Replicated Failover Domain Controller and file server using LDAP

SAMBA 3: FAILOVER DOMAIN CONTROLLER

SAMBA 3 EXTENSIONS

TECHNICAL CONFIGURATION

Author: Adrian Sender

Supervisor: Simo Sorce
Objectives

Samba Active Directory Upgrade Compatible
Set Standards
High Availability Cluster
Recommended By Developers

Overview

1.0: Configuring Samba
1.1 smb.conf PDC
1.2 smb.conf BDC
1.3 /etc/hosts
1.4 Samba Security

2.0: Configuring LDAP
2.1 slapd.conf Master
2.1.1 slapd.conf Master syncrepl Openldap2.2
2.1.2 slapd.conf Master delta-syncrepl Openldap2.3
2.2 slapd.conf Slave
2.2.1 slapd.conf Slave syncrepl Openldap2.2
2.2.2 slapd.conf Slave delta-syncrepl Openldap2.3
2.3 ldap.conf Master
2.4 ldap.conf Slave

3.0: Initialization LDAP Database
3.1 Provisioning Database
3.2 Preload LDIF
3.3 LDAP Population
3.4 Database Replication

4.0: User Management
4.1 smbldap-tools
4.1.1 smbldap.conf Master
4.1.2 smbldap.conf Slave

5.0: Heartbeat HA Configuration
5.1 Requirements
5.2 Installation
5.3 Configuration
5.3.1 ha.cf
5.3.2 haresources
5.3.3 authkeys
5.4 Testing

6.0: DRBD
6.1 Requirements
6.2 Installation
6.3 Configuration
6.3.1 drbd.conf
6.3.2 Initialization
6.4 Testing

7.0: BIND DNS
7.1 Configuration
7.1.1 named.conf
7.1.2 zone file

We will be configuring a 2-node cluster using Samba and OpenLDAP to provide Windows domain authentication. Heartbeat will give the 2 nodes one virtual IP address; we will use this address to map network drives and access resources, so clients never need to know which node is active.

Most of us are familiar with some form of RAID; we will be using DRBD, software RAID1 over the LAN, to provide real-time data replication. It replicates the data at block level. If node1 fails or becomes unresponsive, the resources are migrated to node2 and the DRBD drive is mounted there.

This is a complex setup and strict guidelines need to be followed in order to achieve stability.

We should start with 2 identical machines, each with 2 hard drives. One drive holds the operating system; the other is our DRBD RAID1-over-LAN drive.

By today's standards anything in the Pentium 4 range and above will suit. The operating system drive should be no less than approximately 40GB, and the DRBD replication drive approximately 300GB on each node; SATA and SCSI are also fine. DRBD can currently address and replicate data storage up to 4TB.

Once familiar with this kind of configuration you can easily take one node offline to add storage or upgrade hardware without users suffering.

High availability and data replication should not replace traditional backups such as tape and external media devices, especially if you are using this configuration and are not familiar with its workings: DRBD faithfully replicates a deleted or corrupted file to the other node too.

The machines will need to be in close proximity to each other so we can use a serial link to provide a fault-tolerant heartbeat. If you choose not to use serial you may have unexpected failovers due to network delay or a network card failure; a second, independent heartbeat path also reduces the risk of both nodes deciding they are active at the same time. Ideally we want a quick failover, so it is important that these precautions are taken.

Each node will require 2 network cards.

Here is a basic configuration overview:

Configuration Details: node1.differentialdesign.org

Eth0: LAN Network Address
    IP Address: 192.168.0.2
    Subnet Mask: 255.255.255.0
    Gateway: 192.168.0.1

Eth0:1: Heartbeat LAN Address (the cluster's virtual IP, nodes.differentialdesign.org; it moves to whichever node is active)
    IP Address: 192.168.0.4
    Subnet Mask: 255.255.255.0

Eth1: DRBD Replication Network
    IP Address: 10.0.0.1
    Subnet Mask: 255.255.255.0
    Gateway: None

HDC: Operating System Drive
HDD: DRBD Data Replication Drive
TTYS0: COM Port 1

Configuration Details: node2.differentialdesign.org

Eth0: LAN Network Address
    IP Address: 192.168.0.3
    Subnet Mask: 255.255.255.0
    Gateway: 192.168.0.1

Eth1: DRBD Replication Network
    IP Address: 10.0.0.2
    Subnet Mask: 255.255.255.0
    Gateway: None

HDC: Operating System Drive
HDD: DRBD Data Replication Drive
TTYS0: COM Port 1

OVERVIEW

1.0: Configuring Samba

Samba is an ambitious project to provide solutions for file and print sharing between Linux and Microsoft Windows.

If you are familiar with Samba this document may give you some ideas of how you can bundle different software packages together to produce a very reliable configuration.

We are building a fault-tolerant domain controller, which provides you with the following:

Samba Configuration

Primary Domain Controller: a master domain controller that provides authentication through the use of LDAP.

Backup Domain Controller: a slave domain controller that can load-balance client login requests and also provides redundancy through the use of a replica LDAP database.

Step 1

Get the latest version of Samba from http://us4.samba.org/samba/ftp/samba-latest.tar.gz. The download below is plain HTTP, so verify the detached GPG signature Samba publishes alongside the tarball before building it on a domain controller.

It is essential that both the PDC and BDC are running the same version of Samba.

[root@node1 samba]# wget http://us4.samba.org/samba/ftp/samba-latest.tar.gz
--19:28:04--  http://us4.samba.org/samba/ftp/samba-latest.tar.gz
           => `samba-latest.tar.gz'
Resolving us4.samba.org... 192.48.170.15
Connecting to us4.samba.org|192.48.170.15|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17,704,221 (17M) [application/x-tar]

100%[====================================>] 17,704,221    53.01K/s    ETA 00:00

19:33:40 (51.62 KB/s) - `samba-latest.tar.gz' saved [17704221/17704221]

Step 2

[root@node1 samba]# tar zxvf samba-latest.tar.gz
[root@node1 samba]# cd samba-3.0.23d/
[root@node1 samba-3.0.23d]# ls packaging/
bin/     Example/  Mandrake/  RedHat-9/  SGI/      SuSE/
Debian/  LSB/      README     RHEL/      Solaris/  sysv/

Step 3

Build the RPMs. This will take some time. The build script only needs to be executable; do not make it world-writable (chmod 777), as that lets any local user alter what runs as root in the next command.

[root@node1 samba-3.0.23d]# cd packaging/RHEL/
[root@node1 RHEL]# ls
makerpms.sh  makerpms.sh.tmpl  samba.spec  samba.spec.tmpl  setup
[root@node1 RHEL]# chmod u+x makerpms.sh
[root@node1 RHEL]# ./makerpms.sh
Wrote: /usr/src/redhat/SRPMS/samba-3.0.23d-1.src.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-3.0.23d-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-client-3.0.23d-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-common-3.0.23d-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-swat-3.0.23d-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-doc-3.0.23d-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-debuginfo-3.0.23d-1.i386.rpm
makerpms.sh: Done.
[root@node1 RHEL]#

Step 4

Install the RPM files we built from source.

[root@node1 RHEL]# cd /usr/src/redhat/RPMS/i386/
[root@node1 i386]# rpm -Uvh samba-3.0.23d-1.i386.rpm samba-client-3.0.23d-1.i386.rpm samba-common-3.0.23d-1.i386.rpm samba-debuginfo-3.0.23d-1.i386.rpm samba-doc-3.0.23d-1.i386.rpm samba-swat-3.0.23d-1.i386.rpm
Preparing...                ########################################### [100%]
   1:samba-common           warning: /etc/samba/smb.conf created as /etc/samba/smb.conf.rpmnew
########################################### [ 17%]
   2:samba                  ########################################### [ 33%]
ls: /var/cache/samba/eventlog/*tdb: No such file or directory
   3:samba-client           ########################################### [ 50%]
   4:samba-debuginfo        ########################################### [ 67%]
   5:samba-doc              ########################################### [ 83%]
   6:samba-swat             ########################################### [100%]
[root@node1 i386]#

Step 5

Log in to node2, the backup domain controller, and repeat the above steps so that both nodes run the identical build.

1.1: smb.conf PDC

You will need to replace the domain-specific parameters (workgroup, netbios name, the node host names, ldap suffix and ldap admin dn) with your own. Take note of the failover LDAP backends in "passdb backend": Samba tries the listed servers in order, so each node names its own LDAP server first and the other node's second, and authentication keeps working when either directory server is down.

[root@node1 ~]# mkdir /data
[root@node1 ~]# vi /etc/samba/smb.conf

# Primary Domain Controller smb.conf
# Global parameters
[global]
unix charset = LOCALE
workgroup = DDESIGN
netbios name = node1
#passdb backend = ldapsam:ldap://127.0.0.1
#passdb backend = ldapsam:"ldap://192.168.0.2 ldap://192.168.0.3"
passdb backend = ldapsam:"ldap://node1.differentialdesign.org ldap://node2.differentialdesign.org"
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 0
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'
delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p '%g'
delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%g' '%u'
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%g' '%u'
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
logon script = %u.bat
#logon path = \\192.168.0.4\profiles\%u
logon path = \\nodes.differentialdesign.org\profiles\%u
logon drive = H:
domain logons = Yes
domain master = Yes
wins support = Yes
ldap suffix = dc=differentialdesign,dc=org
ldap machine suffix = ou=Computers,ou=Users
ldap user suffix = ou=People,ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=sambaadmin,dc=differentialdesign,dc=org
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
printer admin = root
printing = cups

#========================Share Definitions=========================
[homes]
comment = Home Directories
valid users = %S
browseable = yes
writable = yes
create mask = 0600
directory mask = 0700

[netlogon]
comment = Network Logon Service
path = /data/samba/netlogon
writeable = yes
browseable = yes
read only = no

[profiles]
path = /data/samba/profiles
writeable = yes
browseable = no
read only = no
# 0777 masks let any domain user read or alter another user's roaming profile;
# the Samba HOWTO's profile share examples use create mask = 0600 and
# directory mask = 0700 here.
create mode = 0777
directory mode = 0777

[Documents]
comment = share to test samba
path = /data/documents
writeable = yes
browseable = yes
read only = no
valid users = "@Domain Users"

1.2: smb.conf BDC

[root@node2 ~]# mkdir /data
[root@node2 ~]# vi /etc/samba/smb.conf

# Backup Domain Controller smb.conf
# Global parameters
[global]
unix charset = LOCALE
workgroup = DDESIGN
netbios name = node2
#passdb backend = ldapsam:ldap://127.0.0.1
#passdb backend = ldapsam:"ldap://192.168.0.2 ldap://192.168.0.3"
passdb backend = ldapsam:"ldap://node2.differentialdesign.org ldap://node1.differentialdesign.org"
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
name resolve order = wins bcast hosts
printcap name = CUPS
show add printer wizard = No
logon script = %u.bat
#logon path = \\192.168.0.4\profiles\%u
logon path = \\nodes.differentialdesign.org\profiles\%u
logon drive = H:
domain logons = Yes
os level = 63
domain master = No
wins server = node1.differentialdesign.org
ldap suffix = dc=differentialdesign,dc=org
ldap machine suffix = ou=Computers,ou=Users
ldap user suffix = ou=People,ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=sambaadmin,dc=differentialdesign,dc=org
utmp = Yes
idmap backend = ldap://node1.differentialdesign.org
idmap uid = 10000-20000
idmap gid = 10000-20000
printing = cups

#========================Share Definitions=========================
[homes]
comment = Home Directories
valid users = %S
browseable = yes
writable = yes
create mask = 0600
directory mask = 0700

[netlogon]
comment = Network Logon Service
path = /data/samba/netlogon
writeable = yes
browseable = yes
read only = no

[profiles]
path = /data/samba/profiles
writeable = yes
browseable = no
read only = no
# see the note on these masks in the PDC configuration above
create mode = 0777
directory mode = 0777

[Documents]
comment = share to test samba
path = /data/documents
writeable = yes
browseable = yes
read only = no
valid users = "@Domain Users"

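The PDC and BDC configurations above must agree on several parameters or the domain quietly misbehaves (two domain masters, a BDC reading a different LDAP tree, no LDAP failover). The following is an added example, not code from the original page or from Samba: it parses the two smb.conf files, embedded here as constructed strings trimmed to the parameters the check uses, and reports any violation of those pairing rules.

```python
"""Consistency check for the PDC and BDC smb.conf files above.

Added example; this is not code from the original page or from Samba. The two
configurations are embedded as constructed strings trimmed to the parameters
the check needs, and the checks encode the rules the PDC/BDC split relies on:
one domain master, matching workgroup and LDAP suffix, a passdb backend that
lists both LDAP servers for failover, and WINS served by the PDC.
"""
import configparser

PDC_CONF = """
[global]
workgroup = DDESIGN
netbios name = node1
passdb backend = ldapsam:"ldap://node1.differentialdesign.org ldap://node2.differentialdesign.org"
domain logons = Yes
domain master = Yes
wins support = Yes
ldap suffix = dc=differentialdesign,dc=org
ldap admin dn = cn=sambaadmin,dc=differentialdesign,dc=org
[homes]
valid users = %S
"""

BDC_CONF = """
[global]
workgroup = DDESIGN
netbios name = node2
passdb backend = ldapsam:"ldap://node2.differentialdesign.org ldap://node1.differentialdesign.org"
domain logons = Yes
domain master = No
wins server = node1.differentialdesign.org
ldap suffix = dc=differentialdesign,dc=org
ldap admin dn = cn=sambaadmin,dc=differentialdesign,dc=org
[homes]
valid users = %S
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Samba uses '#' and ';' for comments and '%' macros in values, so
    interpolation is off; parameter names are lower-cased and their internal
    whitespace collapsed, which is how Samba compares them.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",),
                                   comment_prefixes=("#", ";"))
    cp.optionxform = lambda name: " ".join(name.lower().split())
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def ldap_urls(passdb_backend):
    """'ldapsam:"ldap://a ldap://b"' -> ['ldap://a', 'ldap://b']."""
    _, _, rest = passdb_backend.partition(":")
    return rest.strip().strip('"').split()


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def check_dc_pair(pdc_text, bdc_text):
    """Return the list of problems found; an empty list means the pair is consistent."""
    pdc = parse_smb_conf(pdc_text)["global"]
    bdc = parse_smb_conf(bdc_text)["global"]
    problems = []
    if pdc["workgroup"] != bdc["workgroup"]:
        problems.append("workgroup differs between PDC and BDC")
    if pdc["ldap suffix"] != bdc["ldap suffix"]:
        problems.append("ldap suffix differs: the BDC would use a different tree")
    if pdc["netbios name"] == bdc["netbios name"]:
        problems.append("both nodes use the same netbios name")
    # Exactly one domain master browser; two of them fight over the domain.
    masters = [name for name, conf in (("PDC", pdc), ("BDC", bdc))
               if is_yes(conf.get("domain master", "no"))]
    if masters != ["PDC"]:
        problems.append("domain master must be Yes on the PDC only, got %s" % masters)
    for name, conf in (("PDC", pdc), ("BDC", bdc)):
        if not is_yes(conf.get("domain logons", "no")):
            problems.append("%s: domain logons must be Yes" % name)
        urls = ldap_urls(conf["passdb backend"])
        if len(set(urls)) < 2:
            problems.append("%s: passdb backend lists %s only, no LDAP failover" % (name, urls))
    if not is_yes(pdc.get("wins support", "no")):
        problems.append("PDC: wins support should be Yes")
    if "wins server" not in bdc:
        problems.append("BDC: wins server should name the PDC")
    return problems


if __name__ == "__main__":
    for problem in check_dc_pair(PDC_CONF, BDC_CONF) or ["configs are consistent"]:
        print(problem)
```

Run it against the real files by reading /etc/samba/smb.conf from each node into the two strings; the check deliberately stays independent of Samba's own testparm, which validates one file in isolation and cannot see that the pair disagrees.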
1.3: /etc/hosts

In order to resolve names to IP addresses correctly we need some form of name resolution. We already have a DNS server capable of this, as per section 7.0: BIND DNS. However, it is desirable to have a fallback, such as entries in the /etc/hosts file, so that the nodes can still find each other (and the LDAP servers named in smb.conf and ldap.conf) if DNS is unavailable during a failover.

Step 1

On node1 we will edit the hosts file to reflect our configuration.

[root@node1 ~]# vi /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       node1 localhost.localdomain localhost
192.168.0.2     node1.differentialdesign.org
192.168.0.3     node2.differentialdesign.org
192.168.0.4     nodes.differentialdesign.org

Step 2

Log in to node2 and edit the /etc/hosts file.

[root@node2 ~]# vi /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       node2 localhost.localdomain localhost
192.168.0.2     node1.differentialdesign.org
192.168.0.3     node2.differentialdesign.org
192.168.0.4     nodes.differentialdesign.org

1.4: Samba Security

There are many additional features we can use to make Samba more secure; several of them are simply extra parameters in smb.conf.

One of the most useful is the "hosts allow" parameter. Set in the [global] section it applies to every share; set inside a share definition it applies to that share only and overrides the global value for it.

The example below limits access to all Samba shares to clients on the 192.168.0.0/24 network, because it is defined in the [global] section:

## /etc/samba/smb.conf
## Global parameters
[global]
workgroup = DDESIGN
security = user
hosts allow = 192.168.0.0/24

For finer control the option can be used on a per-share basis. Take care with the address form: Samba applies the netmask to both the entry and the client address before comparing them, so "192.168.0.100/24" would admit every host in 192.168.0.0/24, not one machine. To restrict a share to a single client, give the bare address; multiple addresses can be listed separated by spaces or commas, and "EXCEPT" can carve hosts out of a network.

This limits access to the Documents share to the client at 192.168.0.100:

## /etc/samba/smb.conf
## ==== Share Definitions =====
[Documents]
comment = share to test samba
path = /data/documents
writeable = yes
browseable = yes
read only = no
valid users = "@Domain Users"
hosts allow = 192.168.0.100

Remember that "hosts allow" only checks the client's IP address, which is easy to spoof on a local segment; it is a fence around the domain controllers, not a substitute for the user authentication that "valid users" enforces.

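To make the address-matching point concrete, here is an added example that models how Samba evaluates a "hosts allow" value for an IPv4 client. It is not Samba's code; it reproduces the documented matching rules for the forms used on this page (a bare address, address/bits, address/dotted-mask, a leading-octets prefix such as "192.168.0.", and EXCEPT) so that the difference between 192.168.0.100/24 and 192.168.0.100 can be seen directly.

```python
"""Model of Samba's 'hosts allow' matching for IPv4 clients.

Added example, not Samba's own code. It follows the documented rules: an
entry of the form address/mask is compared after masking BOTH the entry and
the client address, so the host bits of the entry are ignored and
'192.168.0.100/24' admits the whole 192.168.0.0/24 network.
"""
import ipaddress


def _netmask(mask_text):
    """Turn '24' or '255.255.255.0' into an IPv4 netmask address."""
    if "." in mask_text:
        return ipaddress.IPv4Address(mask_text)
    return ipaddress.IPv4Network("0.0.0.0/%d" % int(mask_text)).netmask


def entry_matches(entry, client):
    """True if a single hosts-allow entry admits the client IPv4 address."""
    client = ipaddress.IPv4Address(client)
    if entry.upper() == "ALL":
        return True
    if entry.endswith("."):
        # Leading-octets form: '192.168.0.' matches 192.168.0.x.
        return str(client).startswith(entry)
    if "/" not in entry:
        return client == ipaddress.IPv4Address(entry)
    addr, _, mask_text = entry.partition("/")
    mask = int(_netmask(mask_text))
    # Both sides are masked, so 192.168.0.100/24 behaves like 192.168.0.0/24.
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(client) & mask)


def hosts_allow(value, client):
    """Evaluate a complete 'hosts allow' value, honouring the EXCEPT keyword."""
    tokens = value.replace(",", " ").split()
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        allowed, denied = tokens[:i], tokens[i + 1:]
    else:
        allowed, denied = tokens, []
    if any(entry_matches(e, client) for e in denied):
        return False
    return any(entry_matches(e, client) for e in allowed)


def admitted_hosts(entry, network):
    """Every address in `network` that a single entry admits."""
    return [str(h) for h in ipaddress.IPv4Network(network)
            if entry_matches(entry, str(h))]


if __name__ == "__main__":
    # The page's per-share example versus the corrected one.
    print(len(admitted_hosts("192.168.0.100/24", "192.168.0.0/24")), "hosts admitted by 192.168.0.100/24")
    print(admitted_hosts("192.168.0.100", "192.168.0.0/24"), "admitted by 192.168.0.100")
```

admitted_hosts("192.168.0.100/24", "192.168.0.0/24") returns all 256 addresses of the subnet, while the bare entry returns exactly one; that is the behaviour to expect from smbd with the two settings.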
2.0: Configuring LDAP

It is necessary to use LDAP as the backend to Samba; the directory is what gets replicated to the Backup Domain Controller.

There are two methods of replication. The original one uses OpenLDAP's "slurpd" in a Master/Slave arrangement: the master pushes changes to each slave listed by a "replica" directive in the master's slapd.conf. This is the relevant excerpt from 2.1: slapd.conf Master (192.168.0.3 is node2):

replica host=192.168.0.3:389
    suffix="dc=differentialdesign,dc=org"
    binddn="cn=syncuser,dc=differentialdesign,dc=org"
    bindmethod=simple credentials=SyncUser

slurpd binds to the slave as the syncuser DN with the password given in "credentials=SyncUser", and the slave must name the same DN as its "updatedn". Initially you will need to populate the slave database by hand, as described in section 3.4 Database Replication.

The main restriction of this original design is that slapd must be restarted on both the master and the slave whenever a replica is added.

LDAP Replication Configuration (slurpd)

Master: the master LDAP database, replicated in real time to the backup domain controller.

Slave(s): a slave LDAP database that provides load-balanced authentication and can be used as a failover if the master becomes unavailable.

LDAP Replication Configuration (syncrepl)

Provider: the LDAP database that holds the most up-to-date version of the data.

Consumer(s): a consumer that requests updates from the provider and provides load balancing.

The alternative is syncrepl, which is built into slapd itself, so no separate slurpd daemon is needed to replicate the database.

Syncrepl has two modes of operation. In "refreshOnly" the consumer polls the provider at a fixed interval; "interval=00:00:10:00" (dd:hh:mm:ss) polls every 10 minutes. The more desirable mode is "refreshAndPersist": the consumer holds a persistent connection to the provider and receives changes as they are made, and instead of a polling interval it has a reconnect schedule such as retry="30 10 300 +", meaning retry 10 times at 30-second intervals and then every 300 seconds indefinitely ("+"). Delta-syncrepl, available from OpenLDAP 2.3, builds on this: the provider records writes in an accesslog database and the consumer replicates only the changed attributes instead of whole entries, which gives performance similar to slurpd.

The syncrepl implementation in OpenLDAP 2.2 is known to be buggy, and delta-syncrepl does not exist before 2.3, so on 2.2 you are better off with standard syncrepl in refreshOnly mode.

With syncrepl, slapd on the provider does not need to be restarted when a consumer is added; the consumer connects and requests the data itself.

Whichever method you use, treat the replication account as a high-value credential. The ACLs below let cn=syncuser read every userPassword, sambaLMPassword and sambaNTPassword in the directory, and its cleartext password sits in slapd.conf on both nodes; keep those files readable only by root and the user slapd runs as. With the plain ldap:// URLs used here the hashes also cross the LAN unencrypted on every replication.

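The "interval" and "retry" formats above are easy to get wrong (the field order is dd:hh:mm:ss, and a "+" anywhere but the last pair silently disables the pairs after it). The following is an added example, not OpenLDAP code, that decodes both values and expands a retry schedule into the moments at which a consumer would try to reconnect, so a setting can be sanity-checked before it is deployed.

```python
"""Decode syncrepl 'interval=' and 'retry=' values.

Added example, not part of OpenLDAP. interval is dd:hh:mm:ss; retry is a
list of "<seconds> <count>" pairs where a count of '+' means retry forever.
"""


def interval_seconds(spec):
    """'00:06:00:00' -> 21600 (six hours); raises ValueError on bad input."""
    parts = spec.split(":")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("interval must be dd:hh:mm:ss, got %r" % spec)
    days, hours, minutes, seconds = (int(p) for p in parts)
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def retry_schedule(spec):
    """'30 10 300 +' -> [(30, 10), (300, None)]; None means unlimited."""
    tokens = spec.strip().strip('"').split()
    if not tokens or len(tokens) % 2:
        raise ValueError("retry needs <seconds> <count> pairs, got %r" % spec)
    schedule = []
    for wait, count in zip(tokens[::2], tokens[1::2]):
        schedule.append((int(wait), None if count == "+" else int(count)))
    # A '+' before the last pair means the later pairs can never be reached.
    if any(count is None for _, count in schedule[:-1]):
        raise ValueError("'+' is only meaningful in the last pair: %r" % spec)
    return schedule


def retry_times(schedule, horizon):
    """Seconds after a connection loss at which each reconnect fires, up to horizon."""
    times, elapsed = [], 0
    for wait, count in schedule:
        attempts = 0
        while count is None or attempts < count:
            elapsed += wait
            if elapsed > horizon:
                return times
            times.append(elapsed)
            attempts += 1
    return times


def gives_up_after(schedule):
    """Seconds after which the consumer stops retrying, or None if it never stops."""
    if schedule[-1][1] is None:
        return None
    return sum(wait * count for wait, count in schedule)


if __name__ == "__main__":
    print("refreshOnly poll every", interval_seconds("00:06:00:00"), "s")
    sched = retry_schedule('"30 10 300 +"')
    print("reconnect attempts in first 20 min:", retry_times(sched, 1200))
    print("gives up after:", gives_up_after(sched))
```

For the consumer in 2.2.1 below, interval_seconds("00:06:00:00") shows that a password changed on the PDC may take up to six hours to reach the BDC; for the 2.2.2 consumer, retry_schedule('"60 +"') confirms it reconnects every minute for ever.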
2.1: slapd.conf Master

This is the original method for replicating the database to slave LDAP servers. We are using slurpd, which has been around for a long time and has proven itself to be stable.

This configuration file should work on any version of OpenLDAP that still ships slurpd.

Two notes on the file. "rootpw" is shown as the cleartext string Manager for readability; in production put the output of slappasswd (an {SSHA} hash) there instead, so that the directory's superuser password is not recoverable from the file. The final ACL's "by * read" grants anonymous clients read access to every attribute except the password ones; if you do not want unauthenticated users enumerating accounts, machines and SIDs, change it to "by users read" and give nss_ldap a low-privilege bind DN.

# /etc/openldap/slapd.conf
# using slurpd
# LDAP Master
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix "dc=differentialdesign,dc=org"
rootdn "cn=Manager,dc=differentialdesign,dc=org"
# cleartext for illustration only; use the {SSHA} output of slappasswd here
rootpw Manager
directory /var/lib/ldap

replica host=node2.differentialdesign.org:389
    suffix="dc=differentialdesign,dc=org"
    binddn="cn=syncuser,dc=differentialdesign,dc=org"
    bindmethod=simple credentials=SyncUser
replogfile /var/lib/ldap/replogfile

access to attrs=userPassword
    by self write
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read
    by * auth

access to attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read

access to *
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read
    by * read

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

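Every slapd.conf in this section carries "rootpw Manager" in cleartext. The following added example (not OpenLDAP code, and not part of the original page) produces and verifies hashes in the same {SSHA} format that slappasswd emits and slapd accepts, so the rootpw lines can hold a salted hash instead; the password values in it are constructed for the demonstration.

```python
"""Generate and verify OpenLDAP {SSHA} password hashes.

Added example, not OpenLDAP's code. {SSHA} is the format slappasswd emits
by default: base64(SHA1(password + salt) + salt). slapd verifies a bind by
re-hashing the offered password with the salt stored after the 20-byte
digest, which is what ssha_verify() does below.
"""
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 output size


def ssha_hash(password, salt=None):
    """Return a '{SSHA}...' string for password; random 4-byte salt unless given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a stored '{SSHA}...' value in constant time."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} hash")
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def rootpw_line(password):
    """The slapd.conf directive to use instead of a cleartext rootpw."""
    return "rootpw %s" % ssha_hash(password)


if __name__ == "__main__":
    # Constructed password for the demonstration; never reuse the page's "Manager".
    print(rootpw_line("correct horse battery staple"))
```

The hash is salted, so the same password yields a different string each run; what matters is that ssha_verify() accepts it. Note that {SSHA} only protects the stored value: the password itself still travels in cleartext on every simple bind over ldap://, which is a separate problem to solve with TLS.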
2.1.1: slapd.conf Master syncrepl Openldap2.2

This is the master slapd.conf using syncrepl instead of the traditional slurpd method.

This configuration file is specifically designed for OpenLDAP 2.2 and supports syncrepl refreshOnly mode. Note that an OpenLDAP 2.2 provider needs no replica directive and no replogfile: the consumer does the work by searching this server as cn=syncuser, which is why that DN needs read access to the password attributes below.

# slapd.conf Master syncrepl Openldap2.2
# Provider
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix "dc=differentialdesign,dc=org"
rootdn "cn=Manager,dc=differentialdesign,dc=org"
# cleartext for illustration only; use the {SSHA} output of slappasswd here
rootpw Manager
directory /var/lib/ldap

access to attrs=userPassword
    by self write
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read
    by * auth

access to attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read

access to *
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read
    by * read

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

2.1.2: slapd.conf Master delta-syncrepl Openldap2.3

This configuration file uses OpenLDAP's newest features. We will be using delta-syncrepl, which supports refreshAndPersist with performance similar to that of slurpd.

The slapd.conf below will only run on OpenLDAP 2.3.

Take note of "modulepath /usr/lib/openldap2.3" in the file; you will need to change this to wherever syncprov.la and accesslog.la are installed on your system.

# slapd.conf Master delta-syncrepl Openldap2.3
# Provider
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

modulepath /usr/lib/openldap2.3
moduleload syncprov.la
moduleload accesslog.la

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Accesslog database definitions
database bdb
suffix cn=accesslog
directory /var/lib/ldap/accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart

overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

# Samba database
database bdb
suffix "dc=differentialdesign,dc=org"
directory /var/lib/ldap
rootdn "cn=Manager,dc=differentialdesign,dc=org"
# cleartext for illustration only; use the {SSHA} output of slappasswd here
rootpw Manager
index entryCSN eq
index entryUUID eq

overlay syncprov
syncprov-checkpoint 1000 60

# accesslog overlay definitions for primary db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00

access to attrs=userPassword
    by self write
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read
    by * auth

access to attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read

access to *
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
    by dn="cn=syncuser,dc=differentialdesign,dc=org" read
    by * read

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

Note that the accesslog database records every successful write, including password changes, so /var/lib/ldap/accesslog needs the same file permissions as the main database directory. Syncrepl consumers read the accesslog through the same ACLs as the primary database, so the "access to" directives apply before the consumer's cn=syncuser bind can retrieve a change record.

2.2: slapd.conf Slave

This is the slave side of the original slurpd method. We are using slurpd, which has been around for a long time and has proven itself to be stable.

This configuration file should work on any version of OpenLDAP that still ships slurpd. The "updatedn" must be the same DN the master's replica directive binds as, and "updateref" makes the slave refer any client that tries to write here back to the master, so Samba on the BDC never modifies the replica directly.

# /etc/openldap/slapd.conf
# using slurpd
# LDAP Slave
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix "dc=differentialdesign,dc=org"
rootdn "cn=Manager,dc=differentialdesign,dc=org"
# cleartext for illustration only; use the {SSHA} output of slappasswd here
rootpw Manager

access to attrs=userPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
    by dn="cn=syncuser,dc=differentialdesign,dc=org" write
    by * auth

access to attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
    by dn="cn=syncuser,dc=differentialdesign,dc=org" write

access to *
    by dn="cn=syncuser,dc=differentialdesign,dc=org" write
    by * read

updatedn cn=syncuser,dc=differentialdesign,dc=org
updateref ldap://node1.differentialdesign.org
directory /var/lib/ldap

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

2.2.1: slapd.conf Slave syncrepl Openldap2.2

This is the consumer configuration for OpenLDAP 2.2 using the syncrepl refreshOnly method.

This configuration file will only work with OpenLDAP 2.2. The consumer polls the provider every six hours ("interval=00:06:00:00" is dd:hh:mm:ss), so a password change or new machine account made on the PDC can take up to that long to appear on the BDC; shorten the interval if that lag is unacceptable.

# slapd.conf Slave syncrepl Openldap2.2
# LDAP Consumer
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix "dc=differentialdesign,dc=org"
rootdn "cn=Manager,dc=differentialdesign,dc=org"
# cleartext for illustration only; use the {SSHA} output of slappasswd here
rootpw Manager
directory /var/lib/ldap

syncrepl rid=0
    provider=ldap://node1.differentialdesign.org:389
    binddn="cn=syncuser,dc=differentialdesign,dc=org"
    bindmethod=simple
    credentials=SyncUser
    searchbase="dc=differentialdesign,dc=org"
    filter="(objectClass=*)"
    attrs="*"
    schemachecking=off
    scope=sub
    type=refreshOnly
    # dd:hh:mm:ss - poll the provider every 6 hours
    interval=00:06:00:00

access to attrs=userPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
    by dn="cn=syncuser,dc=differentialdesign,dc=org" write
    by * auth

access to attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
    by dn="cn=syncuser,dc=differentialdesign,dc=org" write

access to *
    by dn="cn=syncuser,dc=differentialdesign,dc=org" write
    by * read

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

2.2.2: slapd.conf Slave delta-syncrepl Openldap2.3

This is the consumer configuration for OpenLDAP 2.3 using delta-syncrepl in refreshAndPersist mode. The consumer keeps a connection open to the provider and receives each successful write from the provider's cn=accesslog database as it happens; if the connection drops, retry="60 +" makes it reconnect every 60 seconds indefinitely. As with the slurpd slave, "updateref" sends client writes back to node1.

# slapd.conf Slave delta-syncrepl Openldap2.3
# LDAP Consumer
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix "dc=differentialdesign,dc=org"
directory /var/lib/ldap
rootdn "cn=Manager,dc=differentialdesign,dc=org"
# cleartext for illustration only; use the {SSHA} output of slappasswd here
rootpw Manager

# syncrepl directives
syncrepl rid=0
    provider=ldap://node1.differentialdesign.org:389
    bindmethod=simple
    binddn="cn=syncuser,dc=differentialdesign,dc=org"
    credentials=SyncUser
    searchbase="dc=differentialdesign,dc=org"
    logbase="cn=accesslog"
    logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
    schemachecking=on
    type=refreshAndPersist
    # reconnect every 60 seconds, for ever, after a lost connection
    retry="60 +"
    syncdata=accesslog

access to attrs=userPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
    by dn="cn=syncuser,dc=differentialdesign,dc=org" write
    by * auth

access to attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
    by dn="cn=syncuser,dc=differentialdesign,dc=org" write

access to *
    by dn="cn=syncuser,dc=differentialdesign,dc=org" write
    by * read

updateref ldap://node1.differentialdesign.org

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

2.3: ldap.conf Master

You will notice in the "host" option below that we list both the primary and the secondary LDAP server. This gives nss_ldap and pam_ldap a failover if the local LDAP database is inaccessible. The same applies to the slave configuration in 2.4: ldap.conf Slave, with the order reversed so each node prefers its local server.

Two points about these files deserve attention before they go on a domain controller. First, they bind as the directory's rootdn (cn=Manager) with its cleartext password, and /etc/ldap.conf is world-readable by default, so every local user of the node can read the superuser password and modify any entry, sambaNTPassword included. Use a dedicated low-privilege DN for nss_ldap, or no binddn at all (the ACLs above already allow anonymous read of the non-password attributes), and keep the rootdn password out of this file. Second, "ssl no" together with the ldap:// URLs elsewhere means nss_ldap lookups, Samba's ldapsam queries and the replication traffic all cross the LAN in cleartext; the NT hashes they carry are password-equivalent for NTLM authentication. OpenLDAP supports TLS (ldaps:// or StartTLS), and Samba's own LDAP connections can be protected with "ldap ssl = start tls" in smb.conf.

#/etc/ldap.conf
# LDAP Master
host node1.differentialdesign.org node2.differentialdesign.org
base dc=differentialdesign,dc=org
# bind as a low-privilege account, not the rootdn, on a production system
binddn cn=Manager,dc=differentialdesign,dc=org
bindpw Manager
pam_password exop
nss_base_passwd ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_passwd ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_group ou=Groups,dc=differentialdesign,dc=org?one
ssl no

2.4: ldap.conf Slave

#/etc/ldap.conf
# LDAP Slave
host node2.differentialdesign.org node1.differentialdesign.org
base dc=differentialdesign,dc=org
# bind as a low-privilege account, not the rootdn, on a production system
binddn cn=Manager,dc=differentialdesign,dc=org
bindpw Manager
pam_password exop
nss_base_passwd ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_passwd ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_group ou=Groups,dc=differentialdesign,dc=org?one
ssl no

3.0: Initialization LDAP Database

Initial LDAP database population

There are many ways to initialize the LDAP database backend for Samba, and many scripts to help you out; however, these lose our initial control of the database and can lead to issues such as database management.

Once your server is up and running with users on it, the database cannot really be manipulated without knowing the full workings of LDAP, so many of us are stuck with what we created.

The future of Samba is changing to Active Directory; we keep this in mind when creating the database so that there is an easier upgrade path when migrating to Samba4; eventually Samba4 will be able to support OpenLDAP as a modular backend.

3.1: Provisioning Database

We are going to manually create our initial LDAP database in a text file and be confident to use it in a full production environment.

Our LDAP database structure will look like the following if using the preload LDIF as per section 3.2 Preload LDIF:

|-Samba Base
|---Manager
|------syncuser
|------sambaadmin
|------mailadmin
|---------Users
|-----------People
|-------------------root
|-------------------asender
|-------------------simo
|-----------Computers
|-------------------workstation1$
|-------------------workstation2$
|---------Groups
|-----------Domain Admins
|-------------------root
|-----------Domain Users
|-------------------root
|-------------------asender
|-------------------simo
|-----------Domain Guests
|-------------------nobody
|-----------Domain Computers
|-------------------workstation1$
|-------------------workstation2$
|---------Domains
|-----------sambaDomainName

Step1

Delete all runtime files from prior Samba operation by executing:

[root@node1]# rm /etc/samba/*tdb
[root@node1]# rm /var/lib/samba/*tdb
[root@node1]# rm /var/lib/samba/*dat
[root@node1]# rm /var/log/samba/*

Step2

Delete any previous LDAP database:

[root@node1]# cd /var/lib/ldap
[root@node1]# rm -rf *

Step3

Login to node2, the backup domain controller, and do the same.

Step4

[root@node1 ~]# net getlocalsid
SID for domain NODE1 is: S-1-5-21-3809161173-2687474671-1432921517

Your SID will differ from the one above; you will need to alter the preload LDIF as per below.

Step5

Login to your backup domain controller (node2) and type the following command, using the SID obtained in Step4.

[root@node2 ~]# net setlocalsid S-1-5-21-3809161173-2687474671-1432921517

3.2: Preload LDIF

Step1

Create a text file containing the following contents.

[root@node1]# vi preload-differentialdesign.ldif

Substitute SID S-1-5-21-3809161173-2687474671-1432921517 with your domain SID, being sure to leave the SID group mapping.

Substitute dc=differentialdesign,dc=org with your fully qualified domain name.

Substitute sambaDomainName: DDESIGN with your Samba Domain Name.

#SAMBA LDAP PRELOAD
# Substitute SID S-1-5-21-3809161173-2687474671-1432921517 with your domain SID, be sure
# to leave the SID group mapping.
# Substitute dc=differentialdesign,dc=org with your fully qualified domain name.
# Substitute sambaDomainName: DDESIGN with your Samba Domain Name
##The user to bind Samba to LDAP is defined in our smb.conf;
##[root@node1]# smbpasswd -w SambaAdmin
##[root@node2]# smbpasswd -w SambaAdmin
#SID S-1-5-21-3809161173-2687474671-1432921517

dn: dc=differentialdesign,dc=org
objectClass: dcObject
objectClass: organization
dc: differentialdesign
o: DDESIGN
description: Posix and Samba LDAP Identity Database

dn: cn=Manager,dc=differentialdesign,dc=org
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: cn=syncuser,dc=differentialdesign,dc=org
objectClass: person
cn: syncuser
sn: syncuser
userPassword: SyncUser

dn: cn=sambaadmin,dc=differentialdesign,dc=org
objectClass: person
cn: sambaadmin
sn: sambaadmin
userPassword: SambaAdmin

dn: cn=mailadmin,dc=differentialdesign,dc=org
objectClass: person
cn: mailadmin
sn: mailadmin
userPassword: MailAdmin

dn: ou=Users,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Users

dn: ou=People,ou=Users,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Computers,ou=Users,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Computers

dn: ou=Groups,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Groups

dn: ou=Domains,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Domains

dn: sambaDomainName=DDESIGN,ou=Domains,dc=differentialdesign,dc=org
objectClass: sambaDomain
objectClass: sambaUnixIdPool
uidNumber: 1000
gidNumber: 1000
sambaDomainName: DDESIGN
sambaSID: S-1-5-21-3809161173-2687474671-1432921517
sambaAlgorithmicRidBase: 1000
structuralObjectClass: sambaDomain

dn: cn=Domain Admins,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-512
sambaGroupType: 2
displayName: Domain Admins
description: Domain Administrators

dn: cn=Domain Users,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-513
sambaGroupType: 2
displayName: Domain Users
description: Domain Users

dn: cn=Domain Guests,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-514
sambaGroupType: 2
displayName: Domain Guests
description: Domain Guests

dn: cn=Domain Computers,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-515
sambaGroupType: 2
displayName: Domain Computers
description: Domain Computers

dn: cn=Administrators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-544
sambaGroupType: 5
displayName: Administrators
description: Administrators

dn: cn=Account Operators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-548
sambaGroupType: 5
displayName: Account Operators
description: Account Operators

dn: cn=Print Operators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-550
sambaGroupType: 5
displayName: Print Operators
description: Print Operators

dn: cn=Backup Operators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-551
sambaGroupType: 5
displayName: Backup Operators
description: Backup Operators

dn: cn=Replicators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-552
sambaGroupType: 5
displayName: Replicators
description: Replicators

3.3: LDAP population

Now it's time to populate the database with the LDIF that we edited to match our domain details as per section 3.2: Preload LDIF.

Step1.

Make sure LDAP is not running.

[root@node1]# vi /var/lib/ldap/DB_CONFIG

#DB_CONFIG
set_cachesize 0 150000000 1
set_lg_regionmax 262144
set_lg_bsize 2097152
set_flags DB_LOG_AUTOREMOVE

Step2.

This step is necessary if you are using delta-syncrepl as per section 2.1.2: slapd.conf Master delta-syncrepl Openldap2.3.

Because we are using multiple databases on the Provider it is necessary to place an additional DB_CONFIG file inside the accesslog database directory.

[root@node1]# mkdir /var/lib/ldap/accesslog
[root@node1]# cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog

Step3.

[root@node1]# cd /ldap-scripts/
[root@node1 scripts]# slapadd -b "dc=differentialdesign,dc=org" -v -l preload-differentialdesign.ldif

added: "dc=differentialdesign,dc=org" (00000001)
added: "cn=Manager,dc=differentialdesign,dc=org" (00000002)
added: "cn=syncuser,dc=differentialdesign,dc=org" (00000003)
added: "cn=sambaadmin,dc=differentialdesign,dc=org" (00000004)
added: "cn=mailadmin,dc=differentialdesign,dc=org" (00000005)
added: "ou=Users,dc=differentialdesign,dc=org" (00000006)
added: "ou=People,ou=Users,dc=differentialdesign,dc=org" (00000007)
added: "ou=Computers,ou=Users,dc=differentialdesign,dc=org" (00000008)
added: "ou=Groups,dc=differentialdesign,dc=org" (00000009)
added: "ou=Domains,dc=differentialdesign,dc=org" (0000000a)
added: "sambaDomainName=DDESIGN,ou=Domains,dc=differentialdesign,dc=org" (0000000b)
added: "cn=Domain Admins,ou=Groups,dc=differentialdesign,dc=org" (0000000c)
added: "cn=Domain Users,ou=Groups,dc=differentialdesign,dc=org" (0000000d)
added: "cn=Domain Guests,ou=Groups,dc=differentialdesign,dc=org" (0000000e)
added: "cn=Domain Computers,ou=Groups,dc=differentialdesign,dc=org" (000000f)
added: "cn=Administrators,ou=Groups,dc=differentialdesign,dc=org" (00000010)
added: "cn=Account Operators,ou=Groups,dc=differentialdesign,dc=org" (00000011)
added: "cn=Print Operators,ou=Groups,dc=differentialdesign,dc=org" (00000012)
added: "cn=Backup Operators,ou=Groups,dc=differentialdesign,dc=org" (00000013)
added: "cn=Replicators,ou=Groups,dc=differentialdesign,dc=org" (00000014)

Step4.

[root@node1]# chown -R ldap.ldap /var/lib/ldap

Step5.

The user Samba binds to LDAP with is defined in our smb.conf; the password we store here is sambaadmin's password as set in preload-differentialdesign.ldif.

The sambaadmin entry in preload-differentialdesign.ldif has the password "SambaAdmin":

dn: cn=sambaadmin,dc=differentialdesign,dc=org
objectClass: person
cn: sambaadmin
sn: sambaadmin
userPassword: SambaAdmin

[root@node1 scripts]# smbpasswd -w SambaAdmin
Setting stored password for "cn=sambaadmin,dc=differentialdesign,dc=org" in secrets.tdb

[root@node1 ~]# service ldap restart
Stopping slapd: [ OK ]
Stopping slurpd: [ OK ]
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
Starting slurpd: [ OK ]

[root@node1 ~]# service smb restart
Shutting down SMB services: [ OK ]
Shutting down NMB services: [ OK ]
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]

Step6.

Adding initial users with the smbldap-tools: skip to section 4.1: smbldap-tools and install them on node1.

[root@node1 scripts]# cd /opt/IDEALX/sbin/
[root@node1 sbin]# ./smbldap-useradd -m -a root
[root@node1 sbin]# ./smbldap-passwd root
Changing password for root
New password :
Retype new password :
[root@node1 ]# smbpasswd -a
New SMB password:
Retype new SMB password:
Added user root.
[root@node1 sbin]# ./smbldap-groupmod -m root Domain\ Admins
adding user root to group Domain Admins

[root@node1 ~]# cd /opt/IDEALX/sbin/
[root@node1 sbin]# ./smbldap-useradd -m -a asender
[root@node1 sbin]#
[root@node1 sbin]# ./smbldap-passwd asender
Changing password for asender
New password :
Retype new password :
[root@node1 sbin]#
[root@node1 sbin]# smbpasswd asender
New SMB password:
Retype new SMB password:
[root@node1 sbin]#
[root@node1 sbin]# id asender
uid=1001(asender) gid=513(Domain Users) groups=513(Domain Users)

Step7

You are now ready to join a Windows machine to the domain with user 'root'.

We will need to set up our BDC, Heartbeat and DRBD to match our configuration.

3.4: Database Replication

If we choose to use syncrepl instead of the slurpd daemon, as per sections 2.2.1 slapd.conf Slave syncrepl Openldap2.2 and 2.2.2 slapd.conf Slave delta-syncrepl Openldap2.3, there is no need to do this section: the database will be copied across initially when the consumer is restarted.

Step1.

Dump the LDAP database and copy it across to node2.

[root@node1 ~]# slapcat -b "dc=differentialdesign,dc=org" -v -l transfer.ldif

# id=00000001
# id=00000002
# id=00000003
# id=00000004
# id=00000005
# id=00000006
# id=00000007
# id=00000008
# id=00000009
# id=0000000a
# id=0000000b
# id=0000000c
# id=0000000d
# id=0000000e
# id=0000000f
# id=00000010
# id=00000011
# id=00000012
# id=00000013
# id=00000014
# id=00000015
# id=00000017
# id=00000018

[root@node1 ~]# scp transfer.ldif root@node2:/root/

Step2.

Load the database on node2.

[root@node2 ~]# slapadd -b "dc=differentialdesign,dc=org" -v -l transfer.ldif
added: "dc=differentialdesign,dc=org" (00000001)
added: "cn=Manager,dc=differentialdesign,dc=org" (00000002)
added: "cn=syncuser,dc=differentialdesign,dc=org" (00000003)
added: "cn=sambaadmin,dc=differentialdesign,dc=org" (00000004)
added: "cn=mailadmin,dc=differentialdesign,dc=org" (00000005)
added: "ou=Users,dc=differentialdesign,dc=org" (00000006)
added: "ou=People,ou=Users,dc=differentialdesign,dc=org" (00000007)
added: "ou=Computers,ou=Users,dc=differentialdesign,dc=org" (00000008)
added: "ou=Groups,dc=differentialdesign,dc=org" (00000009)
added: "ou=Domains,dc=differentialdesign,dc=org" (0000000a)
added: "sambaDomainName=DDESIGN,ou=Domains,dc=differentialdesign,dc=org" (0000000b)
added: "cn=Domain Admins,ou=Groups,dc=differentialdesign,dc=org" (0000000c)
added: "cn=Domain Users,ou=Groups,dc=differentialdesign,dc=org" (0000000d)
added: "cn=Domain Guests,ou=Groups,dc=differentialdesign,dc=org" (0000000e)
added: "cn=Domain Computers,ou=Groups,dc=differentialdesign,dc=org" (000000f)
added: "cn=Administrators,ou=Groups,dc=differentialdesign,dc=org" (00000010)
added: "cn=Account Operators,ou=Groups,dc=differentialdesign,dc=org" (00000011)
added: "cn=Print Operators,ou=Groups,dc=differentialdesign,dc=org" (00000012)
added: "cn=Backup Operators,ou=Groups,dc=differentialdesign,dc=org" (00000013)
added: "cn=Replicators,ou=Groups,dc=differentialdesign,dc=org" (00000014)
added: "uid=root,ou=People,ou=Users,dc=differentialdesign,dc=org" (00000015)
added: "uid=asender,ou=People,ou=Users,dc=differentialdesign,dc=org" (00000016)

Step3.

Make sure the LDAP database is owned by the ldap user.

[root@node2 ~]# chown -R ldap.ldap /var/lib/ldap

Step4.

[root@node1 ~]# service ldap restart
Stopping slapd: [ OK ]
Stopping slurpd: [ OK ]
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
Starting slurpd: [ OK ]

[root@node1 ~]# service smb restart
Shutting down SMB services: [ OK ]
Shutting down NMB services: [ OK ]
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]

Step5.

Login to node1, your Primary Domain Controller, and add another user as done in section 3.3: LDAP population, Step6; we will then check replication by logging onto node2 and seeing whether the user exists on that machine.

[root@node1 sbin]# ./smbldap-useradd -m -a testuser
[root@node1 sbin]# ./smbldap-passwd testuser
Changing password for testuser
New password :
Retype new password :
[root@node1 sbin]# smbpasswd testuser
New SMB password:
Retype new SMB password:
[root@node1 sbin]# ssh node2
root@node2's password:
Last login: Mon Dec 18 02:43:33 2006 from 192.168.0.2
[root@node2 ~]# id testuser
uid=1009(testuser) gid=513(Domain Users) groups=513(Domain Users)

4.0: User Management

4.1: smbldap-tools

We will not be using the smbldap-tools to populate the database; however, we will use them to manage users and groups once the database has been populated. These scripts allow us to add users and machines using NT tools such as srvtools.exe, and they make it easier to add users on the fly. It is, however, also possible to create an LDIF file to add users to the database.

Smbldap-tools gives us the advantage of being able to add machine accounts on the fly through the standard Windows domain join. It also gives us the ability to use srvtools.exe; however, these tools lack the custom control that can only be obtained by manually adding accounts through LDAP.

This document's configuration has been tested with smbldap-tools-0.9.1-1.

Install smbldap-tools-0.9.1-1 on both nodes; this means we can add users and groups from either the PDC or the BDC as long as the PDC is contactable.

You may need to satisfy any dependencies.

[root@node1 smbldap-tools]# rpm -Uvh smbldap-tools-0.9.1-1.noarch.rpm
Preparing... ########################################### [100%]
1:smbldap-tools ########################################### [100%]
[root@node1 smbldap-tools]#

[root@node2 smbldap-tools]# rpm -Uvh smbldap-tools-0.9.1-1.noarch.rpm
Preparing... ########################################### [100%]
1:smbldap-tools ########################################### [100%]
[root@node2 smbldap-tools]#

4.1.1: smbldap.conf Master

Because we did not use smbldap-tools to populate our database, we must manually configure the smbldap.conf. This configuration file only applies to smbldap-tools-0.9.1-1. If you are using a different version, alterations will need to be made.

We will need to configure this file to suit our init

# /etc/opt/IDEALX/sbin/smbldap.conf
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose :
# . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-3809161173-2687474671-1432921517"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="DDESIGN"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="192.168.0.3"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify=""

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile=""

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert=""

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey=""

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=differentialdesign,dc=org"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=People,ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,ou=Users,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=DDESIGN,ou=Domains,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format=""

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/data/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\192.168.0.4\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\192.168.0.4\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="differentialdesign.org"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"
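Because the database was preloaded by hand (section 3.2) and smbldap.conf was written by hand (4.1.1), the two must agree on the domain SID, the suffix and the container DNs, and a slip in either substitution only shows up later as failed user or machine adds. The following is an added example, not code from this guide or from smbldap-tools: it parses a preload LDIF and an smbldap.conf and reports any mismatch, using constructed, trimmed copies of the guide's own values as sample input.

```python
"""Cross-check the preload LDIF (section 3.2) against smbldap.conf (4.1.1): an
added example for this guide, not part of smbldap-tools."""
import re

def parse_ldif(text):
    """Parse unfolded LDIF into {dn: {attr: [values]}}; blank lines end entries."""
    entries, cur = {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            cur = None
            continue
        attr, _, value = line.partition(":")
        if attr == "dn":
            cur = entries.setdefault(value.strip(), {})
        elif cur is not None:
            cur.setdefault(attr, []).append(value.strip())
    return entries

def parse_smbldap_conf(text):
    """Read KEY="value" lines and expand ${suffix} the way the scripts do."""
    conf = dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', text, re.M))
    suffix = conf.get("suffix", "")
    return {k: v.replace("${suffix}", suffix) for k, v in conf.items()}

def check(ldif_text, conf_text):
    """Return a list of problems; an empty list means the two files agree."""
    entries, conf = parse_ldif(ldif_text), parse_smbldap_conf(conf_text)
    suffix, problems = conf["suffix"], []
    for dn in entries:  # the dc=... substitution must have reached every DN
        if dn != suffix and not dn.endswith("," + suffix):
            problems.append(f"{dn}: not under suffix {suffix}")
    domain = entries.get(conf["sambaUnixIdPooldn"])
    if domain is None:
        return problems + ["sambaUnixIdPooldn entry missing from LDIF"]
    dom_sid = domain["sambaSID"][0]
    if dom_sid != conf["SID"]:
        problems.append(f"SID mismatch: LDIF {dom_sid}, smbldap.conf {conf['SID']}")
    if domain["sambaDomainName"][0] != conf["sambaDomain"]:
        problems.append("sambaDomainName (LDIF) differs from sambaDomain (smbldap.conf)")
    for dn, e in entries.items():
        if "sambaGroupMapping" not in e.get("objectClass", []):
            continue
        # Guide convention: group sambaSID = domain SID + "-" + gidNumber (512, 513, ...)
        if e["sambaSID"][0] != f"{dom_sid}-{e['gidNumber'][0]}":
            problems.append(f"{dn}: sambaSID does not match domain SID and gidNumber")
    # Containers the scripts create entries in; idmapdn only matters on member servers.
    for key in ("usersdn", "computersdn", "groupsdn"):
        if conf[key] not in entries:
            problems.append(f"{key}={conf[key]} missing from LDIF")
    return problems

# Constructed sample input: a trimmed copy of the guide's preload LDIF.
PRELOAD_LDIF = """\
dn: dc=differentialdesign,dc=org
objectClass: dcObject
dc: differentialdesign

dn: ou=People,ou=Users,dc=differentialdesign,dc=org
objectClass: organizationalUnit
ou: People

dn: ou=Computers,ou=Users,dc=differentialdesign,dc=org
objectClass: organizationalUnit
ou: Computers

dn: ou=Groups,dc=differentialdesign,dc=org
objectClass: organizationalUnit
ou: Groups

dn: sambaDomainName=DDESIGN,ou=Domains,dc=differentialdesign,dc=org
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: DDESIGN
sambaSID: S-1-5-21-3809161173-2687474671-1432921517

dn: cn=Domain Admins,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-512
"""

# Constructed sample input: the matching lines from the guide's smbldap.conf.
SMBLDAP_CONF = """\
SID="S-1-5-21-3809161173-2687474671-1432921517"
sambaDomain="DDESIGN"
suffix="dc=differentialdesign,dc=org"
usersdn="ou=People,ou=Users,${suffix}"
computersdn="ou=Computers,ou=Users,${suffix}"
groupsdn="ou=Groups,${suffix}"
sambaUnixIdPooldn="sambaDomainName=DDESIGN,ou=Domains,${suffix}"
"""

if __name__ == "__main__":
    print(check(PRELOAD_LDIF, SMBLDAP_CONF) or "preload LDIF and smbldap.conf agree")
```

Run it against the real files by reading them into the two strings; an empty list means smbldap-useradd will find the containers and domain object it expects.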
|||
4.1.2: smbldap.conf Slave |
|||
It is not necessary to install smbldap-tools on the backup domain controller. However this lets you add users from the BDC which will refer its update to the PDC ldap database. |
|||
# /etc/opt/IDEALX/sbin/smbldap.conf
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
# This code was developed by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
#
# Purpose :
# . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taken from "net getlocalsid" return
SID="S-1-5-21-3809161173-2687474671-1432921517"

# Domain name the Samba server is in charge of.
# If not defined, parameter is taken from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="DDESIGN"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use a dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)

# Slave LDAP server: on the BDC this is the local replica, which serves reads
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="127.0.0.1"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations; this is the PDC (node1)
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="192.168.0.2"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also use the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify=""

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile=""

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert=""

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey=""

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=differentialdesign,dc=org"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=People,ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,ou=Users,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: idmapdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=DDESIGN,ou=Domains,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format=""

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/data/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\192.168.0.4\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\192.168.0.4\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="differentialdesign.org"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"
|||
5.0: Heartbeat HA Configuration

Heartbeat Configuration (Node1, Node2)

Heartbeat is not needed for domain logons; in mission critical environments, however, it provides failover if a node becomes unavailable. The two nodes exchange heartbeats over a serial cable and a crossover Ethernet link connected directly between the servers. A virtual IP address is shared by the cluster; clients connect to this virtual IP when accessing a Samba share.

There are two main versions of Heartbeat. Version 1.2.3 is limited to a two node cluster; version 2 can span many machines and can become quite complex. Heartbeat version 2 is, however, backwards compatible with version 1.2.3 configuration files when the "crm no" option is set in ha.cf.

Never mix different versions of Heartbeat in a cluster; all nodes must run the same version. Mixing versions creates instability and may lead to random rebooting.

If you want to be completely safe I highly recommend version 1.2.3; for this exercise, however, we will be using Heartbeat version 2.

If you are looking for proven stability, version 1.2.3 has been used with DRBD for a long time; it is often used in hospitals to store MRI and other data that needs to be readily accessible. Currently this is limited to a two node cluster.
|||
5.1: Requirements

Each node will require 2 network cards and a free serial port.

Get the following RPMs from the http://www.linux-ha.org web site. Version 1.2.3 has proven rock solid in many mission critical environments. You may need to satisfy dependencies.

If you choose to install Heartbeat version 1.2.3, take note of the ha.cf configuration in section 5.3.1; it differs slightly.
|||
5.2: Installation

Heartbeat can now be installed with yum, which will download version 2. The manual RPM installation below is for version 1.2.3.

Repeat this process on node2, your backup domain controller, so that both nodes run identical versions of Heartbeat.

Install Heartbeat on both nodes:

[root@node1 programs]# cd heartbeat-1.2.3/
[root@node1 heartbeat-1.2.3]# ls
heartbeat-1.2.3-2.rh.9.i386.rpm
heartbeat-ldirectord-1.2.3-2.rh.9.i386.rpm
heartbeat-pils-1.2.3-2.rh.9.i386.rpm
heartbeat-stonith-1.2.3-2.rh.9.i386.rpm
[root@node1 heartbeat-1.2.3]# rpm -Uvh heartbeat-1.2.3-2.rh.9.i386.rpm heartbeat-ldirectord-1.2.3-2.rh.9.i386.rpm heartbeat-pils-1.2.3-2.rh.9.i386.rpm heartbeat-stonith-1.2.3-2.rh.9.i386.rpm
|||
5.3: Configuration

Heartbeat running as version 1.2.3 is very easy to configure and manage. The newer version 2 is able to support multiple nodes and uses XML configuration files. If you are using version 2 I recommend running with the "crm no" option, which provides 1.2.3 backwards compatibility.

Just remember to always run the same version of Heartbeat on both nodes.
|||
5.3.1: ha.cf

Step1

On node1, log in as root; the ha.cf file needs to be the same on both nodes.

Note:

The option "crm no" in ha.cf tells Heartbeat version 2 to behave as version 1.2.3; this means it is limited to a 2 node cluster.

If you choose to run version 1.2.3 you will need to comment out or delete the "crm no" line in ha.cf.

[root@node1]# cd /etc/ha.d
[root@node1]# vi ha.cf

## /etc/ha.d/ha.cf on node1
## This configuration is to be the same on both machines
## This example is made for version 2, comment out crm if using version 1
keepalive 1          # seconds between heartbeat packets
deadtime 5           # seconds of silence before the peer is declared dead
warntime 3           # seconds before a "late heartbeat" warning is logged
initdead 20          # longer deadtime right after boot, while the network comes up
serial /dev/ttyS0    # heartbeat over the serial cable (COM1)
bcast eth1           # heartbeat broadcast over the crossover link (10.0.0.0/24)
auto_failback yes    # resources move back to node1 when it returns
node node1
node node2
crm no               # comment out if using version 1.2.3

Step2.

Copy the ha.cf to node2 so they both have the same configuration file.

[root@node1]# scp /etc/ha.d/ha.cf root@node2:/etc/ha.d/
|||
5.3.2: haresources

The haresources file is read when Heartbeat starts. Throughout this document we have used /data as the mount point for our RAID1 over LAN replication.

The line starts with node1, the preferred (master) node, followed by 192.168.0.4, the cluster's virtual IP address, which will appear as eth0:0 on whichever node currently holds the resources.

Next come drbddisk and Filesystem::/dev/drbd0::/data::ext3: /dev/drbd0 is our DRBD device, and drbddisk promotes it to primary on the active node before the Filesystem resource mounts it at /data, the replication mount point we configured in our Samba and smbldap-tools configuration.

You can easily make further services highly available by appending the name of their init script, as done below with the DNS service named. Resources are started left to right and stopped right to left, so anything that needs the data volume must come after the Filesystem entry.

Step1

[root@node1]# vi haresources

## /etc/ha.d/haresources
## This configuration is to be the same on both nodes
node1 192.168.0.4 drbddisk Filesystem::/dev/drbd0::/data::ext3 named

Step2

Copy the haresources file across to node2 so they are both identical.

[root@node1]# scp /etc/ha.d/haresources root@node2:/etc/ha.d/
|||
5.3.3: authkeys

The crc method below is only a checksum: it detects corrupted packets but provides no authentication, so any host that can reach the heartbeat link could inject cluster messages. We recommend not using it. If Heartbeat communicates only over private links, as in our case (serial and crossover cable), the extra protection matters less, but a keyed method costs nothing.

Step1

[root@node1]# vi authkeys

## /etc/ha.d/authkeys
auth 1
1 crc

The preferred method is sha1 (or md5) with a shared secret, which authenticates the nodes and their packets as below.

## /etc/ha.d/authkeys
auth 1
1 sha1 HeartbeatPassword

Step2

Give the authkeys file the correct permissions; Heartbeat refuses to start if the file is readable by anyone other than root.

[root@node1]# chmod 600 /etc/ha.d/authkeys

Step3

Copy the authkeys file to node2 so the nodes can authenticate with each other.

[root@node1]# scp /etc/ha.d/authkeys root@node2:/etc/ha.d/
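As an added example, not part of the original guide, the following shell script generates an authkeys file with a random sha1 secret and then checks a file the way Heartbeat does at startup: mode 600, a valid "auth N" line, a keyed method rather than crc, and a secret of reasonable length. The function names, the 16-character minimum and the use of GNU stat and /dev/urandom are the example's own assumptions.

```shell
#!/bin/sh
# Added example: generate and check /etc/ha.d/authkeys for Heartbeat.
# Not from the original guide. Assumes GNU coreutils (stat -c) and /dev/urandom.

# gen_authkeys DEST: write an authkeys file using key 1 with sha1 and a
# 256-bit random secret (64 hex digits), created with mode 600 from the start.
gen_authkeys() {
    dest=$1
    secret=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
    ( umask 077 && printf 'auth 1\n1 sha1 %s\n' "$secret" > "$dest" ) || return 1
    chmod 600 "$dest"
}

# check_authkeys FILE: return 0 only if Heartbeat would accept the file and
# the selected key actually authenticates packets; otherwise print the reason.
check_authkeys() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing"; return 1; }

    # Heartbeat refuses to start when authkeys is readable by others.
    mode=$(stat -c %a "$f")
    [ "$mode" = 600 ] || { echo "$f: mode $mode, want 600"; return 1; }

    # "auth N" selects which numbered key line signs outgoing packets.
    num=$(awk '$1 == "auth" { print $2; exit }' "$f")
    [ -n "$num" ] || { echo "$f: no 'auth N' line"; return 1; }

    # Method and secret of the selected key line.
    set -- $(awk -v n="$num" '$1 == n { print $2, $3; exit }' "$f")
    method=$1; key=$2
    case "$method" in
        sha1|md5) ;;   # keyed hash over each packet: peers are authenticated
        crc)  echo "$f: key $num uses crc (checksum only, no authentication)"; return 1 ;;
        "")   echo "$f: key $num is not defined"; return 1 ;;
        *)    echo "$f: key $num uses unknown method '$method'"; return 1 ;;
    esac
    # 16 characters is this example's floor; gen_authkeys writes 64 hex digits.
    [ "${#key}" -ge 16 ] || { echo "$f: key $num secret is too short"; return 1; }
    echo "$f: ok, key $num uses $method"
}

# On the cluster: gen_authkeys /etc/ha.d/authkeys, scp it to node2 with the
# same mode, then run check_authkeys /etc/ha.d/authkeys on both nodes.
[ $# -eq 0 ] || check_authkeys "$1"
```

Run it as "sh authkeys-check.sh /etc/ha.d/authkeys" on each node after copying the file; a non-zero exit with the printed reason is what you want to see in a deployment script before "service heartbeat start".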
|||
5.4: Testing

Now that we have Heartbeat configured it is time to test ther

Step4.

Log in to node2, your backup domain controller, and use exactly the same Heartbeat configuration files as on the primary domain controller.
|||
6.0: DRBD

DRBD Configuration (Primary, Secondary)

DRBD is a kernel module that networks two machines to provide RAID1 over LAN.

It is assumed that we have two identical drives, one in each machine; all data on this device will be destroyed.

If you are updating your kernel or your version of DRBD, make sure DRBD is stopped on both machines.

Never run different versions of DRBD on the two nodes. Because the DRBD kernel module is built against a specific kernel, this in practice means both machines need the same kernel.
|||
6.1: Requirements

You will need to install the DRBD kernel module. We will build our own RPM kernel modules so that they are optimized for our architecture and match the running kernel.

I have tested many different kernels with DRBD; some are not stable, so you will need to check Google to make sure your kernel is compatible with the particular DRBD release. Most of the time this isn't an issue.

Both of the following kernels are recommended for Fedora Core 4; I have used them up to version drbd-0.7.23.

kernel-smp-2.6.14-1.1656_FC4
kernel-smp-2.6.11-1.1369_FC4

Please browse http://www.linbit.com/support/drbd-current/ and look for the packages available.

Step1

Get a serial cable and connect it to each node's COM1 port. This is the link Heartbeat uses through "serial /dev/ttyS0" in ha.cf, so verify it before relying on it.

Execute the following; you may see a lot of garbage on the screen.

[root@node1 ~]# cat </dev/ttyS0

Step2

You may have to repeat the command below a couple of times in rapid succession to see the output on node1.

[root@node2 ~]# echo hello >/dev/ttyS0
|||
6.2: Installation

Step1

Extract the latest stable version of DRBD.

[root@node1 stable]# tar zxvf drbd-0.7.20.tar.gz
[root@node1 stable]# cd drbd-0.7.20
[root@node1 drbd-0.7.20]#

Step2

It is nice to make your own RPM for your distribution; it makes upgrades seamless. This gives us an RPM built specifically for our kernel; it may take some time.

[root@node1 drbd-0.7.20]# make
[root@node1 drbd-0.7.20]# make rpm

Step3

[root@node1 drbd-0.7.20]# cd dist/RPMS/i386/
[root@node1 i386]# ls
drbd-0.7.20-1.i386.rpm
drbd-debuginfo-0.7.20-1.i386.rpm
drbd-km-2.6.14_1.1656_FC4smp-0.7.20-1.i386.rpm

Step4

We will now install DRBD and the kernel module we built earlier. The drbd-km package name carries the kernel version it was built for; it must match "uname -r" on the node.

[root@node1 i386]# rpm -Uvh drbd-0.7.20-1.i386.rpm drbd-debuginfo-0.7.20-1.i386.rpm drbd-km-2.6.14_1.1656_FC4smp-0.7.20-1.i386.rpm

Step5

Log in to node2, the backup domain controller, and do the same.
|||
6.3: Configuration

In the example throughout this document we have linked /dev/hdd1 to /dev/drbd0; yours, however, may be a different device, it could be SCSI.

All data on the device /dev/hdd will be destroyed.

Step1

We are going to create the partition /dev/hdd1 using fdisk. Note that fdisk is run on the whole disk, /dev/hdd, not on the partition.

[root@node1]# fdisk /dev/hdd

Command (m for help): m
Command action
a toggle a bootable flag
b edit bsd disklabel
c toggle the dos compatibility flag
d delete a partition
l list known partition types
m print this menu
n add a new partition
o create a new empty DOS partition table
p print the partition table
q quit without saving changes
s create a new empty Sun disklabel
t change a partition's system id
u change display/entry units
v verify the partition table
w write table to disk and exit
x extra functionality (experts only)

Command (m for help): d
No partition is defined yet!

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-8677, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-8677, default 8677):
Using default value 8677

Command (m for help): w

Step2

Now log in to node2, the backup domain controller, and partition /dev/hdd (or your chosen device) as above, giving it the same size as on node1.
|||
6.3.1: drbd.conf

Create this file on both the master and the slave server. It should be identical, although that is not a strict requirement; as long as the partition sizes are the same, any mount point can be used.

Step1

The file below is fairly self explanatory; you can see the real disk linked to the DRBD kernel module device. Replication traffic goes over the dedicated crossover link (10.0.0.1 and 10.0.0.2 on eth1). DRBD 0.7 does not authenticate its peer, so keep that link private and do not expose port 7789 on the LAN.

[root@node1]# vi /etc/drbd.conf

# Datadrive (/data) /dev/hdd1 80GB
resource drbd1 {
    protocol C;              # synchronous: a write completes only once it is on both disks

    disk {
        on-io-error panic;   # a local disk error takes the node down so the peer takes over
    }

    net {
        max-buffers 2048;
        ko-count 4;
        on-disconnect reconnect;
    }

    syncer {
        rate 700000;         # resync bandwidth limit (KB/s by default); tune to the link
    }

    on node1 {
        device /dev/drbd0;
        disk /dev/hdd1;
        address 10.0.0.1:7789;
        meta-disk internal;
    }

    on node2 {
        device /dev/drbd0;
        disk /dev/hdd1;
        address 10.0.0.2:7789;
        meta-disk internal;
    }
}

Step2

[root@node1]# scp /etc/drbd.conf root@node2:/etc/
|||
6.3.2: Initialization

In the following steps we will configure the disks to synchronize and choose a master node.

Step1

On the Primary Domain Controller:

[root@node1]# service drbd start

On the Backup Domain Controller:

[root@node2]# service drbd start

Step2

[root@node1]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.17 (api:77/proto:74)
SVN Revision: 2093 build by root@node1, 2006-04-23 14:40:20
0: cs:Connected st:Secondary/Secondary ld:Inconsistent
ns:25127936 nr:3416 dw:23988760 dr:4936449 al:19624 bm:1038 lo:0 pe:0 ua:0 ap:0

You can see both devices are connected and waiting for one side to be made primary; that side will then do an initial synchronization to the secondary device.

Step3

Stop the heartbeat service on both nodes.

Step4

We now tell DRBD to make node1 the primary. The --do-what-I-say flag is required because the device is still Inconsistent; it tells DRBD to treat node1's disk as the authoritative copy and overwrite node2 with it.

[root@node1]# drbdadm -- --do-what-I-say primary all
[root@node1 ~]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.23 (api:79/proto:74)
SVN Revision: 2686 build by root@node1, 2007-01-23 20:26:13
0: cs:SyncSource st:Primary/Secondary ld:Consistent
ns:67080 nr:85492 dw:91804 dr:72139 al:9 bm:268 lo:0 pe:30 ua:2019 ap:0
[==>.................] sync'ed: 12.5% (458848/520196)K
finish: 0:01:44 speed: 4,356 (4,088) K/sec

Step5

Create a filesystem on our DRBD device.

[root@node1]# mkfs.ext3 /dev/drbd0
|||
6.4: Testing

We have a 2 node cluster replicating data; it is time to test a failover.

Step1

Start the heartbeat service on both nodes.

Step2

On node1 we can see the status of DRBD.

[root@node1 ~]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.23 (api:79/proto:74)
0: cs:Connected st:Primary/Secondary ld:Consistent
ns:1536 nr:0 dw:1372 dr:801 al:4 bm:6 lo:0 pe:0 ua:0 ap:0
[root@node1 ~]#

On node2 we can see the status of DRBD.

[root@node2 ~]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.23 (api:79/proto:74)
SVN Revision: 2686 build by root@node2, 2007-01-23 20:26:03
0: cs:Connected st:Secondary/Primary ld:Consistent
ns:0 nr:1484 dw:1484 dr:0 al:0 bm:6 lo:0 pe:0 ua:0 ap:0
[root@node2 ~]#

That all looks good; we can see the devices are consistent and ready for use.

Step3

Now let's check the mount point we created in the Heartbeat haresources file.

We can see Heartbeat has successfully mounted /dev/drbd0 on the /data directory; of course your device will not have any data on it yet.

[root@node1 ~]# df -h
Filesystem                        Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                                   35G   14G   20G  41% /
/dev/hdc1                          99M   21M   74M  22% /boot
/dev/shm                          506M     0  506M   0% /dev/shm
/dev/drbd0                         74G   37G   33G  53% /data
[root@node1 ~]#

Step4

Log in to node1 and execute the following command; once Heartbeat is stopped it should only take a few seconds to migrate the services to node2.

[root@node1 ~]# service heartbeat stop
Stopping High-Availability services:
[ OK ]
[root@node1 ~]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.23 (api:79/proto:74)
SVN Revision: 2686 build by root@node1, 2007-01-23 20:26:13
0: cs:Connected st:Secondary/Primary ld:Consistent
ns:5616 nr:85492 dw:90944 dr:2162 al:9 bm:260 lo:0 pe:0 ua:0 ap:0

We can see DRBD change state to secondary on node1.

Step5

Now let's check the status of DRBD on node2; we can see it has changed state and become the primary.

[root@node2 ~]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.23 (api:79/proto:74)
SVN Revision: 2686 build by root@node2, 2007-01-23 20:26:03
0: cs:Connected st:Primary/Secondary ld:Consistent
ns:4 nr:518132 dw:518136 dr:17 al:0 bm:220 lo:0 pe:0 ua:0 ap:0
1: cs:Connected st:Primary/Secondary ld:Consistent
ns:28 nr:520252 dw:520280 dr:85 al:0 bm:199 lo:0 pe:0 ua:0 ap:0

Check that node2 has mounted the device.

[root@node2 ~]# df -h
Filesystem                        Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                                   35G   12G   22G  35% /
/dev/hdc1                          99M   17M   78M  18% /boot
/dev/shm                          506M     0  506M   0% /dev/shm
/dev/hdh1                         111G   97G  7.6G  93% /storage
/dev/drbd0                         74G   37G   33G  53% /data
[root@node2 ~]#

Step6

Finally start the heartbeat service on node1 and make sure that all resources migrate back (auto_failback yes in ha.cf).
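The failover test above is checked by eye. As an added example, not part of the original guide, here is a small shell library that reads the DRBD 0.7 status format shown in this section (cs: connection state, st: local/peer role, ld: local disk state) and waits for the device to reach an expected role, so Step4 and Step5 can be scripted and run from cron or a deployment check. On a node the status comes from /proc/drbd; the text written by sample_status is a constructed copy of the output above for offline use, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): check DRBD 0.7 device state
# from /proc/drbd-style text and wait for a role change after failover.
# Keys cs:/st:/ld: follow the 0.7 output shown in the guide; DRBD 8 prints
# ro:/ds: instead and would need the keys changed.

# drbd_field LINE KEY: print the value of "KEY:value" in a device status line.
drbd_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk -F: -v k="$2" '$1 == k { print $2; exit }'
}

# Local and peer roles are the two halves of st:Local/Peer.
drbd_local_role() { drbd_field "$1" st | cut -d/ -f1; }
drbd_peer_role()  { drbd_field "$1" st | cut -d/ -f2; }

# drbd_check LINE WANT_ROLE: 0 only if connected, locally consistent and in
# the wanted role (Primary or Secondary); otherwise print why and return 1.
drbd_check() {
    line=$1; want=$2
    cs=$(drbd_field "$line" cs)
    ld=$(drbd_field "$line" ld)
    role=$(drbd_local_role "$line")
    [ "$cs" = Connected ]  || { echo "not connected (cs:$cs)"; return 1; }
    [ "$ld" = Consistent ] || { echo "local disk is $ld"; return 1; }
    [ "$role" = "$want" ]  || { echo "local role is $role, want $want"; return 1; }
    echo "ok: $role/$(drbd_peer_role "$line"), $cs, $ld"
}

# drbd_device_line [FILE] [MINOR]: the status line of device MINOR (default 0)
# from FILE (default /proc/drbd).
drbd_device_line() {
    awk -v m="${2:-0}" '$1 == (m ":") && $2 ~ /^cs:/ { print; exit }' "${1:-/proc/drbd}"
}

# wait_for_role WANT [TIMEOUT] [FILE]: poll once a second until drbd_check
# passes; run on node2 after "service heartbeat stop" on node1.
wait_for_role() {
    want=$1; timeout=${2:-30}; src=${3:-/proc/drbd}
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if drbd_check "$(drbd_device_line "$src")" "$want" >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1)); sleep 1
    done
    echo "timed out after ${timeout}s waiting for $want"; return 1
}

# sample_status FILE: constructed /proc/drbd text in the 0.7 layout, for offline use.
sample_status() {
    cat > "$1" <<'EOF'
version: 0.7.23 (api:79/proto:74)
SVN Revision: 2686 build by root@node2, 2007-01-23 20:26:03
 0: cs:Connected st:Primary/Secondary ld:Consistent
    ns:4 nr:518132 dw:518136 dr:17 al:0 bm:220 lo:0 pe:0 ua:0 ap:0
EOF
}

# On a node: "sh drbd-wait.sh Primary 30" blocks until this node is primary.
[ $# -eq 0 ] || wait_for_role "$1" "${2:-30}"
```

A failover test then becomes: stop Heartbeat on node1, run "wait_for_role Primary 30" on node2, and check "df -h" for /data; the reverse order verifies failback.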
|||
7.0: BIND DNS

We can use BIND, the Berkeley Internet Name Domain, in a high availability configuration. We can make the 2 nodes appear as one: the zone files are stored on the DRBD drive, and if node1 fails node2 takes over and automatically starts named.

BIND's /var/named directory can be relocated to a more appropriate location such as /data/dnszones; this gives us real time replication of the zone files. The standby node2 must have its default directory changed to /data/dnszones as well.

We have 2 servers, and we will refer to the cluster as cluster.differentialdesign.org. It is assumed that these machines are behind a firewall with NAT and port forwarding to the appropriate ports.

When registering a domain name with a registrar you will want 2 separate name servers, so it is recommended to set up an additional slave DNS server.

An example may be:

Name Server: CLUSTER.DIFFERENTIALDESIGN.ORG   <- primary name server (the cluster)
Name Server: NS1.DIFFERENTIALDESIGN.ORG
Name Server: NS2.DIFFERENTIALDESIGN.ORG
|||
7.1: Configuration

Step1

Here is a basic configuration overview.

We will now create a directory on our DRBD drive, /data/dnszones.

[root@node1 ~]# mkdir /data/dnszones

Step2

Change the location of the zone files to our replicated drive. Note from the usage output below that named's -t option sets a chroot directory, not the zone directory; the zone directory is set with the "directory" option in /etc/named.conf (see 7.1.1), and that is where the relocation is actually done.

[root@node1 ~]# named ?
usage: named [-4|-6] [-c conffile] [-d debuglevel] [-f|-g] [-n number_of_cpus]
             [-p port] [-s] [-t chrootdir] [-u username]
             [-m {usage|trace|record}]
             [-D ]
named: extra command line arguments

Step3

Copy the default zone files to our new location and set the permissions.

[root@node1 ~]# rsync -avz /var/named/ /data/dnszones/
[root@node1 ~]# chown -R named:named /data/dnszones/
|||
7.1.1: named.conf

It is important that all machines on the network use cluster.differentialdesign.org, or its local IP address, as their DNS server. This way we can assure correct name resolution.

We will now edit /etc/named.conf.

Take note of the allow-transfer list in the file below: the two addresses in it are our secondary DNS servers, ns1.differentialdesign.org and ns2.differentialdesign.org. Zone transfers (AXFR) are refused to everyone else, so the full zone contents cannot be pulled by arbitrary hosts.

The named.conf needs to be the same on both node1 and node2; you could manually copy the file over using scp, or keep it in the /data/dnszones directory and point /etc/named.conf at it with a symbolic link.

[root@node1 ~]# vi /etc/named.conf

//
// named.conf for Red Hat caching-nameserver
//
options {
    directory "/data/dnszones";
    dump-file "/data/dnszones/data/cache_dump.db";
    statistics-file "/data/dnszones/data/named_stats.txt";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
    allow-transfer {
        127.0.0.1;        // localhost
        202.161.90.250;   // secondary DNS server for my zone
        202.161.90.251;   // secondary DNS server for my zone
    };
};

//
// a caching only nameserver config
//
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "localdomain" IN {
    type master;
    file "localdomain.zone";
    allow-update { none; };
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.ip6.local";
    allow-update { none; };
};

zone "255.in-addr.arpa" IN {
    type master;
    file "named.broadcast";
    allow-update { none; };
};

zone "0.in-addr.arpa" IN {
    type master;
    file "named.zero";
    allow-update { none; };
};

zone "differentialdesign.org" {
    type master;
    file "/data/dnszones/differentialdesign.org/named.differentialdesign.org.hosts";
    allow-update { none; };
};

// defines rndckey, which the controls statement above refers to
include "/etc/rndc.key";
|||
7.1.2: zone file

In our named.conf file we have the following zone defined:

zone "differentialdesign.org" {
    type master;
    file "/data/dnszones/differentialdesign.org/named.differentialdesign.org.hosts";
    allow-update { none; };
};

The zone file therefore lives under /data/dnszones/, on the replicated drive.

Step1.

Create a sub folder where we will store our zone files.

[root@node1 ~]# mkdir /data/dnszones/differentialdesign.org/

Step2.

Create a new file called named.differentialdesign.org.hosts.

[root@node1 ~]# vi /data/dnszones/differentialdesign.org/named.differentialdesign.org.hosts

Note the record "nodes.differentialdesign.org. IN A 192.168.0.4"; this A record points to the virtual IP address of the cluster. When setting up mapped drives it is best to use this name instead of the IP address. Remember to increase the SOA serial every time you edit the file; otherwise ns1 and ns2 will never transfer the updated zone.

$TTL 8h
differentialdesign.org. IN SOA cluster.differentialdesign.org. asender.mail.samba.org. (
    2006211201    ; serial
    10800         ; refresh
    3600          ; retry
    3600000       ; expire
    86400 )       ; minimum (negative caching TTL)
differentialdesign.org.          IN NS   cluster.differentialdesign.org.
differentialdesign.org.          IN NS   ns1.differentialdesign.org.
differentialdesign.org.          IN NS   ns2.differentialdesign.org.
differentialdesign.org.          IN MX   50 mail.differentialdesign.org.
mail.differentialdesign.org.     IN A    202.161.90.245
www.differentialdesign.org.      IN A    202.161.90.245
cluster.differentialdesign.org.  IN A    202.161.90.241
node1.differentialdesign.org.    IN A    192.168.0.2
node2.differentialdesign.org.    IN A    192.168.0.3
nodes.differentialdesign.org.    IN A    192.168.0.4
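Because the zone file lives on the shared DRBD volume, both nodes see every edit at once; the secondaries ns1 and ns2, however, only transfer the zone when the SOA serial grows. As an added example, not part of the original guide, the following shell script bumps the serial in the YYYYMMDDnn convention and rewrites the file in place. The zone written by write_sample_zone is a constructed copy of the one above with the serial on its own line after the SOA record, the function names are the example's own, and it assumes a POSIX sh with awk.

```shell
#!/bin/sh
# Added example (not from the original guide): increment the SOA serial of a
# zone file using the YYYYMMDDnn convention. Assumes POSIX sh and awk.

# next_serial OLD TODAY(YYYYMMDD): the first edit of the day gets TODAY01;
# later edits the same day, or an old serial already past TODAY, get OLD+1,
# so the serial never goes backwards.
next_serial() {
    old=$1; today=$2
    if [ "$old" -lt "${today}01" ]; then
        printf '%s01\n' "$today"
    else
        printf '%s\n' $((old + 1))
    fi
}

# zone_serial FILE: print the serial, i.e. the first all-digit field after
# the line that opens the SOA record with "(".
zone_serial() {
    awk '/SOA/ && /\(/ { insoa = 1; next }
         insoa && $1 ~ /^[0-9]+$/ { print $1; exit }' "$1"
}

# bump_zone_serial FILE TODAY: rewrite FILE with the new serial and print it.
bump_zone_serial() {
    zone=$1; today=$2
    old=$(zone_serial "$zone")
    [ -n "$old" ] || { echo "$zone: no SOA serial found" >&2; return 1; }
    new=$(next_serial "$old" "$today")
    awk -v old="$old" -v new="$new" '
        /SOA/ && /\(/ { insoa = 1; print; next }
        insoa && $1 == old { sub(old, new); insoa = 0 }
        { print }' "$zone" > "$zone.tmp" && mv "$zone.tmp" "$zone" || return 1
    printf '%s\n' "$new"
}

# write_sample_zone FILE: constructed zone in the layout used in this guide.
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 8h
differentialdesign.org. IN SOA cluster.differentialdesign.org. asender.mail.samba.org. (
    2007012401    ; serial
    10800         ; refresh
    3600          ; retry
    3600000       ; expire
    86400 )       ; minimum
differentialdesign.org.          IN NS   cluster.differentialdesign.org.
nodes.differentialdesign.org.    IN A    192.168.0.4
EOF
}

# On node1 after editing the zone, then "rndc reload":
#   sh bump-serial.sh /data/dnszones/differentialdesign.org/named.differentialdesign.org.hosts
[ $# -eq 0 ] || bump_zone_serial "$1" "${2:-$(date +%Y%m%d)}"
```

Run it on whichever node currently holds /data; because the file is on the DRBD volume the new serial is visible to the other node immediately, and "rndc reload" on the active node makes the secondaries pick it up at their next refresh.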
Revision as of 03:03, 25 January 2007
SAMBA 3: FAILOVER DOMAIN CONTROLLER
SAMBA 3 EXTENSIONS
TECHNICAL CONFIGURATION
Author: Adrian Sender
Supervisor: Simo Sorce
Objectives
Samba Active Directory Upgrade Compatible
Set Standards
High Availability Cluster
Recommended By Developers
Overview
1.0: Configuring Samba
1.1 smb.conf PDC
1.2 smb.conf BDC
1.3 /etc/hosts
1.4 Samba Security
2.0: Configuring LDAP
2.1 slapd.conf Master
2.1.1 slapd.conf Master syncrepl Openldap2.2
2.1.2 slapd.conf Master delta-syncrepl Openldap2.3
2.2 slapd.conf Slave
2.2.1 slapd.conf Slave syncrepl Openldap2.2
2.2.2 slapd.conf Slave delta-syncrepl Openldap2.3
2.3 ldap.conf Master
2.4 ldap.conf Slave
3.0: Initialization LDAP Database
3.1 Provisioning Database
3.2 Preload LDIF
3.3 LDAP Population
3.4 Database Replication
4.0: User Management
4.1 smbldap-tools
4.1.1 smbldap.conf Master
4.1.2 smbldap.conf Slave
5.0: Heartbeat HA Configuration
5.1 Requirements
5.2 Installation
5.3 Configuration
5.3.1 ha.cf
5.3.2 haresources
5.3.3 authkeys
5.4 Testing
6.0: DRBD
6.1 Requirements
6.2 Installation
6.3 Configuration
6.3.1 drbd.conf
6.3.2 Initialization
6.4 Testing
7.0: BIND DNS
7.1 Configuration
7.1.1 named.conf
7.1.2 zone file
Overview
We will be configuring a 2 node cluster using Samba and OpenLDAP to provide Windows domain authentication. Heartbeat will provide the 2 nodes with one virtual IP address; we will use this IP address to map network drives and access resources.
Most of us are familiar with some form of RAID; we will be using DRBD, software RAID1 over LAN, to provide real time data replication. It replicates the data at block level; if a failure occurs on node1, or it becomes unresponsive, resources will be migrated to node2 and the DRBD drive mounted there.
This is a complex setup and strict guidelines need to be followed in order to achieve stability.
We should start with 2 identical machines, each with 2 hard drives. One of these drives will be used for the operating system; the other is our DRBD RAID1 over LAN drive.
By today's standards anything in the Pentium 4 range and above will suit. The operating system drive should be no less than approximately 40GB and the DRBD replication drive approximately 300GB in each machine; SATA and SCSI are also fine. DRBD can currently address and replicate data storage up to 4TB.
Once familiar with this kind of configuration you can easily take one node offline to upgrade storage or any other hardware without users suffering.
High availability and data replication should not replace traditional backups such as tape and external media, especially if you are using this configuration and are not familiar with its workings.
The machines will need to be in close proximity to each other so we can use serial communication to provide a fault tolerant heartbeat. If you choose not to use serial you may have unexpected failovers due to network delay or a network card failure. Ideally we want a quick failover, so it is important that these precautions are taken.
Each node will require 2 network cards.
Here is a basic configuration overview:
Configuration Details
node1.differentialdesign.org
Eth0: LAN Network Address, IP Address: 192.168.0.2, Subnet Mask: 255.255.255.0, Gateway: 192.168.0.1
Eth0:1 Heartbeat LAN Address (virtual IP), IP Address: 192.168.0.4, Subnet Mask: 255.255.255.0
Eth1: DRBD Replication Network, IP Address: 10.0.0.1, Subnet Mask: 255.255.255.0, Gateway: None
HDC: Operating System Drive
HDD: DRBD Data Replication Drive
TTYS0: COM Port 1
Configuration Details
node2.differentialdesign.org
Eth0: LAN Network Address, IP Address: 192.168.0.3, Subnet Mask: 255.255.255.0, Gateway: 192.168.0.1
Eth1: DRBD Replication Network, IP Address: 10.0.0.2, Subnet Mask: 255.255.255.0, Gateway: None
HDC: Operating System Drive
HDD: DRBD Data Replication Drive
TTYS0: COM Port 1
1.0: Configuring Samba
Samba is an ambitious project to provide solutions for file & print sharing between Linux ™ and Microsoft Windows.
If you are familiar with Samba this document may give you some ideas of how you can bundle different software packages together to produce a very reliable configuration.
We are building a fault tolerant domain controller, which provides you with the following:
Samba Configuration
Primary Domain Controller: a master domain controller that provides authentication through the use of LDAP.
Backup Domain Controller: a slave domain controller that can load balance client login requests and also provides redundancy through the use of a replica LDAP database.
Step1
Get the latest version of Samba from http://us4.samba.org/samba/ftp/samba-latest.tar.gz
It is essential that both the PDC and BDC are running the same version of Samba.
[root@node1 samba]# wget http://us4.samba.org/samba/ftp/samba-latest.tar.gz
--19:28:04-- http://us4.samba.org/samba/ftp/samba-latest.tar.gz
=> `samba-latest.tar.gz'
Resolving us4.samba.org... 192.48.170.15
Connecting to us4.samba.org|192.48.170.15|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17,704,221 (17M) [application/x-tar]
100%[====================================>] 17,704,221 53.01K/s ETA 00:00
19:33:40 (51.62 KB/s) - `samba-latest.tar.gz' saved [17704221/17704221]
Step2
[root@node1 samba]# tar zxvf samba-latest.tar.gz
[root@node1 samba]# cd samba-3.0.23d/
[root@node1 samba-3.0.23d]# ls packaging/
bin/ Debian/ Example/ LSB/ Mandrake/ README RedHat-9/ RHEL/ SGI/ Solaris/ SuSE/ sysv/
Step3
This will take some time. (chmod +x is all makerpms.sh needs to run; 777 also makes the script world-writable.)
[root@node1 samba-3.0.23d]# cd packaging/RHEL/
[root@node1 RHEL]# ls
makerpms.sh makerpms.sh.tmpl samba.spec samba.spec.tmpl setup
[root@node1 RHEL]# chmod 777 makerpms.sh
[root@node1 RHEL]# ./makerpms.sh
Wrote: /usr/src/redhat/SRPMS/samba-3.0.23d-1.src.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-3.0.23d-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-client-3.0.23d-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-common-3.0.23d-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-swat-3.0.23d-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-doc-3.0.23d-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-debuginfo-3.0.23d-1.i386.rpm
makerpms.sh: Done.
[root@node1 RHEL]#
Step4
Install the RPM files we built from source.
[root@node1]# cd /usr/src/redhat/RPMS/i386/
[root@node1 i386]# rpm -Uvh samba-3.0.23d-1.i386.rpm samba-client-3.0.23d-1.i386.rpm samba-common-3.0.23d-1.i386.rpm samba-debuginfo-3.0.23d-1.i386.rpm samba-doc-3.0.23d-1.i386.rpm samba-swat-3.0.23d-1.i386.rpm
Preparing... ########################################### [100%]
1:samba-common ########################################### [ 17%]
warning: /etc/samba/smb.conf created as /etc/samba/smb.conf.rpmnew
2:samba ########################################### [ 33%]
ls: /var/cache/samba/eventlog/*tdb: No such file or directory
3:samba-client ########################################### [ 50%]
4:samba-debuginfo ########################################### [ 67%]
5:samba-doc ########################################### [ 83%]
6:samba-swat ########################################### [100%]
[root@node1 i386]#
Step5
Login to node2 – the backup domain controller and repeat the above steps.
1.1: smb.conf PDC
You will need to replace the highlighted parameters with your domain name. Take note of the use of failover LDAP backends in "passdb backend"; this is very useful.
[root@node1 ~]# mkdir /data
[root@node1 ~]# vi /etc/samba/smb.conf
# Primary Domain Controller smb.conf
# Global parameters
[global]
unix charset = LOCALE
workgroup = DDESIGN
netbios name = node1
#passdb backend = ldapsam:ldap://127.0.0.1
#passdb backend = ldapsam:"ldap://192.168.0.2 ldap://192.168.0.3"
passdb backend = ldapsam:"ldap://node1.differentialdesign.org ldap://node2.differentialdesign.org"
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 0
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'
delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p '%g'
delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%g' '%u'
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%g' '%u'
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
logon script = %u.bat
#logon path = \\192.168.0.4\profiles\%u
logon path = \\nodes.differentialdesign.org\profiles\%u
logon drive = H:
domain logons = Yes
domain master = Yes
wins support = Yes
ldap suffix = dc=differentialdesign,dc=org
ldap machine suffix = ou=Computers,ou=Users
ldap user suffix = ou=People,ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=sambaadmin,dc=differentialdesign,dc=org
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
printer admin = root
printing = cups
#======================== Share Definitions =========================
[homes]
comment = Home Directories
valid users = %S
browseable = yes
writable = yes
create mask = 0600
directory mask = 0700
[netlogon]
comment = Network Logon Service
path = /data/samba/netlogon
writeable = yes
browseable = yes
read only = no
[profiles]
path = /data/samba/profiles
writeable = yes
browseable = no
read only = no
create mode = 0777
directory mode = 0777
[Documents]
comment = share to test samba
path = /data/documents
writeable = yes
browseable = yes
read only = no
valid users = "@Domain Users"
1.2: smb.conf BDC
[root@node2 ~]# mkdir /data
[root@node2 ~]# vi /etc/samba/smb.conf
# Backup Domain Controller smb.conf
# Global parameters
[global]
unix charset = LOCALE
workgroup = DDESIGN
netbios name = node2
#passdb backend = ldapsam:ldap://127.0.0.1
#passdb backend = ldapsam:"ldap://192.168.0.2 ldap://192.168.0.3"
passdb backend = ldapsam:"ldap://node2.differentialdesign.org ldap://node1.differentialdesign.org"
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
name resolve order = wins bcast hosts
printcap name = CUPS
show add printer wizard = No
logon script = %u.bat
#logon path = \\192.168.0.4\profiles\%u
logon path = \\nodes.differentialdesign.org\profiles\%u
logon drive = H:
domain logons = Yes
os level = 63
domain master = No
wins server = node1.differentialdesign.org
ldap suffix = dc=differentialdesign,dc=org
ldap machine suffix = ou=Computers,ou=Users
ldap user suffix = ou=People,ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=sambaadmin,dc=differentialdesign,dc=org
utmp = Yes
idmap backend = ldap://node1.differentialdesign.org
idmap uid = 10000-20000
idmap gid = 10000-20000
printing = cups
#======================== Share Definitions =========================
[homes]
comment = Home Directories
valid users = %S
browseable = yes
writable = yes
create mask = 0600
directory mask = 0700
[netlogon]
comment = Network Logon Service
path = /data/samba/netlogon
writeable = yes
browseable = yes
read only = no
[profiles]
path = /data/samba/profiles
writeable = yes
browseable = no
read only = no
create mode = 0777
directory mode = 0777
[Documents]
comment = share to test samba
path = /data/documents
writeable = yes
browseable = yes
read only = no
valid users = "@Domain Users"
1.3: /etc/hosts
In order to correctly resolve names to IP addresses we need some form of name resolution. We already have a DNS name server capable of doing this, as per section 7.0: BIND DNS. However it is desirable to have a backup, such as entries in the /etc/hosts file.
Step1
On node1 we will edit the hosts file to reflect our configuration.
[root@node1 ~]# vi /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 node1 localhost.localdomain localhost
192.168.0.2 node1.differentialdesign.org
192.168.0.3 node2.differentialdesign.org
192.168.0.4 nodes.differentialdesign.org
Step2
Login to node2 and edit the /etc/hosts file.
[root@node2 ~]# vi /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 node2 localhost.localdomain localhost
192.168.0.2 node1.differentialdesign.org
192.168.0.3 node2.differentialdesign.org
192.168.0.4 nodes.differentialdesign.org
1.4: Samba Security
There are many additional features we can use to make Samba more secure. We can add some additional parameters to our smb.conf to achieve this.
One of the great features of Samba is the "hosts allow =" option. It can be applied globally to all shares by placing it in the [global] section of smb.conf, or to specific shares, but not both.
The example below limits access to all Samba shares to clients on the 192.168.0.0/24 network, as it is defined in the [global] section of smb.conf.
# /etc/samba/smb.conf
# Global parameters
[global]
workgroup = DDESIGN
security = user
hosts allow = 192.168.0.0/24
For the enthusiast, we can use this option on a per share basis, which provides us with greater flexibility.
This limits access to this share to the single client at 192.168.0.100; you can of course list multiple addresses. Give a single client as a bare address: an entry with a mask such as 192.168.0.100/24 describes the 192.168.0.0/24 network, not one host, and would admit every machine on the subnet.
# /etc/samba/smb.conf
# ==== Share Definitions =====
[Documents]
comment = share to test samba
path = /data/documents
writeable = yes
browseable = yes
read only = no
valid users = "@Domain Users"
hosts allow = 192.168.0.100
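The following is an added example, not part of the original guide: a small Python model of "hosts allow" matching that shows why a masked entry admits more than the address written, plus an audit helper that flags such entries. It interprets each entry by its CIDR meaning through Python's ipaddress module (an assumption; it is not Samba's own matching code) and does not resolve hostnames.

```python
import ipaddress


def _entry_matches(entry, client):
    """Match one 'hosts allow' / 'hosts deny' entry against a client address.

    Covers the address forms from the smb.conf man page: ALL, a bare
    address, address/prefixlen, address/netmask, and a trailing-dot partial
    address such as '192.168.0.' (hostnames are not resolved here).
    """
    if entry.upper() == "ALL":
        return True
    if entry.endswith("."):
        # partial address: '192.168.0.' matches every 192.168.0.x client
        return str(client).startswith(entry)
    try:
        # strict=False clears the host bits, so '192.168.0.100/24' becomes
        # the network 192.168.0.0/24; a bare address is a /32 (one host)
        network = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # hostname or typo: treated as no match in this model
    return client in network


def hosts_allow_permits(hosts_allow, client_ip):
    """Return True if client_ip would pass the given 'hosts allow' value.

    Entries are separated by spaces or commas; everything after the EXCEPT
    keyword is subtracted from what precedes it.  An empty value means no
    restriction, as in Samba.
    """
    client = ipaddress.ip_address(client_ip)
    tokens = hosts_allow.replace(",", " ").split()
    if not tokens:
        return True
    allowed, excepted = tokens, []
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            allowed, excepted = tokens[:i], tokens[i + 1:]
            break
    if any(_entry_matches(e, client) for e in excepted):
        return False
    return any(_entry_matches(e, client) for e in allowed)


def widened_entries(hosts_allow):
    """Audit helper: return (entry, effective network) for every masked entry
    whose written address has host bits set under its own mask, i.e. where
    the mask admits more than the address that was typed.
    """
    suspicious = []
    for tok in hosts_allow.replace(",", " ").split():
        if "/" not in tok:
            continue
        try:
            network = ipaddress.ip_network(tok, strict=False)
            written = ipaddress.ip_address(tok.split("/", 1)[0])
        except ValueError:
            continue
        if written != network.network_address:
            suspicious.append((tok, str(network)))
    return suspicious


if __name__ == "__main__":
    # constructed sample values, not taken from a real configuration
    for value in ("192.168.0.100/24", "192.168.0.100"):
        print(value, "admits 192.168.0.77:", hosts_allow_permits(value, "192.168.0.77"))
    print("widened:", widened_entries("192.168.0.100/24 192.168.0.0/24"))
```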
2.0: Configuring LDAP
It is necessary to use LDAP as our backend to Samba which provides replication to the Backup Domain Controllers.
There are two methods for providing replication. The original one uses OpenLDAP's slurpd for master/slave operation: the master pushes the database to the slaves defined by "replica" directives in its slapd.conf. Here is an example of the original way, as used in 2.1: slapd.conf Master.
replica host=192.168.0.3:389
  suffix="dc=differentialdesign,dc=org"
  binddn="cn=syncuser,dc=differentialdesign,dc=org"
  bindmethod=simple
  credentials=SyncUser
To bind to the database the slave replicas will need to use syncuser's password, defined above as credentials=SyncUser. Initially you will need to manually populate the slave database as defined in section 3.4 Database Replication.
The main restriction with this original design is that slapd needs to be restarted on both the master and the slave when adding additional replicas.
LDAP Replication Configuration (slurpd)
Master: a master LDAP database that is replicated in real time to the backup domain controller.
Slave(s): a slave LDAP database that provides load-balanced authentication, and can be used as a failover if the master becomes unavailable.
LDAP Replication Configuration (syncrepl)
Provider: a provider LDAP database that has the most up-to-date version of the database.
Consumer(s): a consumer requests an update at a set interval, and provides load balancing.
The alternative is to use syncrepl, which is built into slapd itself; this means we no longer need to run the slurpd daemon to replicate the database.
There are 2 main types of syncrepl operation. In refreshOnly operation the consumer requests an update from the provider at a set time interval, defined as interval=00:00:10:00 (dd:hh:mm:ss), which would poll the provider every 10 minutes. The more desirable way is to use delta-syncrepl in refreshAndPersist mode, which keeps a persistent connection to the provider. Instead of a polling interval we have the parameter retry="30 10 300 +", which means that after losing the connection the consumer retries 10 times at 30 second intervals, then every 300 seconds; the "+" indicates an indefinite number of retries.
If you are using syncrepl with OpenLDAP version 2.2, delta-syncrepl is known to be very buggy, so you are better sticking with standard syncrepl refreshOnly mode.
Additionally the ldap daemon does not need to be restarted on the provider when a consumer is added; the consumer requests the data by polling the provider at a set interval.
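As an added example (not from the original guide), the Python below parses the interval and retry parameters used above and turns a retry string into a reconnect timeline, so you can see how long a consumer keeps trying after the provider goes away and when a finite schedule gives up.

```python
def parse_interval(spec):
    """Parse a syncrepl refreshOnly interval 'dd:hh:mm:ss' into seconds."""
    parts = spec.split(":")
    if len(parts) != 4:
        raise ValueError("interval must be dd:hh:mm:ss, got %r" % spec)
    days, hours, minutes, seconds = (int(p) for p in parts)
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def parse_retry(spec):
    """Parse a syncrepl retry string '<interval> <count> [<interval> <count> ...]'
    into (interval_seconds, count) pairs; count None stands for '+' (unlimited)."""
    tokens = spec.split()
    if not tokens or len(tokens) % 2:
        raise ValueError("retry needs interval/count pairs, got %r" % spec)
    pairs = []
    for interval, count in zip(tokens[::2], tokens[1::2]):
        pairs.append((int(interval), None if count == "+" else int(count)))
    return pairs


def retry_schedule(spec, attempts):
    """Seconds after the connection loss at which each of the first `attempts`
    reconnect attempts happens.  The list is shorter than `attempts` when the
    schedule has no '+' and the consumer gives up (slapd then stops
    replicating until it is restarted)."""
    times, elapsed = [], 0
    for interval, count in parse_retry(spec):
        done = 0
        while (count is None or done < count) and len(times) < attempts:
            elapsed += interval
            times.append(elapsed)
            done += 1
        if len(times) >= attempts:
            break
    return times


def gives_up(spec):
    """True if the retry string has no unlimited ('+') stage."""
    return all(count is not None for _, count in parse_retry(spec))


if __name__ == "__main__":
    # the page's own values, plus a constructed finite schedule for contrast
    print("interval 00:00:10:00 =", parse_interval("00:00:10:00"), "seconds")
    print('retry "30 10 300 +" ->', retry_schedule("30 10 300 +", 13))
    print('retry "60 3" gives up:', gives_up("60 3"), retry_schedule("60 3", 10))
```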
2.1: slapd.conf Master
This is the original method for replicating the database to slave LDAP servers. We are using slurpd, which has been around for a long time and has proven itself to be stable.
This configuration file should work on any version of OpenLDAP.
# /etc/openldap/slapd.conf
# using slurpd
# LDAP Master
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix "dc=differentialdesign,dc=org"
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager
directory /var/lib/ldap

replica host=node2.differentialdesign.org:389
  suffix="dc=differentialdesign,dc=org"
  binddn="cn=syncuser,dc=differentialdesign,dc=org"
  bindmethod=simple
  credentials=SyncUser
replogfile /var/lib/ldap/replogfile

access to attrs=userPassword
  by self write
  by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
  by dn="cn=syncuser,dc=differentialdesign,dc=org" read
  by * auth
access to attrs=sambaLMPassword,sambaNTPassword
  by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
  by dn="cn=syncuser,dc=differentialdesign,dc=org" read
access to *
  by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
  by dn="cn=syncuser,dc=differentialdesign,dc=org" read
  by * read

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
2.1.1: slapd.conf Master syncrepl Openldap2.2
This is the slapd.conf master LDAP file; we are using syncrepl instead of slurpd, which is the traditional method.
This configuration file is specifically designed for OpenLDAP 2.2 and supports syncrepl refreshOnly mode.
# slapd.conf Master syncrepl Openldap2.2
# Provider
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix "dc=differentialdesign,dc=org"
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager
directory /var/lib/ldap

access to attrs=userPassword
  by self write
  by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
  by dn="cn=syncuser,dc=differentialdesign,dc=org" read
  by * auth
access to attrs=sambaLMPassword,sambaNTPassword
  by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
  by dn="cn=syncuser,dc=differentialdesign,dc=org" read
access to *
  by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
  by dn="cn=syncuser,dc=differentialdesign,dc=org" read
  by * read

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
2.1.2: slapd.conf Master delta-syncrepl Openldap2.3
This configuration file is designed to support OpenLDAP's newest features. We will be using delta-syncrepl, which supports refreshAndPersist with performance similar to that of slurpd.
The slapd.conf below will only run on OpenLDAP 2.3.
Take note of the "modulepath /usr/lib/openldap2.3" line in the file below; you will need to change this to the directory where your syncprov.la is located.
# slapd.conf Master delta-syncrepl Openldap2.3
# Provider
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

modulepath /usr/lib/openldap2.3
moduleload syncprov.la
moduleload accesslog.la

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Accesslog database definitions
database bdb
suffix cn=accesslog
directory /var/lib/ldap/accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart

overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

# Samba database
database bdb
suffix "dc=differentialdesign,dc=org"
directory /var/lib/ldap
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager
index entryCSN eq
index entryUUID eq

overlay syncprov
syncprov-checkpoint 1000 60

# accesslog overlay definitions for primary db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00

access to attrs=userPassword
  by self write
  by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
  by dn="cn=syncuser,dc=differentialdesign,dc=org" read
  by * auth
access to attrs=sambaLMPassword,sambaNTPassword
  by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
  by dn="cn=syncuser,dc=differentialdesign,dc=org" read
access to *
  by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
  by dn="cn=syncuser,dc=differentialdesign,dc=org" read
  by * read

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
2.2: slapd.conf Slave
This is the original method for replicating the database to slave LDAP servers. We are using slurpd, which has been around for a long time and has proven itself to be stable.
This configuration file should work on any version of OpenLDAP.
# /etc/openldap/slapd.conf
# using slurpd
# LDAP Slave
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix "dc=differentialdesign,dc=org"
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager

access to attrs=userPassword
  by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
  by dn="cn=syncuser,dc=differentialdesign,dc=org" write
  by * auth
access to attrs=sambaLMPassword,sambaNTPassword
  by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
  by dn="cn=syncuser,dc=differentialdesign,dc=org" write
access to *
  by dn="cn=syncuser,dc=differentialdesign,dc=org" write
  by * read

updatedn cn=syncuser,dc=differentialdesign,dc=org
updateref ldap://node1.differentialdesign.org
directory /var/lib/ldap

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
2.2.1: slapd.conf Slave syncrepl Openldap2.2
This is the configuration file for OpenLDAP version 2.2 using the syncrepl refreshOnly method.
This configuration file will only work with OpenLDAP version 2.2.
# slapd.conf Slave syncrepl Openldap2.2
# LDAP Consumer
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix "dc=differentialdesign,dc=org"
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager
directory /var/lib/ldap

syncrepl rid=0
  provider=ldap://node1.differentialdesign.org:389
  binddn="cn=syncuser,dc=differentialdesign,dc=org"
  bindmethod=simple
  credentials=SyncUser
  searchbase="dc=differentialdesign,dc=org"
  filter="(objectClass=*)"
  attrs="*"
  schemachecking=off
  scope=sub
  type=refreshOnly
  interval=00:06:00:00

access to attrs=userPassword
  by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
  by dn="cn=syncuser,dc=differentialdesign,dc=org" write
  by * auth
access to attrs=sambaLMPassword,sambaNTPassword
  by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
  by dn="cn=syncuser,dc=differentialdesign,dc=org" write
access to *
  by dn="cn=syncuser,dc=differentialdesign,dc=org" write
  by * read

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
2.2.2: slapd.conf Slave delta-syncrepl Openldap2.3
This is the consumer counterpart of 2.1.2; it will only run on OpenLDAP 2.3.
# slapd.conf Slave delta-syncrepl Openldap2.3
# LDAP Consumer
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix "dc=differentialdesign,dc=org"
directory /var/lib/ldap
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager

# syncrepl directives
syncrepl rid=0
  provider=ldap://node1.differentialdesign.org:389
  bindmethod=simple
  binddn="cn=syncuser,dc=differentialdesign,dc=org"
  credentials=SyncUser
  searchbase="dc=differentialdesign,dc=org"
  logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  schemachecking=on
  type=refreshAndPersist
  retry="60 +"
  syncdata=accesslog

access to attrs=userPassword
  by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
  by dn="cn=syncuser,dc=differentialdesign,dc=org" write
  by * auth
access to attrs=sambaLMPassword,sambaNTPassword
  by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
  by dn="cn=syncuser,dc=differentialdesign,dc=org" write
access to *
  by dn="cn=syncuser,dc=differentialdesign,dc=org" write
  by * read

updateref ldap://node1.differentialdesign.org

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
2.3: ldap.conf Master
You will notice below that the host option lists both the primary and the secondary LDAP database servers. This serves as a failover option if the local LDAP database is inaccessible. The same applies to the slave LDAP configuration in 2.4: ldap.conf Slave. Note that /etc/ldap.conf is world-readable, so binding there as the rootdn (cn=Manager) exposes the directory manager password to every local user; a less privileged bind DN is the safer choice.
# /etc/ldap.conf
# LDAP Master
host node1.differentialdesign.org node2.differentialdesign.org
base dc=differentialdesign,dc=org
binddn cn=Manager,dc=differentialdesign,dc=org
bindpw Manager
pam_password exop
nss_base_passwd ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_passwd ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_group ou=Groups,dc=differentialdesign,dc=org?one
ssl no
2.4: ldap.conf Slave
# /etc/ldap.conf
# LDAP Slave
host node2.differentialdesign.org node1.differentialdesign.org
base dc=differentialdesign,dc=org
binddn cn=Manager,dc=differentialdesign,dc=org
bindpw Manager
pam_password exop
nss_base_passwd ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_passwd ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_group ou=Groups,dc=differentialdesign,dc=org?one
ssl no
3.0: Initialization LDAP Database
Initial LDAP database population
There are many ways to initialize the LDAP database backend for Samba, and many scripts to help you out; however these take away our initial control of the database and can lead to issues later in database management.
Once your server is up and running with users on it, the database cannot really be manipulated without knowing the full workings of LDAP, so many of us are stuck with what we created.
The future of Samba is changing to Active Directory; we keep this in mind when creating the database so that migrating to Samba4 is an easier upgrade path; eventually Samba4 will be able to support OpenLDAP as a modular backend.
3.1: Provisioning Database
We are going to manually create our initial LDAP database in a text file, and be confident to use it in a full production environment.
Our LDAP database structure will look like the following if using the preload LDIF as per section 3.2 Preload LDIF:
dc=differentialdesign,dc=org (Samba base)
|-- cn=Manager
|-- cn=syncuser
|-- cn=sambaadmin
|-- cn=mailadmin
|-- ou=Users
|   |-- ou=People
|   |   |-- root
|   |   |-- asender
|   |   `-- simo
|   `-- ou=Computers
|       |-- workstation1$
|       `-- workstation2$
|-- ou=Groups
|   |-- Domain Admins (root)
|   |-- Domain Users (root, asender, simo)
|   |-- Domain Guests (nobody)
|   `-- Domain Computers (workstation1$, workstation2$)
`-- ou=Domains
    `-- sambaDomainName=DDESIGN
Step1
Delete all runtime files from prior Samba operation by executing:
[root@node1]# rm /etc/samba/*tdb
[root@node1]# rm /var/lib/samba/*tdb
[root@node1]# rm /var/lib/samba/*dat
[root@node1]# rm /var/log/samba/*
Step2
Delete any previous LDAP database.
[root@node1]# cd /var/lib/ldap
[root@node1]# rm -rf *
Step3
Login to node2, the backup domain controller, and do the same.
Step4
[root@node1 ~]# net getlocalsid
SID for domain NODE1 is: S-1-5-21-3809161173-2687474671-1432921517
Your SID will differ from the one above; you will need to alter the preload LDIF accordingly, as described below.
Step5
Login to your backup domain controller (node2) and type the following command using the SID obtained in step 4, so that both domain controllers share the same domain SID.
[root@node2 ~]# net setlocalsid S-1-5-21-3809161173-2687474671-1432921517
3.2: Preload LDIF
Step1
Create a text file with the following contents.
[root@node1]# vi preload-differentialdesign.ldif
Substitute SID S-1-5-21-3809161173-2687474671-1432921517 with your domain SID, being sure to leave the SID group mapping suffixes (-512, -513, ...) in place. Substitute dc=differentialdesign,dc=org with your fully qualified domain name. Substitute sambaDomainName: DDESIGN with your Samba domain name.
# SAMBA LDAP PRELOAD
# Substitute SID S-1-5-21-3809161173-2687474671-1432921517 with your domain SID, be sure
# to leave the SID group mapping.
# Substitute dc=differentialdesign,dc=org with your fully qualified domain name.
# Substitute sambaDomainName: DDESIGN with your Samba Domain Name
# The user to bind Samba to LDAP is defined in our smb.conf (ldap admin dn); store its password with:
# [root@node1]# smbpasswd -w SambaAdmin
# [root@node2]# smbpasswd -w SambaAdmin
# SID S-1-5-21-3809161173-2687474671-1432921517

dn: dc=differentialdesign,dc=org
objectClass: dcObject
objectClass: organization
dc: differentialdesign
o: DDESIGN
description: Posix and Samba LDAP Identity Database

dn: cn=Manager,dc=differentialdesign,dc=org
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: cn=syncuser,dc=differentialdesign,dc=org
objectClass: person
cn: syncuser
sn: syncuser
userPassword: SyncUser

dn: cn=sambaadmin,dc=differentialdesign,dc=org
objectClass: person
cn: sambaadmin
sn: sambaadmin
userPassword: SambaAdmin

dn: cn=mailadmin,dc=differentialdesign,dc=org
objectClass: person
cn: mailadmin
sn: mailadmin
userPassword: MailAdmin

dn: ou=Users,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Users

dn: ou=People,ou=Users,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Computers,ou=Users,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Computers

dn: ou=Groups,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Groups

dn: ou=Domains,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Domains

dn: sambaDomainName=DDESIGN,ou=Domains,dc=differentialdesign,dc=org
objectClass: sambaDomain
objectClass: sambaUnixIdPool
uidNumber: 1000
gidNumber: 1000
sambaDomainName: DDESIGN
sambaSID: S-1-5-21-3809161173-2687474671-1432921517
sambaAlgorithmicRidBase: 1000
structuralObjectClass: sambaDomain

dn: cn=Domain Admins,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-512
sambaGroupType: 2
displayName: Domain Admins
description: Domain Administrators

dn: cn=Domain Users,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-513
sambaGroupType: 2
displayName: Domain Users
description: Domain Users

dn: cn=Domain Guests,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-514
sambaGroupType: 2
displayName: Domain Guests
description: Domain Guests

dn: cn=Domain Computers,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-515
sambaGroupType: 2
displayName: Domain Computers
description: Domain Computers

dn: cn=Administrators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-544
sambaGroupType: 5
displayName: Administrators
description: Administrators

dn: cn=Account Operators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-548
sambaGroupType: 5
displayName: Account Operators
description: Account Operators

dn: cn=Print Operators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-550
sambaGroupType: 5
displayName: Print Operators
description: Print Operators

dn: cn=Backup Operators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-551
sambaGroupType: 5
displayName: Backup Operators
description: Backup Operators

dn: cn=Replicators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-552
sambaGroupType: 5
displayName: Replicators
description: Replicators
3.3: LDAP population
Now it is time to populate the database with the LDIF that we edited to match our domain details as per section 3.2: Preload LDIF.
Step1.
Make sure LDAP is not running.
[root@node1]# vi /var/lib/ldap/DB_CONFIG
# DB_CONFIG
set_cachesize 0 150000000 1
set_lg_regionmax 262144
set_lg_bsize 2097152
set_flags DB_LOG_AUTOREMOVE
Step2.
This step is necessary if you are using delta-syncrepl as per section 2.1.2: slapd.conf Master delta-syncrepl Openldap2.3.
Because we are using multiple databases on the provider, it is necessary to place an additional DB_CONFIG file inside the accesslog database directory.
[root@node1]# mkdir /var/lib/ldap/accesslog
[root@node1]# cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog
Step3.
[root@node1]# cd /ldap-scripts/
[root@node1 scripts]# slapadd -b "dc=differentialdesign,dc=org" -v -l preload-differentialdesign.ldif
added: "dc=differentialdesign,dc=org" (00000001)
added: "cn=Manager,dc=differentialdesign,dc=org" (00000002)
added: "cn=syncuser,dc=differentialdesign,dc=org" (00000003)
added: "cn=sambaadmin,dc=differentialdesign,dc=org" (00000004)
added: "cn=mailadmin,dc=differentialdesign,dc=org" (00000005)
added: "ou=Users,dc=differentialdesign,dc=org" (00000006)
added: "ou=People,ou=Users,dc=differentialdesign,dc=org" (00000007)
added: "ou=Computers,ou=Users,dc=differentialdesign,dc=org" (00000008)
added: "ou=Groups,dc=differentialdesign,dc=org" (00000009)
added: "ou=Domains,dc=differentialdesign,dc=org" (0000000a)
added: "sambaDomainName=DDESIGN,ou=Domains,dc=differentialdesign,dc=org" (0000000b)
added: "cn=Domain Admins,ou=Groups,dc=differentialdesign,dc=org" (0000000c)
added: "cn=Domain Users,ou=Groups,dc=differentialdesign,dc=org" (0000000d)
added: "cn=Domain Guests,ou=Groups,dc=differentialdesign,dc=org" (0000000e)
added: "cn=Domain Computers,ou=Groups,dc=differentialdesign,dc=org" (000000f)
added: "cn=Administrators,ou=Groups,dc=differentialdesign,dc=org" (00000010)
added: "cn=Account Operators,ou=Groups,dc=differentialdesign,dc=org" (00000011)
added: "cn=Print Operators,ou=Groups,dc=differentialdesign,dc=org" (00000012)
added: "cn=Backup Operators,ou=Groups,dc=differentialdesign,dc=org" (00000013)
added: "cn=Replicators,ou=Groups,dc=differentialdesign,dc=org" (00000014)
Step4.
[root@node1]# chown -R ldap.ldap /var/lib/ldap
Step5.
The user Samba binds to LDAP as is defined in our smb.conf; the password we store here is sambaadmin's password as set in preload-differentialdesign.ldif.
The sambaadmin entry in preload-differentialdesign.ldif has the password "SambaAdmin":
dn: cn=sambaadmin,dc=differentialdesign,dc=org
objectClass: person
cn: sambaadmin
sn: sambaadmin
userPassword: SambaAdmin
[root@node1 scripts]# smbpasswd -w SambaAdmin
Setting stored password for "cn=sambaadmin,dc=differentialdesign,dc=org" in secrets.tdb
[root@node1 ~]# service ldap restart
Stopping slapd: [ OK ]
Stopping slurpd: [ OK ]
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
Starting slurpd: [ OK ]
[root@node1 ~]# service smb restart
Shutting down SMB services: [ OK ]
Shutting down NMB services: [ OK ]
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
Step6.
Adding initial users with the smbldap-tools: skip to section 4.1: smbldap-tools and install them on node1.
[root@node1 scripts]# cd /opt/IDEALX/sbin/
[root@node1 sbin]# ./smbldap-useradd -m -a root
[root@node1 sbin]# ./smbldap-passwd root
Changing password for root
New password :
Retype new password :
[root@node1 ]# smbpasswd -a root
New SMB password:
Retype new SMB password:
Added user root.
[root@node1 sbin]# ./smbldap-groupmod -m root Domain\ Admins
adding user root to group Domain Admins
[root@node1 ~]# cd /opt/IDEALX/sbin/
[root@node1 sbin]# ./smbldap-useradd -m -a asender
[root@node1 sbin]# ./smbldap-passwd asender
Changing password for asender
New password :
Retype new password :
[root@node1 sbin]# smbpasswd asender
New SMB password:
Retype new SMB password:
[root@node1 sbin]# id asender
uid=1001(asender) gid=513(Domain Users) groups=513(Domain Users)
Step7
You are now ready to join a Windows machine to the domain with the user 'root'.
We will need to set up our BDC, Heartbeat and DRBD to match our configuration.
3.4: Database Replication
If we choose to use syncrepl instead of the slurpd daemon, as per sections 2.2.1 slapd.conf Slave syncrepl and 2.2.1.1 slapd.conf Slave delta-syncrepl Openldap2.3, there is no need to do this section: the database will be copied across initially when the consumer is restarted and requests it from the provider.
Step1.
Dump the LDAP database and copy it across to node2.
[root@node1 ~]# slapcat -b "dc=differentialdesign,dc=org" -v -l transfer.ldif
# id=00000001
# id=00000002
# id=00000003
# id=00000004
# id=00000005
# id=00000006
# id=00000007
# id=00000008
# id=00000009
# id=0000000a
# id=0000000b
# id=0000000c
# id=0000000d
# id=0000000e
# id=0000000f
# id=00000010
# id=00000011
# id=00000012
# id=00000013
# id=00000014
# id=00000015
# id=00000017
# id=00000018
[root@node1 ~]# scp transfer.ldif root@node2:/root/
Step2.
Load the transferred database on node2.
[root@node2 ~]# slapadd -b "dc=differentialdesign,dc=org" -v -l transfer.ldif
added: "dc=differentialdesign,dc=org" (00000001)
added: "cn=Manager,dc=differentialdesign,dc=org" (00000002)
added: "cn=syncuser,dc=differentialdesign,dc=org" (00000003)
added: "cn=sambaadmin,dc=differentialdesign,dc=org" (00000004)
added: "cn=mailadmin,dc=differentialdesign,dc=org" (00000005)
added: "ou=Users,dc=differentialdesign,dc=org" (00000006)
added: "ou=People,ou=Users,dc=differentialdesign,dc=org" (00000007)
added: "ou=Computers,ou=Users,dc=differentialdesign,dc=org" (00000008)
added: "ou=Groups,dc=differentialdesign,dc=org" (00000009)
added: "ou=Domains,dc=differentialdesign,dc=org" (0000000a)
added: "sambaDomainName=DDESIGN,ou=Domains,dc=differentialdesign,dc=org" (0000000b)
added: "cn=Domain Admins,ou=Groups,dc=differentialdesign,dc=org" (0000000c)
added: "cn=Domain Users,ou=Groups,dc=differentialdesign,dc=org" (0000000d)
added: "cn=Domain Guests,ou=Groups,dc=differentialdesign,dc=org" (0000000e)
added: "cn=Domain Computers,ou=Groups,dc=differentialdesign,dc=org" (000000f)
added: "cn=Administrators,ou=Groups,dc=differentialdesign,dc=org" (00000010)
added: "cn=Account Operators,ou=Groups,dc=differentialdesign,dc=org" (00000011)
added: "cn=Print Operators,ou=Groups,dc=differentialdesign,dc=org" (00000012)
added: "cn=Backup Operators,ou=Groups,dc=differentialdesign,dc=org" (00000013)
added: "cn=Replicators,ou=Groups,dc=differentialdesign,dc=org" (00000014)
added: "uid=root,ou=People,ou=Users,dc=differentialdesign,dc=org" (00000015)
added: "uid=asender,ou=People,ou=Users,dc=differentialdesign,dc=org" (00000016)
Step3.
Make sure the LDAP database is owned by the ldap user.
[root@node2 ~]# chown -R ldap.ldap /var/lib/ldap
Step4.
[root@node1 ~]# service ldap restart
Stopping slapd: [ OK ]
Stopping slurpd: [ OK ]
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
Starting slurpd: [ OK ]
[root@node1 ~]# service smb restart
Shutting down SMB services: [ OK ]
Shutting down NMB services: [ OK ]
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
Step5.
Login to node1, your Primary Domain Controller, and add another user as was done in section 3.6 LDAP population Step5; we will then check replication by logging onto node2 and seeing whether the user exists on that machine.
[root@node1 sbin]# ./smbldap-useradd -m -a testuser
[root@node1 sbin]# ./smbldap-passwd testuser
Changing password for testuser
New password :
Retype new password :
[root@node1 sbin]# smbpasswd testuser
New SMB password:
Retype new SMB password:
[root@node1 sbin]# ssh node2
root@node2's password:
Last login: Mon Dec 18 02:43:33 2006 from 192.168.0.2
[root@node2 ~]# id testuser
uid=1009(testuser) gid=513(Domain Users) groups=513(Domain Users)
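Checking a single user with id on node2 proves little once the directory grows. The script below is an added example, not part of the original guide: it compares an LDIF dump taken on the provider with one taken on the consumer (slapcat -b "dc=differentialdesign,dc=org" -l node1.ldif on each node), lists every DN that has not arrived on the consumer, and compares the contextCSN values that syncrepl maintains on the suffix entry. The function names and the sample dumps are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that the consumer
# (node2) holds every entry the provider (node1) holds and that their
# contextCSN values agree. Inputs are slapcat dumps from each node.
# The two sample dumps below are constructed; "testuser" has been added on
# the provider but has not yet reached the consumer, which is the failure
# this check reports. DNs encoded as "dn::" (base64) are not handled.

# Print the DNs of an LDIF dump, one per line, sorted for comm(1).
ldif_dns() {
    sed -n 's/^dn: //p' "$1" | LC_ALL=C sort
}

# Print the contextCSN attribute of a dump (empty if the DB has none).
context_csn() {
    sed -n 's/^contextCSN: //p' "$1" | head -n 1
}

# Print every DN present in the provider dump but absent from the consumer.
missing_on_consumer() {
    tp=$(mktemp) || return 2
    tc=$(mktemp) || { rm -f "$tp"; return 2; }
    ldif_dns "$1" >"$tp"
    ldif_dns "$2" >"$tc"
    LC_ALL=C comm -23 "$tp" "$tc"
    rm -f "$tp" "$tc"
}

# Overall verdict: prints "in-sync" (status 0) or "lagging" (status 1).
replication_status() {
    missing=$(missing_on_consumer "$1" "$2")
    if [ -z "$missing" ] && [ "$(context_csn "$1")" = "$(context_csn "$2")" ]; then
        echo in-sync
        return 0
    fi
    echo lagging
    return 1
}

# --- constructed sample dumps (values made up for this example) ---
SAMPLE_DIR=$(mktemp -d)
PROVIDER_LDIF=$SAMPLE_DIR/node1.ldif
CONSUMER_LDIF=$SAMPLE_DIR/node2.ldif
cat >"$PROVIDER_LDIF" <<'EOF'
dn: dc=differentialdesign,dc=org
objectClass: dcObject
objectClass: organization
dc: differentialdesign
contextCSN: 20061218024400Z#000000#00#000000

dn: uid=asender,ou=People,ou=Users,dc=differentialdesign,dc=org
objectClass: posixAccount
uid: asender

dn: uid=testuser,ou=People,ou=Users,dc=differentialdesign,dc=org
objectClass: posixAccount
uid: testuser
EOF
cat >"$CONSUMER_LDIF" <<'EOF'
dn: dc=differentialdesign,dc=org
objectClass: dcObject
objectClass: organization
dc: differentialdesign
contextCSN: 20061218024333Z#000000#00#000000

dn: uid=asender,ou=People,ou=Users,dc=differentialdesign,dc=org
objectClass: posixAccount
uid: asender
EOF

# On real dumps: replication_status node1.ldif node2.ldif
replication_status "$PROVIDER_LDIF" "$CONSUMER_LDIF" || true
missing_on_consumer "$PROVIDER_LDIF" "$CONSUMER_LDIF"
```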
4.0: User Management
4.1: smbldap-tools
We will not be using the smbldap-tools to populate the database; however we will use them to manage users and groups once the database has been populated. These scripts allow us to add users and machines using NT tools such as srvtools.exe, and they also make it much easier to add users on the fly. It is, however, also possible to create an LDIF file to add users to the database.
smbldap-tools give us the advantage of being able to add machine accounts on the fly through the standard Windows domain join. They also give us the ability to use srvtools.exe; however these tools lack the fine control that can only be obtained by manually adding accounts through LDAP.
This document configuration has been tested with smbldap-tools-0.9.1-1.
Install smbldap-tools-0.9.1-1 on both nodes; this means we can add users and groups from either the PDC or the BDC as long as the PDC is contactable.
You may need to satisfy any dependencies.
[root@node1 smbldap-tools]# rpm -Uvh smbldap-tools-0.9.1-1.noarch.rpm
Preparing...                ########################################### [100%]
   1:smbldap-tools          ########################################### [100%]
[root@node1 smbldap-tools]#
[root@node2 smbldap-tools]# rpm -Uvh smbldap-tools-0.9.1-1.noarch.rpm
Preparing...                ########################################### [100%]
   1:smbldap-tools          ########################################### [100%]
[root@node2 smbldap-tools]#
4.1.1: smbldap.conf Master
Because we did not use smbldap-tools to populate our database, we must configure smbldap.conf manually. This configuration file only applies to smbldap-tools-0.9.1-1; if you are using a different version, alterations will need to be made.
We will need to configure this file to suit our init
# /etc/opt/IDEALX/sbin/smbldap.conf
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
# Copyright (C) 2001-2002 IDEALX
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose :
# . be the configuration file for all smbldap-tools scripts
# General Configuration
#
# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-3809161173-2687474671-1432921517"
# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="DDESIGN"
# LDAP Configuration
#
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)
# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="192.168.0.3"
# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"
# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"
# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"
# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify=""
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile=""
# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert=""
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey=""
# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=differentialdesign,dc=org"
# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=People,ou=Users,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,ou=Users,${suffix}"
# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"
# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=DDESIGN,ou=Domains,${suffix}"
# Default scope Used
scope="sub"
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format=""
# Unix Accounts Configuration
#
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"
# Home directory
# Ex: userHome="/home/%U"
userHome="/data/home/%U"
# Default mode used for user homeDirectory
userHomeDirectoryMode="700"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"
# SAMBA Configuration
#
# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\192.168.0.4\%U"
# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\192.168.0.4\profiles\%U"
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.bat"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="differentialdesign.org"
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
# comment out the following line to get rid of the default banner
# no_banner="1"
4.1.2: smbldap.conf Slave
It is not necessary to install smbldap-tools on the backup domain controller. However, doing so lets you add users from the BDC, which will refer its updates to the PDC's LDAP database.
# /etc/opt/IDEALX/sbin/smbldap.conf
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
# Copyright (C) 2001-2002 IDEALX
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose :
# . be the configuration file for all smbldap-tools scripts
# General Configuration
#
# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-3809161173-2687474671-1432921517"
# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="DDESIGN"
# LDAP Configuration
#
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)
# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="127.0.0.1"
# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"
# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="192.168.0.2"
# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"
# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify=""
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile=""
# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert=""
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey=""
# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=differentialdesign,dc=org"
# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=People,ou=Users,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,ou=Users,${suffix}"
# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"
# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=DDESIGN,ou=Domains,${suffix}"
# Default scope Used
scope="sub"
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format=""
# Unix Accounts Configuration
#
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"
# Home directory
# Ex: userHome="/home/%U"
userHome="/data/home/%U"
# Default mode used for user homeDirectory
userHomeDirectoryMode="700"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"
# SAMBA Configuration
#
# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\192.168.0.4\%U"
# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\192.168.0.4\profiles\%U"
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.bat"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="differentialdesign.org"
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
# comment out the following line to get rid of the default banner
# no_banner="1"
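On the BDC every write from smbldap-tools goes to masterLDAP="192.168.0.2", and with ldapTLS="0" the bind password travels across the LAN in clear. The script below is an added example, not part of the original guide or of smbldap-tools: it reads the settings that govern credential and password-hash protection out of a smbldap.conf and reports the combinations worth revisiting. The function names and the trimmed sample files are constructed for this example; the first sample mirrors the BDC values above.

```shell
#!/bin/sh
# Added example (not from the original guide): review the smbldap.conf
# settings that decide whether the LDAP bind password crosses the network
# in clear (ldapTLS vs. masterLDAP/slaveLDAP), whether a TLS server is
# actually verified (verify), and how userPassword is hashed (hash_encrypt).

# conf_get FILE KEY: print KEY's value with the surrounding quotes removed.
# Commented-out lines (leading #) never match because of the anchor.
conf_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

# True when an LDAP host setting keeps the connection on this machine.
is_local() {
    case $1 in ""|127.*|localhost) return 0 ;; *) return 1 ;; esac
}

# check_smbldap_conf FILE: one finding per line, "ok" if none; status 1/0.
check_smbldap_conf() {
    f=$1
    rc=0
    tls=$(conf_get "$f" ldapTLS)
    tls=${tls:-1}          # per the file's own comment, unset means start_tls on
    for k in masterLDAP slaveLDAP; do
        host=$(conf_get "$f" $k)
        if [ "$tls" = 0 ] && ! is_local "$host"; then
            echo "$k=$host with ldapTLS=0: bind password sent in clear over the network"
            rc=1
        fi
    done
    if [ "$tls" = 1 ]; then
        v=$(conf_get "$f" verify)
        if [ "$v" != require ]; then
            echo "ldapTLS=1 but verify='$v': server certificate not verified"
            rc=1
        fi
    fi
    h=$(conf_get "$f" hash_encrypt)
    case $h in
        SSHA) ;;                       # salted SHA-1: the strongest choice offered
        SMD5|CRYPT) ;;                 # salted but weaker; not flagged here
        *) echo "hash_encrypt=$h: unsalted (MD5/SHA) or CLEARTEXT; prefer SSHA"; rc=1 ;;
    esac
    [ $rc -eq 0 ] && echo ok
    return $rc
}

# --- constructed sample files, trimmed to the keys this check reads ---
SAMPLE=$(mktemp -d)
cat >"$SAMPLE/smbldap.conf" <<'EOF'
# values as in the BDC smbldap.conf above
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="192.168.0.2"
masterPort="389"
ldapTLS="0"
verify=""
hash_encrypt="MD5"
EOF
cat >"$SAMPLE/smbldap.conf.hardened" <<'EOF'
slaveLDAP="127.0.0.1"
masterLDAP="192.168.0.2"
ldapTLS="1"
verify="require"
cafile="/etc/openldap/cacerts/ca.pem"
hash_encrypt="SSHA"
EOF

# On a real host: check_smbldap_conf /etc/opt/IDEALX/sbin/smbldap.conf
check_smbldap_conf "$SAMPLE/smbldap.conf" || true
check_smbldap_conf "$SAMPLE/smbldap.conf.hardened"
```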
5.0: Heartbeat HA Configuration
Figure: Heartbeat Configuration (Node1, Node2)
The heartbeat solution is not needed for domain logons; however in mission critical environments it supports failover if a node becomes unavailable. It provides a heartbeat through a serial and a crossover connection directly connected to each server. A virtual IP is shared by the cluster; we connect to this virtual IP Address when accessing a Samba share.
There are 2 main different versions of heartbeat: version 1.2.3 is limited to a two node cluster; version 2 can span many machines and can become quite complex. Heartbeat version 2 is however backwards compatible with version 1.2.3 configuration files using the "crm no" option in the ha.cf configuration file.
You must never mix different versions of heartbeat in a cluster; they must all run the same version. If you do, it will create instability and may lead to random rebooting.
If you want to be completely safe I highly recommend using version 1.2.3; for this exercise however we will be using heartbeat version 2.
If you are looking for proven stability, version 1.2.3 has been used with DRBD for a long time; it is often used in hospitals to store MRI and other data that needs to be readily accessible. Currently this is limited to a 2 node cluster.
5.1: Requirements
Get the following RPMs from the http://www.linux-ha.org web site.
Version 1.2.3 has proven rock solid in many mission critical environments. You may need to satisfy dependencies.
If you chose to install heartbeat version 1.2.3, take note that the configuration file in 4.3 Configuration PDC differs slightly.
5.2: Installation
Heartbeat can now be downloaded with YUM; it will download version 2. Repeat this process on node2, your backup domain controller, so they are both running identical versions of heartbeat.
Install heartbeat on both nodes.
[root@node1 programs]# cd heartbeat-1.2.3/
[root@node1 heartbeat-1.2.3]# ls
heartbeat-1.2.3-2.rh.9.i386.rpm  heartbeat-ldirectord-1.2.3-2.rh.9.i386.rpm  heartbeat-pils-1.2.3-2.rh.9.i386.rpm  heartbeat-stonith-1.2.3-2.rh.9.i386.rpm
[root@node1 heartbeat-1.2.3]# rpm -Uvh heartbeat-1.2.3-2.rh.9.i386.rpm heartbeat-ldirectord-1.2.3-2.rh.9.i386.rpm heartbeat-pils-1.2.3-2.rh.9.i386.rpm heartbeat-stonith-1.2.3-2.rh.9.i386.rpm
5.3: Configuration
Heartbeat running as version 1.2.3 is very easy to configure and manage. The newer version 2 is able to support multiple nodes and uses XML-type configuration files. If you are using version 2 I recommend running with the crm no option, which provides 1.2.3 backwards compatibility.
Just remember to always run the same version of heartbeat on both nodes.
5.3.1: ha.cf
Step1
On node1 login with the root account; the ha.cf file needs to be the same on both nodes.
Note: The option "crm no" in the ha.cf tells heartbeat version 2 to behave as version 1.2.3; this means it is limited to a 2 node cluster. If you choose to run version 1.2.3 you will need to comment out or delete the "crm no" line in the ha.cf.
[root@node1]# cd /etc/ha.d
[root@node1]# vi ha.cf
# /etc/ha.d/ha.cf on node1
# This configuration is to be the same on both machines
# This example is made for version 2, comment out crm if using version 1
keepalive 1
deadtime 5
warntime 3
initdead 20
serial /dev/ttyS0
bcast eth1
auto_failback yes
node node1
node node2
crm no # comment out if using version 1.2.3
Step2.
Copy the ha.cf to node2 so they both have the same configuration file.
[root@node1]# scp /etc/ha.d/ha.cf root@node2:/etc/ha.d/
5.3.2: haresources
The haresources file is read when heartbeat starts. Throughout this document we have used /data as our mount point for the RAID1-over-LAN replication.
We use node1, which is the master server, and 192.168.0.4, which is the cluster's virtual IP address; it will be displayed as eth0:0 on the primary node.
You will see drbddisk Filesystem::/dev/drbd0::/data::ext3: /dev/drbd0 is our DRBD drive. We have chosen to mount our DRBD file system at /data; this is our replication mount point, which we configured in our samba and smbldap-tools configuration.
You can easily make further services highly available by adding the appropriate name to the haresources file, as shown below with the DNS service named.
Step1
[root@node1]# vi haresources
# /etc/ha.d/haresources
# This configuration is to be the same on both nodes
node1 192.168.0.4 drbddisk Filesystem::/dev/drbd0::/data::ext3 named
Step2
Copy the haresources file across to node2 so they are both identical.
[root@node1]# scp /etc/ha.d/haresources root@node2:/etc/ha.d/
5.3.3: authkeys
The method below provides no security or authentication, so we recommend not using it. If however heartbeat communicates over a private link, such as in our case (serial and crossover cable), there is no need to add this additional security.
Step1
[root@node1]# vi authkeys
# /etc/ha.d/authkeys
auth 1
1 crc
The preferred method is to use a sha1 keyed hash to authenticate the nodes and their packets, as below (heartbeat names the method sha1; crc and md5 are the other accepted methods).
# /etc/ha.d/authkeys
auth 1
1 sha1 HeartbeatPassword
Step2
Give the authkeys file correct permissions.
[root@node1]# chmod 600 /etc/ha.d/authkeys
Step3
Copy the authkeys file to node2 so they can authenticate with each other.
[root@node1]# scp /etc/ha.d/authkeys root@node2:/etc/ha.d/
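The authkeys file is the only thing that stops a host on the heartbeat link from injecting cluster messages, so the key should be random rather than a fixed word and the file must stay at mode 600. The script below is an added example, not part of the original guide or of heartbeat: make_authkeys writes an authkeys file with a random sha1 key, and check_authkeys reports the problems that make node authentication ineffective (crc method, wrong permissions, missing key). Function names are constructed for this example; the paths are parameters so it can be tried on a scratch file before touching /etc/ha.d.

```shell
#!/bin/sh
# Added example (not from the original guide): generate and audit a
# Heartbeat /etc/ha.d/authkeys file. Format, as used in the guide:
#   auth <n>          which key line is active
#   <n> <method> <key>  method is crc, md5 or sha1; crc takes no key

# make_authkeys FILE: write "auth 1" / "1 sha1 <32 hex chars>" with a key
# from /dev/urandom, created under umask 077 and left at mode 600.
make_authkeys() {
    out=$1
    key=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    [ ${#key} -eq 32 ] || return 2
    (umask 077 && printf 'auth 1\n1 sha1 %s\n' "$key" >"$out") || return 2
    chmod 600 "$out"
}

# check_authkeys FILE: print one finding per line; print "ok" and return 0
# when the file is usable for real authentication, otherwise return 1.
check_authkeys() {
    f=$1
    rc=0
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = 600 ] || { echo "mode $mode: must be 600"; rc=1; }
    # "auth N" selects the key line that is used on the wire.
    n=$(sed -n 's/^auth[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$f" | head -n 1)
    [ -n "$n" ] || { echo "no auth line"; return 1; }
    line=$(grep "^$n[[:space:]]" "$f" | head -n 1)
    method=$(echo "$line" | awk '{print $2}')
    key=$(echo "$line" | awk '{print $3}')
    case $method in
        crc) echo "method crc: checksum only, no authentication"; rc=1 ;;
        md5|sha1) [ -n "$key" ] || { echo "method $method without a key"; rc=1; } ;;
        *) echo "unknown method '$method'"; rc=1 ;;
    esac
    [ $rc -eq 0 ] && echo ok
    return $rc
}

# --- try it on scratch files (constructed for this example) ---
SCRATCH=$(mktemp -d)
make_authkeys "$SCRATCH/authkeys"
check_authkeys "$SCRATCH/authkeys"
# The crc variant shown in the guide, for comparison:
printf 'auth 1\n1 crc\n' >"$SCRATCH/authkeys.crc"
chmod 600 "$SCRATCH/authkeys.crc"
check_authkeys "$SCRATCH/authkeys.crc" || true
```

Once the generated file passes the check, copy it to node2 exactly as in Step3 above; both nodes must carry the same key.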
5.4: Testing
Now that we have heartbeat configured it is time to test ther
Step4.
Login to node2, your backup domain controller, and use exactly the same heartbeat configuration files as on the primary domain controller.
6.0: DRBD
Figure: DRBD Configuration (Primary, Secondary)
DRBD is a kernel module which has the ability to network 2 machines to provide RAID1 over LAN.
It is assumed that we have two identical drives in both machines; all data on this device will be destroyed.
If you are updating your kernel or version of DRBD, make sure DRBD is stopped on both machines.
Never attempt to run different versions of DRBD; this means both machines need the same kernel.
6.1: Requirements
You will need to install the DRBD kernel module. We will build our own RPM kernel modules so they are optimized for our architecture.
I have tested many different kernels with DRBD; some are not stable, so you will need to check Google to make sure your kernel is compatible with the particular DRBD release. Most of the time this is not an issue.
Both of the following kernels are recommended for Fedora Core 4; I have used them up to version drbd-0.7.23.
kernel-smp-2.6.14-1.1656_FC4
kernel-smp-2.6.11-1.1369_FC4
Please browse this list http://www.linbit.com/support/drbd-current/ and look for packages available.
Step1
Get a serial cable and connect it to each node's COM1 port.
Execute the following; you may see a lot of garbage on the screen.
[root@node1 ~]# cat </dev/ttyS0
Step2
You may have to repeat the below a couple of times in rapid succession to see the output on node1.
[root@node2 ~]# echo hello >/dev/ttyS0
6.2: Installation
Step1
Extract the latest stable version of DRBD.
[root@node1 stable]# tar zxvf drbd-0.7.20.tar.gz
[root@node1 stable]# cd drbd-0.7.20
[root@node1 drbd-0.7.20]#
Step2
It is nice to make your own RPM for your distribution; it makes upgrades seamless.
This will give us an RPM built specifically for our kernel; it may take some time.
[root@node1 drbd-0.7.20]# make
[root@node1 drbd-0.7.20]# make rpm
Step3
[root@node1 drbd-0.7.20]# cd dist/RPMS/i386/
[root@node1 i386]# ls
drbd-0.7.20-1.i386.rpm  drbd-debuginfo-0.7.20-1.i386.rpm  drbd-km-2.6.14_1.1656_FC4smp-0.7.20-1.i386.rpm
Step4
We will now install DRBD and the kernel module we built earlier.
[root@node1 i386]# rpm -Uvh drbd-0.7.20-1.i386.rpm drbd-debuginfo-0.7.20-1.i386.rpm drbd-km-2.6.14_1.1656_FC4smp-0.7.20-1.i386.rpm
Step5
Login to node2, the backup domain controller, and do the same.
6.3: Configuration
In the example throughout this document we have linked /dev/hdd1 to /dev/drbd0; yours however may be a different device, for instance SCSI.
All data on the device /dev/hdd will be destroyed.
Step1
We are going to create the partition /dev/hdd1 on /dev/hdd using fdisk (fdisk is run on the whole disk, not on the partition).
[root@node1]# fdisk /dev/hdd
Command (m for help): m
Command action
   a   toggle a bootable flag
   b   edit bsd disklabel
   c   toggle the dos compatibility flag
   d   delete a partition
   l   list known partition types
   m   print this menu
   n   add a new partition
   o   create a new empty DOS partition table
   p   print the partition table
   q   quit without saving changes
   s   create a new empty Sun disklabel
   t   change a partition's system id
   u   change display/entry units
   v   verify the partition table
   w   write table to disk and exit
   x   extra functionality (experts only)

Command (m for help): d
No partition is defined yet!

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-8677, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-8677, default 8677):
Using default value 8677

Command (m for help): w
Step2
Now login to node2, the backup domain controller, and fdisk /dev/hdd1 (or your chosen device) as per above.
6.3.1: drbd.conf
Create this file on both your master and slave server. It should be identical on both, although that is not a requirement: as long as the partition size is the same, any mount point can be used.
Step1
The file below is fairly self-explanatory; you can see the real disk linked to the DRBD kernel module device.
[root@node1]# vi /etc/drbd.conf
# Datadrive (/data) /dev/hdd1 80GB
resource drbd1 {
  protocol C;
  disk {
    on-io-error panic;
  }
  net {
    max-buffers 2048;
    ko-count 4;
    on-disconnect reconnect;
  }
  syncer {
    rate 700000;
  }
  on node1 {
    device /dev/drbd0;
    disk /dev/hdd1;
    address 10.0.0.1:7789;
    meta-disk internal;
  }
  on node2 {
    device /dev/drbd0;
    disk /dev/hdd1;
    address 10.0.0.2:7789;
    meta-disk internal;
  }
}
Step2
[root@node1]# scp /etc/drbd.conf root@node2:/etc/
6.3.2: Initialization
In the following steps we will configure the disks to synchronize and choose a master node.
Step1
On the Primary Domain Controller
[root@node1]# service drbd start
On the Backup Domain Controller
[root@node2]# service drbd start
Step2
[root@node1]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.17 (api:77/proto:74)
SVN Revision: 2093 build by root@node1, 2006-04-23 14:40:20
 0: cs:Connected st:Secondary/Secondary ld:Inconsistent
    ns:25127936 nr:3416 dw:23988760 dr:4936449 al:19624 bm:1038 lo:0 pe:0 ua:0 ap:0
You can see both devices are connected and waiting for a primary device to be chosen; choosing one triggers the initial synchronization to the secondary device.
Step3
Stop the heartbeat service on both nodes.
Step4
We are now telling DRBD to make node1 the primary device.
[root@node1]# drbdadm -- --do-what-I-say primary all
[root@node1 ~]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.23 (api:79/proto:74)
SVN Revision: 2686 build by root@node1, 2007-01-23 20:26:13
 0: cs:SyncSource st:Primary/Secondary ld:Consistent
    ns:67080 nr:85492 dw:91804 dr:72139 al:9 bm:268 lo:0 pe:30 ua:2019 ap:0
        [==>.................] sync'ed: 12.5% (458848/520196)K
        finish: 0:01:44 speed: 4,356 (4,088) K/sec
Step5
Create a filesystem on our DRBD (network RAID-1) device.
[root@node1]# mkfs.ext3 /dev/drbd0
6.4: Testing
We have a 2 node cluster replicating data; it's time to test a failover.
Step1
Start the heartbeat service on both nodes.
Step2
On node1 we can see the status of DRBD.
[root@node1 ~]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.23 (api:79/proto:74)
 0: cs:Connected st:Primary/Secondary ld:Consistent
    ns:1536 nr:0 dw:1372 dr:801 al:4 bm:6 lo:0 pe:0 ua:0 ap:0
[root@node1 ~]#
On node2 we can see the status of DRBD.
[root@node2 ~]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.23 (api:79/proto:74)
SVN Revision: 2686 build by root@node2, 2007-01-23 20:26:03
 0: cs:Connected st:Secondary/Primary ld:Consistent
    ns:0 nr:1484 dw:1484 dr:0 al:0 bm:6 lo:0 pe:0 ua:0 ap:0
[root@node2 ~]#
That all looks good; we can see the devices are consistent and ready for use.
Step3
Now let's check the mount point we created in the heartbeat haresources file.
We can see heartbeat has successfully mounted /dev/drbd0 on the /data directory; of course your device will not have any data on it yet.
[root@node1 ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                       35G   14G   20G  41% /
/dev/hdc1              99M   21M   74M  22% /boot
/dev/shm              506M     0  506M   0% /dev/shm
/dev/drbd0             74G   37G   33G  53% /data
[root@node1 ~]#
Step4
Login to node1 and execute the following command; once heartbeat is stopped it should only take a few seconds to migrate the services to node2.
[root@node1 ~]# service heartbeat stop
Stopping High-Availability services:                       [  OK  ]
[root@node1 ~]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.23 (api:79/proto:74)
SVN Revision: 2686 build by root@node1, 2007-01-23 20:26:13
 0: cs:Connected st:Secondary/Primary ld:Consistent
    ns:5616 nr:85492 dw:90944 dr:2162 al:9 bm:260 lo:0 pe:0 ua:0 ap:0
We can see DRBD change state to secondary on node1.
Step5
Now let's check the status of DRBD on node2; we can see it has changed state and become the primary.
[root@node2 ~]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.23 (api:79/proto:74)
SVN Revision: 2686 build by root@node2, 2007-01-23 20:26:03
 0: cs:Connected st:Primary/Secondary ld:Consistent
    ns:4 nr:518132 dw:518136 dr:17 al:0 bm:220 lo:0 pe:0 ua:0 ap:0
 1: cs:Connected st:Primary/Secondary ld:Consistent
    ns:28 nr:520252 dw:520280 dr:85 al:0 bm:199 lo:0 pe:0 ua:0 ap:0
Check that node2 has mounted the device.
[root@node2 ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                       35G   12G   22G  35% /
/dev/hdc1              99M   17M   78M  18% /boot
/dev/shm              506M     0  506M   0% /dev/shm
/dev/hdh1             111G   97G  7.6G  93% /storage
/dev/drbd0             74G   37G   33G  53% /data
[root@node2 ~]#
Step6
Finally start the heartbeat service on node1 and be sure that all processes migrate back.
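Before stopping heartbeat on a node it is worth checking mechanically that the mirror is in the state the outputs above show, rather than reading the status by eye. The following added shell example (not part of the original document) parses the device lines of DRBD 0.7 status output into a verdict and refuses a failover while any device is still syncing, inconsistent or disconnected; the embedded sample is copied from the status output in section 6.3.2, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original document: classify the device lines
# of DRBD 0.7 status output ("service drbd status" or /proc/drbd) so a manual
# failover test can be refused while the mirror is not safe to switch.
# Usage: service drbd status | drbd_check      or      drbd_check </proc/drbd
# Output: one line per device -> "<minor> <verdict> <cs> <st> <ld>"
drbd_check() {
    awk '
    /^ *[0-9]+: cs:/ {
        minor = $1; sub(/:$/, "", minor)
        cs = st = ld = ""
        for (i = 2; i <= NF; i++) {            # cs:, st:, ld: key/value tokens
            split($i, kv, ":")
            if (kv[1] == "cs") cs = kv[2]
            if (kv[1] == "st") st = kv[2]
            if (kv[1] == "ld") ld = kv[2]
        }
        verdict = "DISCONNECTED"               # WFConnection, StandAlone, ...
        if (cs ~ /^(Paused)?Sync/)
            verdict = "SYNCING"                # wait for the resync to finish
        else if (cs == "Connected")
            verdict = (ld == "Consistent") ? "OK" : "INCONSISTENT"
        printf "%s %s %s %s %s\n", minor, verdict, cs, st, ld
    }'
}

# Succeed only when at least one device is listed and every one reports OK.
drbd_ready() {
    drbd_check | awk '{ n++; if ($2 != "OK") bad = 1 } END { exit (bad || n == 0) }'
}

# Constructed sample, copied from the status output shown in section 6.3.2
# above: the mirror after "service drbd start", before a primary was chosen.
DRBD_SAMPLE='drbd driver loaded OK; device status:
version: 0.7.17 (api:77/proto:74)
 0: cs:Connected st:Secondary/Secondary ld:Inconsistent
    ns:25127936 nr:3416 dw:23988760 dr:4936449 al:19624 bm:1038 lo:0 pe:0 ua:0 ap:0'

printf '%s\n' "$DRBD_SAMPLE" | drbd_check
printf '%s\n' "$DRBD_SAMPLE" | drbd_ready || echo "not safe to fail over yet"
```

Run `service drbd status | drbd_ready` on both nodes before "service heartbeat stop"; a non-zero exit means the data on the node that would take over cannot be trusted yet.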
7.0: BIND DNS
We can use BIND (the Berkeley Internet Name Domain) in a high availability configuration. We can make 2 nodes appear as one: the zone files are stored on a DRBD drive, and if node1 fails, node2 can take over and automatically start named.
BIND can have its /var/named directory relocated to a more appropriate location such as /data/dnszones; this lets us replicate the zone files in real time. The standby node2 will have to have its default directory modified to /data/dnszones as well.
We have 2 servers, and we will refer to the cluster as cluster.differentialdesign.org. It is assumed that these machines are behind a firewall with NAT and port forwarding to the appropriate ports.
When setting up domain names through a registrar you want 2 separate name servers, so it is recommended to set up an additional slave DNS server.
An example may be:
Name Server: CLUSTER.DIFFERENTIALDESIGN.ORG   <- primary name server (the cluster)
Name Server: NS1.DIFFERENTIALDESIGN.ORG
Name Server: NS2.DIFFERENTIALDESIGN.ORG
7.1: Configuration
Step1
We will now create a directory on our DRBD drive /data/dnszones.
[root@node1 ~]# mkdir /data/dnszones
Step2
Change the location of the zone files to our replicated drive. Note that, as the usage output shows, -t is the chroot directory for named; the directory option in named.conf (section 7.1.1) is what points named at the zone files themselves.
[root@node1 ~]# named ?
usage: named [-4|-6] [-c conffile] [-d debuglevel] [-f|-g] [-n number_of_cpus]
             [-p port] [-s] [-t chrootdir] [-u username] [-m {usage|trace|record}] [-D ]
named: extra command line arguments
[root@node1 ~]# named -t /data/dnszones/
Step3
Copy the default zone files to our new location and set the permissions.
[root@node1 ~]# rsync -avz /var/named/ /data/dnszones/
[root@node1 ~]# chown -R named.named /data/dnszones/
7.1.1: named.conf
It is important that all machines on the network use cluster.differentialdesign.org or its local IP address as their DNS server. This way we can assure correct name resolution.
We will now edit /etc/named.conf.
Take note of the allow-transfer section in the file below: the two addresses listed after localhost are our secondary DNS servers, the IP addresses of ns1.differentialdesign.org and ns2.differentialdesign.org. Zone transfers are allowed only to these hosts.
The named.conf needs to be the same on both node1 and node2; you could manually copy the file over using scp, or link it to the /data/dnszones directory using a symbolic link.
[root@node1 ~]# vi /etc/named.conf
//
// named.conf for Red Hat caching-nameserver
//
options {
        directory "/data/dnszones";
        dump-file "/data/dnszones/data/cache_dump.db";
        statistics-file "/data/dnszones/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
        allow-transfer {
                127.0.0.1;       // localhost
                202.161.90.250;  // secondary DNS server for my zone
                202.161.90.251;  // secondary DNS server for my zone
        };
};
//
// a caching only nameserver config
//
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};
zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
};
zone "255.in-addr.arpa" IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
};
zone "0.in-addr.arpa" IN {
        type master;
        file "named.zero";
        allow-update { none; };
};
zone "differentialdesign.org" {
        type master;
        file "/data/dnszones/differentialdesign.org/named.differentialdesign.org.hosts";
        allow-update { none; };
};
7.1.2: zone file
In our named.conf file we have the following zone defined:
zone "differentialdesign.org" {
        type master;
        file "/data/dnszones/differentialdesign.org/named.differentialdesign.org.hosts";
        allow-update { none; };
};
We can see the zone file is located under /data/dnszones/.
Step1
Create a sub folder where we will store our zone files.
[root@node1 ~]# mkdir /data/dnszones/differentialdesign.org/
Step2
Create a new file called named.differentialdesign.org.hosts.
[root@node1 ~]# vi /data/dnszones/differentialdesign.org/named.differentialdesign.org.hosts
You will see below that nodes.differentialdesign.org. IN A 192.168.0.4 is an "A record" which points to the virtual IP address of the cluster. When setting up mapped drives it is best to use the name instead of the IP address.
$TTL 8h
differentialdesign.org. IN SOA cluster.differentialdesign.org. asender.mail.samba.org. (
        2006211201      ; serial
        10800           ; refresh
        3600            ; retry
        3600000         ; expire
        86400 )         ; minimum
differentialdesign.org.         IN NS   cluster.differentialdesign.org.
differentialdesign.org.         IN NS   ns1.differentialdesign.org.
differentialdesign.org.         IN NS   ns2.differentialdesign.org.
differentialdesign.org.         IN MX   50 mail.differentialdesign.org.
mail.differentialdesign.org.    IN A    202.161.90.245
www.differentialdesign.org.     IN A    202.161.90.245
cluster.differentialdesign.org. IN A    202.161.90.241
node1.differentialdesign.org.   IN A    192.168.0.2
node2.differentialdesign.org.   IN A    192.168.0.3
nodes.differentialdesign.org.   IN A    192.168.0.4
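Because both nodes serve the same zone files from the DRBD volume, a zone file that does not load breaks DNS on whichever node is primary after a failover. The following added shell example (not part of the original document) checks a zone file in the layout used above (owner, IN, type, data on each line, class always present, SOA serial after the opening parenthesis): it extracts the SOA serial and reports in-zone NS names that have no A record. named-checkzone does a fuller job where BIND's tools are installed; run against the sample above this check reports ns1 and ns2, which the zone lists as name servers but gives no address records for. The function name, the zone-name argument and the embedded sample are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original document: a portable pre-failover
# check for a zone file in the layout used above (owner, IN, type, data on
# each line; SOA serial after the opening parenthesis). Covers two faults that
# break the zone on the node that takes it over: a bad SOA serial and an
# in-zone NS name without an A record.
# Usage: zone_check <zone-name-with-trailing-dot> < zonefile ; exit 1 on problems
zone_check() {
    awk -v zone="$1" '
    function inzone(n) {                         # n == zone or ends in ".zone"
        return n == zone || substr(n, length(n) - length(zone)) == "." zone
    }
    { sub(/;.*/, "") }                           # drop comments
    $3 == "A" { has_a[$1] = 1 }
    $3 == "NS" && inzone($4) { ns[$4] = 1 }
    {   # serial = third token after SOA (mname rname serial), "(" ignored
        for (i = 1; i <= NF; i++) {
            if (soa > 0 && $i != "(") { soa++; if (soa == 4) serial = $i }
            if ($i == "SOA") soa = 1
        }
    }
    END {
        bad = 0
        if (serial !~ /^[0-9]+$/ || serial + 0 > 4294967295) {
            print "bad-serial " serial; bad = 1      # must fit 32 bits (RFC 1982)
        } else print "serial " serial
        for (n in ns) if (!(n in has_a)) { print "missing-a " n; bad = 1 }
        exit bad
    }'
}

# Constructed sample: a subset of the zone file shown above.
ZONE_SAMPLE='$TTL 8h
differentialdesign.org. IN SOA cluster.differentialdesign.org. asender.mail.samba.org. (
        2006211201 10800 3600 3600000 86400 )
differentialdesign.org.         IN NS cluster.differentialdesign.org.
differentialdesign.org.         IN NS ns1.differentialdesign.org.
differentialdesign.org.         IN NS ns2.differentialdesign.org.
cluster.differentialdesign.org. IN A  202.161.90.241
nodes.differentialdesign.org.   IN A  192.168.0.4'

printf '%s\n' "$ZONE_SAMPLE" | zone_check differentialdesign.org. || echo "zone needs attention"
```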