Please remove [EMAIL PROTECTED] from your contact lists

----- Original Message -----
From: "rruegner" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, August 19, 2004 5:41 PM
Subject: Re: [Samba] LDAP Master/Slave

> Hi John,
> let me explain.... If you have connected an SMB LDAP master PDC with
> a VPN (i.e. OpenVPN) to a BDC SMB LDAP slave, and if the VPN
> breaks, Win clients from the VPN network are working with
> the last entries from the slave LDAP.
> As in the blackout period the PDC doesn't exist and the BDC LDAP slave is
> not writeable, you can't make any changes (like bringing up new
> machines on the fly, changing passwords etc.) until the VPN is up again to
> the PDC LDAP master.
> This is due to the fact that a BDC is read only.
> This is my understanding.... and practised... or do you know of some
> other workaround? (which might be possible with LDAP in principle, but
> will end in heavily syncing the LDAP directory in network blackout periods)
> Best Regards
>
>
>
> John H Terpstra schrieb:
> > On Wednesday 18 August 2004 16:11, rruegner wrote:
> >
> >>That's right
> >
> >
> > I am not sure if I understand what is being said here. Samba should refer
> > password changes to the PDC and it should apply the changes to the LDAP
> > directory.
> >
> > - John T.
> >
> >
> >>regards
> >>
> >>Jason C. Waters schrieb:
> >>
> >>>I don't think this is a solution. If I understand what you were saying,
> >>>on the BDC I should have this as the passwd backend:
> >>>
> >>>passwd backend = ldapsam:"ldaps://ldap.server2 ldaps://ldap.server1"
> >>>
> >>>server2 - the BDC and LDAP slave which is read only
> >>>server1 - is the PDC and has the LDAP master which users can read/write,
> >>>so they could update their passwords.
> >>>
> >>>If I have it set up this way, the users that are on the other side will never
> >>>be able to update their passwords, at least on that leg of the VPN. Or
> >>>maybe I'm just thinking about this the wrong way.
> >>>
> >>>Jason
> >>>
> >>>rruegner wrote:
> >>>
> >>>>Hi,
> >>>>if you want the BDC to stay alive in cases
> >>>>when the VPN breaks, then on your BDC smb.conf
> >>>>your slave LDAP should be the first entry in the passwd backend,
> >>>>so if the VPN breaks, the slave LDAP operates with its last
> >>>>entries from the master and will give the Win clients a chance
> >>>>to operate just as if the PDC were alive.
> >>>>If the VPN is up again, the LDAP should refresh the slave automatically.
> >>>>But note, a BDC is read only, so changes can only be made to the master
> >>>>LDAP on the PDC. So no changes can be made to the domain during the
> >>>>blackout period.
> >>>>If you want a fully functional BDC you also should set up user clients'
> >>>>homes and profiles in your outside (VPN) office hosted on the BDC.
> >>>>(a separate DHCP server and a BIND slave with long-time zone caching
> >>>>is very useful, too)
> >>>>
> >>>>Regards
> >>>>
> >>>>Jason C. Waters schrieb:
> >>>>
> >>>>>Is anyone using this? My smb.conf file has this line in
> >>>>>server1 (master)
> >>>>>
> >>>>>passwd backend = ldapsam:"ldaps://ldap.server1 ldaps://ldap.server2"
> >>>>>
> >>>>>and this is what server2 (slave LDAP, BDC) looks like:
> >>>>>
> >>>>>passwd backend = ldapsam:"ldaps://ldap.server1 ldap.server2"
> >>>>>
> >>>>>This is what happens. When I take down server1's LDAP server,
> >>>>>server2 just starts using its local LDAP server. But if I take down
> >>>>>the VPN between the two and try the same test, pdbedit -L, it works
> >>>>>but it takes about 6 seconds for it to time out on server1. Is this
> >>>>>normal or do I need to change some DNS setting? Thanks for your help.
> >>>>>
> >>>>>Jason
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
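Added example, not part of the thread: a small Python lint of the ordering advice discussed above, run against smb.conf fragments constructed from the two configurations Jason quoted. It assumes Samba's actual parameter name `passdb backend`, and it flags a URI with no `ldaps://` scheme (as in the quoted BDC line) and a local LDAP server that is not listed first, which is what makes each lookup wait out the remote timeout while the VPN is down.

```python
import re
from typing import List

# Constructed smb.conf fragments modelled on the two configurations quoted
# in the thread (ldap.server1 = PDC / LDAP master, ldap.server2 = BDC / LDAP
# slave). The hostnames are the thread's placeholders, not real servers.
PDC_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:"ldaps://ldap.server1 ldaps://ldap.server2"
"""
BDC_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:"ldaps://ldap.server1 ldap.server2"
"""

# Samba's real parameter is 'passdb backend'; the quoted list holds one or
# more LDAP URIs separated by spaces.
BACKEND_RE = re.compile(r'^\s*passdb\s+backend\s*=\s*ldapsam:"?([^"\n]*)"?', re.M | re.I)
URI_RE = re.compile(r"^ldap(s|i)?://\S+$")


def ldapsam_uris(smb_conf: str) -> List[str]:
    """Return the LDAP URI list from the ldapsam passdb backend, in order.

    Samba tries the URIs left to right, so every unreachable entry ahead of
    a working one costs a connection timeout on each lookup.
    """
    m = BACKEND_RE.search(smb_conf)
    return m.group(1).split() if m else []


def check_backend(smb_conf: str, role: str, local_uri: str) -> List[str]:
    """Lint the URI list for a 'pdc' or 'bdc'; returns human-readable findings."""
    uris = ldapsam_uris(smb_conf)
    if not uris:
        return ["no ldapsam passdb backend configured"]
    findings = []
    for u in uris:
        if not URI_RE.match(u):  # e.g. a bare hostname without ldaps://
            findings.append(f"malformed LDAP URI (no ldap:// or ldaps:// scheme): {u}")
    if uris[0] != local_uri:
        findings.append(f"{role}: local server {local_uri} is not listed first; every "
                        f"lookup waits for {uris[0]} to time out while the VPN is down")
    return findings


if __name__ == "__main__":
    print("PDC", check_backend(PDC_SMB_CONF, "pdc", "ldaps://ldap.server1") or ["ok"])
    print("BDC", check_backend(BDC_SMB_CONF, "bdc", "ldaps://ldap.server2") or ["ok"])
```

Point it at a real smb.conf by reading the file into the string; the PDC fragment passes, the BDC fragment reports both problems.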
