Hello,

I'm trying to configure samba to use an openldap replica (slave) base.

Everything is working, except when I try to join a machine to a domain.

Samba tries to write some attributes in openldap, but this database (slave) is read-only, so this operation fails.

Openldap can return a REFERRAL when a client (samba) tries to do a modification on a slave database, and this is already happening.

But samba can't understand this referral returned by the slave openldap.

I saw in the man page that this is possible and samba should understand this by default.

Is this correct? Or should I change something in smb.conf?

I'm using samba 3.0.24 (Debian Etch).

Regards,

João Alfredo
On Wed, Jul 02, 2008 at 10:08:19AM -0300, jakjr wrote:
> Hello,
>
> I'm trying to configure samba to use an openldap replica (slave) base.
>
> Everything is working, except when I try to join a machine to a domain.
>
> Samba tries to write some attributes in openldap, but this database (slave) is
> read-only, so this operation fails.
>
> Openldap can return a REFERRAL when a client (samba) tries to do a
> modification on a slave database, and this is already happening.
>
> But samba can't understand this referral returned by the slave openldap.

Hmmm. I've got this running in many customer installations. The fact that we do referrals is one reason why the "ldap replication sleep" parameter exists at all.

What is the exact failure you're seeing?

Volker
I suggest setting up ldap syncrepl; if needed you can use it in multi-master mode.
(I'm also running etch, with pdc and bdc + 1 ldap master and 4 slaves.)

Louis

> -----Original Message-----
> From: samba-bounces+belle=bazuin.nl@lists.samba.org
> [mailto:samba-bounces+belle=bazuin.nl@lists.samba.org] On behalf of jakjr
> Sent: Wednesday, July 2, 2008 15:08
> To: samba@lists.samba.org
> Subject: [Samba] samba + slave OpenLdap (read-only)
>
> Hello,
>
> I'm trying to configure samba to use an openldap replica (slave) base.
>
> Everything is working, except when I try to join a machine to
> a domain.
>
> Samba tries to write some attributes in openldap, but this
> database (slave) is
> read-only, so this operation fails.
>
> Openldap can return a REFERRAL when a client (samba) tries to do a
> modification on a slave database, and this is already happening.
>
> But samba can't understand this referral returned by the slave openldap.
>
> I saw in the man page that this is possible and samba should
> understand this by
> default.
>
> Is this correct? Or should I change something in smb.conf?
>
> I'm using samba 3.0.24 (Debian Etch).
>
> Regards,
>
> João Alfredo
I looked at samba code and I found this:

    while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
        rc = ldap_modify_s(ldap_state->ldap_struct, utf8_dn, attrs);
        if (rc != LDAP_SUCCESS) {
            char *ld_error = NULL;
            int ld_errno;

            ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_NUMBER, &ld_errno);
            ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
            DEBUG(10, ("Failed to modify dn: %s, error: %d (%s) "
                       "(%s)\n", dn, ld_errno, ldap_err2string(rc),
                       ld_error ? ld_error : "unknown"));
            SAFE_FREE(ld_error);

            /* only an unreachable server drops the connection so the
             * next iteration reconnects; any other error just retries here */
            if (ld_errno == LDAP_SERVER_DOWN) {
                ldap_unbind(ldap_state->ldap_struct);
                ldap_state->ldap_struct = NULL;
            }
        }
    }

Samba does NOT follow the referral returned by the openldap server. At least in this situation (joining machines). Samba will only try another server if the first one is DOWN. In my opinion, it should try another server if any error occurs during any ldap operation.

So many thanks.

João Alfredo

On Wed, Jul 2, 2008 at 6:35 PM, Volker Lendecke <Volker.Lendecke@sernet.de> wrote:
> On Wed, Jul 02, 2008 at 04:47:42PM -0300, jakjr wrote:
>> Hey,
>>
>> Here another log:
>>
>> Samba tries to change some attributes, like sambaNTPassword (green)
>> and ldap returns an error (red) and a referral for the master ldap. But samba
>> does not follow this referral.
>>
>> Why does samba try to change these attributes?
>
> Because the machine vmcelepar11201 tried to change its
> password. A sniff of the LDAP traffic might help a bit
> towards finding the failure to follow the referral. But
> please beware that this traffic contains password
> equivalents or even passwords.
>
> Volker
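To make the behaviour described in this message concrete, here is an added Python model; it is not Samba's or OpenLDAP's code, and it talks to no real directory. It builds an in-memory master and a read-only replica that answers writes with a referral (the way a slapd replica with an updateref does), then runs two client loops against them: one mirroring the quoted fragment, which only moves to the next server on LDAP_SERVER_DOWN, and one that rebinds to the referred master and retries. Host names, the DN and the attribute value are constructed for the demo; the referral-following loop only accepts referrals to hosts already in its configured list, so a referral cannot send the bind (and the password-equivalent attributes Volker mentions) to an arbitrary host.

```python
# Added example, not Samba's or OpenLDAP's code: an in-memory model of a
# read-only LDAP replica that refuses writes with a referral, used to contrast
# a retry loop that rotates only on LDAP_SERVER_DOWN with one that follows the
# referral to the master. Hosts, DN and attribute values are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

LDAP_SUCCESS = 0
LDAP_REFERRAL = 10      # LDAP protocol resultCode referral(10)
LDAP_SERVER_DOWN = -1   # libldap client-side code for an unreachable server


@dataclass
class FakeLdapServer:
    uri: str
    entries: Dict[str, Dict[str, str]] = field(default_factory=dict)
    updateref: Optional[str] = None   # set on a replica: where writes are referred
    up: bool = True

    def modify(self, dn: str, attrs: Dict[str, str]) -> Tuple[int, Optional[str]]:
        """Apply a modify; a replica refuses it and points at its master."""
        if not self.up:
            return LDAP_SERVER_DOWN, None
        if self.updateref is not None:
            return LDAP_REFERRAL, f"{self.updateref}/{dn}"
        self.entries.setdefault(dn, {}).update(attrs)
        return LDAP_SUCCESS, None


def modify_rotate_on_down(servers: List[FakeLdapServer], dn: str,
                          attrs: Dict[str, str], attempts: int = 3) -> int:
    """Mirrors the quoted loop: only a DOWN result moves on to the next server,
    so a referral from a read-only replica is retried against the same replica."""
    idx, rc = 0, LDAP_SERVER_DOWN
    for _ in range(attempts):
        rc, _ref = servers[idx].modify(dn, attrs)
        if rc == LDAP_SUCCESS:
            break
        if rc == LDAP_SERVER_DOWN:
            idx = (idx + 1) % len(servers)
    return rc


def referral_host(ref: str) -> str:
    """'ldap://master.example.com/uid=x,dc=example' -> 'ldap://master.example.com'."""
    parts = urlsplit(ref)
    return f"{parts.scheme}://{parts.netloc}"


def modify_follow_referral(servers: List[FakeLdapServer], dn: str,
                           attrs: Dict[str, str], attempts: int = 3) -> int:
    """Same loop, but a REFERRAL to a configured host rebinds there and retries.
    Referrals to hosts outside the configured list are treated as errors."""
    known = {s.uri: i for i, s in enumerate(servers)}
    idx, rc = 0, LDAP_SERVER_DOWN
    for _ in range(attempts):
        rc, ref = servers[idx].modify(dn, attrs)
        if rc == LDAP_SUCCESS:
            break
        if rc == LDAP_REFERRAL and ref and referral_host(ref) in known:
            idx = known[referral_host(ref)]       # rebind to the referred master
        elif rc == LDAP_SERVER_DOWN:
            idx = (idx + 1) % len(servers)        # failover to the next server
        else:
            break                                 # other error: do not retry blindly
    return rc


def make_servers() -> Tuple[FakeLdapServer, FakeLdapServer]:
    """Constructed topology: one writable master, one replica referring to it."""
    master = FakeLdapServer("ldap://master.example.com")
    replica = FakeLdapServer("ldap://replica.example.com",
                             updateref="ldap://master.example.com")
    return master, replica


def demo() -> Tuple[int, int, bool, bool]:
    """Run both loops with the replica listed first, as in the poster's setup."""
    dn = "uid=ws01$,ou=Computers,dc=example,dc=com"   # constructed machine DN
    attrs = {"sambaPwdLastSet": "1215000000"}         # constructed, not a hash
    master_a, replica_a = make_servers()
    old_rc = modify_rotate_on_down([replica_a, master_a], dn, attrs)
    master_b, replica_b = make_servers()
    new_rc = modify_follow_referral([replica_b, master_b], dn, attrs)
    return old_rc, new_rc, dn in master_a.entries, dn in master_b.entries


if __name__ == "__main__":
    print(demo())  # (10, 0, False, True): referral never followed vs. write lands on master
```

The first loop returns LDAP_REFERRAL after exhausting its attempts and the master never sees the write, which is the join failure described above; the second loop lands the write on the master on its second attempt.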
On Thu, Jul 03, 2008 at 10:18:58AM -0300, jakjr wrote:
> Yes! rebind_proc should be called if the error returned by openldap was
> "Referral".

Then if you don't provide the sniff I have asked for, the developers can not be of much help.

Please also check your /etc/ldap.conf (or so) for the setting of REFERRAL. It must be set to yes, which is the default.

Volker