Tomasz Chmielewski
2006-Jan-17 09:44 UTC
[Samba] Samba LDAP caching when LDAP server unavailable - possible?
I've been using Samba with OpenLDAP with great success on normal servers.

Recently however, it appeared to us that for remote locations it is more economically viable to replace Samba servers with Samba running on little routers like ASUS WL-500g with openwrt firmware/software.
It has a broadcom/mipsel CPU, and thanks to openwrt (http://openwrt.org), it is possible to run lots of software on it.

Pretty nice for small offices - small, no fan, no hard disk etc. other moving parts (you can connect a USB stick to it if you want to store files/profiles).

There is one glitch however - no OpenLDAP port.

So a Samba domain controller running on these tiny routers would have to authenticate users against an external OpenLDAP server (probably in the company headquarters).

My experience shows that a company with several branches located throughout the city/country/world has connectivity problems from time to time (especially when there is no IT staff in the branches).

With no local LDAP server this would mean users not able to work (as they can't authenticate).

Is it possible to set up Samba to "cache" credentials retrieved from the LDAP, and when LDAP is unavailable, to use these cached credentials?

--
Tomasz Chmielewski
http://wpkg.org
Chris St. Pierre
2006-Jan-17 19:53 UTC
[Samba] Samba LDAP caching when LDAP server unavailable - possible?
nscd?

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Tue, 17 Jan 2006, Tomasz Chmielewski wrote:
> I've been using Samba with OpenLDAP with great success on normal servers.
>
> Recently however, it appeared to us that for remote locations it is more
> economically viable to replace Samba servers with Samba running on little
> routers like ASUS WL-500g with openwrt firmware/software.
> It has a broadcom/mipsel CPU, and thanks to openwrt (http://openwrt.org), it is
> possible to run lots of software on it.
>
> Pretty nice for small offices - small, no fan, no hard disk etc. other moving
> parts (you can connect a USB stick to it if you want to store files/profiles).
>
> There is one glitch however - no OpenLDAP port.
>
> So a Samba domain controller running on these tiny routers would have to
> authenticate users against an external OpenLDAP server (probably in the
> company headquarters).
>
> My experience shows that a company with several branches located throughout the
> city/country/world has connectivity problems from time to time (especially when
> there is no IT staff in the branches).
>
> With no local LDAP server this would mean users not able to work (as they can't
> authenticate).
>
> Is it possible to set up Samba to "cache" credentials retrieved from the LDAP,
> and when LDAP is unavailable, to use these cached credentials?
>
> --
> Tomasz Chmielewski
> http://wpkg.org
William Burns
2006-Jan-17 22:11 UTC
[Samba] Samba LDAP caching when LDAP server unavailable - possible?
Tomasz:

I had heard that some people were interested in caching passwords (which could be stored in NIS, or LDAP) on linux laptops so that a user could log in even when disconnected from their LDAP or NIS domain.

The theory was that the nss (name service switch) and nscd (name service cache daemon) system(s) could be tuned/modified to cache this information.

As far as I know, this has not been done/tested for use w/ samba the way you describe.

See section: 2.1.4 The Name Service Caching Daemon
http://www.saas.nsw.edu.au/solutions/ldap-auth-pam.html

-Bill

Tomasz Chmielewski wrote:
> I've been using Samba with OpenLDAP with great success on normal servers.
>
> Recently however, it appeared to us that for remote locations it is
> more economically viable to replace Samba servers with Samba running
> on little routers like ASUS WL-500g with openwrt firmware/software.
> It has a broadcom/mipsel CPU, and thanks to openwrt
> (http://openwrt.org), it is possible to run lots of software on it.
>
> Pretty nice for small offices - small, no fan, no hard disk etc. other
> moving parts (you can connect a USB stick to it if you want to store
> files/profiles).
>
> There is one glitch however - no OpenLDAP port.
>
> So a Samba domain controller running on these tiny routers would have
> to authenticate users against an external OpenLDAP server
> (probably in the company headquarters).
>
> My experience shows that a company with several branches located
> throughout the city/country/world has connectivity problems from time
> to time (especially when there is no IT staff in the branches).
>
> With no local LDAP server this would mean users not able to work (as
> they can't authenticate).
>
> Is it possible to set up Samba to "cache" credentials retrieved from
> the LDAP, and when LDAP is unavailable, to use these cached credentials?
Martin Konold
2006-Jan-17 22:12 UTC
[Samba] Samba LDAP caching when LDAP server unavailable - possible?
On Tue, 17 Jan 2006, Chris St. Pierre wrote:
> nscd?

nscd is known to cause problems with Samba.

Regards,
--martin
ANTHONY JOSEPH MESSINA
2006-Jan-18 17:37 UTC
[Samba] Samba LDAP caching when LDAP server unavailable - possible?
could you set up a small instance of an ldap server along with samba on this small box and have it act like a bdc? you could set up openldap to do syncrepl and have a full copy of your samba domain stuff that's in ldap. if the connection goes down, the ldap stuff is there and if you have it set up like a bdc, you can still login, etc.

just a thought, i'm fairly new at all this stuff.

-anthony

My Website: http://messinet.com
My Online Gallery: http://messinet.com/modules.php?name=Web_Links&l_op=visit&lid=3

Tomasz Chmielewski wrote:
> I've been using Samba with OpenLDAP with great success on normal servers.
>
> Recently however, it appeared to us that for remote locations it is more
> economically viable to replace Samba servers with Samba running on
> little routers like ASUS WL-500g with openwrt firmware/software.
> It has a broadcom/mipsel CPU, and thanks to openwrt
> (http://openwrt.org), it is possible to run lots of software on it.
>
> Pretty nice for small offices - small, no fan, no hard disk etc. other
> moving parts (you can connect a USB stick to it if you want to store
> files/profiles).
>
> There is one glitch however - no OpenLDAP port.
>
> So a Samba domain controller running on these tiny routers would have to
> authenticate users against an external OpenLDAP server (probably
> in the company headquarters).
>
> My experience shows that a company with several branches located
> throughout the city/country/world has connectivity problems from time
> to time (especially when there is no IT staff in the branches).
>
> With no local LDAP server this would mean users not able to work (as
> they can't authenticate).
>
> Is it possible to set up Samba to "cache" credentials retrieved from the
> LDAP, and when LDAP is unavailable, to use these cached credentials?
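
A sketch of the syncrepl replica plus BDC arrangement suggested in the message above, added here as an example and not taken from any poster's configuration. It assumes slapd can be built for the branch box; the suffix dc=example,dc=com, the host ldap.hq.example.com, the bind DNs and the file paths are placeholders.

```conf
# --- slapd.conf on the branch box (syncrepl consumer; constructed example) ---
include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/inetorgperson.schema
include   /etc/openldap/schema/nis.schema
include   /etc/openldap/schema/samba.schema

database  bdb
suffix    "dc=example,dc=com"
directory /var/lib/ldap
index     objectClass,entryUUID eq
index     uid,sambaSID eq

# The replica holds sambaNTPassword/sambaLMPassword, which are
# password-equivalent: only Samba's bind DN may read them.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="cn=samba,dc=example,dc=com" read
    by anonymous auth
    by * none
access to *
    by * read

# Pull the tree from headquarters and keep retrying while the link is down.
# starttls=critical refuses to replicate over an unencrypted connection;
# the CA to trust is taken from ldap.conf (TLS_CACERT).
syncrepl rid=001
    provider=ldap://ldap.hq.example.com
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    bindmethod=simple
    binddn="cn=syncrepl,dc=example,dc=com"
    credentials=CHANGE_ME
    starttls=critical

# Writes (password changes, machine accounts) are referred to the master.
updateref ldap://ldap.hq.example.com

# --- smb.conf on the same box, acting as a BDC (constructed example) ---
[global]
    workgroup       = EXAMPLE
    security        = user
    domain logons   = yes
    domain master   = no
    passdb backend  = ldapsam:ldap://127.0.0.1
    ldap suffix     = dc=example,dc=com
    ldap admin dn   = cn=samba,dc=example,dc=com
```

A box configured this way keeps every replicated account's NT hash on local storage, so a lost or stolen router exposes password-equivalent material for the whole searchbase. Narrowing `searchbase`, or adding a syncrepl `filter=`, to the branch's own users limits what the replica holds.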