Michael Gasch
2004-Jun-18 08:46 UTC
[Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???
hi

I'm looking for hints/experiences concerning samba v3, openldap AND redundancy

my setup is:

Samba PDC with LDAP Master
Samba BDC with LDAP Slave
Samba Member Server, contacting first PDC, then BDC if the first fails

if all instances are working properly, everything is okay
replication is also fine (from Master -> Slave)

and now imagine:

LDAP Master dies
all smbd are contacting LDAP Slave and make their changes in the Slave directory
cause replication only works from Master->Slave, if Master comes up again, I have inconsistency in my LDAP Backends
e.g. a machine changes its machine password in Slave directory and can't logon anymore cause the password change isn't replicated on Master

we also tried to set up slurpd (LDAP replication) on both LDAP Servers
- if both are up, everything is okay, if one is down, changes are made in one directory, samba tells me it fails (e.g. changing passwords), although it changes the attributes and so on....

so the problem is: if Slave dies, everything should go on working, because PDC/BDC use at first LDAP Master
if slave comes up, replication is done properly

but if Master dies, I get an inconsistent domain

how do you get redundancy in your LDAP backend?
PDC/BDC redundancy works well, the single-point-of-failure is LDAP

thx

--
"Matrix - more than a vision"

**************************************************
Michael Gasch
- Central IT Department -
Max Planck Institute for Evolutionary Anthropology
Deutscher Platz 6
04103 Leipzig
Germany
**************************************************
Jason C. Waters
2004-Jun-18 12:01 UTC
[Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???
Isn't the slave ldap directory supposed to be read-only? So when the master is down the users can't change their passwords, but everything else should work.

What do your smb.conf and slapd.conf files look like for the master and the slave? I'm having some trouble getting the failover to work, so I wouldn't mind a peek.

Thanks
Jason

Michael Gasch wrote:
> hi
>
> I'm looking for hints/experiences concerning samba v3, openldap AND
> redundancy
>
> my setup is:
>
> Samba PDC with LDAP Master
> Samba BDC with LDAP Slave
> Samba Member Server, contacting first PDC, then BDC if the first fails
>
> if all instances are working properly, everything is okay
> replication is also fine (from Master -> Slave)
>
> and now imagine:
>
> LDAP Master dies
> all smbd are contacting LDAP Slave and make their changes in the Slave
> directory
> cause replication only works from Master->Slave, if Master comes up
> again, I have inconsistency in my LDAP Backends
> e.g. a machine changes its machine password in Slave directory and
> can't logon anymore cause the password change isn't replicated on Master
>
> we also tried to set up slurpd (LDAP replication) on both LDAP Servers
> - if both are up, everything is okay, if one is down, changes are made
> in one directory, samba tells me it fails (e.g. changing passwords),
> although it changes the attributes and so on....
>
> so the problem is: if Slave dies, everything should go on working,
> because PDC/BDC use at first LDAP Master
> if slave comes up, replication is done properly
>
> but if Master dies, I get an inconsistent domain
>
> how do you get redundancy in your LDAP backend?
> PDC/BDC redundancy works well, the single-point-of-failure is LDAP
>
> thx
Buchan Milne
2004-Jun-18 16:19 UTC
[Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???
| hi
|
| I'm looking for hints/experiences concerning samba v3, openldap AND redundancy
|
| my setup is:
|
| Samba PDC with LDAP Master
| Samba BDC with LDAP Slave
| Samba Member Server, contacting first PDC, then BDC if the first fails
|
| if all instances are working properly, everything is okay
| replication is also fine (from Master -> Slave)
|
| and now imagine:
|
| LDAP Master dies
| all smbd are contacting LDAP Slave and make their changes in the Slave directory

They won't be making changes, since you can't make changes against a slave. The slave will return an error and a referral to the master (which is down), so your changes will fail, but existing accounts will work.

| cause replication only works from Master->Slave, if Master comes up again, I have inconsistency in my LDAP Backends

No you don't, unless your slave is misconfigured.

| e.g. a machine changes its machine password in Slave directory and can't logon anymore cause the password change isn't replicated on Master
|

Its password change attempt will fail.

| we also tried to set up slurpd (LDAP replication) on both LDAP Servers
| - if both are up, everything is okay, if one is down, changes are made in one directory, samba tells me it fails (e.g. changing passwords), although it changes the attributes and so on....
|

Your configuration is broken.

| so the problem is: if Slave dies, everything should go on working, because PDC/BDC use at first LDAP Master
| if slave comes up, replication is done properly
|
| but if Master dies, I get an inconsistent domain
|

You have a serious problem if your slave is accepting changes.

| how do you get redundancy in your LDAP backend?
| PDC/BDC redundancy works well, the single-point-of-failure is LDAP

Only if you've mis-configured it.

Note that these questions don't really have anything to do with samba; you may want to ask on the openldap list.

Do you *really* need such a waste-of-bandwidth sig?

| "Matrix - more than a vision"
|
| **************************************************
| Michael Gasch
| - Central IT Department -
| Max Planck Institute for Evolutionary Anthropology
| Deutscher Platz 6
| 04103 Leipzig
| Germany
| **************************************************

Regards,
Buchan

--
Buchan Milne
Senior Support Technician
Obsidian Systems
http://www.obsidian.co.za
B.Eng RHCE (803004789010797)
Michael Gasch
2004-Jun-21 08:11 UTC
[Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???
Hi there & big thanks for your response

I studied some information and I'm still confused (a little bit)

>> and now tell me please how the master can replicate his LDAP tree to the
>> slave to get a 1:1 copy and a backup of my LDAP tree, if it's readonly
>> ?!?!?!
>
> ----
> <http://www.openldap.org/doc/admin22/replication.html>

okay, nowhere in this doc do they tell me to set the slave to readonly
if I even try, slurpd on master fails to replicate data to the slave

the second problem is: ldap slave sends referrals to the clients pointing them to ldap master
if ldap master is dead, no changes can be made
okay, some people in this list tell me that's okay, but if no changes can be made if master is dead, I don't really need a backup/slave (ldap) server, because there's still some work to do to get the team "ldap+samba" working again
it's no failover solution in case of emergency when no admin is around

From bgmilne@obsidian.co.za:
> They won't be making changes, since you can't make changes against a
> slave. The slave will return an error and a referral to the master
> (which is down), so your changes will fail, but existing accounts will work.

but what about machine passwords?
what if the windows machine tries to change its machine password and master is dead?
is the password changed locally on the workstation or is the change scheduled (for another try)?

if the smbd on the BDC tries to contact its ldap server (=ldap slave), will it also be referred (by referrals) to the master?

thanks
greez

--
"Matrix - more than a vision"

**************************************************
Michael Gasch
- Central IT Department -
Max Planck Institute for Evolutionary Anthropology
Deutscher Platz 6
04103 Leipzig
Germany
**************************************************
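Jason asked earlier in the thread what the master and slave slapd.conf and the smb.conf look like, and Buchan describes the slave answering writes with a referral to the master. The fragments below are an added example in the style of the OpenLDAP 2.2 slurpd setup the thread links to, not configuration posted by anyone on the list; the host names, DNs and the replicator credential are assumed values.

```conf
# --- slapd.conf on the LDAP master (OpenLDAP 2.2, slurpd replication) ---
# Hosts, DNs and the replicator credential are assumed values.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}REPLACE-WITH-HASHED-PASSWORD

# slurpd reads this log and pushes every change to the slave
replogfile      /var/lib/ldap/replog
replica         uri=ldap://slave.example.com:389
                binddn="cn=Replicator,dc=example,dc=com"
                bindmethod=simple credentials=REPLICATOR-SECRET

# --- slapd.conf on the LDAP slave ---
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"

# Only slurpd, bound as this DN, may write to this copy ...
updatedn        "cn=Replicator,dc=example,dc=com"
# ... every other write is answered with a referral to the master.
# While the master is down the referral leads nowhere, so the write
# fails cleanly instead of landing on the slave alone and diverging.
updateref       ldap://master.example.com

# The replicator gets write access; Samba's admin DN and everyone
# else only read. Samba's writes are referred to the master anyway.
access to *
        by dn.exact="cn=Replicator,dc=example,dc=com" write
        by dn.exact="cn=samba,dc=example,dc=com" read
        by * read

# --- smb.conf on the PDC and BDC (Samba 3) ---
[global]
        # quoted, space-separated URI list: Samba tries the servers in
        # this order and moves to the next one when the first is unreachable
        passdb backend = ldapsam:"ldap://master.example.com ldap://slave.example.com"
        ldap suffix         = dc=example,dc=com
        ldap user suffix    = ou=People
        ldap machine suffix = ou=Computers
        # the bind password for this DN is stored with: smbpasswd -w <secret>
        ldap admin dn       = cn=samba,dc=example,dc=com
```

With the master down, a password or machine-account change through either Samba server fails at the slave's referral rather than being written there, which is the behaviour Buchan describes.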
ww m-pubsyssamba
2004-Jun-30 10:22 UTC
[Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???
Or you could buy a couple of $/?1000 Sun Sparc servers and use SunONE LDAP with multi master support??? Depends if you already have an OpenLDAP environment and don't object to using Solaris instead of Linux... (can still run Samba on whatever platform you want)

On Thu, 2004-06-24 at 21:53, Thomas Rei? wrote:
> Hello Buchan Milne,
>
> [..]
>
> > No you don't, unless your slave is misconfigured.
> >
> > | e.g. a machine changes its machine password in Slave directory and
> > can't logon anymore cause the password change isn't replicated on Master
> > |
> >
> > Its password change attempt will fail.
>
> [...]
>
> >
> > Only if you've mis-configured it.
> >
> > Note that these questions don't really have anything to do with samba,
> > you may want to ask on the openldap list.
>
> Sorry about when I ask too.
> But I think this is on topic on this list.
>
> The question is:
> What happens in Samba when the Master LDAP Server is down and a change
> request for the workstation machine account password comes?

The request is failed, and life continues.

> - Is it possible that a user can't logon on this workstation?

Not in my experience, but my PDC isn't down often.

> - Or does the workstation fall out of the domain?
> (Nevermore a member of the domain)?

I can't see any reason why the client would assume 'ok' if we said 'no'...

> - When nothing happens, why is there a mechanism for changes of machine
> passwords (security, or what else)?

Because it is not a good idea to keep the same password forever. Prevents somebody else who had a copy using it... (why do you ask your users to change their passwords).

> - If I understand right, then in this scenario no changes of
> passwords, LastLogonTime etc. are possible, right?

This doesn't make any sense (then again, very little of your post did).

Andrew Bartlett
ww m-pubsyssamba
2004-Jun-30 11:38 UTC
[Samba] [EXPERIENCES] with OpenLDAP and Samba and Redundancy ???
PS fyi SunONE LDAP server is free up to 200,000 records when running on Solaris OS, Solaris is free with Sun hardware :-).