[Samba] LDAP Timeout
Luis Daniel Lucio Quiroz
dlucio at okay.com.mx
Thu Jan 25 07:20:28 GMT 2007
Maybe you could post the LDAP logs? I don't know whether this is off-topic.
Did you try rebuilding the indexes? The LDAP database could be corrupted.
LD
Le mercredi 24 janvier 2007 23:04, mallapadi niranjan a écrit :
> Hi all
>
> I have a running samba 3.0.21c with OpenLDAP 2.3 configured as PDC, and
> also one BDC with same version of samba and openldap.
> It was working fine for the past few months. There are about 400 users on
> the domain and 600 groups.
>
> There are 2 file servers [domain member servers] (Linux systems, RHEL 4.0 update 3
> with Samba version 3.0.21c, joined to the domain) which provide shares. All
> the users get access to the shares via the logon script.
>
> But recently all my users have been unable to access the shares: when the logon
> script runs, it waits for a long time and gives
> semaphore errors. The shares are not mapped at all.
>
> Our guess is that this is related to our recent increase of the idletimeout value in
> slapd.conf, but I am not sure whether that is really the cause of this problem.
>
> Before, the idletimeout value in slapd.conf was 50; we changed it to 70.
> But changing it back to the old value did not solve the problem; rather,
> it created a lot
> of problems, as more and more users are experiencing the problem.
>
>
>
> My query is this
>
> Is the idletimeout value necessary in slapd.conf?
> Is the ldap timeout value necessary in smb.conf?
>
> Should the "ldap timeout" value in smb.conf and "idletimeout" in
> slapd.conf be the same?
> I have 3 domain member servers; should all of their smb.conf files
> have the same
> ldap timeout value?
>
> Please advise me.
>
> Below is the PDC smb.conf
> ###########################################################################
>######## [global]
>
> workgroup = msdpl.com
> netbios name = medhapdc
> # NOTE(review): with "ldap ssl = no" further down, this ldap:// session, the
> # "ldap admin dn" bind and the password hashes read and written through it
> # are not encrypted on the wire unless msdpl.com resolves to this host;
> # "ldap ssl = start tls" avoids that - confirm the topology.
> passdb backend = ldapsam:ldap://msdpl.com
> server string = Domain Controller
> # allowlist of client networks; keep in step with "interfaces" below
> hosts allow = 192.168.128. 192.168.129. 192.168.130. 127.
> security = user
> encrypt passwords = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> interfaces = eth0,lo
> printing = cups
> disable spoolss = Yes
> printcap name = cups
> max print jobs = 100
> enable privileges = yes
> log level = 2
> # NOTE(review): "username level" makes smbd try upper/lower-case variants
> # of a name before giving up, and each variant is a separate account lookup;
> # with accounts in LDAP that is likely several directory queries per
> # mis-cased name - confirm 8 is really needed. "password level" is
> # documented for plaintext-password negotiation; check whether it has any
> # effect at all with "encrypt passwords = yes".
> password level = 8
> username level = 8
> bind interfaces only = yes
> local master = Yes
> os level = 65
> domain master = yes
> preferred master = yes
> remote browse sync = 192.168.130.3
> null passwords = no
> hide unreadable = yes
> hide dot files = yes
> domain logons = yes
> # served from the [netlogon] share below: whoever can write there decides
> # what every client executes at logon
> logon script = %u.bat
> logon path =
> logon drive = X:
> logon home =
> wins support = yes
> name resolve order = wins lmhosts host bcast
> dns proxy = no
> time server = yes
> log file = /var/log/samba/%m.log
> max log size = 50
> nt acl support = yes
> ldap passwd sync = yes
> # account management is delegated to the smbldap tools; their own bind
> # DN/password presumably live in their config (smbldap_bind.conf), not here
> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> delete user script = /usr/local/sbin/smbldap-userdel "%u"
> add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u"
> "%g"
> set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
> ldap delete dn = Yes
> # no TLS to the directory; see the note at "passdb backend"
> ldap ssl = no
> ldap suffix = dc=msdpl,dc=com
> # NOTE(review): this is the directory rootdn (slapd.conf "rootdn" below),
> # which slapd exempts from every "access to" rule, so the per-group ACLs in
> # slapd.conf never constrain what Samba does. A dedicated bind DN that the
> # ACLs grant only the rights Samba needs would limit the damage if the
> # stored ldap admin password leaks.
> ldap admin dn = cn=manager,dc=msdpl,dc=com
> ldap group suffix = ou=Groups
> ldap user suffix = ou=People
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=Idmap
> # seconds smbd waits for one LDAP operation before treating it as failed
> # (smb.conf(5)). This is a client-side wait and is a different thing from
> # slapd's "idletimeout", which is how long slapd lets a connection sit idle
> # before closing it - the two do not have to be equal, and each member
> # server's own value applies only to that server's queries.
> ldap timeout = 50
> idmap backend = ldap:ldap://msdpl.com
> # the member server below uses the same ranges; keep them identical on
> # every host that shares ou=Idmap
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> check password script = /usr/local/bin/crackcheck -s
> map acl inherit = yes
> winbind use default domain = yes
> template shell = /bin/false
> ######################################################[Share
> Definations]###########################################
> [homes]
> comment = Home Directories
> valid users = %S, root
> browseable = no
> read only = no
> nt acl support = Yes
>
> # Un-comment the following and create the netlogon directory for Domain
> Logons
> # NOTE(review): this share holds the per-user logon scripts (%u.bat in
> # [global]). Write access here is equivalent to running code on every
> # client at logon, so keep "write list" to the minimum and make sure the
> # on-disk permissions of /netlogon/scripts match. Guests only get read
> # access because "read only" defaults to yes.
> [netlogon]
> comment = Network Logon Service
> path = /netlogon/scripts
> guest ok = yes
> browseable = yes
> write list = root, kr1233
>
> #Profiles Share
> [profiles]
> comment = Profiles Share
> path = /profiles/%U
> # "read only = No" and "writeable = yes" are synonyms; one of them is enough
> read only = No
> browseable = yes
> writeable = yes
> veto files = /lost+found/.Trash-root/*.sh/*.scr/.recycle/desktop.ini
> # NOTE(review): the four comment lines below are left over from the stock
> # sample smb.conf: the profile share is already defined above, and the
> # BSD-print remark belongs to [printers].
> # Un-comment the following to provide a specific roving profile share
> # the default is to use the user's home directory
> # NOTE: If you have a BSD-style print system there is no need to
> # specifically define each individual printer
> # print spool share; guests may submit jobs, and "use client driver = Yes"
> # tells clients to use their locally installed driver (smb.conf(5))
> [printers]
> comment = All Printers
> path = /var/spool/samba
> create mask = 0600
> guest ok = Yes
> printable = yes
> use client driver = Yes
> browseable = no
> ###########################################################################
>########
>
> my domain member server smb.conf
> ###########################################################################
>######## [global]
>
> unix charset = LOCALE
> workgroup = msdpl.com
> netbios name = prjsrv01
> server string = Project Server 1
> printcap name = /etc/printcap
> load printers = yes
> cups options = raw
> log level = 2
> # one log per user and client machine
> log file = /usr/local/samba-3c2/var/%U.%m.log
> syslog = 0
> max log size = 1000
> # NetBIOS-over-TCP only; port 445 is not served
> smb ports = 139
> security = domain
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> #ldapsam:trusted = yes
> #ldap server = 192.168.129.20
> # minutes of client inactivity before smbd drops the session (smb.conf(5))
> deadtime = 15
> # NOTE(review): "bcasts" and "hosts" are not names smb.conf(5) lists for
> # this option (the PDC uses "wins lmhosts host bcast"); unknown entries are
> # probably skipped, so resolution here may fall through to WINS only -
> # check what testparm reports.
> name resolve order = wins bcasts hosts
> wins server = 192.168.129.20
> ldap suffix = dc=msdpl,dc=com
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=People
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> # NOTE(review): directory rootdn used again (see slapd.conf "rootdn"); a
> # member server only needs to read accounts and write ou=Idmap, so a
> # less-privileged DN would do
> ldap admin dn = cn=manager,dc=msdpl,dc=com
> idmap backend = ldap:ldap://192.168.129.20
> # must match the PDC's ranges (shared ou=Idmap)
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> # idmap lookups and the admin bind go to 192.168.129.20 unencrypted
> ldap ssl = no
> # per-operation wait for LDAP replies; differs from the PDC's 50 s, which is
> # fine because each smbd applies only its own value (smb.conf(5))
> ldap timeout = 30
> template shell = /bin/false
> winbind use default domain = Yes
> inherit permissions = yes
> inherit acls = yes
> nt acl support = yes
> hide dot files = yes
> map acl inherit = yes
> #######################################Share
> Definations########################################
> [homes]
> comment = Home Directories
> valid users = %S
> browseable = no
> writable = yes
> # NOTE(review): as reproduced here "hide dot files = yes" sits on the same
> # line as the veto list. If that is what the file really contains, it is
> # part of the "veto files" value and the option is not set for [homes];
> # "testparm -s" shows which it is.
> veto files =
> /.bash_history/.bash_logout/.bash_profile/.bashrc/.canna/.emacs/.gtkrc/.kde
>/.viminfo/.xemacs/.zshrc/ hide dot files = yes
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> browseable = no
> guest ok = no
> writable = no
> printable = yes
>
> [projects]
> comment = All Projects
> path = /projects
> browseable = no
> guest ok = no
> writeable = yes
> printable = no
> veto files = /lost+found/.Trash-root/*.sh/*.scr/.recycle/
> # 2700 sets the setgid bit on new files; the commented "force create mode =
> # 0700" below suggests 0700 was meant - confirm
> create mode = 2700
> # force create mode = 0700
> # force directory mode = 0700
> inherit permissions = yes
> inherit acls = yes
> vfs objects = recycle
> dos filemode = yes
> store dos attributes = yes
> hide dot files = yes
>
>
> [datalib]
> comment = DataLib
> path = /datalib
> browseable = no
> writeable = yes
> vfs objects = recycle
> # NOTE(review): "veto files" is set twice in this share; Samba keeps the
> # last value, so the longer list below wins and this line is dead
> veto files = lost+found
> inherit permissions = yes
> inherit acls = yes
> veto files = /lost+found/.Trash-root/*.sh/*.scr/.recycle/
> dos filemode = yes
> store dos attributes =yes
> #dos filemode = yes
>
> [softdumps$]
> Comment = Soft Dumps
> Path = /dumps/softdumps
> browseable = no
> writeable = yes
> inherit permissions = yes
> inherit acls = yes
> veto files = lost+found/.Trash-root/*.sh/*.scr/.recycle/
> # NOTE(review): with "writeable = yes" every valid user can already write;
> # "write list" only widens access on a read-only share, so as written it
> # does not limit writing to @nns/@codesec/root. If that limit was the
> # intent, replace "writeable = yes" with "read only = yes".
> write list = @nns, root, @codesec
> vfs objects = recycle
> dos filemode = yes
> store dos attributes =yes
>
>
> [dumps]
> Comment = Dumps
> Path = /dumps/dumps
> browseable = yes
> inherit permissions = yes
> inherit acls = yes
> read only = yes
> vfs objects = recycle
> veto files = desktop.ini/lost+found/.Trash-root/*.sh/*.scr/.recycle/
> dos filemode = yes
> store dos attributes =yes
>
> # administrative view over every user's home directory; access hinges on
> # "valid users" below
> [hdrive$]
> path = /home
> browseable = no
> public = no
> writable = yes
> # NOTE(review): "create mask" keeps the world read/execute bits (…5), and
> # "force create mode" is OR-ed in afterwards, so new files can arrive
> # world-readable in a tree that "valid users" otherwise restricts. Drop the
> # world bits if that is not wanted; same mask in [mas696] and [backup].
> create mask = 0765
> veto files = desktop.ini
> valid users = kr1233, root
> force create mode = 0770
> force directory mode = 0770
> inherit permissions = yes
> inherit acls = yes
> hide dot files = yes
>
> [mas696]
> Comment = New Projects
> path = /MAS696
> browseable = no
> public = no
> writeable = yes
> create mask = 0765
> veto files = desktop.ini/lost+found/.Trash-root/*.sh/*.scr/.recycle/
> vfs objects = recycle
> dos filemode = yes
> store dos attributes =yes
> #force create mode = 0770
> #force directory mode = 0770
> inherit permissions = yes
> inherit acls = yes
> hide dot files = yes
>
> [backup]
> path = /optdata/backup
> browseable = yes
> public = no
> writable = yes
> create mask = 0765
> veto files = desktop.ini
> valid users = kr1233, root
> inherit permissions = yes
> inherit acls = yes
> hide dot files = yes
> ###########################################################################
>########
>
> slapd.conf
> ###########################################################################
>####### #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include /usr/local/ldap-2.3/etc/openldap/schema/core.schema
> include /usr/local/ldap-2.3/etc/openldap/schema/cosine.schema
> include /usr/local/ldap-2.3/etc/openldap/schema/inetorgperson.schema
> include /usr/local/ldap-2.3/etc/openldap/schema/nis.schema
> include /usr/local/ldap-2.3/etc/openldap/schema/samba.schema
> # Define global ACLs to disable default read access.
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral ldap://root.openldap.org
>
> pidfile /usr/local/ldap-2.3/var/run/slapd.pid
> argsfile /usr/local/ldap-2.3/var/run/slapd.args
>
> # Load dynamic backend modules:
> # modulepath /usr/local/ldap-2.3/libexec/openldap
> # moduleload back_bdb.la
> # moduleload back_ldap.la
> # moduleload back_ldbm.la
> # moduleload back_passwd.la
> # moduleload back_shell.la
>
> # Sample security restrictions
> # Require integrity protection (prevent hijacking)
> # Require 112-bit (3DES or better) encryption for updates
> # Require 63-bit encryption for simple bind
> # security ssf=1 update_ssf=112 simple_bind=64
> # NOTE(review): with the line above left commented and no TLS* directives
> # anywhere in the file as quoted, slapd accepts simple binds - including
> # the rootdn bind that Samba and the replicas use - over plain TCP from any
> # host that can reach port 389. That matches "ldap ssl = no" on the Samba
> # side; enabling TLS on both ends closes it.
>
> # Sample access control policy:
> # Root DSE: allow anyone to read it
> # Subschema (sub)entry DSE: allow anyone to read it
> # Other DSEs:
> # Allow self write access
> # Allow authenticated users read access
> # Allow anonymous users to authenticate
> # Directives needed to implement policy:
> # access to dn.base="" by * read
> # access to dn.base="cn=Subschema" by * read
> # access to *
> # by self write
> # by users read
> # by anonymous auth
> #
> # if no access controls are present, the default policy
> # allows anyone and everyone to read anything but restricts
> # updates to rootdn. (e.g., "access to * by * read")
> #
> # rootdn can always read and write EVERYTHING!
>
> #######################################################################
> # BDB database definitions
> #######################################################################
>
> database bdb
> suffix "dc=msdpl,dc=com"
> rootdn "cn=manager,dc=msdpl,dc=com"
> # Cleartext passwords, especially for the rootdn, should
> # be avoid. See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> # NOTE(review): still cleartext here, and the same literal reappears as the
> # replica "credentials" below; store a slappasswd(8) hash and keep the file
> # mode 0600 as the header asks. Both Samba hosts bind as this DN.
> rootpw secret
> # seconds an idle client connection may stay open before slapd closes it
> # (slapd.conf(5)); 0 disables. This is a server-side reaper and is a
> # different thing from Samba's "ldap timeout", so the two need not agree.
> # Raising it keeps idle smbd connections alive longer; it does not make
> # queries take longer.
> idletimeout 50
> # server-side cap, in seconds, on how long one search may run
> timelimit 70
> # entry cache size; with ~400 users, 600 groups and the machine accounts it
> # is close to the number of entries - worth checking rather than guessing
> cachesize 2000
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory /usr/local/ldap-2.3/var/openldap-data
> checkpoint 128 15
> # Indices to maintain
> # (rebuilding them, as the reply suggests, is slapindex(8) with slapd
> # stopped)
> index objectClass eq,pres
> index ou,cn,mail,surname,givenname eq,pres,sub
> index loginShell eq,pres
> index nisMapName,nisMapEntry eq,pres,sub
> index displayName eq,pres,sub
> index uidNumber eq
> index gidNumber eq
> index memberUID eq
> index sambaSID eq
> index sambaPrimaryGroupSID eq
> index default sub
> index sambaGroupType eq,pres
> index uniqueMember eq,pres
> index sambaDomainName eq,pres
> index uid eq,pres,sub
> index sambaSIDList eq,pres
> # NOTE(review): per slapd.access(5), "by dn=..." matches the bound DN
> # exactly, so each group clause in this file applies only when something
> # binds as that group entry itself; members of a group are matched with
> # "by group=...". As written, the password attributes are therefore
> # writable only by rootdn (which bypasses ACLs anyway) - the safe outcome.
> # If the intent was to give the *members* of Domain Users write here, that
> # must not be done: it would let any user rewrite any other user's hashes.
> # Also: sambaKickoffTime is listed twice.
> access to
> attrs=userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwd
>CanChange,sambaPwdMustChange,sambaKickoffTime,sambaKickoffTime,sambaLogoffTi
>me by dn="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
> by dn="cn=Domain Users,ou=Groups,dc=msdpl,dc=com" write
> by dn="cn=Domain Guests,ou=Groups,dc=msdpl,dc=com" write
> by dn="cn=Administrators,ou=Groups,dc=msdpl,dc=com" write
> by dn="cn=Account Operators,ou=Groups,dc=msdpl,dc=com" write
> by dn="cn=Print Operators,ou=Groups,dc=msdpl,dc=com" write
> by dn="cn=Backup Operators,ou=Groups,dc=msdpl,dc=com" write
> by dn="cn=Replicators,ou=Groups,dc=msdpl,dc=com" write
> # "auth" lets clients bind with the password without reading it; "none"
> # keeps the hashes unreadable to everyone else
> by anonymous auth
> by * none
> # some attributes need to be readable anonymously so that 'id user' can
> answer correctly
> access to
> attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
> by dn="cn=nns,ou=Groups,dc=msdpl,dc=com" write
> by dn="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
> by * read
> # some attributes can be writable by users themselves
> # (no "by self write" clause follows, so users cannot actually edit them)
> access to
> attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,
>sn,givenname by dn="cn=nns,ou=Groups,dc=msdpl,dc=com" write
> by dn="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
> by * read
> # some attributes need to be writable for samba
> access to dn.base="dc=msdpl,dc=com"
> by dn="cn=nns,ou=Groups,dc=msdpl,dc=com" write
> by dn="uid=kk1438,ou=People,dc=msdpl,dc=com" write
> by dn="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
> by dn="cn=Administrators,ou=Groups,dc=msdpl,dc=com" write
> by dn="cn=Account Operators,ou=Groups,dc=msdpl,dc=com" write
> by * none
> # samba need to be able to create new users account
> access to dn="ou=People,dc=msdpl,dc=com"
> by dn="cn=nns,ou=Groups,dc=msdpl,dc=com" write
> by dn="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
> by dn="cn=Administrators,ou=Groups,dc=msdpl,dc=com" write
> by dn="cn=Account Operators,ou=Groups,dc=msdpl,dc=com" write
> by * none
> # samba need to be able to create new groups account
> access to dn="ou=Groups,dc=msdpl,dc=com"
> by dn="cn=nns,ou=Groups,dc=msdpl,dc=com" write
> by dn="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
> by dn="cn=Administrators,ou=Groups,dc=msdpl,dc=com" write
> by dn="cn=Account Operators,ou=Groups,dc=msdpl,dc=com" write
> by * none
> # samba need to be able to create new computers account
> access to dn="ou=Computers,dc=msdpl,dc=com"
> by dn="cn=nns,ou=Groups,dc=msdpl,dc=com" write
> by dn="uid=kk1438,ou=People,dc=msdpl,dc=com" write
> by dn="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
> by dn="cn=Administrators,ou=Groups,dc=msdpl,dc=com" write
> by dn="cn=Account Operators,ou=Groups,dc=msdpl,dc=com" write
> by * none
> # NOTE(review): catch-all - every attribute not named above is readable
> # anonymously by any host that can reach slapd. If nothing relies on
> # anonymous reads beyond the 'id user' set above, "by users read" plus
> # "by anonymous auth" here would limit that to authenticated clients.
> access to * by * read
>
> # Replicas of this database
> #replogfile /var/lib/ldap/openldap-master-replog
> # NOTE(review): as quoted, "replica" sits on the same line as the replogfile
> # path; if the file really reads that way the first replica stanza is
> # broken - slaptest(8) will tell. slurpd-style replication (replogfile /
> # replica) is deprecated in 2.3 in favour of syncrepl.
> replogfile
> /usr/local/ldap-2.3/var/openldap-slurp/openldap-master-replog replica
> host=192.168.129.18:389
> suffix="dc=msdpl,dc=com"
> # NOTE(review): this replica is pushed with the rootdn and its cleartext
> # password, over port 389 without the replica tls= option; the same
> # literal is reused for the other two replicas. Use a dedicated replica DN
> # per consumer, hashed passwords on the consumers, and TLS.
> binddn="cn=manager,dc=msdpl,dc=com"
> credentials=secret
> bindmethod=simple
>
>
> replica host=192.168.128.3:389
> suffix="dc=msdpl,dc=com"
> binddn="cn=horeplica,dc=msdpl,dc=com"
> credentials=secret
> bindmethod=simple
>
>
> replica host=192.168.130.3:389
> suffix="dc=msdpl,dc=com"
> binddn="cn=foreplica,dc=msdpl,dc=com"
> credentials=secret
> bindmethod=simple
> ###########################################################################
>#######
>
>
>
>
> Regards
> Niranjan