FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Directory

 
 
LinkBack Thread Tools
 
Old 03-31-2010, 09:16 PM
Rich Megginson
 
Default Strange behaviour - SAMBA is writing on a Dedicated Consumer Server

Diretorio Livre wrote:
> Hello,
> We are using FDS 1.2.0 and we are making samba integration with LDAP.
> There are two FDS servers, one (serverA) is configured as single
> master and the other (serverB) as a dedicated consumer. We're using
> the option "ldap passwd sync=yes" and pointing the ldapsam to serverB.
> When we changed the password of a user (in a Windows machine), his
> "userpassword" ldap attribute has changed in serverB(the dedicated
> consumer) instead of return referral to serverA (the master). The most
> strange is that the access log doesn't show nothing, even the correct
> error code 10 (referral). We've checked the suffix configuration in
> the serverB and the "update on referral" was selected. It seems to us
> that SAMBA found a way to ignore the "update on referral" and made the
> modifications on the consumer. //Anybody has experiencied such behaviour?
Note that the access log is buffered, so operations may take a while
before they are flushed to disk. You can change this behavior by
setting nsslapd-accesslog-logbuffering: off in cn=config (but note that
this may impact performance in production environments).

Can you post relevant excerpts from the access log of the dedicated
consumer showing the sequence of operations for the password change?
Have you checked the access log of the master?
>
> Steps to reproduce the behaviour
> - Configure two LDAP servers (one as single master and the other as
> dedicated consumer).
> - Configure replication between the two servers above.
> - Install SAMBA (we are using version 3.3.2 or 3.4.7).
> - Configure smb.conf with the following parameters:
> -- the ldapbackend pointing to the dedicated consumer server.
> -- ldap passwd sync=Only.
> -- ldap ssl = start tls (it's necessary).
>
>
> Thanks in advance,
> --
> SIEDN - Diretorio Livre
> "Esta mensagem do SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO), empresa pública federal regida pelo disposto na Lei Federal nº 5.615, é enviada exclusivamente a seu destinatário e pode conter informações confidenciais, protegidas por sigilo profissional. Sua utilização desautorizada é ilegal e sujeita o infrator às penas da lei. Se você a recebeu indevidamente, queira, por gentileza, reenviá-la ao emitente, esclarecendo o equívoco."
>
> "This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a government company established under Brazilian law (5.615/70) -- is directed exclusively to its addressee and may contain confidential data, protected under professional secrecy rules. Its unauthorized use is illegal and may subject the transgressor to the law's penalties. If you're not the addressee, please send it back, elucidating the failure."
>
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 04-01-2010, 01:20 PM
Rich Megginson
 
Default Strange behaviour - SAMBA is writing on a Dedicated Consumer Server

Diretorio Livre wrote:
> **
>
> Richard,
> I set the nsslapd-accesslog-logbuffering as you recomended and
> nothing was logged on the master ldap (ServerA). So I shutdown
> the master ldap machine and repeat the test. The result was
> the same behaviour: SAMBA writes on the userpassword attribute
> of the dedicated consumer (ServerB). Analyzing the access log
> output of ServerB, there is a line that show success in an
> extended operation:
>
> - 01/Apr/2010:08:36:09 -0300] conn=553 op=18 EXT
> oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_extop"
> - [01/Apr/2010:08:36:09 -0300] conn=553 op=18 RESULT err=0
> tag=120 nentries=0 etime=0
>
> I'm attaching a file (access.log) with all operations logged
> during password changing.
>
> I've enabled the audit log on the serverB too. See the result:
>
> time: 20100401083609
> dn: uid=testuser,dc=lab,dc=com
> changetype: modify
> replace: userpassword
> userpassword: {SSHA}D4paM4WUays6uAY1fpuSKnhoQhOJqyl9hT5IBA==
> -
> replace: modifiersname
> modifiersname: cn=server,cn=plugins,cn=config
> -
> replace: modifytimestamp
> modifytimestamp: 20100401113609Z
> -
>
> time: 20100401083609
> dn: uid=testuser,dc=lab,dc=com
> changetype: modify
> replace: passwordgraceusertime
> passwordgraceusertime: 0
> -
> replace: passwordExpirationTime
> passwordExpirationTime: 20100630113609Z
> -
> replace: passwordExpWarned
> passwordExpWarned: 0
>
> Note that all operations above were made with the master ldap
> offline.
>
Ok. Please file a bug at
https://bugzilla.redhat.com/enter_bug.cgi?product=389
it does not appear that the password modify extop sends back a referral
>
>
>
>
> Thanks,
> SIEDN - Diretorio Livre
>
> Diretorio Livre wrote:
> > Hello,
> > We are using FDS 1.2.0 and we are making samba integration
> with LDAP.
> > There are two FDS servers, one (serverA) is configured as single
> > master and the other (serverB) as a dedicated consumer. We're
> using
> > the option "ldap passwd sync=yes" and pointing the ldapsam to
> serverB.
> > When we changed the password of a user (in a Windows
> machine), his
> > "userpassword" ldap attribute has changed in serverB(the
> dedicated
> > consumer) instead of return referral to serverA (the master).
> The most
> > strange is that the access log doesn't show nothing, even the
> correct
> > error code 10 (referral). We've checked the suffix
> configuration in
> > the serverB and the "update on referral" was selected. It
> seems to us
> > that SAMBA found a way to ignore the "update on referral" and
> made the
> > modifications on the consumer. //Anybody has experiencied
> such behaviour?
> Note that the access log is buffered, so operations may take a
> while
> before they are flushed to disk. You can change this behavior by
> setting nsslapd-accesslog-logbuffering: off in cn=config (but
> note that
> this may impact performance in production environments).
>
> Can you post relevant excerpts from the access log of the
> dedicated
> consumer showing the sequence of operations for the password
> change?
> Have you checked the access log of the master?
> >
> > Steps to reproduce the behaviour
> > - Configure two LDAP servers (one as single master and the
> other as
> > dedicated consumer).
> > - Configure replication between the two servers above.
> > - Install SAMBA (we are using version 3.3.2 or 3.4.7).
> > - Configure smb.conf with the following parameters:
> > -- the ldapbackend pointing to the dedicated consumer server.
> > -- ldap passwd sync=Only.
> > -- ldap ssl = start tls (it's necessary).
> >
> >
> > Thanks in advance,
> > --
> > SIEDN - Diretorio Livre
> > "Esta mensagem do SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS
> (SERPRO), empresa pública federal regida pelo disposto na Lei
> Federal nº 5.615, é enviada exclusivamente a seu destinatário
> e pode conter informações confidenciais, protegidas por sigilo
> profissional. Sua utilizaç ão desautorizada é ilegal e sujeita
> o infrator às penas da lei. Se você a recebeu indevidamente,
> queira, por gentileza, reenviá-la ao emitente, esclarecendo o
> equívoco."
> >
> > "This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS
> (SERPRO) -- a government company established under Brazilian
> law (5.615/70) -- is directed exclusively to its addressee and
> may contain confidential data, protected under professional
> secrecy rules. Its unauthorized use is illegal and may subject
> the transgressor to the law's penalties. If you're not the
> addressee, please send it back, elucidating the failure."
> >
> > ------------------------------------------------------------------------
> >
> > --
> > 389 users mailing list
> > 389-users@lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedor aproject.org/mailman/listinfo/389-users
>
>
>
> "Esta mensagem do SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO), empresa pública federal regida pelo disposto na Lei Federal nº 5.615, é enviada exclusivamente a seu destinatário e pode conter informações confidenciais, protegidas por sigilo profissional. Sua utilização desautorizada é ilegal e sujeita o infrator às penas da lei. Se você a recebeu indevidamente, queira, por gentileza, reenviá-la ao emitente, esclarecendo o equívoco."
>
> "This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a government company established under Brazilian law (5.615/70) -- is directed exclusively to its addressee and may contain confidential data, protected under professional secrecy rules. Its unauthorized use is illegal and may subject the transgressor to the law's penalties. If you're not the addressee, please send it back, elucidating the failure."
>
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 

Thread Tools




All times are GMT. The time now is 03:21 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org