Hi,

I have quite a "simple" setup for a particular customer that loves redundancy and failover:

PDC + BDC with LDAP passwords on two 389-ds in multimaster mode + several Samba member servers.

Actually, pointing singularly at both systems, everything works great. As soon as I modify my passdb backend line from the single form to the form containing both backends, that is from

    passdb backend = ldapsam:"ldap://ldap1"

or

    passdb backend = ldapsam:"ldap://ldap2"

to

    passdb backend = ldapsam:"ldap://ldap1 ldap://ldap2"

I still authenticate on the first LDAP, but as soon as I shut this off with

    iptables -I OUTPUT -p tcp --dport 389 -d ldap1 -j REJECT   # simulates, from the samba machine, a failure in the service

(and yes, it is simple plain ol' LDAP, no TLS) I get a timeout and an auth failure.

This is the way I reproduce the problem:

    # with the first ldap reachable
    smbclient -L pdc-01 -U maxper
    Password:
    Domain: [XXXXXX]....

everything works fine.

    iptables -I OUTPUT -p tcp --dport 389 -j DROP
    smbclient -L pdc-01 -U maxper

answers

    session setup failed: NT_STATUS_LOGON_FAILURE

getent passwd works OK and gives both local and LDAP users after the timeout set in ldap.conf, while Samba just drops the authentication after the committed param

    ldap timeout = 8

after 8 secs, Samba drops and gives that error.

Samba is version 3.4.15, while the distro is CentOS 5.4.

Any help would be appreciated!

Ciao
Massimiliano
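The following is an added example, not code from this thread or from Samba: it parses a `passdb backend = ldapsam:...` value into its LDAP URIs (both the single-URI and the quoted multi-URI form shown above) and probes each one for plain TCP reachability, so that a multi-URI line can be checked host by host before a deployment relies on it. The hostnames ldap1/ldap2 are the thread's own placeholders; the demo stands them in with loopback addresses (port 1, which refuses connections, and a local listener) so it runs offline, and the 8-second default probe timeout simply mirrors the `ldap timeout = 8` setting from the post, which is an assumption about a sensible check, not a statement about Samba's internals.

```python
"""Added example, not code from the Samba thread or project: parse the
'passdb backend = ldapsam:...' value into its LDAP URIs and probe each one
for TCP reachability. Hostnames such as ldap1/ldap2 are the thread's
placeholders; loopback stand-ins are used so the demo runs offline."""
import socket
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Default ports for the URI schemes ldapsam reaches over TCP.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_passdb_backend(value: str) -> List[str]:
    """Return the LDAP URIs from a passdb backend value.

    Accepts the bare value (ldapsam:"ldap://ldap1 ldap://ldap2" or
    ldapsam:ldap://ldap1) as well as the whole smb.conf line including
    the 'passdb backend =' key. The URI list is whitespace separated.
    """
    value = value.strip()
    key, sep, rest = value.partition("=")
    if sep and key.strip().lower() == "passdb backend":
        value = rest.strip()
    backend, _, uris = value.partition(":")
    if backend.strip() != "ldapsam":
        raise ValueError("not an ldapsam backend: %r" % backend)
    return uris.strip().strip('"').split()


def uri_endpoint(uri: str) -> Tuple[str, int]:
    """Map an ldap:// or ldaps:// URI to (host, port), filling in the default port."""
    parts = urlsplit(uri)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("unsupported LDAP URI: %r" % uri)
    return parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def tcp_reachable(host: str, port: int, timeout: float) -> bool:
    """True if a TCP connection to host:port completes within timeout seconds.
    An iptables REJECT fails immediately (RST); a DROP runs into the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_backends(uris: List[str], timeout: float = 8.0) -> Dict[str, bool]:
    """Probe every configured URI in order. The default timeout mirrors the
    'ldap timeout = 8' setting from the thread (an assumption, not Samba logic)."""
    return {uri: tcp_reachable(*uri_endpoint(uri), timeout) for uri in uris}


def first_reachable(uris: List[str], timeout: float = 8.0) -> Optional[str]:
    """First URI in configured order that accepts a connection, or None."""
    for uri in uris:
        if tcp_reachable(*uri_endpoint(uri), timeout):
            return uri
    return None


def start_local_listener() -> Tuple[socket.socket, int]:
    """Stand-in for a reachable LDAP server: a loopback listener on an
    ephemeral port. It only completes the TCP handshake; no LDAP is spoken."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed demo: "ldap1" is stood in for by loopback port 1 (refused),
    # "ldap2" by the local listener, mirroring the thread's failover scenario.
    srv, port = start_local_listener()
    line = 'passdb backend = ldapsam:"ldap://127.0.0.1:1 ldap://127.0.0.1:%d"' % port
    uris = parse_passdb_backend(line)
    for uri, ok in probe_backends(uris, timeout=2.0).items():
        print("%-28s %s" % (uri, "reachable" if ok else "unreachable"))
    print("first usable backend:", first_reachable(uris, timeout=2.0))
    srv.close()
```

Run it against the real smb.conf line and real hostnames from a member server to see, per URI, whether the host answers at all; a REJECT shows up as an immediate failure, a DROP as a probe that lasts the whole timeout, which is the difference between the two iptables rules used in the post.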
I don't think Samba (depending on the version) supports multiple LDAP backends. You should have samba_server_1 using ldap_server_1 and samba_server_2 using ldap_server_2.

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Massimiliano Perantoni
Sent: Saturday, March 31, 2012 6:12 AM
To: samba at lists.samba.org
Subject: [Samba] Samba LDAP Failover
On 31.03.2012 20:56, Steve Thompson wrote:
> On Sat, 31 Mar 2012, Massimiliano Perantoni wrote:
>
>> Well, did not try, but guess it happens the same.
>> Just for completeness, which version of samba did you use for ldap
>> failover?
>
> I was using 3.0.33 at the time, on CentOS 5 x86_64. Not sure which
> revision of CentOS; it was a while ago.
>
> Steve

My samba 3.5.9 DCs are pointed at a bunch of LDAP servers as well. I just tried (shut down the first LDAP server in the list) and it works as expected.

Regards
Stephan
Hi,

could you send me the setup? Which lines did you add? Which distro do you run?

Thanks!

On 31 March 2012 22:11, Stephan <steffo76 at gmx.de> wrote:
> My samba 3.5.9 DCs are pointed at a bunch of LDAP servers as well. I just
> tried (shut down the first LDAP server in the list) and it works as
> expected.
>
> Regards
> Stephan

--
Massimiliano Perantoni
http://www.perantoni.net
tw: maxper75