Re: [Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???

2004-06-30 Thread Andrew Bartlett
On Thu, 2004-06-24 at 21:53, Thomas Reiß wrote:
 Hello Buchan Milne, 
 
 [..]
 
  No you don't, unless your slave is misconfigured.
  
  | e.g. a machine changes its machine password in Slave directory and
  can't logon anymore cause the password change isn't replicated on Master
  |
  
  Its password change attempt will fail.
 
 [...]
 
  
  Only if you've mis-configured it.
  
  Note that these questions don't really have anything to do with samba,
  you may want to ask on the openldap list.
 
 Sorry if I ask too.
 But I think this is on topic on this list.
 
 The question is:
 What happens in Samba when the master LDAP server is down and a change
 request for the workstation machine account password comes in?

The request is failed, and life continues.

 - Is it possible that a user can't log on to this workstation?

Not in my experience, but my PDC isn't down often.

 - Or does the workstation fall out of the domain?
 (no longer a member of the domain)?

I can't see any reason why the client would assume 'ok' if we said
'no'...

 - When nothing happens, why is there a mechanism for changing machine
   passwords (security, or what else)?

Because it is not a good idea to keep the same password forever.
It prevents somebody else who had a copy from using it...  (why do you ask your
users to change their passwords?)

 - If I understand correctly, then in this scenario no changes of
   passwords, LastLogonTime etc. are possible, right?

This doesn't make any sense (then again, very little of your post did).

Andrew Bartlett


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

RE: [Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???

2004-06-30 Thread ww m-pubsyssamba
Or you could buy a couple of $/1000 Sun Sparc servers and use SunONE LDAP with multi
master support???
Depends if you already have an OpenLDAP environment and don't object to using Solaris
instead of Linux... (can still run Samba on whatever platform you want)



This e-mail (and any attachments) is confidential and may contain personal views which
are not the views of the BBC unless specifically stated.
If you have received it in error, please delete it from your system. Do not use, copy
or disclose the information in any way nor act in reliance on it and notify the sender
immediately. Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.

RE: [Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???

2004-06-30 Thread Andrew Bartlett
On Wed, 2004-06-30 at 20:19, ww m-pubsyssamba wrote:
 Or you could buy a couple of $/1000 Sun Sparc servers and use SunONE LDAP with 
 multi master support???
 Depends if you already have and OpenLDAP environment and don't object to using 
 Solaris instead of
 Linux... (can still run Samba on whatever platform you want)

Samba doesn't expect a multi-master OpenLDAP backend.  It expects that
when it changes a record, upon success the record is finally
modified.

It will probably work quite well, but I'm worried about things like
conflicting password changes.

Andrew Bartlett



RE: [Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy???

2004-06-30 Thread ww m-pubsyssamba
I can't say I've tested this in any depth. Where multiple LDAP servers are listed as
the LDAP backend, is the behaviour of Samba that if it fails to contact the first
listed server it will try the second and so on? If that's the case Samba should only
ever try and update the password on a single LDAP server, which would then replicate
the change to any other master and slave LDAP servers in the environment. This should
work pretty well, no? Are my assumptions on Samba correct?

cheers Andy.


RE: [Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???

2004-06-30 Thread ww m-pubsyssamba
PS FYI SunONE LDAP server is free up to 200,000 records when running on Solaris OS;
Solaris is free with Sun hardware :-).



RE: [Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy???

2004-06-30 Thread Andrew Bartlett
On Wed, 2004-06-30 at 21:32, ww m-pubsyssamba wrote:
 I can't say I've tested this in any depth. Where multiple LDAP servers are listed as 
 the LDAP
 backend is the behaviour of Samba that if it fails to contact the first listed 
 server it will
 try the second and so on? If that's the case Samba should only ever try and update 
 the password
 on a single LDAP server which would then replicate the change to any other master 
 and slave LDAP
 servers in the environment. This should work pretty well no? Are my assumptions on 
 Samba correct?

My worry is if two independent clients update two independent,
disconnected LDAP peers.  This particularly applies when we are doing an
atomic increment in LDAP, like we do in IDMAP, and like a good 'add user
script' should do.

Andrew Bartlett



RE: [Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy???

2004-06-30 Thread Andrew Smith-MAGAZINES
Mmm, you mean if two master replicas are disconnected by a network failure? Guess
this might cause some problems, but if you simply have a master replica down for the
duration of a password update, as soon as it restarts it should sync up with its
peer?? This should cater for server redundancy but maybe leaves some issues open
with relation to network connectivity...

Andy.



Re: [Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???

2004-06-24 Thread Thomas Reiß
Hello Buchan Milne, 

[..]

 No you don't, unless your slave is misconfigured.
 
 | e.g. a machine changes its machine password in Slave directory and
 can't logon anymore cause the password change isn't replicated on Master
 |
 
 Its password change attempt will fail.

[...]

 
 Only if you've mis-configured it.
 
 Note that these questions don't really have anything to do with samba,
 you may want to ask on the openldap list.

Sorry if I ask too.
But I think this is on topic on this list.

The question is:
What happens in Samba when the master LDAP server is down and a change
request for the workstation machine account password comes in?

- Is it possible that a user can't log on to this workstation?
- Or does the workstation fall out of the domain?
  (no longer a member of the domain)?
- When nothing happens, why is there a mechanism for changing machine
  passwords (security, or what else)?
- If I understand correctly, then in this scenario no changes of
  passwords, LastLogonTime etc. are possible, right?

Thank You
Thomas






Re: [Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ??? [SOLVED]

2004-06-22 Thread Michael Gasch
okay, this is what I did after your recommendations:
PDC owns/hosts LDAP MASTER
BDC owns/hosts LDAP SLAVE
created manager account for SAMBA (uid=sambamanager) - all changes on
MASTER are done under this identity
cn=manager is used very seldom, just for administrative tasks on the
directory (like replication)

slurpd is responsible for replication to slave
changes are done only on MASTER
if one of the LDAP SERVERs dies, samba processes and NSS are configured
to fall back to another one
samba redundancy is done by PDC/BDC processes

ACLs on SLAVE deny changes by uid=sambamanager
only cn=manager can write
this way, no SAMBA/NSS process can change the SLAVE directory if
MASTER is dead
this doesn't solve the problem of changing machine account passwords but
ensures a consistent directory

thanks to all for pointing me in the right direction
greez
--
 Matrix - more than a vision
**
 Michael Gasch
   - Central IT Department -
Max Planck Institute for Evolutionary Anthropology
Deutscher Platz 6
04103 Leipzig
Germany
**


Re: [Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???

2004-06-21 Thread Michael Gasch
Hi there, big thanks for your response
I studied some information and I'm still confused (a little bit)
and now tell me please how the master can replicate his LDAP tree to the
slave to get a 1:1 copy and a backup of my LDAP tree, if it's readonly
?!?!?!

http://www.openldap.org/doc/admin22/replication.html
okay, nowhere in this doc do they tell me to set the slave to readonly
if I even try, slurpd on master fails to replicate data to the slave
the second problem is: ldap slave sends referral to the clients pointing
them to ldap master
if ldap master is dead, no changes can be made
okay, some people in this list tell me that's okay, but if no changes
can be made if master is dead, I don't really need a backup/slave
(ldap) server, because there's still some work to do to get the team
ldap+samba working again

it's no failover solution in case of an emergency when no admin is around
From [EMAIL PROTECTED]:
 They won't be making changes, since you can't make changes against a
 slave. The slave will return an error and a referral to the master
 (which is down), so your changes will fail, but existing accounts will
 work.
but what about machine passwords? what if the windows machine tries to
change its machine password and master is dead?
is the password changed locally on the workstation or is the change
scheduled (for another try)?

if the smbd on the BDC tries to contact its ldap server (=ldap slave)
will it also be referred (by referrals) to the master?

thanks
greez


[Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???

2004-06-18 Thread Michael Gasch
hi
I'm looking for hints/experiences concerning samba v3, openldap AND
redundancy

my setup is:
Samba PDC with LDAP Master
Samba BDC with LDAP Slave
Samba Member Server, contacting first PDC, then BDC if the first fails
if all instances are working properly, everything is okay
replication is also fine (from Master -> Slave)
and now imagine:
LDAP Master dies
all smbd are contacting LDAP Slave and make their changes in the Slave
directory
because replication only works from Master -> Slave, if Master comes up
again, I have inconsistency in my LDAP Backends
e.g. a machine changes its machine password in Slave directory and can't
logon anymore because the password change isn't replicated on Master

we also tried to set up slurpd (LDAP replication) on both LDAP Servers -
if both are up, everything is okay, if one is down, changes are made in
one directory, samba tells me it fails (e.g. changing passwords),
although it changes the attributes and so on

so the problem is: if Slave dies, everything should go on working,
because PDC/BDC use LDAP Master first
if slave comes up, replication is done properly

but if Master dies, I get an inconsistent domain
how do you get redundancy in your LDAP backend?
PDC/BDC redundancy works well, the single point of failure is LDAP
thx


Re: [Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???

2004-06-18 Thread Michael Gasch
 wouldn't mind a peek.  Thanks

Jason


Re: [Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???

2004-06-18 Thread Michael Gasch

 maybe I am missing something here - but why does your master ldap fail so often?
it doesn't - I'm just building the worst case scenario =)

 I agree with the other poster, the slave LDAPS should be
 (and I would almost move to _need_ to be) read only ..
and now tell me please how the master can replicate his LDAP tree to the
slave to get a 1:1 copy and a backup of my LDAP tree, if it's readonly
?!?!?!

 I am also curious as to why you have a samba server contacting either the PDC/BDC
 ldap servers when it could just be running a replicated LDAP DB itself...which is how
 all the docs say to do it - maybe this is something new with 3.xx - not sure, but it
 always seemed more logical to have all your samba boxes be their own DC in terms of
 login/user information
if each smbd has its own ldap instance running (DMs too), I have to
ensure that all LDAP instances have the same information
until I can solve the replication problem (MASTER=dead, changes are
made to SLAVE, MASTER comes back = inconsistency in LDAP trees) in case
the MASTER dies and information has to be written to one of the
SLAVEs, I won't give each smbd its own passdb backend

it's my plan to have one PDC, one BDC, x DMs and one LDAP instance on
both DCs

 If your master does fail - and I mean dead, need to rebuild, etc..I would make one of
 the slaves the write/master get the original MASTER back on line, but not in
 production until you can do a slapcat of the LDAP to it, change everything back to
 what it needs to be, and have your system running again
this is my temporary solution
bye


Re: [Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???

2004-06-18 Thread Jason C. Waters
Isn't the slave ldap directory supposed to be read only?  So when
the master is down the users can't change their passwords, but
everything else should work.  What do your smb.conf and slapd.conf
files look like for the master and the slave?  I'm having some
troubles getting the failover to work, so I wouldn't mind a peek.  Thanks

Jason


Re: [Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???

2004-06-18 Thread Buchan Milne
| hi
|
| I'm looking for hints/experiences concerning samba v3, openldap AND
| redundancy
|
| my setup is:
|
| Samba PDC with LDAP Master
| Samba BDC with LDAP Slave
| Samba Member Server, contacting first PDC, then BDC if the first fails
|
| if all instances are working properly, everything is okay
| replication is also fine (from Master -> Slave)
|
| and now imagine:
|
| LDAP Master dies
| all smbd are contacting LDAP Slave and make their changes in the Slave
| directory
They won't be making changes, since you can't make changes against a
slave. The slave will return an error and a referral to the master
(which is down), so your changes will fail, but existing accounts will work.
| because replication only works from Master -> Slave, if Master comes up
| again, I have inconsistency in my LDAP Backends
No you don't, unless your slave is misconfigured.
| e.g. a machine changes its machine password in Slave directory and
| can't logon anymore because the password change isn't replicated on Master
|
Its password change attempt will fail.
| we also tried to set up slurpd (LDAP replication) on both LDAP Servers
| - if both are up, everything is okay, if one is down, changes are made
| in one directory, samba tells me it fails (e.g. changing passwords),
| although it changes the attributes and so on
|
Your configuration is broken.
| so the problem is: if Slave dies, everything should go on working,
| because PDC/BDC use LDAP Master first
| if slave comes up, replication is done properly
|
| but if Master dies, I get an inconsistent domain
|
You have a serious problem if your slave is accepting changes.
| how do you get redundancy in your LDAP backend?
| PDC/BDC redundancy works well, the single point of failure is LDAP
Only if you've mis-configured it.
Note that these questions don't really have anything to do with samba,
you may want to ask on the openldap list.
Do you *really* need such a waste-of-bandwidth sig?
|
|  Matrix - more than a vision
|
| **
|  Michael Gasch
|
|- Central IT Department -
|
| Max Planck Institute for Evolutionary Anthropology
| Deutscher Platz 6
| 04103 Leipzig
|
| Germany
| **
|
|
Regards,
Buchan
--
Buchan Milne  Senior Support Technician
Obsidian Systems  http://www.obsidian.co.za
B.Eng  RHCE (803004789010797)


Re: [Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???

2004-06-18 Thread José Ildefonso Camargo Tolosa
Ok, let me see if I can help here:
Let me see: your clients are updating data on the slave ldap server?
Ok, you should not allow that (unless you try the experimental
multi-master replication code, which can fail).

You should use another ldap user, like this:
cn=adminmaster,dc=cosa,dc=int
which has write permissions to the master, but read-only access on slaves
(by using different access statements in the master and the slave). I
use something like this in the master:

access to *
   by dn="cn=ldapadmin,dc=merkurio,dc=int" write
   by * read

And the updatedn would be the rootdn of the slave (so it has write
access to the slave).

Ok, hope this can help,
Sincerely,
Ildefonso Camargo
[EMAIL PROTECTED]
McKeever Chris wrote:
On Fri, 18 Jun 2004 15:38 , Michael Gasch [EMAIL PROTECTED] sent:

  Isn't the slave ldap directory supposed to be read only?

 if it's readonly, slurpd can't update the slave (I've tested it,
 possibly I missed something ?)

 the problem is: machines regularly change their passwords and if these
 changes are not done on the master, they're lost, if master comes back
 - clients can't logon anymore and so on

maybe I am missing something here - but why does your master ldap fail so often?  I
agree with the other poster, the slave LDAPS should be (and I would almost move to
_need_ to be) read only .. I am also curious as to why you have a samba server
contacting either the PDC/BDC ldap servers when it could just be running a replicated
LDAP DB itself...which is how all the docs say to do it - maybe this is something new
with 3.xx - not sure, but it always seemed more logical to have all your samba boxes
be their own DC in terms of login/user information

If your master does fail - and I mean dead, need to rebuild, etc..I would make one of
the slaves the write/master get the original MASTER back on line, but not in
production until you can do a slapcat of the LDAP to it, change everything back to
what it needs to be, and have your system running again

but like I said, maybe I am missing something

  I'm having some troubles
  getting the failover to work

 what problems are you talking about?
 these are my config files (/etc/ldap.conf for all machines not included
 but also very important in case of fail-over)

   

 ... removed ...
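
The design the thread converges on (Michael's [SOLVED] summary: Samba binds as uid=sambamanager, which may write on the master but is denied writes on the slave, and only cn=manager, used as the slurpd updatedn, writes to the slave; José's access/by lines; Chris's point that the slave accepts only changes pushed from the master; Buchan's note that other writes get an error plus a referral), as an added example that is not code from the thread or from OpenLDAP: a toy Python evaluator for slapd.conf access directives, run over a constructed master config, a weak slave config that copies the master's ACL verbatim, and a hardened read-only slave. The access/by, rootdn, updatedn and updateref directives are real slapd.conf syntax for the OpenLDAP 2.2 slurpd-style replication the thread discusses, but the DNs (uid=sambamanager,ou=People,dc=example,dc=org and cn=manager,dc=example,dc=org) and the hostname are made up, and the evaluator is a deliberate simplification of slapd's first-match ACL semantics, not OpenLDAP's code.

```python
"""Toy evaluator for slapd.conf 'access' directives (added example, not code from
the thread or from OpenLDAP).  Models two slapd ACL rules: within the first
matching 'access to' directive the FIRST matching 'by' clause decides, and the
rootdn bypasses ACLs.  Only 'access to *' and the who-forms '*', 'anonymous'
and dn="..." (DN without spaces) are modelled; DNs and hostnames are samples."""
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # weakest..strongest


def parse_slapd_conf(conf):
    """Return (settings, rules): plain 'keyword value' directives (rootdn, updatedn,
    updateref) and [(what, [(who, level), ...])] from the 'access to' directives."""
    settings, directives = {}, []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                          # indented: continues the access directive
            directives[-1] += " " + raw.strip()
        elif raw.startswith("access"):
            directives.append(raw.strip())
        else:
            key, _, value = raw.strip().partition(" ")
            settings[key] = value.strip().strip('"')
    rules = []
    for d in directives:
        m = re.match(r"access\s+to\s+(\S+)\s+(.*)$", d)
        by = re.findall(r"by\s+(\S+)\s+(\w+)", m.group(2)) if m else []
        if not by or any(level not in LEVELS for _, level in by):
            raise ValueError(f"bad access directive: {d!r}")
        rules.append((m.group(1), by))
    return settings, rules


def _who_matches(who, bind_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who.startswith('dn="') and who.endswith('"'):
        return bind_dn is not None and bind_dn.lower() == who[4:-1].lower()
    return False                                      # other who-forms not modelled


def granted(conf, bind_dn, wanted):
    """True if bind_dn (None = anonymous) gets at least 'wanted' access under conf."""
    settings, rules = parse_slapd_conf(conf)
    if bind_dn is not None and bind_dn.lower() == settings.get("rootdn", "").lower():
        return True                                   # rootdn bypasses every ACL
    for what, by in rules:
        if what != "*":
            continue
        for who, level in by:
            if _who_matches(who, bind_dn):            # first matching 'by' decides
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False                                  # directive matched, no 'by' did: deny
    return False                                      # nothing matched: deny


SAMBA_DN = "uid=sambamanager,ou=People,dc=example,dc=org"   # identity smbd/NSS bind as
MANAGER_DN = "cn=manager,dc=example,dc=org"                  # rootdn on both servers
MASTER_URL = "ldap://ldap-master.example.org/"               # constructed hostname

# Master: the Samba manager identity writes, everyone else reads.
MASTER_CONF = f"""
rootdn "{MANAGER_DN}"
access to *
        by dn="{SAMBA_DN}" write
        by * read
"""
# Weak slave: the master's ACL copied verbatim plus the slurpd directives, so smbd
# can still write here while the master is down and slurpd never carries it back.
SLAVE_CONF_WEAK = MASTER_CONF + f'updatedn "{MANAGER_DN}"\nupdateref {MASTER_URL}\n'
# Hardened slave: only the updatedn (the rootdn, which bypasses ACLs) can write, i.e.
# only slurpd pushes from the master; every other writer gets a referral to updateref.
SLAVE_CONF = f"""
rootdn "{MANAGER_DN}"
updatedn "{MANAGER_DN}"
updateref {MASTER_URL}
access to *
        by * read
"""


def replication_safe(master_conf, slave_conf, samba_dn):
    """The split the thread settles on: Samba writes on the master only, still reads
    from the slave, and only the slave's updatedn can write there."""
    slave_settings, _ = parse_slapd_conf(slave_conf)
    return {
        "samba_writes_master": granted(master_conf, samba_dn, "write"),
        "samba_writes_slave": granted(slave_conf, samba_dn, "write"),
        "samba_reads_slave": granted(slave_conf, samba_dn, "read"),
        "updatedn_writes_slave": granted(slave_conf, slave_settings["updatedn"], "write"),
    }
```

The weak slave is the configuration Michael started with: smbd can still write there while the master is down, and since slurpd only pushes master to slave the change is lost once the master returns. On the hardened slave only the updatedn (here the rootdn, which bypasses ACLs) can write, so slurpd pushes still land while every Samba or NSS write is refused and referred to the master; that is the consistent-directory outcome of the [SOLVED] post. As the thread says, it does not make machine-password changes succeed while the master is down, it only keeps the slave from diverging.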


Re: [Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???

2004-06-18 Thread McKeever Chris


On Fri, 18 Jun 2004 16:08 , Michael Gasch [EMAIL PROTECTED] sent:

  maybe I am missing something here - but why does your master ldap fail so often?
 it doesn't - I'm just building the worst case scenario =)

  I agree with the other poster, the slave LDAPS should be
  (and I would almost move to _need_ to be) read only ..
 and now tell me please how the master can replicate his LDAP tree to the
 slave to get a 1:1 copy and a backup of my LDAP tree, if it's readonly
 ?!?!?!

because you configure your slave to accept changes that are pushed from the master.

  I am also curious as to why you have a samba server contacting either the PDC/BDC
  ldap servers when it could just be running a replicated LDAP DB itself...which is
  how all the docs say to do it - maybe this is something new with 3.xx - not sure,
  but it always seemed more logical to have all your samba boxes be their own DC in
  terms of login/user information
 if each smbd has its own ldap instance running (DMs too), I have to
 ensure that all LDAP instances have the same information

this is the main point of ldap replication - they do all have the same info - and why
you make the slaves readonly

 until I can solve the replication problem (MASTER=dead, changes are
 made to SLAVE, MASTER comes back = inconsistency in LDAP trees) in case
 the MASTER dies and information has to be written to one of the
 SLAVEs, I won't give each smbd its own passdb backend

 it's my plan to have one PDC, one BDC, x DMs and one LDAP instance on
 both DCs

  If your master does fail - and I mean dead, need to rebuild, etc..I would make one
  of the slaves the write/master get the original MASTER back on line, but not in
  production until you can do a slapcat of the LDAP to it, change everything back to
  what it needs to be, and have your system running again
 this is my temporary solution

 bye

---
Chris McKeever
If you want to reply directly to me, please use cgmckeever--at--prupref.com
Prudential / Chicago Real Estate: http://www.prupref.com
 Prudential Preferred Properties   www.prupref.com
Success Driven By Results
   Results Driven By Commitment
  Commitment Driven By Integrity
 We Are Prudential Preferred Properties