The Samba-Bugzilla – Bug 4544
LDAP redundancy does not work
Last modified: 2008-06-05 03:45:22 UTC
Redhat 4, Samba server 3.0.22.
We are testing LDAP redundancy. We have 2 LDAP servers.
If we stop LDAP services on the first LDAP server, everything works fine :
the samba server detects the failed ldap server and switch to the
available LDAP server.
Clients can be authenticated, everything works fine.
But, if the first LDAP server is unavailable (does not respond to ping),
the samba server does not switch to the second LDAP server :
[2007/04/20 09:36:46, 0] lib/smbldap.c:smbldap_search_suffix(1346)
smbldap_search_suffix: Problem during the LDAP search: (Time limit
[2007/04/20 09:36:46, 2] auth/auth.c:check_ntlm_password(317)
check_ntlm_password: Authentication for user [adminocs] -> [adminocs]
FAILED with error NT_STATUS_NO_SUCH_USER
[2007/04/20 09:36:46, 2] smbd/server.c:exit_server(614)
We have tried using smaller and greater values of ldap timeout in smb.conf
but it does not help. ( from 5 to 600)
We have tried using smaller and greater values in the /etc/ldap.conf for
bind_timelimit and timelimit (30 by default, from 5 to 300), but it does
Here is our smb.conf related to ldap :
passdb backend = ldapsam:"ldap://itdsd1l1.altissemiconductor.com
ldap passwd sync = Yes
ldap admin dn =
ldap suffix = ou=manuf,o=altissemiconductor.com,cn=mfg
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap timeout = 15
ldap ssl = start_tls
Is there a way to change the bind/connect/network timeout for samba server to switch to the available ldap server node before the "search time limit exceeded" ?
Do I miss something ?
Created attachment 2412 [details]
ethereal traces with LDAP timeout = 15
test : using smblcient from the samba server
10.240.47.35 : Samba server
10.112.8.130 : Master LDAP server (stopped: does not respond to ping)
10.240.65.238 : Slave secondary LDAP server
Taking some ethereal traces, we see that there are multiple network TCP retries before TCP timeout is reached.
As TCP timeout is much more longer than ldap timeout (default : 15 seconds), the samba server says : time limit exceeded.
If we increase the ldap timeout (from 15 to 300), then the TCP timeout (about 3 minutes) is reached and the connection to the slave ldap server seems to be done, but too late : smb clients timeouts are smaller..... and 3 minutes is too much.
Is there a way to setup ldap client librairies to use smaller "network timeout" ?
(we have used timelimit and bind_timelimit with no success for Samba server).
yes, the timeouts do not work very well together. This problem is also handled by the latest patch from bug #3504.
Björn, any updates on the discussion we had regarding defaults? Do you have a new patch available?
Created attachment 3304 [details]
patch adding ldap connection timeout feature
as requested on samba-techincal this is the extracted piece that just adds the ldap connection timeout without anything else.
The "ldap connection timeout" is actualy a feature that was not covered by the "ldap timeout" parameter before. For that reason the default of the new "ldap connection timeout" is unrelated to the old "ldap timeout".
Patch is now in v3-3-test, v3-2-test and v3-2-stable (4307701b6ca3ac953 and 539210ea8e023afe7189).
Will be included in 3.2.0rc2 and higher.
Closing out bug report. Please reopen if it is still an issue.