Hello,

I have two ldapservers with Samba PDC and BDC. I started with the PDC. I use Suse 9.0 with ldap "out of the box" and Samba 3.0.2a. Everything is working fine with only the PDC running. Now I configured replication. In my slapd.conf file on the master server I added the following lines:

    #permission
    access to * by dn="cn=repl,dc=felix,dc=local" write
    # database definition
    replogfile /var/lib/ldap/slurpd/slurpd.log
    replica uri=ldap://felixols01.felix.local:389
            binddn="cn=repl,dc=felix,dc=local"
            bindmethod=simple
            credentials=topsecret
            tls=no

In slapd.conf of my slave server I added:

    updatedn "cn=repl,dc=felix,dc=local"
    updateref ldap://felixsch01.felix.local

I copied all database files from master to slave. Then I started all services in the following order:
- ldapserver on slave
- ldapserver on master
- slurpd on master

I checked replication. Everything was working: I added some new objects on my master server, and with the ldap-browser I could see the new object on my master and slave server. I can change all attributes on all objects and I can browse through the whole ldap-tree.

But now my problem started. It is no longer possible to log in to the system :-(. With login over ssh I got the message "permission denied". When I log in as root everything works; then I try "su my-name" and I get the message "no such user my-name". Also an "ldapsearch -x -h localhost (cn=my-name)" won't bring up any results.

Is there someone who can help me? I'm totally lost.

Stefan
--
Kösliner Straße 75
48147 Münster
Tel. 0251 / 3835950
www.kania-online.de
On Tue, 2004-05-11 at 15:58, Stefan Kania wrote:
> But now my problem started. It is no longer possible to log in to the
> system :-(. With login over ssh I got the message "permission denied"

What are the entries in the following files:
nsswitch.conf
ldap.conf
libnssldap.conf
libpamldap.conf

> when I log in as root everything works, then I try "su my-name" and I get the
> message "no such user my-name". Also an "ldapsearch -x -h localhost
> (cn=my-name)" won't bring up any results.

This is because root exists in the /etc/passwd file but my-name is in the LDAP database. You need to add the following line in your slapd.conf in the permission section to be able to search anonymously:

    access to * by * read

Also, are you able to get the full user list by issuing this:

    # getent passwd

regards,
Nishant
--
Nishant Sharma <nishant@deeproot.co.in>
Support - Enterprise Server Systems
DeepRoot Linux, Bangalore India.
Ph: +91-80-28565624
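Added illustration, not from either poster: the access block from Stefan's master slapd.conf next to a corrected block that restores the anonymous read nss_ldap needs while keeping password hashes out of an anonymous search. It assumes the Samba 3 schema is loaded (sambaNTPassword, sambaLMPassword) and that the same block is placed in both the master and the slave slapd.conf, since each server applies its own ACLs to client searches.

```conf
# OpenLDAP evaluates "access to" directives in order and uses the first
# one whose <what> matches the entry/attribute; within that directive the
# first matching "by" clause decides. A requester that matches no "by"
# clause gets no access at all.

# --- Weak: the block from the original post. The replication DN can
# write, but an anonymous bind (what nss_ldap and "ldapsearch -x" use
# here) matches no "by" clause, so "getent passwd" and "su my-name" find
# no users.
#access to *
#    by dn="cn=repl,dc=felix,dc=local" write

# --- Corrected. The password attributes are matched first so that the
# "by * read" below never exposes their hashes; "auth" still lets a
# simple bind verify a password without being able to read it.
# (Attribute names: standard OpenLDAP and Samba 3 schema; assumption
# that samba.schema is included.)
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn="cn=repl,dc=felix,dc=local" write
    by self write
    by * auth

# Everything else: the replicator writes, everyone (anonymous included)
# reads, which is exactly what account lookups via nss_ldap need.
access to *
    by dn="cn=repl,dc=felix,dc=local" write
    by * read
```

After restarting slapd, an anonymous "ldapsearch -x -h localhost '(cn=my-name)'" should return the entry again, and the same search requesting userPassword should come back without that attribute.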
RRuegner
2004-May-11 12:34 UTC
[Samba] ldap replication, the second, keep your internal domain away from .local domain , cause suse 9.1 will not resolve this by dns
Stefan Kania wrote:
> Hello,
> I have two ldapservers with Samba PDC and BDC. I started with the PDC. I
> use Suse 9.0 with ldap "out of the box" and Samba 3.0.2a. Everything is
> working fine with only the PDC running. Now I configured replication. In
> my slapd.conf file on the master server I added the following lines
>
> #permission
> access to * by dn="cn=repl,dc=felix,dc=local" write
> # database definition
> replogfile /var/lib/ldap/slurpd/slurpd.log
> replica uri=ldap://felixols01.felix.local:389
> binddn="cn=repl,dc=felix,dc=local"
> bindmethod=simple
> credentials=topsecret
> tls=no
>
> In slapd.conf of my slave server I added:
>
> updatedn "cn=repl,dc=felix,dc=local"
> updateref ldap://felixsch01.felix.local
>
> I copied all database files from master to slave. Then I started all
> services in the following order:
> - ldapserver on slave
> - ldapserver on master
> - slurpd on master
>
> I checked replication. Everything was working: I added some new objects
> on my master server and with the ldap-browser I could see the new object
> on my master and slave server. I can change all attributes on all
> objects and I can browse through the whole ldap-tree.
> But now my problem started. It is no longer possible to log in to the
> system :-(. With login over ssh I got the message "permission denied".
> When I log in as root everything works, then I try "su my-name" and I get the
> message "no such user my-name". Also an "ldapsearch -x -h localhost
> (cn=my-name)" won't bring up any results.
> Is there someone who can help me? I'm totally lost.
>
>
> Stefan
>

Hi Stefan,

I forgot something. Last week I set up a Suse 9.1 in my internal smb dns net. I had an internal dns domain called .local too. Suse 9.1 does not do the lookup for an internal .local domain anymore. Suse now implements .local domains as mdns, for sure without any need, and there is no fallback to dns, so if you later have a Suse 9.1 machine and a .local domain you will get into big troubles.

I had to change my internal .local domain through many hours (I have a big intranet). Suse writes a small note about this in the release notes of 9.1, and the support was not really helpful. On this (bug / feature) see this link (sorry, German): http://www.linux-club.de/viewtopic.php?t=6067

So for .local domains there is no fallback to dns planned; resolution is only done with multicast. In my opinion this breaks every rfc I read, and I will go away from Suse in the future. You can fix this behavior in Suse 9.1 by compiling a new glibc and/or copying the newly created libresolv to /lib.

So this is only a warning for you: if you're just starting with your dns and you want to use Suse in the future, don't use an internal .local dns domain, because Suse is not willing to fix their special glibc version.

Best Regards