = 0770
force directory mode = 0770
inherit permissions = yes
inherit acls = yes
hide dot files = yes
[mas696]
comment = New Projects
path = /MAS696
browseable = no
guest ok = no
read only = no
# Mask is overridden by "inherit permissions" (smb.conf(5)) while it is set.
create mask = 0765
veto files = desktop.ini/lost+found/.Trash-root/*.sh/*.scr/.recycle/
vfs objects = recycle
dos filemode = yes
store dos attributes = yes
#force create mode = 0770
#force directory mode = 0770
inherit permissions = yes
inherit acls = yes
hide dot files = yes
[backup]
# Backup area; listed in browse lists but only kr1233 and root may connect.
path = /optdata/backup
browseable = yes
guest ok = no
read only = no
valid users = kr1233, root
veto files = desktop.ini
# Mask is overridden by "inherit permissions" (smb.conf(5)) while it is set.
create mask = 0765
inherit permissions = yes
inherit acls = yes
hide dot files = yes
###################################################################################
slapd.conf
##################################################################################
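#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/ldap-2.3/etc/openldap/schema/core.schema
include /usr/local/ldap-2.3/etc/openldap/schema/cosine.schema
include /usr/local/ldap-2.3/etc/openldap/schema/inetorgperson.schema
include /usr/local/ldap-2.3/etc/openldap/schema/nis.schema
include /usr/local/ldap-2.3/etc/openldap/schema/samba.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/ldap-2.3/var/run/slapd.pid
argsfile /usr/local/ldap-2.3/var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/ldap-2.3/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# NOTE(review): no "security" directive is active, so the rootdn and
# replica simple binds below are accepted over plain LDAP.
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=msdpl,dc=com"
rootdn "cn=manager,dc=msdpl,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# NOTE(review): this rootdn is also Samba's "ldap admin dn" on the PDC and
# the member servers, so its password is copied into each secrets.tdb;
# store a slappasswd-generated hash here rather than cleartext.
rootpw secret
# Seconds before slapd forcibly closes an *idle* client connection
# (0, the default, never closes). Unrelated to Samba's "ldap timeout",
# which bounds a single operation. A client whose connection is closed
# here must reconnect and bind again on its next request -- presumably
# what Samba does after each idle period; check the smbd logs before
# tuning this.
idletimeout 50
# Maximum seconds slapd spends answering one search (default 3600).
# NOTE(review): the message says idletimeout was raised to 70, but what is
# shown is timelimit 70 with idletimeout 50 -- confirm which was changed.
timelimit 70
# Entries held in the BDB in-memory entry cache.
cachesize 2000
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/ldap-2.3/var/openldap-data
checkpoint 128 15
# Indices to maintain
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index loginShell eq,pres
index nisMapName,nisMapEntry eq,pres,sub
index displayName eq,pres,sub
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index default sub
index sambaGroupType eq,pres
index uniqueMember eq,pres
index sambaDomainName eq,pres
index uid eq,pres,sub
index sambaSIDList eq,pres
# Password material: writable only by the listed DNs, never readable,
# usable for authentication (bind) by anyone. "by" clauses are
# continuation lines and must be indented; the posted copy had lost the
# indentation, and sambaKickoffTime was listed twice.
# NOTE(review): dn="..." matches a bind *as* that exact DN, not membership
# of the group (slapd.access(5)), so these clauses only fire if something
# binds as the group entry itself; with Samba binding as the rootdn the
# ACLs are bypassed anyway. Had "Domain Users" matched its members, every
# user could rewrite any account's password hashes -- at most
# "by self write" is intended here.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdCanChange,sambaPwdMustChange,sambaKickoffTime,sambaLogoffTime
    by dn="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Domain Users,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Domain Guests,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Administrators,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Account Operators,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Print Operators,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Backup Operators,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Replicators,ou=Groups,dc=msdpl,dc=com" write
    by anonymous auth
    by * none
# some attributes need to be readable anonymously so that 'id user' can
# answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
    by dn="cn=nns,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
    by * read
# some attributes can be writable by users themselves
# NOTE(review): despite that comment there is no "by self write" clause,
# so users cannot change these attributes on their own entry.
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
    by dn="cn=nns,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
    by * read
# some attributes need to be writable for samba
access to dn.base="dc=msdpl,dc=com"
    by dn="cn=nns,ou=Groups,dc=msdpl,dc=com" write
    by dn="uid=kk1438,ou=People,dc=msdpl,dc=com" write
    by dn="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Administrators,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Account Operators,ou=Groups,dc=msdpl,dc=com" write
    by * none
# samba needs to be able to create new user accounts
# NOTE(review): whether a plain dn="..." target covers the entries *under*
# ou=People depends on the default dn style (slapd.access(5)); dn.subtree=
# or dn.children= would make the intent explicit. Same for ou=Groups and
# ou=Computers below -- verify with slapacl(8).
access to dn="ou=People,dc=msdpl,dc=com"
    by dn="cn=nns,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Administrators,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Account Operators,ou=Groups,dc=msdpl,dc=com" write
    by * none
# samba needs to be able to create new group accounts
access to dn="ou=Groups,dc=msdpl,dc=com"
    by dn="cn=nns,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Administrators,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Account Operators,ou=Groups,dc=msdpl,dc=com" write
    by * none
# samba needs to be able to create new computer accounts
access to dn="ou=Computers,dc=msdpl,dc=com"
    by dn="cn=nns,ou=Groups,dc=msdpl,dc=com" write
    by dn="uid=kk1438,ou=People,dc=msdpl,dc=com" write
    by dn="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Administrators,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Account Operators,ou=Groups,dc=msdpl,dc=com" write
    by * none
# Catch-all: every attribute not matched above (e.g. sambaSID,
# sambaAcctFlags, displayName) is readable anonymously.
access to * by * read
# Replicas of this database (slurpd)
#replogfile /var/lib/ldap/openldap-master-replog
replogfile /usr/local/ldap-2.3/var/openldap-slurp/openldap-master-replog
# NOTE(review): the replica binds are simple binds with cleartext
# credentials in this file and no tls= option, so presumably sent
# unencrypted; the first replica also binds as the rootdn instead of a
# dedicated update DN. The replica options are continuation lines and
# must be indented (the posted copy had lost the indentation).
replica host=192.168.129.18:389
    suffix="dc=msdpl,dc=com"
    binddn="cn=manager,dc=msdpl,dc=com"
    credentials=secret
    bindmethod=simple
replica host=192.168.128.3:389
    suffix="dc=msdpl,dc=com"
    binddn="cn=horeplica,dc=msdpl,dc=com"
    credentials=secret
    bindmethod=simple
replica host=192.168.130.3:389
    suffix="dc=msdpl,dc=com"
    binddn="cn=foreplica,dc=msdpl,dc=com"
    credentials=secret
    bindmethod=simple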
##################################################################################
Regards
Niranjan