Hi, Redhat 4, Samba server 3.0.22. We are testing LDAP redundancy. We have 2 LDAP servers. If we stop LDAP services on the first LDAP server, everything works fine : the samba server detects the failed ldap server and switch to the available LDAP server. Clients can be authenticated, everything works fine. But, if the first LDAP server is unavailable (does not respond to ping), the samba server does not switch to the second LDAP server : [2007/04/20 09:36:46, 0] lib/smbldap.c:smbldap_search_suffix(1346) smbldap_search_suffix: Problem during the LDAP search: (Time limit exceeded) [2007/04/20 09:36:46, 2] auth/auth.c:check_ntlm_password(317) check_ntlm_password: Authentication for user [adminocs] -> [adminocs] FAILED with error NT_STATUS_NO_SUCH_USER [2007/04/20 09:36:46, 2] smbd/server.c:exit_server(614) Closing connections We have tried using smaller and greater values of ldap timeout in smb.conf but it does not help. ( from 5 to 600) We have tried using smaller and greater values in the /etc/ldap.conf for bind_timelimit and timelimit (30 by default, from 5 to 300), but it does not help. Here is our smb.conf related to ldap : passdb backend = ldapsam:"ldap://itdsd1l1.altissemiconductor.com ldap://itdsd2l2.altissemiconductor.com" ldap passwd sync = Yes ldap admin dn = cn=samba,ou=DSA,ou=manuf,o=altissemiconductor.com,cn=mfg ldap suffix = ou=manuf,o=altissemiconductor.com,cn=mfg ldap group suffix = ou=Groups ldap user suffix = ou=Users ldap machine suffix = ou=Computers ldap timeout = 15 ldap ssl = start_tls Is there a way to change the bind/connect/network timeout for samba server to switch to the available ldap server node before the "search time limit exceeded" ? Do I miss something ?
Created attachment 2412 [details] ethereal traces with LDAP timeout = 15 test : using smblcient from the samba server 10.240.47.35 : Samba server 10.112.8.130 : Master LDAP server (stopped: does not respond to ping) 10.240.65.238 : Slave secondary LDAP server
Taking some ethereal traces, we see that there are multiple network TCP retries before TCP timeout is reached. As TCP timeout is much more longer than ldap timeout (default : 15 seconds), the samba server says : time limit exceeded. If we increase the ldap timeout (from 15 to 300), then the TCP timeout (about 3 minutes) is reached and the connection to the slave ldap server seems to be done, but too late : smb clients timeouts are smaller..... and 3 minutes is too much. Is there a way to setup ldap client librairies to use smaller "network timeout" ? (we have used timelimit and bind_timelimit with no success for Samba server).
yes, the timeouts do not work very well together. This problem is also handled by the latest patch from bug #3504.
Björn, any updates on the discussion we had regarding defaults? Do you have a new patch available? Volker
Created attachment 3304 [details] patch adding ldap connection timeout feature as requested on samba-techincal this is the extracted piece that just adds the ldap connection timeout without anything else. The "ldap connection timeout" is actualy a feature that was not covered by the "ldap timeout" parameter before. For that reason the default of the new "ldap connection timeout" is unrelated to the old "ldap timeout".
Patch is now in v3-3-test, v3-2-test and v3-2-stable (4307701b6ca3ac953 and 539210ea8e023afe7189). Will be included in 3.2.0rc2 and higher. Closing out bug report. Please reopen if it is still an issue.