[Samba] samba + slave OpenLdap (read-only)

jakjr joao.alfredo at gmail.com
Thu Jul 3 13:05:07 GMT 2008

I looked at samba code and I found this:

        while (another_ldap_try(ldap_state, &rc, &attempts, endtime))
                rc = ldap_modify_s(ldap_state->ldap_struct, utf8_dn, attrs);
                if (rc != LDAP_SUCCESS)
                        char *ld_error = NULL;
                        int ld_errno;

                                        LDAP_OPT_ERROR_NUMBER, &ld_errno);

                                        LDAP_OPT_ERROR_STRING, &ld_error);

                        DEBUG(10, ("Failed to modify dn: %s, error: %d (%s)
                                   "(%s)\n", dn, ld_errno,
                                   ld_error ? ld_error : "unknown"));

                        if (ld_errno == LDAP_SERVER_DOWN)
                                ldap_state->ldap_struct = NULL;

Samba does NOT follow the referral return by openldap server. At least in
this situation (join machines).

Samba only will try another server, if the first one is DOWN.

In my option, it should try another server if any error occur during any
ldap operation.

So many thanks.

João Alfredo

On Wed, Jul 2, 2008 at 6:35 PM, Volker Lendecke <Volker.Lendecke at sernet.de>

> On Wed, Jul 02, 2008 at 04:47:42PM -0300, jakjr wrote:
> > Hey,
> >
> > Here another log:
> >
> > Samba try to change some atributes, like sambaNTPassword (gree)
> > and ldap return an error (red) and a referral for the mastes ldap. But
> samba
> > do not follow this referral.
> >
> > Why samba try to change this atributes ??
> Because the machine vmcelepar11201 tried to change its
> password. A sniff of the LDAP traffic might help a bit
> towards finding the failure to follow the referral. But
> please beware that this traffic contains password
> equivalents or even passwords.
> Volker

More information about the samba mailing list