On Fri, 18 Jun 2004 15:38 , Michael Gasch <[EMAIL PROTECTED]> sent:
> > Isn't the slave ldap directory suppose to be only read only?
>
> if it's readonly, slurpd can't update the slave (i've tested it,
> possibly i missed something ?)
>
> the problem is: machines regularly change their passwords and if these
> changes are not done on the master, they're lost, if master comes back
> -> clients can't logon anymore and so on....

maybe I am missing something here - but why does your master ldap fail so often?

I agree with the other poster, the slave LDAPS should be (and I would almost move to _need_ to be) read only ..

I am also curious as to why you have a samba server contacting either the PDC/BDC ldap servers when it could just be running a replicated LDAP DB itself...which is how all the docs say to do it - maybe this is something new with 3.xx - not sure, but it always seemed more logical to have all your samba boxes be their own DC in terms of login/user information

If your master does fail - and I mean dead, need to rebuild, etc..I would make one of the slaves the write/master, get the original MASTER back on line, but not in production until you can do a slapcat of the LDAP to it, change everything back to what it needs to be, and have your system running again....

but like I said, maybe I am missing something

> > I'm having some troubles
> > getting the failover to work
>
> what problems are you talking about?
>
> these are my config files (/etc/ldap.conf for all machines not included
> but also very important in case of fail-over)
>
> ##### Samba PDC #####
> # smb.conf
>
> [global]
>
>         workgroup = NEVAN
>         netbios name = nevanpdc
>         server string = NevanPDC on Samba Version: %v
>
>         username map = /etc/samba/username.map
>
>         log level = 5
>         log file = /var/lib/samba/log.%m
>         max log size = 10000
>
>         passdb backend = ldapsam:"ldap://localhost:389 ldap://nevanbdc.eva.mpg.de:389"
>         ldap passwd sync = yes
>         ldap suffix = dc=eva,dc=mpg,dc=de
>         ldap admin dn = cn=manager,dc=eva,dc=mpg,dc=de
>         ldap machine suffix = ou=machines
>         ldap user suffix = ou=users
>         ldap group suffix = ou=groups
>         ldap replication sleep = 2000
>         ldap idmap suffix = ou=users
>
>         guest ok = no
>         guest account = Guest
>
>         security = user
>         local master = yes
>         os level = 65
>         domain master = yes
>         domain logons = yes
>
>         logon path =
>         logon home =
>
>         encrypt passwords = yes
>         socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>
>         wins support = yes
>         dns proxy = no
>
>         display charset = UTF8
>         unix charset = UTF8
>
> [netlogon]
>         comment = Network Logon Service
>         path = /var/lib/samba/netlogon
>         guest ok = yes
>         writable = no
>         share modes = no
>
>
> # slapd.conf
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/samba.schema
>
> pidfile /var/run/slapd/slapd.pid
> argsfile /var/run/slapd/slapd.args
> loglevel 7
>
> database ldbm
> suffix "dc=eva,dc=mpg,dc=de"
> rootdn "cn=manager,dc=eva,dc=mpg,dc=de"
>
> password-hash {MD5}
> rootpw {MD5}++++++++++++++++++++++++
>
> replogfile /var/lib/ldap/replog
>
> replica host=nevanbdc.eva.mpg.de:389
>         binddn=cn=manager,dc=eva,dc=mpg,dc=de
>         bindmethod=simple credentials="+++++++++"
>
> directory /var/lib/ldap
> index objectClass eq
> index sambaSID eq
> index uid eq
> index sambaPrimaryGroupSID eq
>
> lastmod on
>
> access to attrs=userPassword
>         by self write
>         by * auth
>
> access to *
>         by * read
>
>
>
> ##### Samba BDC #####
> # smb.conf
>
> [global]
>
>         workgroup = NEVAN
>         netbios name = nevanbdc
>         server string = NevanBDC on Samba Version: %v
>
>         username map = /etc/samba/username.map
>
>         log level = 5
>         log file = /var/lib/samba/log.%m
>         max log size = 10000
>
>         passdb backend = ldapsam:"ldap://nevanpdc.eva.mpg.de:389 ldap://localhost:389"
>         ldap passwd sync = yes
>         ldap suffix = dc=eva,dc=mpg,dc=de
>         ldap admin dn = cn=manager,dc=eva,dc=mpg,dc=de
>         ldap machine suffix = ou=machines
>         ldap user suffix = ou=users
>         ldap group suffix = ou=groups
>         ldap replication sleep = 2000
>         ldap idmap suffix = ou=users
>
>         guest ok = no
>         guest account = Guest
>
>         security = user
>         local master = yes
>         os level = 65
>         domain master = no
>         domain logons = yes
>
>         logon path =
>         logon home =
>
>         encrypt passwords = yes
>         socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>
>         wins support = yes
>         dns proxy = no
>
>         display charset = UTF8
>         unix charset = UTF8
>
> [netlogon]
>         comment = Network Logon Service
>         path = /var/lib/samba/netlogon
>         guest ok = yes
>         writable = no
>         share modes = no
>
>
> # slapd.conf
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/samba.schema
>
> pidfile /var/run/slapd/slapd.pid
> argsfile /var/run/slapd/slapd.args
> loglevel 2
>
> database ldbm
> suffix "dc=eva,dc=mpg,dc=de"
> rootdn "cn=manager,dc=eva,dc=mpg,dc=de"
>
> password-hash {MD5}
> rootpw {MD5}++++++++++++++++++++++++
>
> updatedn "cn=manager,dc=eva,dc=mpg,dc=de"
> updateref "nevanpdc.eva.mpg.de"
>
> directory /var/lib/ldap
> index objectClass eq
> index sambaSID eq
> index uid eq
> index sambaPrimaryGroupSID eq
>
> lastmod on
>
> access to attrs=userPassword
>         by self write
>         by * auth
>
> access to *
>         by * read
>
>
>
> Jason C. Waters wrote:
>> Isn't the slave ldap directory suppose to be only read only? So when
>> the master is down the users can't change their passwords, but
>> everything else should work. What do your smb.conf and slapd.conf files
>> look like for the master and the slave? I'm having some troubles
>> getting the failover to work, so I wouldn't mind a peek. Thanks
>>
>> Jason
>>
>> Michael Gasch wrote:
>>
>>> hi
>>>
>>> i'm looking for hints/experiences concerning samba v3, openldap AND
>>> redundancy
>>>
>>> my setup is:
>>>
>>> Samba PDC with LDAP Master
>>> Samba BDC with LDAP Slave
>>> Samba Member Server, contacting first PDC, then BDC if the first fails
>>>
>>> if all instances are working properly, everything is okay
>>> replication is also fine (from Master -> Slave)
>>>
>>> and now imagine:
>>>
>>> LDAP Master dies
>>> all smbd are contacting LDAP Slave and make their changes in the Slave
>>> directory
>>> cause replication only works from Master->Slave, if Master comes up
>>> again, i have inconsistency in my LDAP Backends
>>> e.g. a machine changes its machine password in Slave directory and
>>> can't logon anymore cause the password change isn't replicated on Master
>>>
>>> we also tried to setup slurpd (LDAP replication) on both LDAP Servers
>>> - if both are up, everything is okay, if one is down, changes are made
>>> in one directory, samba tells me it fails (e.g. changing passwords),
>>> although it changes the attributes and so on....
>>>
>>> so the problem is: if Slave dies, everything should go on working,
>>> because PDC/BDC use at first LDAP Master
>>> if slave comes up, replication is done properly
>>>
>>> but if Master dies, i get an inconsistent domain
>>>
>>> how do you get redundancy in your LDAP backend?
>>> PDC/BDC redundancy works well, the single-point-of-failure is LDAP
>>>
>>> thx
>>

-------------------------------------------
Chris McKeever
If you want to reply directly to me, please use cgmckeever--at--prupref.com
Prudential Preferred Properties
www.prupref.com
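Chris's recovery plan above (promote a slave, then re-seed the old master from a slapcat) only works if you can first see what changed on the slave while the master was away. The following Python, added here and not from the thread or from Samba/OpenLDAP, compares two slapcat dumps and lists the entries and attributes that diverged; the sample dumps, the ws01$ account and its hash and timestamp values are constructed, not real data.

```python
# Added example (not from the thread): report entries that diverged between
# the LDAP master and slave, e.g. a machine account that rotated its
# password on the slave while the master was down.  Input is the text of a
# slapcat dump from each side; the sample dumps below are constructed.
import base64, re

def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attr: {values}}}."""
    entries, current = {}, {}
    # Unfold continuation lines (newline + space), then walk line by line;
    # the trailing "" flushes the last entry.
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if not line.strip():
            if "dn" in current:
                entries[next(iter(current.pop("dn")))] = current
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):      # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip(), set()).add(value.strip())
    return entries

def diff_directories(master, slave, ignore=frozenset()):
    """{dn: {attr: (master_values, slave_values)}} for everything that
    differs; an entry on one side only is reported as {'<entry>': ...}."""
    report = {}
    for dn in master.keys() | slave.keys():
        m, s = master.get(dn), slave.get(dn)
        if m is None or s is None:
            report[dn] = {"<entry>": (m is not None, s is not None)}
            continue
        changed = {a: (sorted(m.get(a, ())), sorted(s.get(a, ())))
                   for a in (m.keys() | s.keys()) - set(ignore)
                   if m.get(a, set()) != s.get(a, set())}
        if changed:
            report[dn] = changed
    return report

# Constructed sample: the master's copy of one workstation account ...
MASTER_LDIF = """\
dn: uid=ws01$,ou=machines,dc=eva,dc=mpg,dc=de
objectClass: sambaSamAccount
uid: ws01$
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaPwdLastSet: 1087000000
"""
# ... and the slave's, after the machine changed its password there.
SLAVE_LDIF = (MASTER_LDIF.replace("0123456789ABCDEF0123456789ABCDEF", "FEDCBA9876543210FEDCBA9876543210")
              .replace("sambaPwdLastSet: 1087000000", "sambaPwdLastSet: 1087570000"))
```

Run it as `diff_directories(parse_ldif(master_dump), parse_ldif(slave_dump))` on the two real dumps; an empty result means the master can be brought back into production without losing slave-side changes.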
