Hello List,

I have a Samba problem that is related to Samba's LDAP behaviour.

Problem:

The standalone server (no DC!!) tries to write an attribute to a write only ldap slave, is sent via WAN to the master write ldap. The problem results from the fact that samba never goes back to the "local" slave ldap, so each samba request goes over an international slow interconnect.

Result: local samba server very slow

Any hints if it is possible to implement a workaround?

- to avoid the write access to ldap
- or to get samba back to local ldap slave after accessing the master

For the interested, the cause of the try to write an attribute seems to be documented here and in the source :-)

http://web.archiveorange.com/archive/v/WEFLnYpTeFATWth7brhv

Server role: ROLE_STANDALONE

Here is the rebind:

> [2012/04/16 18:05:45.972476, 5] lib/smbldap.c:1556(smbldap_modify)
> smbldap_modify: dn => [sambaDomainName=KAIRO,l=Kairo,dc=org,o=ABC]

that triggers an LDAP WAN connect:

26020 17:00:58.034331 connect(26, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("10.128.9.44")}, 16) = 0

Head of samba.conf because of Workgroup / Standalone Server:

[global]
netbios name = Kairo
server string = ABC Kairo
workgroup = kai
interfaces = em1 127.0.0.1
bind interfaces only = Yes
local master = yes
preferred master = yes
domain master = yes
domain logons = no
wins support = yes

I ask on this list because the customer statement is that with the "old" samba this behaviour was different / better, no performance problem whatsoever.

Due to different reasons I cannot easily verify this statement by reactivating / tracing the "old version" for the same issue.

version new: samba-3.5.10-114.el6.x86_64
version old: samba-3.0.20b-3.3

thx for tips
Micha
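To measure how often smbd leaves the local slave, the connect() calls in an strace capture can be counted per LDAP server. This is an added example, not part of the original post: the function names and the 192.0.2.10 slave address are assumptions, and every sample line except the first (quoted from the post) is constructed.

```python
import re
from collections import Counter

LDAP_PORTS = {389, 636}

# Matches "strace -f -tt" lines such as the connect() call quoted in the post.
CONNECT_RE = re.compile(
    r'^(?P<pid>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+connect\(\d+,\s*'
    r'\{sa_family=AF_INET,\s*sin_port=htons\((?P<port>\d+)\),\s*'
    r'sin_addr=inet_addr\("(?P<addr>[\d.]+)"\)\},\s*\d+\)\s*=\s*(?P<ret>-?\d+)'
)

def ldap_connects(lines):
    """Yield (pid, time, addr, port, ok) for every connect() to an LDAP port."""
    for line in lines:
        m = CONNECT_RE.match(line.strip())
        if m and int(m["port"]) in LDAP_PORTS:
            yield (int(m["pid"]), m["time"], m["addr"],
                   int(m["port"]), m["ret"] == "0")

def summarize(lines, local_servers):
    """Count LDAP connects per (addr, port), split into local and remote."""
    counts = Counter((a, p) for _, _, a, p, _ in ldap_connects(lines))
    local = {k: v for k, v in counts.items() if k[0] in local_servers}
    remote = {k: v for k, v in counts.items() if k[0] not in local_servers}
    return local, remote

# Constructed sample: line 1 is from the post, the rest are made up.
# 192.0.2.10 stands in for the local read-only slave (assumption).
SAMPLE = """\
26020 17:00:58.034331 connect(26, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("10.128.9.44")}, 16) = 0
26020 17:00:57.901200 connect(25, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
26020 17:00:59.100000 connect(27, {sa_family=AF_INET, sin_port=htons(445), sin_addr=inet_addr("192.0.2.20")}, 16) = 0
26031 17:01:02.500000 connect(26, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("10.128.9.44")}, 16) = -1 EINPROGRESS (Operation now in progress)
""".splitlines()

if __name__ == "__main__":
    local, remote = summarize(SAMPLE, local_servers={"192.0.2.10"})
    print("local slave :", local)
    print("remote (WAN):", remote)
```

A remote count that keeps growing while the local count stays flat matches the behaviour described in the post: once smbd has followed the referral for the write, later requests stay on the master.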
Why is the LDAP server write-only?

On 04/16/12 14:48, Michael Arndt wrote:
> Hello List,
>
> I have a Samba problem that is related to Samba's LDAP behaviour.
>
> Problem:
>
> The standalone server (no DC!!)
> tries to write an attribute to a write only ldap slave,
> is sent via WAN to the master write ldap. The problem results from the fact
> that samba never goes back to the "local" slave ldap
> so each samba request goes over an international slow interconnect.
>
> Result: local samba server very slow
>
> Any hints if it is possible to implement a workaround?
>
> - to avoid the write access to ldap
> - or to get samba back to local ldap slave after accessing the master
>
> For the interested, the cause of the try to write an attribute seems to
> be documented here and in the source :-)
>
> http://web.archiveorange.com/archive/v/WEFLnYpTeFATWth7brhv
>
> Server role: ROLE_STANDALONE
>
> Here is the rebind:
>
>> [2012/04/16 18:05:45.972476, 5] lib/smbldap.c:1556(smbldap_modify)
>> smbldap_modify: dn => [sambaDomainName=KAIRO,l=Kairo,dc=org,o=ABC]
> that triggers an LDAP WAN connect:
>
> 26020 17:00:58.034331 connect(26, {sa_family=AF_INET, sin_port=htons(636),
> sin_addr=inet_addr("10.128.9.44")}, 16) = 0
>
> Head of samba.conf because of Workgroup / Standalone Server:
>
> [global]
> netbios name = Kairo
> server string = ABC Kairo
> workgroup = kai
> interfaces = em1 127.0.0.1
> bind interfaces only = Yes
> local master = yes
> preferred master = yes
> domain master = yes
> domain logons = no
> wins support = yes
>
> I ask on this list because the customer statement is that with the "old"
> samba this behaviour was different / better, no performance problem
> whatsoever.
>
> Due to different reasons I cannot easily verify this statement by reactivating
> / tracing the "old version" for the same issue.
>
> version new: samba-3.5.10-114.el6.x86_64
> version old: samba-3.0.20b-3.3
>
> thx for tips
> Micha
Does your smb.conf file only point to the local read-only server? Does the read-only LDAP server redirect the samba to the write-only LDAP server? Or is the samba server configured to try both LDAP servers? Can you show the ldap section of your smb.conf file?

If I understand correctly, your local site has both a read-only LDAP server and a write-only LDAP server?

Is it trying to modify "sambaDomainName=KAIRO,l=Kairo,dc=org,o=ABC]" itself? Or is this triggered by things like users changing passwords?

What are you using for an LDAP server?

If your central office LDAP server has data for multiple offices, I understand why they want to make sure that one remote office cannot make changes that would cause problems for every other remote office.

I think with access control entries in LDAP you could still have a read-write server in your office that syncs with the server in the central office. ACLs would restrict access to the "Kairo" branch of the tree so that your server could make changes to its own branch.

Alternately, you could make your LDAP server the primary "Kairo" server. On the central server, the "kairo" branch would merely be a referral entry. This means though that the central office loses control for any backups or changes.

On 04/16/12 15:55, Michael Arndt wrote:
> r LDAP Issue
> Date: Mo 16 Apr 2012 21:45:47 CEST
> From: Gaiseric Vandal<gaiseric.vandal at gmail.com>
> To: samba at lists.samba.org
>
> Why is the LDAP server write-only?
>
> It's the customer's setup, they have world wide locations in many countries and a central write
> ldap and decentral read only slaves
>
> Unfortunately as part of their legacy samba setup there was made use of the fact that a patch of Idealx
> that is now not anymore available in the web probably was SuSE Builtin
>
> An actual samba uses first the read ldap, is sent to the master for a write
> and never comes back to the read ldap
>
> Only solutions I can see for a fast resolution:
>
> - convince customer to make local ldap write ldap
> (very improbable due to internal customer issues)
>
> - try to recompile a legacy SuSE SRC rpm (yes I know, but they need to access a big storage
> and that's not really working with the actual slowdown)
>
> - try to identify the patch sources in "SuSE build code" and port to "redhat samba build"
>
> I can see no "ldap way of resolution" except your proposal: why write only
> but customer actually can not follow this advice
>
> Micha