[Samba] Samba LDAP Failover

2012-03-31 Thread Massimiliano Perantoni
Hi,
I have a quite simple setup for a particular customer that loves
redundancy and failover.
PDC + BDC with LDAP Passwords on two 389-ds in multimaster node +
several samba member servers

Actually pointing singularly on both the systems everything works great.
As soon as I modify my passdb backend line from the single form to the
form containing both backends that is
from
passdb backend = ldapsam:ldap://ldap1;
or
passdb backend = ldapsam:ldap://ldap2;
to
passdb backend = ldapsam:ldap://ldap1 ldap://ldap2;

I still authenticate on the first LDAP, but as soon as I shut this off with
iptables -I OUTPUT -p tcp --dport 389 -d ldap1 -j REJECT #Simulates,
from the samba machine a failure in the service and, yes it is simple
plain ol' LDAP, no TLS
I get a timeout and an auth failure.
This is the way I reproduce the problem
#with the first ldap reachable
smbclient -L pdc-01 -U maxper
Password:
Domain: [XX]


everything works fine

iptables -I OUTPUT -p tcp --dport 389 -j DROP
smbclient -L pdc-01 -U maxper
answers
session setup failed: NT_STATUS_LOGON_FAILURE
getent passwd works OK, gives both local and ldap users after the
timeout set in ldap.conf, while samba just drops the authentication
after the committed param
ldap timeout = 8
after 8 secs, samba drops and gives that error.

Samba is version 3.4.15, while the distro is CentOS 5.4

any help would be appreciated!
Ciao Massimiliano
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba LDAP Failover

2012-03-31 Thread Gaiseric Vandal
I don't think Samba (depending on the version) supports multiple ldap
backends. You should have samba_server_1 using ldap_server_1 and
samba_server_2 using ldap_server_2.



Re: [Samba] Samba LDAP Failover

2012-03-31 Thread Massimiliano Perantoni
The matter is that, since the manual indicates so, it should be
supported and delegated to the ldap api in use...
The openldap api supports rebinding. The proof of it is that if in
/etc/ldap.conf I put in the uri 2 ldap servers everything works fine.
The matter seems that samba, even using such an infrastructure, doesn't work.
I'd like at least to know if it is some mistake I do or it is just
deprecated/never supported, just to go in other directions
implementing other failover-by-hand systems.

Thanks!



On 31 March 2012 14:37, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
 I don't think Samba (depending on the version) supports multiple ldap
 backends.    You should have samba_server_1 using ldap_server_1 and
 samba_server_2 using ldap_server_2.



Re: [Samba] windows 7 roaming profiles

2012-03-31 Thread Charles Marcus

On 2012-03-30 3:18 AM, steve st...@steve-ss.com wrote:

On 29/03/12 22:36, Miguel Medalha wrote:

 Charles wrote:

The stuff in the roaming profiles (very little) is copied back/forth
at login/out, the stuff in the redirected folders is *synchronized*
at all times using the Offline Files technology that has long existed
in Microsoft's products.



I create a file and store it on my desktop.

roaming profile
It is stored locally until I log off whereupon it is synced to the server.


Correct...


desktop folder redirected
The file is only ever stored at the destination.


Incorrect (again, unless you have changed the default, and again, I am 
not even sure this is possible, and definitely it is most likely not 
recommended).



Edits are instantaneously synced, not only when I log off.


Correct... they are *synced*... which means they exist in *both* 
locations, *not* '*only* on the destination/redirected folder'...


--

Best regards,

Charles


Re: [Samba] windows 7 roaming profiles

2012-03-31 Thread Charles Marcus

On 2012-03-30 12:35 PM, Charles Marcus cmar...@media-brokers.com wrote:

I was simply pointing out that the *default* behavior was to always
cache all data in redirected folders on the local client using the tried
and true 'offline files' technology, but in a different way with respect
to Redirected Folders (with Windows 7, which, in case you hadn't
noticed, is the subject being discussed) - it synchronizes *as changes
are made*, *in the background*, not at logon/logoff.


And of course, all of my replies also 'assume' that Samba behaves the 
same way as Windows Server with Win 7 Clients - meaning, the default 
behavior is to *always* *cache* (and sync in the background) all 
redirected folder data on the local client.


Can anyone with *definitive* knowledge please comment on whether or not 
this is true (it will affect my decision on replacing our Windows 
Servers with Samba sometime in the next year or so)?


Also, I am curious if it is even possible to disable the local caching 
on the client (although as I have said, I personally cannot think of 
*any* reason/scenario where that would be a good idea - if you truly 
never want *any* data residing on the local client, use THIN clients, 
that is what they are for).


--

Best regards,

Charles


Re: [Samba] Samba LDAP Failover

2012-03-31 Thread Steve Thompson

On Sat, 31 Mar 2012, Gaiseric Vandal wrote:


I don't think Samba (depending on the version) supports multiple ldap
backends. You should have samba_server_1 using ldap_server_1 and
samba_server_2 using ldap_server_2.


Samba most certainly does support multiple LDAP backends. There's even an 
example in the smb.conf(5) man page.


Steve


Re: [Samba] Samba LDAP Failover

2012-03-31 Thread Massimiliano Perantoni
I'm exactly using that, without luck...

--
Massimiliano Perantoni
site: http://www.perantoni.net

On 31 March 2012 15:35, Steve Thompson s...@vgersoft.com wrote:
 On Sat, 31 Mar 2012, Gaiseric Vandal wrote:

 I don't think Samba (depending on the version) supports multiple ldap
 backends.    You should have samba_server_1 using ldap_server_1 and
 samba_server_2 using ldap_server_2.


 Samba most certainly does support multiple LDAP backends. There's even an
 example in the smb.conf(5) man page.

 Steve



Re: [Samba] Samba LDAP Failover

2012-03-31 Thread Steve Thompson

On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:


I'm exactly using that, without luck...


Not sure what to tell you; I have used multiple LDAP servers in the past 
with success, although these days I use a single virtual LDAP server which 
load balances across a set of backend servers. What happens if you 
actually shut down the first LDAP server rather than REJECT it?


Steve


Re: [Samba] Samba LDAP Failover

2012-03-31 Thread Massimiliano Perantoni
Well, did not try, but guess it happens the same.
Just for completeness, which version of samba did you use for ldap failover?

On 31 March 2012 19:04, Steve Thompson s...@vgersoft.com wrote:
 On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:

 I'm exactly using that, without luck...


 Not sure what to tell you; I have used multiple LDAP servers in the past
 with success, although these days I use a single virtual LDAP server which
 load balances across a set of backend servers. What happens if you actually
 shut down the first LDAP server rather than REJECT it?

 Steve


Re: [Samba] Samba LDAP Failover

2012-03-31 Thread Steve Thompson

On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:


Well, did not try, but guess it happens the same.
Just for completeness, which version of samba did you use for ldap failover?


I was using 3.0.33 at the time, on CentOS 5 x86_64. Not sure which 
revision of CentOS; it was a while ago.


Steve


Re: [Samba] Samba LDAP Failover

2012-03-31 Thread Stephan

On 31.03.2012 20:56, Steve Thompson wrote:

On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:


Well, did not try, but guess it happens the same.
Just for completeness, which version of samba did you use for ldap
failover?


I was using 3.0.33 at the time, on CentOS 5 x86_64. Not sure which
revision of CentOS; it was a while ago.

Steve


My samba 3.5.9 DCs are pointed at a bunch of LDAP servers as well. I 
just tried (shut down the first LDAP server in the list) and it works as 
expected.


Regards
Stephan
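
An added example, not written by anyone in this thread: a Python check that pulls the LDAP URIs out of a `passdb backend` line, notes whether the list is written in double quotes as in the smb.conf(5) multi-server example, and probes each server's TCP port with a timeout so the failover test above can be repeated per server. The function names and sample lines are constructed; ldap1 and ldap2 are the placeholder hosts used in the thread.

```python
import re
import socket
from urllib.parse import urlparse

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

def parse_passdb_backend(line):
    """Return (uris, quoted) for an ldapsam 'passdb backend' line.
    quoted is True when the server list is wrapped in double quotes."""
    m = re.match(r"\s*passdb\s+backend\s*=\s*ldapsam:(.*)$", line, re.I)
    if not m:
        raise ValueError("not an ldapsam passdb backend line")
    value = m.group(1).strip()
    quoted = len(value) >= 2 and value[0] == value[-1] == '"'
    if quoted:
        value = value[1:-1]
    return value.split(), quoted

def lint(line):
    """List findings about how the server list is written."""
    uris, quoted = parse_passdb_backend(line)
    findings = []
    if len(uris) > 1 and not quoted:
        findings.append("several URIs without the double quotes "
                        "used in the smb.conf(5) example")
    for uri in uris:
        if uri.endswith(";"):
            # smb.conf treats ';' as a comment marker only at line start.
            findings.append("trailing ';' becomes part of the value: " + uri)
    return findings

def probe(uri, timeout=3.0):
    """TCP-connect to the server in uri: 'up', 'refused', 'timeout' or 'error: ...'."""
    parts = urlparse(uri)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme, 389)
    try:
        with socket.create_connection((parts.hostname, port), timeout=timeout):
            return "up"
    except ConnectionRefusedError:
        return "refused"   # fails at once, e.g. the service is stopped
    except socket.timeout:
        return "timeout"   # no answer at all, as with the DROP rule
    except OSError as exc:
        return "error: %s" % exc

def report(line, timeout=3.0):
    """Map each configured URI to its probe result, in the order listed."""
    uris, _ = parse_passdb_backend(line)
    return {uri: probe(uri, timeout) for uri in uris}

if __name__ == "__main__":
    # Constructed sample lines, one quoted and one as posted in the thread.
    for sample in ('passdb backend = ldapsam:"ldap://ldap1 ldap://ldap2"',
                   "passdb backend = ldapsam:ldap://ldap1 ldap://ldap2;"):
        print(sample, "->", lint(sample) or "ok")
```

Run `report()` from the Samba host itself, with the probe timeout below the `ldap timeout` value, to see which listed server answers and how the others fail.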


[SCM] Samba Shared Repository - branch master updated

2012-03-31 Thread Richard Sharpe
The branch, master has been updated
   via  7d3c26e Make sure we claim that a DACL or SACL is present if the SD says so
  from  786cb13 Fix an IPv6 breakage I introduced by adding an strlcpy truncation check. Found by Matthieu Patou m...@samba.org.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 7d3c26e8cfcffb519990d5d2d70af3307e34c15f
Author: Richard Sharpe realrichardsha...@gmail.com
Date:   Fri Mar 30 22:02:25 2012 -0700

Make sure we claim that a DACL or SACL is present if the SD says so

Autobuild-User: Richard Sharpe sha...@samba.org
Autobuild-Date: Sat Mar 31 09:34:36 CEST 2012 on sn-devel-104

---

Summary of changes:
 source3/libsmb/clisecdesc.c |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/clisecdesc.c b/source3/libsmb/clisecdesc.c
index aef3432..04f661c 100644
--- a/source3/libsmb/clisecdesc.c
+++ b/source3/libsmb/clisecdesc.c
@@ -92,9 +92,9 @@ NTSTATUS cli_set_secdesc(struct cli_state *cli, uint16_t fnum,
 
SIVAL(param, 0, fnum);
 
-   if (sd-dacl)
+   if (sd-dacl || (sd-type  SEC_DESC_DACL_PRESENT))
sec_info |= SECINFO_DACL;
-   if (sd-sacl)
+   if (sd-sacl || (sd-type  SEC_DESC_SACL_PRESENT))
sec_info |= SECINFO_SACL;
if (sd-owner_sid)
sec_info |= SECINFO_OWNER;
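
Review bot: the two new tests in cli_set_secdesc set SECINFO_DACL and SECINFO_SACL even when the dacl or sacl pointer is NULL, as long as the type field carries SEC_DESC_DACL_PRESENT or SEC_DESC_SACL_PRESENT, and neither the code nor the commit message says why. A DACL that is present but NULL is not the same as no DACL (it grants access to everyone), so a short comment above the two tests naming that case would help, and it is worth confirming that the code which marshals sd after these tests copes with a NULL pointer when the flag is set.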


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated

2012-03-31 Thread Volker Lendecke
The branch, master has been updated
   via  0aacdbf s3-aio-fork: Fix a segfault in vfs_aio_fork
   via  7f7c2d7 s3-aio-fork: Fix aio_suspend event hierarchy
   via  aef8698 s3-aio-fork: Fix an alignment warning on OS/X
  from  7d3c26e Make sure we claim that a DACL or SACL is present if the SD says so

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 0aacdbfada46329e0ad9dacfa90041a1c7dbf3e8
Author: Volker Lendecke v...@samba.org
Date:   Sat Mar 31 13:37:20 2012 +0200

s3-aio-fork: Fix a segfault in vfs_aio_fork

aio_suspend does not signal the main process with a signal, it just waits.
The aio_fork module does not use the signal at all, it directly calls back
into the main smbd by calling smbd_aio_complete_aio_ex. This is an
abstraction violation, but the alternative would have been to use signals
where they are not needed. However, in wait_for_aio_completion this bites
us: With aio_fork we call handle_aio_completed twice on the same aio_ex
struct: Once from the call to handle_aio_completion within the aio_fork
module and once from the code in wait_for_aio_completion.

This patch fixes it in a pretty bad way by introducing flag variables and
more state. But the mid-term plan is to replace the posix aio calls from
the vfs and do pread_send/recv and pwrite_send/recv at the vfs layer, so
this will significantly change anyway.

Thanks to Kirill Malkin kirill.mal...@starboardstorage.com for reporting
this crash!

Autobuild-User: Volker Lendecke v...@samba.org
Autobuild-Date: Sat Mar 31 15:25:55 CEST 2012 on sn-devel-104

commit 7f7c2d721d1e336a86b29fecc81f5c0e28d105dc
Author: Volker Lendecke v...@samba.org
Date:   Sat Mar 31 13:34:42 2012 +0200

s3-aio-fork: Fix aio_suspend event hierarchy

We end up here multiple times. There's no real point putting the events into
the child struct, at the end of this routine we need to free them anyway.

commit aef86982b845072d8624294f5c557eb315740467
Author: Volker Lendecke v...@samba.org
Date:   Sat Mar 31 10:37:15 2012 +0200

s3-aio-fork: Fix an alignment warning on OS/X

---

Summary of changes:
 source3/modules/vfs_aio_fork.c |   36 ++--
 1 files changed, 18 insertions(+), 18 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_aio_fork.c b/source3/modules/vfs_aio_fork.c
index 27f7116..fa3db93 100644
--- a/source3/modules/vfs_aio_fork.c
+++ b/source3/modules/vfs_aio_fork.c
@@ -101,6 +101,8 @@ struct aio_child {
bool dont_delete;   /* Marked as in use since last cleanup */
bool cancelled;
bool read_cmd;
+   bool called_from_suspend;
+   bool completion_done;
 };
 
 struct aio_child_list {
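
Review bot: the two fields added to struct aio_child, called_from_suspend and completion_done, carry no comment, unlike dont_delete just above them. Since they change who finishes a request, say next to each which function sets it and which clears it, and make sure both are reset when a child is reused for the next request.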
@@ -165,7 +167,7 @@ static ssize_t read_fd(int fd, void *ptr, size_t nbytes, 
int *recvfd)
errno = EINVAL;
return -1;
}
-   *recvfd = *((int *) CMSG_DATA(cmptr));
+   memcpy(recvfd, CMSG_DATA(cmptr), sizeof(*recvfd));
} else {
*recvfd = -1;   /* descriptor was not passed */
}
@@ -203,7 +205,7 @@ static ssize_t write_fd(int fd, void *ptr, size_t nbytes, 
int sendfd)
cmptr-cmsg_len = CMSG_LEN(sizeof(int));
cmptr-cmsg_level = SOL_SOCKET;
cmptr-cmsg_type = SCM_RIGHTS;
-   *((int *) CMSG_DATA(cmptr)) = sendfd;
+   memcpy(CMSG_DATA(cmptr), sendfd, sizeof(sendfd));
 #else
ZERO_STRUCT(msg);
msg.msg_accrights = (caddr_t) sendfd;
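
Review bot: in write_fd the source argument of the new memcpy has to be the address of sendfd, which is an int parameter; as the added line reads here it is sendfd itself, so please confirm it is &sendfd in the tree. With that, sizeof(sendfd) matches the CMSG_LEN(sizeof(int)) set three lines earlier and mirrors the sizeof(*recvfd) copy in read_fd.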
@@ -432,6 +434,10 @@ static void handle_aio_completion(struct event_context 
*event_ctx,
   child-retval.size);
}
 
+   if (child-called_from_suspend) {
+   child-completion_done = true;
+   return;
+   }
aio_ex = (struct aio_extra 
*)child-aiocb-aio_sigevent.sigev_value.sival_ptr;
smbd_aio_complete_aio_ex(aio_ex);
TALLOC_FREE(aio_ex);
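
Review bot: the early return added to handle_aio_completion skips both smbd_aio_complete_aio_ex(aio_ex) and TALLOC_FREE(aio_ex) whenever called_from_suspend is set, so whoever set the flag now owns completing and freeing that aio_ex. Put a comment on the return naming that caller, and check that called_from_suspend is cleared on every exit from the suspend path; a stale flag would make a later completion for this child return here without ever being reported.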
@@ -827,6 +833,8 @@ static int aio_fork_suspend(struct vfs_handle_struct 
*handle,
 */
 
for (child = children-children; child != NULL; child = 
child-next) {
+   struct tevent_fd *event;
+
if (child-aiocb == NULL) {
continue;
}
@@ -841,18 +849,16 @@ static int aio_fork_suspend(struct vfs_handle_struct 
*handle,
continue;
}
 
-   /* We're never using this event on the
-* main event context again... */
-   TALLOC_FREE(child-sock_event);
+   event = event_add_fd(ev,
+frame,
+