Где-то год назад встал вопрос поднятия сети полностью с нуля (контроллер домена, файл-сервер и т.д.)... Недолго думая, на базе своего роутера с файл-сервером в одном флаконе (финансирование было крайне ограничено) поднял ldap и настроил Samba как PDC. До недавнего времени проблем было очень мало, и в основном все быстро решаемые (но были — в связи с не очень сильной машинкой и ограниченным объёмом винтов), но недавно подвалило счастье в виде большого кол-ва нового железа; опять же недолго думая, решил поднять второй ldap (в конфиге мастер-мастер) и BDC на нём же. Перед этим настроил полное дублирование сервисов DNS и DHCP. Проблем опять-таки не возникло. Но вот когда начал поднимать связку ldap+ldap в mirrormode TRUE посредством syncrepl, пришлось переходить с ldbm на bdb, и у меня начались грабли...
Продолжу конфигами (пробовал в двух вариантах):
Вариант №1 (syncrepl включён):
ldap.conf PDC
# slapd.conf of the server with serverID 001 (variant 1: syncrepl enabled, mirror mode).
# NOTE(review): in slapd.conf a line that starts with whitespace continues the
# previous directive. The "by ..." lines and the syncrepl parameters appear here
# unindented (presumably stripped by the forum); in the real file they must be
# indented or slapd will read them as unknown directives.
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/postfix.schema
# 256 = "stats": connections, operations and results are logged.
loglevel 256
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
# Global ACLs: root DSE and subschema readable by everyone; anything else needs an
# authenticated bind (anonymous may only bind). The bdb database below defines its
# own, more permissive, ACLs — database-specific ACLs take precedence, so
# NOTE(review): confirm that these global rules ever apply to the suffix at all.
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
by self write
by users read
by anonymous auth
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=c-es,dc=ru"
# rootdn bypasses all ACLs. It is also the identity Samba binds with
# (ldap admin dn in smb.conf) and the binddn used for syncrepl below.
rootdn "cn=root,dc=c-es,dc=ru"
# Redacted in the post ("многа букав" = "lots of letters"); the real {SSHA} hash goes here.
rootpw {SSHA}многа букав
directory /var/db/openldap-data
# Indexes for the lookups Samba/NSS perform (uid, uidNumber, sambaSID, ...).
index objectClass eq,pres
index ou,cn,sn,mail,givenname eq,pres,sub
index uidNumber,gidNumber,memberUid eq,pres
index loginShell eq,pres
index uniqueMember eq,pres
index uid pres,sub,eq
index displayName pres,sub,eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
# Default access rights for this database.
# userPassword: the owner may change it; anonymous may only use it to bind.
access to attrs=userPassword
by self write
by anonymous auth
by * none
# NT/LM hashes: nobody but the owner may touch them (rootdn bypasses ACLs, so
# Samba bound as cn=root still reads/writes them). NOTE(review): "by self write"
# lets an account set its own hashes directly; drop it if only Samba should change
# passwords. LM hashes are weak — see "lanman auth" in smb.conf.
access to attrs=sambaLMPassword,sambaNTPassword
by self write
by * none
# Everything else (posix/samba account and group data) is readable anonymously.
# The global ACL above required an authenticated bind; if that is the intended
# policy, use "by users read" / "by anonymous auth" here as well.
access to *
by anonymous read
by * read
# Unique id of this replica (the peer uses 002). slapd.conf(5) lists serverID
# as a global directive; NOTE(review): confirm slapd honours it after
# "database bdb", otherwise move it above the database section.
serverID 001
# Pull changes from the peer 192.168.217.253: the whole DIT including operational
# attributes ("*,+"); retry 10 times 5 s apart, then every 300 s forever.
# The bind is simple over plain ldap://, so the rootdn password and all replicated
# data (password hashes included) cross the LAN unencrypted, and the credential is
# stored in cleartext in this file. Consider starttls=critical (or ldaps://) and a
# dedicated read-only replication identity instead of rootdn.
syncrepl rid=123
provider=ldap://192.168.217.253:389
type=refreshAndPersist
retry="5 10 300 +"
searchbase="dc=c-es,dc=ru"
attrs="*,+"
bindmethod=simple
binddn="cn=root,dc=c-es,dc=ru"
credentials=*********
# Must follow the syncrepl directive (it does). Makes this shadow writable; without
# it every write is answered with "Shadow context; no update referral". Writes
# should still be directed to one mirror at a time; if the BDC's Samba also writes
# to its local slapd (only the PDC smb.conf is shown), both mirrors accept writes
# concurrently.
mirrormode TRUE
# Serve changes to the peer; checkpoint contextCSN every 100 ops or 5 minutes.
overlay syncprov
syncprov-checkpoint 100 5
# slapd.conf of the second server (serverID 002, syncrepl provider 192.168.217.254,
# i.e. the peer of the listing above). Presumably the BDC; its heading is not in the post.
# NOTE(review): "by ..." lines and syncrepl parameters must be indented in the real
# file (leading whitespace = continuation of the previous directive).
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/postfix.schema
# 256 = "stats": connections, operations and results are logged.
loglevel 256
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
# Global ACLs: anonymous may only bind, authenticated users read. The database
# below defines its own ACLs, which take precedence for the suffix.
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
by self write
by users read
by anonymous auth
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=c-es,dc=ru"
# rootdn bypasses all ACLs; also used as syncrepl binddn below.
rootdn "cn=root,dc=c-es,dc=ru"
# Redacted in the post; the real {SSHA} hash goes here.
rootpw {SSHA}многа букав
directory /var/db/openldap-data
index objectClass eq,pres
index ou,cn,sn,mail,givenname eq,pres,sub
index uidNumber,gidNumber,memberUid eq,pres
index loginShell eq,pres
index uniqueMember eq,pres
index uid pres,sub,eq
index displayName pres,sub,eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
# Default access rights for this database.
access to attrs=userPassword
by self write
by anonymous auth
by * none
# NOTE(review): "by self write" on the NT/LM hashes lets an account set its own
# hashes directly; Samba does not need it (it binds as rootdn).
access to attrs=sambaLMPassword,sambaNTPassword
by self write
by * none
# Everything else is readable anonymously — more permissive than the global ACL
# above; tighten to "by users read" / "by anonymous auth" if that was the intent.
access to *
by anonymous read
by * read
# NOTE(review): serverID is documented as a global directive; confirm it is
# honoured at this position (after "database").
serverID 002
# Pull the whole DIT ("*,+") from the peer 192.168.217.254 over plain ldap://
# with a simple bind as rootdn: credential and data cross the LAN in cleartext,
# and the password sits in cleartext in this file. Consider starttls=critical
# (or ldaps://) and a dedicated read-only replication identity.
syncrepl rid=123
provider=ldap://192.168.217.254:389
type=refreshAndPersist
retry="5 10 300 +"
searchbase="dc=c-es,dc=ru"
attrs="*,+"
bindmethod=simple
binddn="cn=root,dc=c-es,dc=ru"
credentials=*******
# Must follow syncrepl (it does); without it writes fail with
# "Shadow context; no update referral".
mirrormode TRUE
# Serve changes to the peer; checkpoint contextCSN every 100 ops or 5 minutes.
overlay syncprov
syncprov-checkpoint 100 5
# smb.conf of the PDC (netbios name = pdc). Accounts live in the local slapd
# (passdb backend = ldapsam:ldap://127.0.0.1/). No [global] header is shown;
# presumably it precedes these lines in the real file.
dos charset = 866
unix charset = KOI8-R
netbios name = pdc
workgroup = c-es.ru
server string = Файловый сервер
interfaces = re0
security = user
encrypt passwords = YES
# Cleartext simple bind ("ldap ssl = off" below), but only over loopback.
# If a BDC points its passdb at a remote slapd, that link needs TLS.
passdb backend = ldapsam:ldap://127.0.0.1/
log level = 0 vfs:1
log file = /var/log/samba/samba.log
max log size = 50000
load printers = No
# NOTE(review): "os level" is set twice (8 here, 192 below); the later value
# wins, so this line is dead — remove it.
os level = 8
# Global "admin users" get root-equivalent file access on EVERY share,
# including [homes]; keep this list minimal.
admin users = kron
ldap suffix = dc=c-es,dc=ru
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
# This is the slapd rootdn, which bypasses LDAP ACLs entirely. Its password is
# kept in secrets.tdb (smbpasswd -w), not in this file.
ldap admin dn = "cn=root,dc=c-es,dc=ru"
ldap delete dn = no
ldap ssl = off
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = @
winbind use default domain = Yes
# Trailing-dot form = network prefix: only 192.168.217.0/24 and loopback.
hosts allow = 192.168.217. 127.
socket options = SO_RCVBUF=8192 SO_SNDBUF=8192
local master = yes
os level = 192
domain master = yes
preferred master = yes
domain logons = yes
case sensitive = No
hide unreadable = Yes
logon path =
logon home = \\%L\homes
logon drive = H:
# User/group/machine management is delegated to the ldap* helper scripts.
add machine script = /usr/local/sbin/ldapaddmachine '%u' computers
add user script = /usr/local/sbin/ldapadduser '%u' users
add group script = /usr/local/sbin/ldapaddgroup '%g'
add user to group script = /usr/local/sbin/ldapaddusertogroup '%u' '%g'
delete user script = /usr/local/sbin/ldapdeleteuser '%u'
delete group script = /usr/local/sbin/ldapdeletegroup '%g'
delete user from group script = /usr/local/sbin/ldapdeleteuserfromgroup '%u' '%g'
set primary group script = /usr/local/sbin/ldapsetprimarygroup '%u' '%g'
# NOTE(review): the closing quote after %unew is missing (paste artifact?);
# verify the real file reads '%unew'.
rename user script = /usr/local/sbin/ldaprenameuser '%uold' '%unew
wins support = yes
wins proxy = yes
dns proxy = no
time server = yes
# Each user sees only their own home (valid users = %S); new files 0600 / dirs 0700.
[homes]
comment = Home Directories
path = /fs/samba/homes/%U
browseable = no
writable = yes
public = no
read only = no
create mask = 0600
directory mask = 0700
valid users = %S
# Logon scripts: read-only and guest-readable, the usual netlogon setup.
[netlogon]
comment = Network Logon Service
path = /usr/local/etc/samba/netlogon
browseable = no
guest ok = yes
writable = no
share modes = no
volume = NETLOGON
# Roaming profiles. NOTE(review): "guest ok = yes" together with "writeable = yes"
# lets guest sessions write here; set "guest ok = no" unless guest access is
# really needed. The Samba HOWTO pairs this share with "profile acls = Yes".
[profiles]
comment = profiles
create mode = 0600
directory mode = 700
path = /fs/samba/profiles/%u
browseable = yes
guest ok = yes
writeable = yes
# Shared exchange folder with recycle bin and full_audit logging.
# "admin users = @<group>" gives the group's members root-equivalent file access
# on this share. NOTE(review): the group is spelled three different ways across
# shares (@c-es.ru\\Anisimov_AD here, @anisimov_ad in [db], @Anisimov_AD below);
# with "winbind use default domain = Yes" only one form is likely to resolve —
# check with testparm / net groupmap and make them consistent.
# create/directory mask 0777 makes everything world-writable on disk; access
# control then rests on "valid users" and the inherited ACLs.
[Общая]
comment = Обменник
path = /fs/change
valid users = @users
admin users = @c-es.ru\\Anisimov_AD
read only = No
create mask = 0777
directory mask = 0777
inherit acls = Yes
inherit owner = Yes
# Hide/veto quota files and .snap (presumably the UFS snapshot directory).
veto files = /quota.*/.snap/
hide files = .snap
map archive = No
# Deleted files go to /fs/lost_n_found (tree kept, versions kept, ~100 MB cap);
# mkdir/rmdir/write/unlink/rename (success and failure) go to syslog LOCAL5,
# prefixed "<client machine>|<session user>".
vfs objects = recycle full_audit
recycle:repository = /fs/lost_n_found
recycle:keeptree = yes
recycle:versions = yes
recycle:exclude = *.tmp | *.TMP | ~$* | ~WRL*
recycle:excludedir = /fs/temp
recycle:maxsize = 104805760
full_audit:facility=LOCAL5
full_audit:priority=INFO
full_audit:failure = mkdir rmdir write unlink rename
full_audit:success = mkdir rmdir write unlink rename
full_audit:prefix = %m|%U
# Database share: the only share without recycle/full_audit.
# NOTE(review): probably deliberate (database files churn), but confirm.
[db]
comment = Базы данных
path = /fs/bd
valid users = @users
admin users = @anisimov_ad
read only = No
create mask = 0777
directory mask = 0777
inherit acls = Yes
inherit owner = Yes
veto files = /quota.*/.snap/
hide files = .snap
map archive = No
# Same layout as [Общая]: recycle bin + full_audit.
[Эдванс]
comment = Обменник Эдванс
path = /fs/edvance
valid users = @users
admin users = @Anisimov_AD
read only = No
create mask = 0777
directory mask = 0777
inherit acls = Yes
inherit owner = Yes
veto files = /quota.*/.snap/
hide files = .snap
map archive = No
vfs objects = recycle full_audit
recycle:repository = /fs/lost_n_found
recycle:keeptree = yes
recycle:versions = yes
recycle:exclude = *.tmp | *.TMP | ~$* | ~WRL*
recycle:excludedir = /fs/temp
recycle:maxsize = 104805760
full_audit:facility=LOCAL5
full_audit:priority=INFO
full_audit:failure = mkdir rmdir write unlink rename
full_audit:success = mkdir rmdir write unlink rename
full_audit:prefix = %m|%U
# Same layout as [Общая]: recycle bin + full_audit.
[Consultant]
comment = Консультант
path = /fs/cons
valid users = @users
admin users = @Anisimov_AD
read only = No
create mask = 0777
directory mask = 0777
inherit acls = Yes
inherit owner = Yes
veto files = /quota.*/.snap/
hide files = .snap
map archive = No
vfs objects = recycle full_audit
recycle:repository = /fs/lost_n_found
recycle:keeptree = yes
recycle:versions = yes
recycle:exclude = *.tmp | *.TMP | ~$* | ~WRL*
recycle:excludedir = /fs/temp
recycle:maxsize = 104805760
full_audit:facility=LOCAL5
full_audit:priority=INFO
full_audit:failure = mkdir rmdir write unlink rename
full_audit:success = mkdir rmdir write unlink rename
full_audit:prefix = %m|%U
# IPC$ pinned to the same network as the global "hosts allow", with an explicit
# deny-all for everyone else.
[IPC$]
path = /tmp
hosts allow = 192.168.217.0/24 127.0.0.1
hosts deny = 0.0.0.0/0
Ну, так как синхрона нет, то разница только в конфиге ldap.conf PDC (BDC не задействован)
ldap.conf PDC
# Variant 2: standalone slapd.conf of the PDC, no replication — there is no
# syncrepl, mirrormode, updatedn or updateref here, so this database is not a
# shadow (read-only) context. NOTE(review): if "Shadow context; no update
# referral" is still returned with this file, check that the running slapd
# actually reads this file and not the variant-1 one.
# NOTE(review): "by ..." lines must be indented in the real file (leading
# whitespace = continuation of the previous directive).
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/postfix.schema
# 256 = "stats": connections, operations and results are logged.
loglevel 256
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
# Global ACLs: anonymous may only bind, authenticated users read. The database
# below defines its own ACLs, which take precedence for the suffix.
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
by self write
by users read
by anonymous auth
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=c-es,dc=ru"
# rootdn bypasses all ACLs; Samba binds as this identity (ldap admin dn).
rootdn "cn=root,dc=c-es,dc=ru"
# Redacted in the post; the real {SSHA} hash goes here.
rootpw {SSHA}многа букав
directory /var/db/openldap-data
index objectClass eq,pres
index ou,cn,sn,mail,givenname eq,pres,sub
index uidNumber,gidNumber,memberUid eq,pres
index loginShell eq,pres
index uniqueMember eq,pres
index uid pres,sub,eq
index displayName pres,sub,eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
# Default access rights for this database.
# userPassword: the owner may change it; anonymous may only use it to bind.
access to attrs=userPassword
by self write
by anonymous auth
by * none
# NOTE(review): "by self write" on the NT/LM hashes lets an account set its own
# hashes directly; Samba does not need it (it binds as rootdn). LM hashes are
# weak — see "lanman auth" in smb.conf.
access to attrs=sambaLMPassword,sambaNTPassword
by self write
by * none
# Everything else is readable anonymously — more permissive than the global ACL
# above; tighten to "by users read" / "by anonymous auth" if that was the intent.
access to *
by anonymous read
by * read
LDAP_UNWILLING_TO_PERFORM
Additional Text:Shadow context; no update referral
LDAP_UNWILLING_TO_PERFORM 53 (x'35) The DSA is unwilling to perform the operation. Additional text: no global superior knowledge - the name that is being added or modified does not exist in any naming context or does not have a valid referral.
Possible cause: no suffix directive in slapd.conf for the DIT
Additional Text:Shadow context; no update referral - the DIT being updated is a replica in read only mode and the absence of an updateref directive means a referral cannot be returned.
Possible Causes:
1. A write had been attempted to a read-only replica (the consumer in a syncrepl configuration is always read-only).
2. In a multi-master syncrepl configuration mirrormode true may be missing from the slapd.conf file.
А вторая трабла: после переезда базы с ldbm на bdb в обоих случаях slapd валится, если пользователи пытаются загрузить Консультант или 1С; Консультант лежит на файл-сервере, и базы 1С тоже. Есть предположение, что просто идёт очень много запросов, только что с этим делать, я не знаю — раньше оно работало нормально. Такое предположение возникло в связи с тем, что если спамить старт слапда, то и то, и то загружается.
И в логе ldap при его вылете ничего об ошибках нет, просто лог обрывается на стандартных запросах.