Samba and ldap troubles.
Scott J. Henson
scotth at csee.wvu.edu
Fri Sep 2 13:38:48 CDT 2005
George Farris wrote:
> On Fri, 2005-09-02 at 13:45 -0400, Scott J. Henson wrote:
>
>>Yes, this sounds like libnss-ldap being crappy. It happens whenever
>>libnss cannot contact the ldap server. I would suggest not using
>>libnss-ldap on your ldap servers. It would seem to me that there may be
>>a race in there somewhere or a deadlock. Remove libnss-ldap from the
>>ldap servers and I think your problems should be resolved.
>>
>>This should have nothing to do with the backend of choice. It's all
>>about slapd using some libc function that somehow accesses nss, which
>>then must poll ldap, but the ldap server is waiting on its original
>>request to be fulfilled, which causes the lock. I'm not positive that
>>this is what is happening, but it seems logical. Possibly you could use
>>nscd to reduce the frequency of the locks, but I would think it would
>>just delay the inevitable.
>
>
> Sigh! Isn't that one of the points behind running ldap though, so I can
> replace NIS etc? Yes I want it to work with Samba but I also want local
> account support with ssh. Without the nsswitch stuff I can't login.
>
Yes and no. ldap is more of a distributed thing. What we do is run the
ldap servers (we have multiple and use LVS, but that's another show) and
only allow root ssh-key logins from a selected number of individuals to
the ldap servers. Then we have libnss-ldap on our other machines. I
would really recommend configuring nscd on all client machines, as it
reduces the load on the ldap server by a significant amount, and this
can make or break your setup if you're using ldbm.
I agree it kinda sucks that you can't use it on your ldap servers, but
if you really want to maintain sudo and logins, you can configure
libpam-ldap on the ldap servers and maintain an /etc/passwd with only
those users you need. You would still need libnss-ldap installed, but
in your nsswitch.conf, only configure it to look up shadow in ldap.
I'm pretty sure that passwd and hosts would cause the lock that you're
seeing. This is of course a hack and I would recommend the use of
ssh-keys as described above.
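An added example, not part of the original message or of any Ubuntu/Samba code: the nsswitch.conf layout the reply describes for an LDAP server host (only "shadow" consults ldap; passwd, group and hosts stay on local files so that slapd's own libc lookups never call back into LDAP), plus a small check that flags the passwd and hosts databases if they do consult ldap. The file contents, the temp-file handling and the function names (ldap_databases, check_nsswitch) are constructed for the example.

```shell
#!/bin/sh
# Constructed sample nsswitch.conf for an LDAP server host, laid out as the
# reply suggests: passwd/group/hosts are local, only shadow goes to ldap.
SAMPLE_NSSWITCH='# nsswitch.conf on an ldap server (constructed sample)
passwd:         files
group:          files
shadow:         files ldap
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis'

# ldap_databases FILE: print the names of the nsswitch databases in FILE whose
# source list contains "ldap" (comments stripped, one database per line).
ldap_databases() {
    sed -e 's/#.*//' "$1" | awk -F: '
        NF >= 2 && $2 ~ /(^|[ \t])ldap([ \t]|$)/ { gsub(/[ \t]/, "", $1); print $1 }'
}

# check_nsswitch FILE: return 0 if neither passwd nor hosts consults ldap
# (the two lookups the reply blames for the deadlock on an ldap server),
# return 1 and print a warning for each offending database otherwise.
check_nsswitch() {
    rc=0
    for db in $(ldap_databases "$1"); do
        case "$db" in
            passwd|hosts) echo "WARNING: $db consults ldap in $1" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Write the constructed sample to a temp file and run the check against it.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_NSSWITCH" > "$tmp"
check_nsswitch "$tmp" && echo "ok: ldap is consulted only for: $(ldap_databases "$tmp" | tr '\n' ' ')"
```

On a real host you would point check_nsswitch at /etc/nsswitch.conf; a "WARNING: passwd consults ldap" or "WARNING: hosts consults ldap" on the machine running slapd is exactly the configuration the reply says to avoid.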