Re: [Samba] Samba LDAP Failover

2012-04-02 Thread Stephan

On 02.04.2012 07:43, Massimiliano Perantoni wrote:

Hi,


the distribution is a Debian 6 but I compiled samba myself against a self
compiled openldap 2.4.26.


Actually the only difference is the openldap client libraries version,
I do use 2.3 instead of 2.4, but using getent, as I stated before,
works...

If I do getent passwd I get, with the failure, the immediate list of
local users and, after a timeout, I get the users list from the
secondary LDAP.
I guess that nscd is working or, at least, the service is up and
running: never understood how does the system decide to use it or
not...
For what I know if I disable the service nothing changes, so that I do
not know if nscd is working or not...
If I stop the LDAP I get the failover with getent, but I have to wait
for the timeout set in ldap.conf.


I honestly don't know what's going on there. I just wanted to make sure 
that getent is really working and doesn't just look that way because 
nscd masks the problem.


I guess your secondary 389 server doesn't show a connection attempt in 
the log when you simulate the failure of your first server ? You wrote 
that you don't use ssl - is this also true in ldap.conf ?



The passdb backend line doesn't look different
than yours (except the server names of course ;-)). You are not running nscd
by chance ? If so does getent passwd work with a simulated ldap1 failure
(via iptables) and nscd shut down ?


I get a timeout seconds (actually 5 secs) delay... Then the answer,
while samba waits for the timeout set in smb.conf then fails.

Bye and thanks!




On 01.04.2012 23:47, Massimiliano Perantoni wrote:


Hi,
could you send me the setup?
Which lines did you add?
Which distro do you run?

Thanks!

On 31 March 2012 22:11, Stephan steff...@gmx.de wrote:


On 31.03.2012 20:56, Steve Thompson wrote:


On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:


Well, did not try, but guess it happens the same.
Just for completeness, which version of samba did you use for ldap
failover?




I was using 3.0.33 at the time, on CentOS 5 x86_64. Not sure which
revision of CentOS; it was a while ago.

Steve




My samba 3.5.9 DCs are pointed at a bunch of LDAP servers as well. I just
tried (shut down the first LDAP server in the list) and it works as
expected.

Regards
Stephan

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba









Re: [Samba] Samba LDAP Failover

2012-04-01 Thread Massimiliano Perantoni
Hi,
could you send me the setup?
Which lines did you add?
Which distro do you run?

Thanks!

On 31 March 2012 22:11, Stephan steff...@gmx.de wrote:
 On 31.03.2012 20:56, Steve Thompson wrote:

 On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:

 Well, did not try, but guess it happens the same.
 Just for completeness, which version of samba did you use for ldap
 failover?


 I was using 3.0.33 at the time, on CentOS 5 x86_64. Not sure which
 revision of CentOS; it was a while ago.

 Steve


 My samba 3.5.9 DCs are pointed at a bunch of LDAP servers as well. I just
 tried (shut down the first LDAP server in the list) and it works as
 expected.

 Regards
 Stephan




-- 
Massimiliano Perantoni
http://www.perantoni.net
tw: maxper75


Re: [Samba] Samba LDAP Failover

2012-04-01 Thread Stephan

Hey,

the distribution is a Debian 6 but I compiled samba myself against a 
self compiled openldap 2.4.26. The passdb backend line doesn't look 
different than yours (except the server names of course ;-)). You are 
not running nscd by chance ? If so does getent passwd work with a 
simulated ldap1 failure (via iptables) and nscd shut down ?


On 01.04.2012 23:47, Massimiliano Perantoni wrote:

Hi,
could you send me the setup?
Which lines did you add?
Which distro do you run?

Thanks!

On 31 March 2012 22:11, Stephan steff...@gmx.de wrote:

On 31.03.2012 20:56, Steve Thompson wrote:


On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:


Well, did not try, but guess it happens the same.
Just for completeness, which version of samba did you use for ldap
failover?



I was using 3.0.33 at the time, on CentOS 5 x86_64. Not sure which
revision of CentOS; it was a while ago.

Steve



My samba 3.5.9 DCs are pointed at a bunch of LDAP servers as well. I just
tried (shut down the first LDAP server in the list) and it works as
expected.

Regards
Stephan



Re: [Samba] Samba LDAP Failover

2012-04-01 Thread Massimiliano Perantoni
Hi,

 the distribution is a Debian 6 but I compiled samba myself against a self
 compiled openldap 2.4.26.

Actually the only difference is the openldap client libraries version,
I do use 2.3 instead of 2.4, but using getent, as I stated before,
works...

If I do getent passwd I get, with the failure, the immediate list of
local users and, after a timeout, I get the users list from the
secondary LDAP.
I guess that nscd is working or, at least, the service is up and
running: never understood how does the system decide to use it or
not...
For what I know if I disable the service nothing changes, so that I do
not know if nscd is working or not...
If I stop the LDAP I get the failover with getent, but I have to wait
for the timeout set in ldap.conf.


 The passdb backend line doesn't look different
 than yours (except the server names of course ;-)). You are not running nscd
 by chance ? If so does getent passwd work with a simulated ldap1 failure
 (via iptables) and nscd shut down ?

I get a timeout seconds (actually 5 secs) delay... Then the answer,
while samba waits for the timeout set in smb.conf then fails.

Bye and thanks!



 On 01.04.2012 23:47, Massimiliano Perantoni wrote:

 Hi,
 could you send me the setup?
 Which lines did you add?
 Which distro do you run?

 Thanks!

 On 31 March 2012 22:11, Stephan steff...@gmx.de wrote:

 On 31.03.2012 20:56, Steve Thompson wrote:

 On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:

 Well, did not try, but guess it happens the same.
 Just for completeness, which version of samba did you use for ldap
 failover?



 I was using 3.0.33 at the time, on CentOS 5 x86_64. Not sure which
 revision of CentOS; it was a while ago.

 Steve



 My samba 3.5.9 DCs are pointed at a bunch of LDAP servers as well. I just
 tried (shut down the first LDAP server in the list) and it works as
 expected.

 Regards
 Stephan




-- 
Massimiliano Perantoni
http://www.perantoni.net
tw: maxper75


Re: [Samba] Samba LDAP Failover

2012-03-31 Thread Gaiseric Vandal
I don't think Samba (depending on the version) supports multiple ldap
backends. You should have samba_server_1 using ldap_server_1 and
samba_server_2 using ldap_server_2.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Massimiliano Perantoni
Sent: Saturday, March 31, 2012 6:12 AM
To: samba@lists.samba.org
Subject: [Samba] Samba LDAP Failover

Hi,
I have a quite simple setup for a particular customer that loves
redundancy and failover.
PDC + BDC with LDAP Passwords on two 389-ds in multimaster node + several
samba member servers

Actually pointing singularly on both the systems everything works great.
As soon as I modify my passdb backend line from the single form to the form
containing both backends that is from
passdb backend = ldapsam:ldap://ldap1;
or
passdb backend = ldapsam:ldap://ldap2;
to
passdb backend = ldapsam:ldap://ldap1 ldap://ldap2;

I still authenticate on the first LDAP, but as soon I shut this off with
iptables -I OUTPUT -p tcp --dport 389 -d ldap1 -j REJECT
#Simulates, from the samba machine a failure in the service
and, yes it is simple plain ol' LDAP, no TLS
I get a timeout and an auth failure.
This is the way I reproduce the problem
#with the first ldap reachable
smbclient -L pdc-01 -U maxper
Password:
Domain: [XX]


everything works fine

iptables -I OUTPUT -p tcp --dport 389 -j DROP
smbclient -L pdc-01 -U maxper
answers
session setup failed: NT_STATUS_LOGON_FAILURE
getent passwd works OK, gives both local and ldap users after the timeout
set in ldap.conf, while samba just drops the authentication after the
committed param
ldap timeout = 8
after 8 secs, samba drops and gives that error.

Samba is version 3.4.15, while the distro is CentOS 5.4

any help would be appreciated!
Ciao Massimiliano


Re: [Samba] Samba LDAP Failover

2012-03-31 Thread Massimiliano Perantoni
The matter is that, since the manual indicates so, it should be
supported and delegated to the ldap api in use...
The openldap api supports rebinding. The proof of it is that if in
/etc/ldap.conf I put in the uri 2 ldap servers everything works fine.
The matter seems that samba, even using such an infrastructure, doesn't work.
I'd like at least to know if it is some mistake I do or it is just
deprecated/never supported, just to go in other directions
implementing other failover-by-hand systems.

Thanks!



On 31 March 2012 14:37, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
 I don't think Samba (depending on the version) supports multiple ldap
 backends. You should have samba_server_1 using ldap_server_1 and
 samba_server_2 using ldap_server_2.

 -----Original Message-----
 From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
 On Behalf Of Massimiliano Perantoni
 Sent: Saturday, March 31, 2012 6:12 AM
 To: samba@lists.samba.org
 Subject: [Samba] Samba LDAP Failover

 Hi,
 I have a quite simple setup for a particular customer that loves
 redundancy and failover.
 PDC + BDC with LDAP Passwords on two 389-ds in multimaster node + several
 samba member servers

 Actually pointing singularly on both the systems everything works great.
 As soon as I modify my passdb backend line from the single form to the form
 containing both backends that is from
 passdb backend = ldapsam:ldap://ldap1;
 or
 passdb backend = ldapsam:ldap://ldap2;
 to
 passdb backend = ldapsam:ldap://ldap1 ldap://ldap2;

 I still authenticate on the first LDAP, but as soon I shut this off with
 iptables -I OUTPUT -p tcp --dport 389 -d ldap1 -j REJECT
 #Simulates, from the samba machine a failure in the service
 and, yes it is simple plain ol' LDAP, no TLS
 I get a timeout and an auth failure.
 This is the way I reproduce the problem
 #with the first ldap reachable
 smbclient -L pdc-01 -U maxper
 Password:
 Domain: [XX]


 everything works fine

 iptables -I OUTPUT -p tcp --dport 389 -j DROP
 smbclient -L pdc-01 -U maxper
 answers
 session setup failed: NT_STATUS_LOGON_FAILURE
 getent passwd works OK, gives both local and ldap users after the timeout
 set in ldap.conf, while samba just drops the authentication after the
 committed param
 ldap timeout = 8
 after 8 secs, samba drops and gives that error.

 Samba is version 3.4.15, while the distro is CentOS 5.4

 any help would be appreciated!
 Ciao Massimiliano


Re: [Samba] Samba LDAP Failover

2012-03-31 Thread Steve Thompson

On Sat, 31 Mar 2012, Gaiseric Vandal wrote:


I don't think Samba (depending on the version) supports multiple ldap
backends. You should have samba_server_1 using ldap_server_1 and
samba_server_2 using ldap_server_2.


Samba most certainly does support multiple LDAP backends. There's even an 
example in the smb.conf(5) man page.


Steve
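
The multi-server example in smb.conf(5) that this message points to puts the whole URI list in double quotes after ldapsam:, as in passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com". As an added example, not part of any post in this thread, the shell check below reads a passdb backend line and reports which form it uses; the function names and the smb.conf fragment are constructed here, with ldap1 and ldap2 taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread; names and sample data are constructed.

# Print the value of the last active "passdb backend" line read on stdin.
passdb_backend_value() {
    sed -n 's/^[[:space:]]*passdb backend[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' |
        tail -n 1
}

# Print each LDAP URI of an ldapsam value on its own line.
ldapsam_uris() {
    case $1 in
        ldapsam:*) arg=${1#ldapsam:} ;;
        *) return 0 ;;
    esac
    arg=${arg#\"}; arg=${arg%\"}
    # Unquoted on purpose: split the list on whitespace (URIs hold no globs).
    for uri in $arg; do printf '%s\n' "$uri"; done
}

# Print one of: not-ldapsam, single, multi-quoted, multi-unquoted.
classify_passdb_backend() {
    case $1 in
        ldapsam) echo single; return 0 ;;   # bare ldapsam: default server
        ldapsam:*) ;;
        *) echo not-ldapsam; return 0 ;;
    esac
    count=$(ldapsam_uris "$1" | wc -l | tr -d ' ')
    if [ "$count" -le 1 ]; then
        echo single
        return 0
    fi
    case ${1#ldapsam:} in
        \"*\") echo multi-quoted ;;   # the form shown in smb.conf(5)
        *) echo multi-unquoted ;;
    esac
}

# Constructed smb.conf fragment; ldap1 and ldap2 are the thread's host names.
sample='[global]
   # passdb backend = tdbsam
   passdb backend = ldapsam:"ldap://ldap1 ldap://ldap2"
   ldap timeout = 8'

value=$(printf '%s\n' "$sample" | passdb_backend_value)
echo "value: $value"
echo "form:  $(classify_passdb_backend "$value")"
ldapsam_uris "$value" | sed 's/^/uri:   /'
```

To check a live configuration, feed the smb.conf file to passdb_backend_value on stdin and pass the result to classify_passdb_backend.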


Re: [Samba] Samba LDAP Failover

2012-03-31 Thread Massimiliano Perantoni
I'm exactly using that, without luck...

--
Massimiliano Perantoni
site: http://www.perantoni.net

On 31 March 2012 15:35, Steve Thompson s...@vgersoft.com wrote:
 On Sat, 31 Mar 2012, Gaiseric Vandal wrote:

 I don't think Samba (depending on the version) supports multiple ldap
 backends.    You should have samba_server_1 using ldap_server_1 and
 samba_server_2 using ldap_server_2.


 Samba most certainly does support multiple LDAP backends. There's even an
 example in the smb.conf(5) man page.

 Steve



Re: [Samba] Samba LDAP Failover

2012-03-31 Thread Steve Thompson

On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:


I'm exactly using that, without luck...


Not sure what to tell you; I have used multiple LDAP servers in the past 
with success, although these days I use a single virtual LDAP server which 
load balances across a set of backend servers. What happens if you 
actually shut down the first LDAP server rather than REJECT it?


Steve


Re: [Samba] Samba LDAP Failover

2012-03-31 Thread Massimiliano Perantoni
Well, did not try, but guess it happens the same.
Just for completeness, which version of samba did you use for ldap failover?

On 31 March 2012 19:04, Steve Thompson s...@vgersoft.com wrote:
 On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:

 I'm exactly using that, without luck...


 Not sure what to tell you; I have used multiple LDAP servers in the past
 with success, although these days I use a single virtual LDAP server which
 load balances across a set of backend servers. What happens if you actually
 shut down the first LDAP server rather than REJECT it?

 Steve


Re: [Samba] Samba LDAP Failover

2012-03-31 Thread Steve Thompson

On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:


Well, did not try, but guess it happens the same.
Just for completeness, which version of samba did you use for ldap failover?


I was using 3.0.33 at the time, on CentOS 5 x86_64. Not sure which 
revision of CentOS; it was a while ago.


Steve


Re: [Samba] Samba LDAP Failover

2012-03-31 Thread Stephan

On 31.03.2012 20:56, Steve Thompson wrote:

On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:


Well, did not try, but guess it happens the same.
Just for completeness, which version of samba did you use for ldap
failover?


I was using 3.0.33 at the time, on CentOS 5 x86_64. Not sure which
revision of CentOS; it was a while ago.

Steve


My samba 3.5.9 DCs are pointed at a bunch of LDAP servers as well. I 
just tried (shut down the first LDAP server in the list) and it works as 
expected.


Regards
Stephan