[Samba] samba + slave OpenLdap (read-only)

Hello,

I'm trying to config samba to use an openldap replica (slave) base.

Everything is working, except when I try to join a machine to a domain.

Samba tries to write some attributes in openldap, but this database (slave) is read-only, so this operation fails.

Openldap can return a REFERRAL when a client (samba) tries to do a modification on a slave database, and this is already happening.

But samba can't understand this referral returned by the slave openldap.

I saw in the man page that this is possible and samba should understand this by default.

Is this correct? Or should I change something in smb.conf?

I'm using samba 3.0.24 (Debian Etch).

Regards,

João Alfredo
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba

I suggest setting up ldap syncrepl; if needed you can use it in multi master mode. (I'm also running etch, with pdc and bdc + 1 ldap master and 4 slaves.)

Louis

>-----Original message-----
>From: samba-bounces+belle=bazuin.nl@lists.samba.org
>[mailto:samba-bounces+belle=bazuin.nl@lists.samba.org] On behalf of jakjr
>Sent: Wednesday 2 July 2008 15:08
>To: samba@lists.samba.org
>Subject: [Samba] samba + slave OpenLdap (read-only)
>
>Hello,
>
>I'm trying to config samba to use an openldap replica (slave) base.
>
>Everything is working, except when I try to join a machine to a domain.
>
>Samba tries to write some attributes in openldap, but this database (slave) is read-only, so this operation fails.
>
>Openldap can return a REFERRAL when a client (samba) tries to do a modification on a slave database, and this is already happening.
>
>But samba can't understand this referral returned by the slave openldap.
>
>I saw in the man page that this is possible and samba should understand this by default.
>
>Is this correct? Or should I change something in smb.conf?
>
>I'm using samba 3.0.24 (Debian Etch).
>
>Regards,
>
>João Alfredo

On Wed, Jul 02, 2008 at 10:08:19AM -0300, jakjr wrote:
> Hello,
>
> I'm trying to config samba to use an openldap replica (slave) base.
>
> Everything is working, except when I try to join a machine to a domain.
>
> Samba tries to write some attributes in openldap, but this database (slave) is read-only, so this operation fails.
>
> Openldap can return a REFERRAL when a client (samba) tries to do a modification on a slave database, and this is already happening.
>
> But samba can't understand this referral returned by the slave openldap.

Hmmm. I've got this running in many customer installations. The fact that we do referrals is one reason why the "ldap replication sleep" parameter exists at all. What is the exact failure you're seeing?

Volker

Hey,

When I try to join a new machine on a domain, it simply fails.

I already set the "ldap replication sleep" to a higher value, but this does not work.

I'm using syncrepl on ldap (refreshAndPersist) and this is working. Including the referral return if the updateref config on slapd.conf.

Thanks

On Wed, Jul 2, 2008 at 10:32 AM, Volker Lendecke <Volker.Lendecke@sernet.de> wrote:

> On Wed, Jul 02, 2008 at 10:08:19AM -0300, jakjr wrote:
> > Hello,
> >
> > I'm trying to config samba to use an openldap replica (slave) base.
> >
> > Everything is working, except when I try to join a machine to a domain.
> >
> > Samba tries to write some attributes in openldap, but this database (slave) is read-only, so this operation fails.
> >
> > Openldap can return a REFERRAL when a client (samba) tries to do a modification on a slave database, and this is already happening.
> >
> > But samba can't understand this referral returned by the slave openldap.
>
> Hmmm. I've got this running in many customer installations. The fact that we do referrals is one reason why the "ldap replication sleep" parameter exists at all. What is the exact failure you're seeing?
>
> Volker

jakjr wrote:
> Hey,
>
> When I try to join a new machine on a domain, it simply fails.
>
> I already set the "ldap replication sleep" to a higher value, but this does not work.
>
> I'm using syncrepl on ldap (refreshAndPersist) and this is working. Including the referral return if the updateref config on slapd.conf.

What do you use to add new accounts?

smbldap-tools can be configured to use different LDAP servers (master and slave).

--
Tomasz Chmielewski
http://wpkg.org

I'm using a third-party software to create the accounts in the ldap.

But the problem is when I try to include this machine (the entry of this machine already exists in ldap) in my samba domain using an ldap-replica (read-only).

Samba tries to modify some attributes in the slave (read-only), the slave returns a referral and samba is not following the referral to the master ldap (when the samba has right to modify these attributes).

Thanks.

On Wed, Jul 2, 2008 at 11:29 AM, Tomasz Chmielewski <mangoo@wpkg.org> wrote:

> jakjr wrote:
>
>> Hey,
>>
>> When I try to join a new machine on a domain, it simply fails.
>>
>> I already set the "ldap replication sleep" to a higher value, but this does not work.
>>
>> I'm using syncrepl on ldap (refreshAndPersist) and this is working. Including the referral return if the updateref config on slapd.conf.
>
> What do you use to add new accounts?
>
> smbldap-tools can be configured to use different LDAP servers (master and slave).
>
> --
> Tomasz Chmielewski
> http://wpkg.org

jakjr wrote:
> I'm using a third-party software to create the accounts in the ldap.
>
> But the problem is when I try to include this machine (the entry of this machine already exists in ldap) in my samba domain using an ldap-replica (read-only).
>
> Samba tries to modify some attributes in the slave (read-only), the slave returns a referral and samba is not following the referral to the master ldap (when the samba has right to modify these attributes).

Is it Samba that really creates the accounts?

Can you paste your smb.conf?

--
Tomasz Chmielewski
http://wpkg.org

No. Samba does not create any account in ldap (users or machines).

These accounts are created by another software, like (phpSambaAdmin).

smb.conf:

[global]
workgroup = caresl
netbios name = scaresmb03
ldap admin dn = uid=smb--admin,dc******
ldap suffix = ou=test,dc=*****
ldap passwd sync = No
passdb backend = ldapsam:ldap://10.1*****
dns proxy = No
name resolve order = wins bcast
server string =
unix charset = iso8859-1
ldap timeout = 45
enable privileges = Yes
admin users = @smb-administrators
veto files = /.Trash-%U/
oplocks = No
level 2 oplocks = No
time server = Yes
kernel oplocks = No
preferred master = Yes
local master = Yes
domain master = Yes
os level = 65
ldap replication sleep = 5000

domain logons = Yes
wins support = Yes
logon drive = u
logon path =
logon home = \\\%U$
logon script = %U.bat

#### Debugging/Accounting ####

log level = 10

Log from ldap when trying to include a machine to domain:

Jul 2 11:44:18 starget slapd[19617]: conn=10 op=30 ENTRY dn="uid=vmtest11201$,ou=test,********"
Jul 2 11:44:18 starget slapd[19617]: conn=10 op=30 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 2 11:44:18 starget slapd[19617]: conn=10 op=31 MOD dn="uid=vmtest11201$,ou=*****"
Jul 2 11:44:18 starget slapd[19617]: conn=10 op=31 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
Jul 2 11:44:18 starget slapd[19617]: conn=10 op=31 RESULT tag=103 err=10text=

This error code from ldap means that ldap returns a referral to samba.

Samba should follow this referral until the master ldap.

Some many thanks.

João Alfredo

On Wed, Jul 2, 2008 at 11:44 AM, Tomasz Chmielewski <mangoo@wpkg.org> wrote:

> jakjr wrote:
>
>> I'm using a third-party software to create the accounts in the ldap.
>>
>> But the problem is when I try to include this machine (the entry of this machine already exists in ldap) in my samba domain using an ldap-replica (read-only).
>>
>> Samba tries to modify some attributes in the slave (read-only), the slave returns a referral and samba is not following the referral to the master ldap (when the samba has right to modify these attributes).
>
> Is it Samba that really creates the accounts?
>
> Can you paste your smb.conf?
>
> --
> Tomasz Chmielewski
> http://wpkg.org

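The slapd lines in the message above can be correlated by their conn/op pair to list every modify that a read-only replica answered with a referral (result code 10). The following is an added example, not part of the original thread; the sample log is constructed, and the function name `referred_modifies` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the slapd syslog lines quoted above
# (hostname, DNs and connection numbers are made up for this example).
SAMPLE_LOG = """\
Jul  2 11:44:18 replica slapd[19617]: conn=10 op=30 SRCH base="ou=test,dc=example,dc=org" scope=2 deref=0 filter="(uid=vmtest$)"
Jul  2 11:44:18 replica slapd[19617]: conn=10 op=30 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  2 11:44:18 replica slapd[19617]: conn=10 op=31 MOD dn="uid=vmtest$,ou=test,dc=example,dc=org"
Jul  2 11:44:18 replica slapd[19617]: conn=10 op=31 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
Jul  2 11:44:18 replica slapd[19617]: conn=10 op=31 RESULT tag=103 err=10 text=
Jul  2 11:45:02 replica slapd[19617]: conn=11 op=4 MOD dn="uid=alice,ou=test,dc=example,dc=org"
Jul  2 11:45:02 replica slapd[19617]: conn=11 op=4 MOD attr=description
Jul  2 11:45:02 replica slapd[19617]: conn=11 op=4 RESULT tag=103 err=0 text=
"""

OP_LINE = re.compile(r"conn=(\d+) op=(\d+) (.*)$")
RESULT = re.compile(r"RESULT tag=(\d+) err=(\d+)")
MODIFY_RESPONSE = 103  # 0x67, the LDAP ModifyResponse tag as logged by slapd
REFERRAL = 10          # LDAP result code 10 (RFC 4511): referral


def referred_modifies(log_text):
    """Return the MOD operations that the server answered with a referral."""
    ops = defaultdict(dict)
    for line in log_text.splitlines():
        m = OP_LINE.search(line)
        if not m:
            continue
        key, body = (int(m.group(1)), int(m.group(2))), m.group(3)
        if body.startswith('MOD dn="'):
            ops[key]["dn"] = body[len('MOD dn="'):].rstrip('"')
        elif body.startswith("MOD attr="):
            # An attribute is listed once per change (delete + add), so de-duplicate.
            ops[key]["attrs"] = sorted(set(body[len("MOD attr="):].split()))
        else:
            r = RESULT.search(body)
            if r:  # \d+ also copes with a run-together "err=10text="
                ops[key]["tag"], ops[key]["err"] = int(r.group(1)), int(r.group(2))
    return [
        {"conn": c, "op": o, "dn": d["dn"], "attrs": d.get("attrs", [])}
        for (c, o), d in sorted(ops.items())
        if "dn" in d and d.get("tag") == MODIFY_RESPONSE and d.get("err") == REFERRAL
    ]


if __name__ == "__main__":
    for hit in referred_modifies(SAMPLE_LOG):
        print(hit)
```
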
Hey,

Here another log:

Samba tries to change some attributes, like sambaNTPassword (green) and ldap returns an error (red) and a referral for the master ldap. But samba does not follow this referral.

Why does samba try to change these attributes??

Thanks.

[2008/07/02 16:36:32, 10] lib/smbldap.c:smbldap_make_mod(520)
  smbldap_make_mod: deleting attribute |sambaNTPassword| values |4619D0EB563CB8FAE84FF83A11AB50A4|
[2008/07/02 16:36:32, 10] lib/smbldap.c:smbldap_make_mod(529)
  smbldap_make_mod: adding attribute |sambaNTPassword| value |3F320F8E58CD749B1A6A9333A9E77E02|
[2008/07/02 16:36:32, 11] passdb/pdb_get_set.c:pdb_get_init_flags(217)
  element 34: SET
[2008/07/02 16:36:32, 11] passdb/pdb_get_set.c:pdb_get_init_flags(217)
  element 21: SET
[2008/07/02 16:36:32, 11] passdb/pdb_get_set.c:pdb_get_init_flags(222)
  element 21: CHANGED
[2008/07/02 16:36:32, 10] lib/smbldap.c:smbldap_make_mod(520)
  smbldap_make_mod: deleting attribute |sambaPwdLastSet| values |2147483647|
[2008/07/02 16:36:32, 10] lib/smbldap.c:smbldap_make_mod(529)
  smbldap_make_mod: adding attribute |sambaPwdLastSet| value |1215027392|
[2008/07/02 16:36:32, 11] passdb/pdb_get_set.c:pdb_get_init_flags(217)
  element 27: SET
[2008/07/02 16:36:32, 11] passdb/pdb_get_set.c:pdb_get_init_flags(217)
  element 20: SET
[2008/07/02 16:36:32, 11] passdb/pdb_get_set.c:pdb_get_init_flags(217)
  element 29: SET
[2008/07/02 16:36:32, 5] lib/smbldap.c:smbldap_modify(1363)
  smbldap_modify: dn => [uid=vmcelepar11201$,ou=TEST,dc********]
[2008/07/02 16:36:32, 11] lib/smbldap.c:smbldap_open(1043)
  smbldap_open: already connected to the LDAP server
[2008/07/02 16:36:32, 10] lib/smbldap.c:smbldap_modify(1377)
  Failed to modify dn: uid=vmcelepar11201$,ou=TEST,dc=**********, error: Referral ()
[2008/07/02 16:36:32, 11] passdb/pdb_get_set.c:pdb_set_init_flags(425)
  element 35 -> now CHANGED

On Wed, Jul 2, 2008 at 11:51 AM, jakjr <joao.alfredo@gmail.com> wrote:

> No. Samba does not create any account in ldap (users or machines).
>
> These accounts are created by another software, like (phpSambaAdmin).
>
> smb.conf:
> [global]
> workgroup = caresl
> netbios name = scaresmb03
> ldap admin dn = uid=smb--admin,dc******
> ldap suffix = ou=test,dc=*****
> ldap passwd sync = No
> passdb backend = ldapsam:ldap://10.1*****
> dns proxy = No
> name resolve order = wins bcast
> server string =
> unix charset = iso8859-1
> ldap timeout = 45
> enable privileges = Yes
> admin users = @smb-administrators
> veto files = /.Trash-%U/
> oplocks = No
> level 2 oplocks = No
> time server = Yes
> kernel oplocks = No
> preferred master = Yes
> local master = Yes
> domain master = Yes
> os level = 65
> ldap replication sleep = 5000
>
> domain logons = Yes
> wins support = Yes
> logon drive = u
> logon path =
> logon home = \\\%U$
> logon script = %U.bat
>
> #### Debugging/Accounting ####
>
> log level = 10
>
> Log from ldap when trying to include a machine to domain:
> Jul 2 11:44:18 starget slapd[19617]: conn=10 op=30 ENTRY dn="uid=vmtest11201$,ou=test,********"
> Jul 2 11:44:18 starget slapd[19617]: conn=10 op=30 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Jul 2 11:44:18 starget slapd[19617]: conn=10 op=31 MOD dn="uid=vmtest11201$,ou=*****"
> Jul 2 11:44:18 starget slapd[19617]: conn=10 op=31 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
> Jul 2 11:44:18 starget slapd[19617]: conn=10 op=31 RESULT tag=103 err=10text=
>
> This error code from ldap means that ldap returns a referral to samba.
>
> Samba should follow this referral until the master ldap.
>
> Some many thanks.
>
> João Alfredo
>
> On Wed, Jul 2, 2008 at 11:44 AM, Tomasz Chmielewski <mangoo@wpkg.org> wrote:
>
>> jakjr wrote:
>>
>>> I'm using a third-party software to create the accounts in the ldap.
>>>
>>> But the problem is when I try to include this machine (the entry of this machine already exists in ldap) in my samba domain using an ldap-replica (read-only).
>>>
>>> Samba tries to modify some attributes in the slave (read-only), the slave returns a referral and samba is not following the referral to the master ldap (when the samba has right to modify these attributes).
>>
>> Is it Samba that really creates the accounts?
>>
>> Can you paste your smb.conf?
>>
>> --
>> Tomasz Chmielewski
>> http://wpkg.org

On Wed, Jul 02, 2008 at 04:47:42PM -0300, jakjr wrote:
> Hey,
>
> Here another log:
>
> Samba tries to change some attributes, like sambaNTPassword (green) and ldap returns an error (red) and a referral for the master ldap. But samba does not follow this referral.
>
> Why does samba try to change these attributes??

Because the machine vmcelepar11201 tried to change its password.

A sniff of the LDAP traffic might help a bit towards finding the failure to follow the referral. But please beware that this traffic contains password equivalents or even passwords.

Volker
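
Samba debug output at log level 10 carries the same password equivalents as the LDAP traffic, in the `smbldap_make_mod` lines shown earlier in the thread. This added example (not part of the original thread) masks those values before a log is shared; the sample log and its hash values are constructed, and the function name `redact` and the attribute list are assumptions.

```python
import re

# Attributes whose values are passwords or password equivalents (compared lower-case).
SENSITIVE_ATTRS = {"sambantpassword", "sambalmpassword",
                   "sambapasswordhistory", "userpassword"}

# Matches the smbldap_make_mod form: attribute |name| value(s) |data|
MOD_VALUE = re.compile(r"(attribute \|(?P<attr>[^|]+)\| values? \|)(?P<val>[^|]*)(\|)")
# Fallback: any free-standing 32-hex-digit token (the size of an NT or LM hash).
BARE_HASH = re.compile(r"\b[0-9A-Fa-f]{32}\b")

# Constructed sample; the hash values are made up and the last entry is not real Samba output.
SAMPLE_LOG = """\
[2008/07/02 16:36:32, 10] lib/smbldap.c:smbldap_make_mod(520)
  smbldap_make_mod: deleting attribute |sambaNTPassword| values |0123456789ABCDEF0123456789ABCDEF|
[2008/07/02 16:36:32, 10] lib/smbldap.c:smbldap_make_mod(529)
  smbldap_make_mod: adding attribute |sambaNTPassword| value |FEDCBA9876543210FEDCBA9876543210|
[2008/07/02 16:36:32, 10] lib/smbldap.c:smbldap_make_mod(529)
  smbldap_make_mod: adding attribute |sambaPwdLastSet| value |1215027392|
[2008/07/02 16:36:33, 10] constructed/example.c:example(1)
  example: cached hash 00112233445566778899AABBCCDDEEFF
"""


def redact(log_text):
    """Return (redacted_text, number_of_values_masked)."""
    count = 0

    def mask_attr(m):
        nonlocal count
        if m.group("attr").lower() in SENSITIVE_ATTRS:
            count += 1
            return m.group(1) + "[REDACTED]" + m.group(4)
        return m.group(0)  # non-sensitive attribute: leave the value readable

    def mask_hash(m):
        nonlocal count
        count += 1
        return "[REDACTED-HEX32]"

    out = MOD_VALUE.sub(mask_attr, log_text)
    out = BARE_HASH.sub(mask_hash, out)
    return out, count


if __name__ == "__main__":
    cleaned, masked = redact(SAMPLE_LOG)
    print(cleaned)
    print("values masked:", masked)
```

Timestamps, DNs and non-secret attributes such as sambaPwdLastSet are left intact, so the referral failure can still be diagnosed from the cleaned log.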