Replicated Failover Domain Controller and file server using LDAP

From SambaWiki
'''SAMBA 3: FAILOVER DOMAIN CONTROLLER'''


'''SAMBA 3 EXTENSIONS'''




TECHNICAL CONFIGURATION

Author: Adrian Sender
Supervisor: Simo Sorce




'''Objectives'''

Samba Active Directory Upgrade Compatible
Set Standards
High Availability Cluster
Recommended By Developers



Overview

1.0: Configuring Samba
1.1 smb.conf PDC
1.2 smb.conf BDC
1.3 /etc/hosts
1.4 Samba Security

2.0: Configuring LDAP
2.1 slapd.conf Master
2.1.1 slapd.conf Master syncrepl Openldap2.2
2.1.2 slapd.conf Master delta-syncrepl Openldap2.3
2.2 slapd.conf Slave
2.2.1 slapd.conf Slave syncrepl Openldap2.2
2.2.2 slapd.conf Slave delta-syncrepl Openldap2.3
2.3 ldap.conf Master
2.4 ldap.conf Slave


3.0: Initialization LDAP Database
3.1 Provisioning Database
3.2 Preload LDIF
3.3 LDAP Population
3.4 Database Replication


4.0: User Management
4.1 smbldap-tools
4.1.1 smbldap.conf Master
4.1.2 smbldap.conf Slave


5.0: Heartbeat HA Configuration
5.1 Requirements
5.2 Installation
5.3 Configuration
5.3.1 ha.cf
5.3.2 haresources
5.3.3 authkeys
5.4 Testing


6.0: DRBD
6.1 Requirements
6.2 Installation
6.3 Configuration
6.3.1 drbd.conf
6.3.2 Initialization
6.4 Testing


7.0: BIND DNS
7.1 Configuration
7.1.1 named.conf
7.1.2 zone file






Overview


We will be configuring a 2 node cluster using Samba and OpenLDAP to provide Windows domain authentication. Heartbeat will provide the 2 nodes with one virtual IP address; we will use this IP address to map network drives and access resources.
Most of us are familiar with some form of RAID; we will be using DRBD, software RAID1 over LAN, to provide real time data replication. It replicates the data at block level; if a failure occurs on node1 or it becomes unresponsive, resources will be migrated to node2 and the DRBD drive mounted there.

This is a complex setup and strict guidelines need to be followed in order to achieve stability.

We should start with 2 identical machines each with 2 hard drives. One of these drives will be used for the operating system; the other is our DRBD RAID1 over LAN drive.

By today’s standards anything in the Pentium 4 range and above will suit. The operating system drive should be no less than approximately 40GB, and the DRBD replication drive should be approximately 300GB on each node; SATA and SCSI are also fine. DRBD can currently address and replicate data storage up to 4TB.

Once familiar with this kind of configuration you can easily take one node offline to upgrade additional storage or any hardware requirements without users suffering.

High Availability and data replication should not replace traditional backups such as tape and external media devices, especially if you are using this configuration and are not familiar with the workings.

The machines will need to be in close proximity to each other so we can use Serial communication to provide a fault tolerant heartbeat. If you choose not to use serial you may have unexpected failovers due to bandwidth delay or a network card failure. Ideally we want to have a quick failover so it is important that these precautions are taken.

Each node will require 2 network cards.

Here is a basic configuration overview:

Configuration Details

node1.differentialdesign.org

Eth0: LAN Network Address
IP Address: 192.168.0.2
Subnet Mask: 255.255.255.0
Gateway: 192.168.0.1

Eth0:1 Heartbeat LAN Address
IP Address: 192.168.0.4
Subnet Mask: 255.255.255.0

Eth1: DRBD Replication Network
IP Address: 10.0.0.1
Subnet Mask: 255.255.255.0
Gateway: None

HDC: Operating System Drive

HDD: DRBD Data Replication Drive

TTYS0: COM Port 1
Configuration Details

node2.differentialdesign.org

Eth0: LAN Network Address
IP Address: 192.168.0.3
Subnet Mask: 255.255.255.0
Gateway: 192.168.0.1

Eth1: DRBD Replication Network
IP Address: 10.0.0.2
Subnet Mask: 255.255.255.0
Gateway: None

HDC: Operating System Drive

HDD: DRBD Data Replication Drive

TTYS0: COM Port 1






1.0: Configuring Samba




Samba is an ambitious project to provide solutions for file & print sharing between Linux ™ and Microsoft Windows.


If you are familiar with Samba this document may give you some ideas of how you can bundle different software packages together to produce a very reliable configuration.


We are building a fault tolerant domain controller, which provides you with the following:

Samba Configuration

Primary Domain Controller: A master domain controller that provides authentication through the use of LDAP.
Backup Domain Controller: A slave domain controller that can load balance client login requests, and which also provides redundancy through the use of a replica LDAP database.


Step1

Get the latest version of samba http://us4.samba.org/samba/ftp/samba-latest.tar.gz

It is essential that both the PDC and BDC are running the same version of samba.

[root@node1 samba]# wget http://us4.samba.org/samba/ftp/samba-latest.tar.gz
--19:28:04-- http://us4.samba.org/samba/ftp/samba-latest.tar.gz
=> `samba-latest.tar.gz'
Resolving us4.samba.org... 192.48.170.15
Connecting to us4.samba.org|192.48.170.15|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17,704,221 (17M) [application/x-tar]

100%[====================================>] 17,704,221 53.01K/s ETA 00:00

19:33:40 (51.62 KB/s) - `samba-latest.tar.gz' saved [17704221/17704221]


Step2

[root@node1 samba]# tar zxvf samba-latest.tar.gz

[root@node1 samba]# cd samba-3.0.23d/
[root@node1 samba-3.0.23d]#

[root@node1 samba-3.0.23d]# cd packaging/
bin/ Example/ Mandrake/ RedHat-9/ SGI/ SuSE/
Debian/ LSB/ README RHEL/ Solaris/ sysv/


Step3

This will take some time.

[root@node1 samba-3.0.23d]# cd packaging/RHEL/

[root@node1 RHEL]# ls
makerpms.sh makerpms.sh.tmpl samba.spec samba.spec.tmpl setup

[root@node1 RHEL]# chmod 777 makerpms.sh
[root@node1 RHEL]# ./makerpms.sh

Wrote: /usr/src/redhat/SRPMS/samba-3.0.23d-1.src.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-3.0.23d-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-client-3.0.23d-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-common-3.0.23d-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-swat-3.0.23d-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-doc-3.0.23d-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-debuginfo-3.0.23d-1.i386.rpm

makerpms.sh: Done.
[root@node1 RHEL]#


Step4

Install the RPM files we built from source.

[root@node1 ~]# cd /usr/src/redhat/RPMS/i386/
[root@node1 i386]# rpm -Uvh samba-3.0.23d-1.i386.rpm samba-client-3.0.23d-1.i386.rpm samba-common-3.0.23d-1.i386.rpm samba-debuginfo-3.0.23d-1.i386.rpm samba-doc-3.0.23d-1.i386.rpm samba-swat-3.0.23d-1.i386.rpm
Preparing... ########################################### [100%]
1:samba-common warning: /etc/samba/smb.conf created as /etc/samba/smb.conf.rpmnew
########################################### [ 17%]
2:samba ########################################### [ 33%]
ls: /var/cache/samba/eventlog/*tdb: No such file or directory
3:samba-client ########################################### [ 50%]
4:samba-debuginfo ########################################### [ 67%]
5:samba-doc ########################################### [ 83%]
6:samba-swat ########################################### [100%]

[root@node1 i386]#


Step5

Login to node2 – the backup domain controller and repeat the above steps.



1.1: smb.conf PDC

You will need to replace the highlighted parameters with your domain name. Take note of the use of failover LDAP backends (the two URIs given to passdb backend); this is very useful.

[root@node1 ~]# mkdir /data


[root@node1 ~]# vi /etc/samba/smb.conf


## Primary Domain Controller smb.conf

## Global parameters

[global]
unix charset = LOCALE
workgroup = DDESIGN
netbios name = node1
#passdb backend = ldapsam:ldap://127.0.0.1
#passdb backend = ldapsam:"ldap://192.168.0.2 ldap://192.168.0.3"
passdb backend = ldapsam:"ldap://node1.differentialdesign.org ldap://node2.differentialdesign.org"
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 0
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'
delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p '%g'
delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%g' '%u'
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%g' '%u'
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
logon script = %u.bat
#logon path = \\192.168.0.4\profiles\%u
logon path = \\nodes.differentialdesign.org\profiles\%u
logon drive = H:
domain logons = Yes
domain master = Yes
wins support = Yes
ldap suffix = dc=differentialdesign,dc=org
ldap machine suffix = ou=Computers,ou=Users
ldap user suffix = ou=People,ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=sambaadmin,dc=differentialdesign,dc=org
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
printer admin = root
printing = cups

#========================Share Definitions=========================

[homes]
comment = Home Directories
valid users = %S
browseable = yes
writable = yes
create mask = 0600
directory mask = 0700

[netlogon]
comment = Network Logon Service
path = /data/samba/netlogon
writeable = yes
browseable = yes
read only = no

[profiles]
path = /data/samba/profiles
writeable = yes
browseable = no
read only = no
create mode = 0777
directory mode = 0777

[Documents]
comment = share to test samba
path = /data/documents
writeable = yes
browseable = yes
read only = no
valid users = "@Domain Users"



1.2: smb.conf BDC

[root@node2 ~]# mkdir /data

[root@node2 ~]# vi /etc/samba/smb.conf


## Global parameters

## Backup Domain Controller

[global]
unix charset = LOCALE
workgroup = DDESIGN
netbios name = node2
#passdb backend = ldapsam:ldap://127.0.0.1
#passdb backend = ldapsam:"ldap://192.168.0.2 ldap://192.168.0.3"
passdb backend = ldapsam:"ldap://node2.differentialdesign.org ldap://node1.differentialdesign.org"
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
name resolve order = wins bcast hosts
printcap name = CUPS
show add printer wizard = No
logon script = %u.bat
#logon path = \\192.168.0.4\profiles\%u
logon path = \\nodes.differentialdesign.org\profiles\%u
logon drive = H:
domain logons = Yes
os level = 63
domain master = No
wins server = node1.differentialdesign.org
ldap suffix = dc=differentialdesign,dc=org
ldap machine suffix = ou=Computers,ou=Users
ldap user suffix = ou=People,ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=sambaadmin,dc=differentialdesign,dc=org
utmp = Yes
idmap backend = ldap://node1.differentialdesign.org
idmap uid = 10000-20000
idmap gid = 10000-20000
printing = cups

#========================Share Definitions=========================

[homes]
comment = Home Directories
valid users = %S
browseable = yes
writable = yes
create mask = 0600
directory mask = 0700

[netlogon]
comment = Network Logon Service
path = /data/samba/netlogon
writeable = yes
browseable = yes
read only = no

[profiles]
path = /data/samba/profiles
writeable = yes
browseable = no
read only = no
create mode = 0777
directory mode = 0777

[Documents]
comment = share to test samba
path = /data/documents
writeable = yes
browseable = yes
read only = no
valid users = "@Domain Users"



1.3: /etc/hosts

In order to correctly resolve names to IP addresses we need some form of name resolution. We already have a DNS name server which is capable of doing this, as per section 7.0: BIND DNS. However, it is desirable to have a backup such as entries in the /etc/hosts file.

Step1

On node1 we will edit the hosts file to reflect our configuration.

[root@node1 ~]# vi /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 node1 localhost.localdomain localhost
192.168.0.2 node1.differentialdesign.org
192.168.0.3 node2.differentialdesign.org
192.168.0.4 nodes.differentialdesign.org

Step2

Login to node2 and edit the /etc/hosts file.

[root@node2 ~]# vi /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 node2 localhost.localdomain localhost
192.168.0.2 node1.differentialdesign.org
192.168.0.3 node2.differentialdesign.org
192.168.0.4 nodes.differentialdesign.org


1.4: Samba Security

There are many additional features we can add to Samba to make it more secure. We can add some additional parameters to our smb.conf to achieve this.

One of the great features of Samba is the “hosts allow =” option. This can be applied on a global scale to all the shares in the smb.conf by placing it in the global section, or to specific shares, but not both.

The example below limits access to Samba shares to clients on the 192.168.0.0/24 network, as it is defined in the global section of the smb.conf.

## /etc/samba/smb.conf
## Global parameters

[global]

workgroup = DDESIGN
security = user
hosts allow = 192.168.0.0/24

For the enthusiast, we can use this option on a per share basis, which provides us with greater flexibility.

This limits access to this share to the single client with IP address 192.168.0.100; you can of course list multiple addresses. Note that Samba applies the mask to the listed address as well as to the client, so writing 192.168.0.100/24 here would admit the whole 192.168.0.0/24 network rather than one host.

## /etc/samba/smb.conf
## ==== Share Definitions =====
[Documents]
comment = share to test samba
path = /data/documents
writeable = yes
browseable = yes
read only = no
valid users = "@Domain Users"
hosts allow = 192.168.0.100
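To see what the masked form of hosts allow actually admits, here is an added example (not Samba's own code, and not from the original page): a simplified Python re-implementation of the match Samba performs for the IPv4 entry forms used in this section (address, address/bits, address/netmask). It assumes only the masking rule; hostnames, EXCEPT and hosts deny are not handled.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def parse_hosts_allow_entry(entry):
    """Parse one IPv4 'hosts allow' entry into (address, mask) as integers.

    Accepted forms, the ones used in this section's smb.conf: a.b.c.d,
    a.b.c.d/bits and a.b.c.d/m.m.m.m. A bare address gets a full /32 mask.
    """
    if "/" in entry:
        addr, mask = entry.split("/", 1)
        if "." in mask:
            mask_int = int(ipaddress.IPv4Address(mask))
        else:
            bits = int(mask)
            if not 0 <= bits <= 32:
                raise ValueError("prefix length out of range: %s" % entry)
            mask_int = (ALL_ONES << (32 - bits)) & ALL_ONES
    else:
        addr, mask_int = entry, ALL_ONES
    return int(ipaddress.IPv4Address(addr)), mask_int


def host_allowed(client_ip, hosts_allow):
    """Return True if client_ip matches any entry in a 'hosts allow' value.

    The mask is applied to BOTH the listed address and the client address,
    so '192.168.0.100/24' admits every host in 192.168.0.0/24, not just
    192.168.0.100. (Simplified: hostnames, EXCEPT and hosts deny are ignored.)
    """
    client = int(ipaddress.IPv4Address(client_ip))
    for entry in hosts_allow.replace(",", " ").split():
        net, mask = parse_hosts_allow_entry(entry)
        if (client & mask) == (net & mask):
            return True
    return False


def effective_network(entry):
    """The network an entry really covers, e.g. '192.168.0.100/24' -> '192.168.0.0/24'."""
    net, mask = parse_hosts_allow_entry(entry)
    prefix_len = bin(mask).count("1")  # assumes a contiguous netmask
    return str(ipaddress.IPv4Network((net & mask, prefix_len)))


if __name__ == "__main__":
    # Constructed sample client address checked against the two entries from this section.
    for entry in ("192.168.0.100/24", "192.168.0.100"):
        print(entry, "->", effective_network(entry),
              "allows 192.168.0.7:", host_allowed("192.168.0.7", entry))
```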




2.0: Configuring LDAP


It is necessary to use LDAP as the backend for Samba, since it provides replication to the backup domain controllers.


There are two methods for providing replication. The original uses OpenLDAP’s “slurpd” to provide master/slave operation: the database is pushed to the slaves, which are defined with replica directives in slapd.conf on the master LDAP server. Here is an example of the original way, as defined in 2.1: slapd.conf Master.


replica host=192.168.0.3:389
suffix="dc=differentialdesign,dc=org"
binddn="cn=syncuser,dc=differentialdesign,dc=org"
bindmethod=simple credentials=SyncUser


To bind to the database the slave replicas will need to use syncuser’s password, defined above as “credentials=SyncUser”. Initially you will need to manually populate the slave database as defined in section 3.4 Database Replication.


The main restriction with this original design is that the LDAP server needs to be restarted on both the master and the slave when adding additional replicas.




LDAP Replication Configuration

Master: A master LDAP database that is replicated in real time to the backup domain controller.
Slave(s): A slave LDAP database that provides load balanced authentication, and can be used as a failover if the master becomes unavailable.



LDAP Replication Configuration

Provider: A provider LDAP database that has the most up to date version of the database.
Consumer(s): A consumer requests an update at a set interval, and provides load balancing.

The alternative is to use syncrepl, which is built into the LDAP daemon. This means we no longer need to run the slurpd daemon to replicate the database.

There are 2 main types of syncrepl operation. In “refreshOnly” operation the consumer requests an update from the provider at a set time interval, defined as “interval=00:00:10:00”, which would poll the provider every 10 minutes. The more desirable way is to use delta-syncrepl; this provides a mode known as “refreshAndPersist” which keeps a persistent connection. Instead of using a time interval to poll the provider we have the parameter “retry="30 10 300 +"”, which means it will retry 10 times every 30 seconds and then every 300 seconds; the “+” indicates an indefinite number of retries.

If you are using syncrepl with OpenLDAP version 2.2, delta-syncrepl is known to be very buggy, so you are better off sticking with standard syncrepl refreshOnly mode.

Additionally the ldap daemon does not need to be restarted on the provider; the consumer will request it by polling the provider at a set interval.
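As an added example (not from the original page or from OpenLDAP), the following Python helpers decode the two timing strings explained above, interval=dd:hh:mm:ss and retry="<seconds> <count> ...", so you can see how long a consumer keeps reconnecting before it gives up. The attempt counts passed in are constructed for illustration.

```python
def parse_interval(spec):
    """Convert a syncrepl interval=dd:hh:mm:ss string into seconds."""
    parts = spec.split(":")
    if len(parts) != 4:
        raise ValueError("interval must be dd:hh:mm:ss, got %r" % spec)
    days, hours, minutes, seconds = (int(p) for p in parts)
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def parse_retry(spec):
    """Parse retry="<delay> <count> [<delay> <count> ...]" into (delay, count)
    pairs; count is None where '+' appears, meaning retry forever at that delay."""
    tokens = spec.strip().strip('"').split()
    if not tokens or len(tokens) % 2:
        raise ValueError("retry needs delay/count pairs, got %r" % spec)
    pairs = []
    for delay, count in zip(tokens[::2], tokens[1::2]):
        pairs.append((int(delay), None if count == "+" else int(count)))
    return pairs


def retry_delays(spec, max_attempts):
    """Delays in seconds before each of up to max_attempts reconnection attempts.
    A shorter list means the schedule is exhausted: the consumer stops retrying."""
    delays = []
    for delay, count in parse_retry(spec):
        remaining = max_attempts - len(delays)
        if remaining <= 0:
            break
        n = remaining if count is None else min(count, remaining)
        delays.extend([delay] * n)
    return delays


def seconds_until_attempt(spec, attempt):
    """Cumulative time from the first failure to the given attempt (1-based),
    or None if the schedule runs out before that attempt."""
    delays = retry_delays(spec, attempt)
    if len(delays) < attempt:
        return None
    return sum(delays)


def retries_forever(spec):
    """True if the schedule ends in '+' (the consumer never gives up)."""
    return any(count is None for _, count in parse_retry(spec))


if __name__ == "__main__":
    # The two values discussed above and the retry string of section 2.2.2.
    print("refreshOnly interval 00:00:10:00 =", parse_interval("00:00:10:00"), "seconds")
    print('retry="30 10 300 +" attempt 11 after', seconds_until_attempt("30 10 300 +", 11), "seconds")
    print('retry="60 +" never gives up:', retries_forever("60 +"))
```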


2.1: slapd.conf Master

This is the original method for replicating the database to slave ldap servers. We are using the slurpd which has been around for a long time and proven itself to be stable.

This configuration file should work on any version of Openldap.

# /etc/openldap/slapd.conf
# using slurpd
# LDAP Master

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix "dc=differentialdesign,dc=org"
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager
directory /var/lib/ldap

replica host=node2.differentialdesign.org:389
suffix="dc=differentialdesign,dc=org"
binddn="cn=syncuser,dc=differentialdesign,dc=org"
bindmethod=simple credentials=SyncUser

replogfile /var/lib/ldap/replogfile

access to attrs=userPassword
by self write
by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
by dn="cn=syncuser,dc=differentialdesign,dc=org" read
by * auth

access to attrs=sambaLMPassword,sambaNTPassword
by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
by dn="cn=syncuser,dc=differentialdesign,dc=org" read

access to *
by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
by dn="cn=syncuser,dc=differentialdesign,dc=org" read
by * read

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub



2.1.1: slapd.conf Master syncrepl Openldap2.2

This is the slapd.conf master LDAP file; we are using syncrepl instead of slurpd, which is the traditional method.

This configuration file is specifically designed for openldap 2.2 and supports syncrepl refreshOnly mode.

# slapd.conf Master syncrepl Openldap2.2
# Provider

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix "dc=differentialdesign,dc=org"
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager
directory /var/lib/ldap

access to attrs=userPassword
by self write
by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
by dn="cn=syncuser,dc=differentialdesign,dc=org" read
by * auth

access to attrs=sambaLMPassword,sambaNTPassword
by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
by dn="cn=syncuser,dc=differentialdesign,dc=org" read

access to *
by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
by dn="cn=syncuser,dc=differentialdesign,dc=org" read
by * read

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub



2.1.2: slapd.conf Master delta-syncrepl Openldap2.3

This configuration file is designed to support Openldap’s newest features. We will be using delta-syncrepl which supports refreshAndPersist with performance similar to that of slurpd.

The below slapd.conf will only run on Openldap 2.3.

Take note of the “modulepath /usr/lib/openldap2.3” in the below file, you will need to change this to where you have syncprov.la located.


#slapd.conf Master delta syncrepl Openldap2.3
#provider

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

modulepath /usr/lib/openldap2.3
moduleload syncprov.la
moduleload accesslog.la

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Accesslog database definitions
database bdb
suffix cn=accesslog
directory /var/lib/ldap/accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart

overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

# Samba database
database bdb
suffix "dc=differentialdesign,dc=org"
directory /var/lib/ldap
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager
index entryCSN eq
index entryUUID eq

overlay syncprov
syncprov-checkpoint 1000 60

# accesslog overlay definitions for primary db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00

access to attrs=userPassword
by self write
by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
by dn="cn=syncuser,dc=differentialdesign,dc=org" read
by * auth

access to attrs=sambaLMPassword,sambaNTPassword
by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
by dn="cn=syncuser,dc=differentialdesign,dc=org" read

access to *
by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
by dn="cn=syncuser,dc=differentialdesign,dc=org" read
by * read

# Indices to maintain

index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub


2.2: slapd.conf Slave

This is the original method for replicating the database to slave ldap servers. We are using the slurpd which has been around for a long time and proven itself to be stable.

This configuration file should work on any version of openldap.

# /etc/openldap/slapd.conf
# using slurpd
# LDAP Slave

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix "dc=differentialdesign,dc=org"
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager

access to attrs=userPassword
by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
by dn="cn=syncuser,dc=differentialdesign,dc=org" write
by * auth

access to attrs=sambaLMPassword,sambaNTPassword
by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
by dn="cn=syncuser,dc=differentialdesign,dc=org" write

access to *
by dn="cn=syncuser,dc=differentialdesign,dc=org" write
by * read

updatedn cn=syncuser,dc=differentialdesign,dc=org
updateref ldap://node1.differentialdesign.org

directory /var/lib/ldap

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub





2.2.1: slapd.conf Slave syncrepl Openldap2.2

This is the configuration file for openldap version 2.2 using the syncrepl method refreshOnly.

This configuration file will only work with openldap version 2.2

# slapd.conf Slave syncrepl Openldap2.2
# LDAP Consumer

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix "dc=differentialdesign,dc=org"
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager
directory /var/lib/ldap

syncrepl
rid=0
provider=ldap://node1.differentialdesign.org:389
binddn="cn=syncuser,dc=differentialdesign,dc=org"
bindmethod=simple
credentials=SyncUser
searchbase="dc=differentialdesign,dc=org"
filter="(objectClass=*)"
attrs="*"
schemachecking=off
scope=sub
type=refreshOnly
interval=00:06:00:00

access to attrs=userPassword
by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
by dn="cn=syncuser,dc=differentialdesign,dc=org" write
by * auth

access to attrs=sambaLMPassword,sambaNTPassword
by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
by dn="cn=syncuser,dc=differentialdesign,dc=org" write

access to *
by dn="cn=syncuser,dc=differentialdesign,dc=org" write
by * read

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub



2.2.2: slapd.conf Slave delta-syncrepl Openldap2.3


# slapd.conf delta syncrepl Openldap2.3
# LDAP Consumer

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix "dc=differentialdesign,dc=org"
directory /var/lib/ldap
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager

# syncrepl directives
syncrepl rid=0
provider=ldap://node1.differentialdesign.org:389
bindmethod=simple
binddn="cn=syncuser,dc=differentialdesign,dc=org"
credentials=SyncUser
searchbase="dc=differentialdesign,dc=org"
logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
schemachecking=on
type=refreshAndPersist
retry="60 +"
syncdata=accesslog

access to attrs=userPassword
by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
by dn="cn=syncuser,dc=differentialdesign,dc=org" write
by * auth

access to attrs=sambaLMPassword,sambaNTPassword
by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
by dn="cn=syncuser,dc=differentialdesign,dc=org" write

access to *
by dn="cn=syncuser,dc=differentialdesign,dc=org" write
by * read

updateref ldap://node1.differentialdesign.org

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub



2.3: ldap.conf Master

You will notice below in the host option that we list both the primary and the secondary LDAP database servers. This serves as a failover option if the local LDAP database is inaccessible. The same applies to the slave LDAP configuration in 2.4: ldap.conf Slave.


#/etc/ldap.conf
# LDAP Master

host node1.differentialdesign.org node2.differentialdesign.org
base dc=differentialdesign,dc=org
binddn cn=Manager,dc=differentialdesign,dc=org
bindpw Manager

pam_password exop

nss_base_passwd ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_passwd ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_group ou=Groups,dc=differentialdesign,dc=org?one
ssl no


2.4: ldap.conf Slave

#/etc/ldap.conf
# LDAP Slave

host node2.differentialdesign.org node1.differentialdesign.org
base dc=differentialdesign,dc=org
binddn cn=Manager,dc=differentialdesign,dc=org
bindpw Manager

pam_password exop

nss_base_passwd ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_passwd ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_group ou=Groups,dc=differentialdesign,dc=org?one
ssl no






3.0: Initialization LDAP Database


Initial LDAP database population


There are many ways to initialize the LDAP database backend for Samba and many scripts to help you out; however, with these we lose control over the initial layout of the database, which can lead to database management issues later.


Once your server is up and running with users on it, the database can not really be manipulated without knowing the full workings of LDAP, so for many of us we are stuck with what we created.


The future of Samba is changing to Active Directory; we keep this in mind when creating the database so it can be an easier upgrade path migrating to Samba4; eventually Samba4 will be able to support OpenLDAP as a modular backend.



3.1: Provisioning Database

We are going to manually create our initial LDAP database in a text file and be confident to use it in a full production environment.

Our LDAP database structure will look like the following if using the preload ldif as per section 3.2 Preload LDIF:


|-Samba Base
|---Manager
|------syncuser
|------sambaadmin
|------mailadmin
|---------Users
|-----------People
|-------------------root
|-------------------asender
|-------------------simo
|-----------Computers
|-------------------workstation1$
|-------------------workstation2$
|---------Groups
|-----------Domain Admin
|-------------------root
|---------- Domain Users
|-------------------root
|-------------------asender
|-------------------simo
|------------ Domain Guests
|--------------------nobody
|------------ Domain Computers
|--------------------workstation1$
|--------------------workstation2$
|----------Domains
|-------------sambaDomainName


Step1

Delete all runtime files from prior Samba operation by executing:

[root@node1]# rm /etc/samba/*tdb
[root@node1]# rm /var/lib/samba/*tdb
[root@node1]# rm /var/lib/samba/*dat
[root@node1]# rm /var/log/samba/*

Step2

Delete any previous LDAP database

[root@node1]# cd /var/lib/ldap
[root@node1]# rm -rf *


Step3

Login to node2 - the backup domain controller, and do the same.

Step4

[root@node1 ~]# net getlocalsid
SID for domain NODE1 is: S-1-5-21-3809161173-2687474671-1432921517

Your SID will differ from the one above; you will need to alter the preload LDIF as per below.

Step5

Login to your backup domain controller (node2) and type the following command using the SID obtained from step4.

[root@node2 ~]# net setlocalsid S-1-5-21-3809161173-2687474671-1432921517
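The SID obtained in step 4 has to be carried into every sambaSID of the preload LDIF in section 3.2. As an added example (not from the original page and not part of Samba or smbldap-tools), this Python helper parses the net getlocalsid output, renders the domain entry and the group mappings with the SID and RIDs filled in, and checks an LDIF for SIDs that were not substituted. It assumes the standard Windows RIDs 513, 514 and 515 for Domain Users, Domain Guests and Domain Computers (the page itself shows only 512 for Domain Admins) and, like the page, sets each group's gidNumber to its RID.

```python
import re

# A Samba domain SID is S-1-5-21 followed by three sub-authorities.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

# Built-in domain groups and their well-known RIDs. Domain Admins (512) is the
# entry shown in section 3.2; the other three are the standard Windows RIDs for
# the groups in the tree above and are an assumption of this example.
DOMAIN_GROUPS = (
    ("Domain Admins", 512, "Domain Administrators"),
    ("Domain Users", 513, "Domain Users"),
    ("Domain Guests", 514, "Domain Guests"),
    ("Domain Computers", 515, "Domain Computers"),
)


def parse_getlocalsid(output):
    """Extract (netbios name, domain SID) from the output of 'net getlocalsid'."""
    m = re.search(r"SID for domain (\S+) is: (S-[0-9-]+)", output)
    if not m or not SID_RE.match(m.group(2)):
        raise ValueError("no domain SID found in: %r" % output)
    return m.group(1), m.group(2)


def base_dn(fqdn):
    """Turn a DNS name into the LDAP suffix: differentialdesign.org -> dc=differentialdesign,dc=org."""
    return ",".join("dc=" + label for label in fqdn.strip(".").split("."))


def render_domain_entries(sid, base, domain_name):
    """Render the sambaDomain entry and the group mappings of the preload LDIF,
    with every sambaSID derived from the domain SID so nothing is hand edited."""
    if not SID_RE.match(sid):
        raise ValueError("not a domain SID: %s" % sid)
    lines = [
        "dn: sambaDomainName=%s,ou=Domains,%s" % (domain_name, base),
        "objectClass: sambaDomain",
        "objectClass: sambaUnixIdPool",
        "uidNumber: 1000",
        "gidNumber: 1000",
        "sambaDomainName: %s" % domain_name,
        "sambaSID: %s" % sid,
        "sambaAlgorithmicRidBase: 1000",
        "",
    ]
    for name, rid, desc in DOMAIN_GROUPS:
        lines += [
            "dn: cn=%s,ou=Groups,%s" % (name, base),
            "objectClass: posixGroup",
            "objectClass: sambaGroupMapping",
            "gidNumber: %d" % rid,  # the page maps gidNumber to the RID (512 for Domain Admins)
            "cn: %s" % name,
            "sambaSID: %s-%d" % (sid, rid),  # group SID = domain SID + RID
            "sambaGroupType: 2",
            "displayName: %s" % name,
            "description: %s" % desc,
            "",
        ]
    return "\n".join(lines)


def foreign_sids(ldif_text, sid):
    """Every sambaSID in ldif_text that is not the domain SID or one of its RIDs.
    A non-empty result means a substitution of the example SID was missed."""
    return [
        m.group(1)
        for m in re.finditer(r"^sambaSID:\s*(\S+)", ldif_text, re.M)
        if m.group(1) != sid and not m.group(1).startswith(sid + "-")
    ]


if __name__ == "__main__":
    # Constructed sample output in the format shown in step 4 above.
    name, sid = parse_getlocalsid(
        "SID for domain NODE1 is: S-1-5-21-3809161173-2687474671-1432921517")
    print(render_domain_entries(sid, base_dn("differentialdesign.org"), "DDESIGN"))
```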



3.2: Preload LDIF

Step1

Create a .txt file containing the following contents.

[root@node1]# vi preload-differentialdesign.ldif

Substitute SID S-1-5-21-3809161173-2687474671-1432921517 with your domain SID, being sure
to leave the SID group mapping suffix (such as -512) in place.
Substitute dc=differentialdesign,dc=org with your fully qualified domain name.
Substitute sambaDomainName: DDESIGN with your Samba domain name.

#SAMBA LDAP PRELOAD

# Substitute SID S-1-5-21-3809161173-2687474671-1432921517 with your domain SID, be sure
# to leave the SID group mapping.
# Substitute dc=differentialdesign,dc=org with your fully qualified domain name.
# Substitute sambaDomainName: DDESIGN with your Samba Domain Name


##The user to bind Samba to LDAP is defined in our smb.conf;
##[root@node1]# smbpasswd –w SambaAdmin)
##[root@node2]# smbpasswd –w SambaAdmin)

#SID S-1-5-21-3809161173-2687474671-1432921517

dn: dc=differentialdesign,dc=org
objectClass: dcObject
objectClass: organization
dc: differentialdesign
o: DDESIGN
description: Posix and Samba LDAP Identity Database

dn: cn=Manager,dc=differentialdesign,dc=org
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: cn=syncuser,dc=differentialdesign,dc=org
objectClass: person
cn: syncuser
sn: syncuser
userPassword: SyncUser

dn: cn=sambaadmin,dc=differentialdesign,dc=org
objectClass: person
cn: sambaadmin
sn: sambaadmin
userPassword: SambaAdmin

dn: cn=mailadmin,dc=differentialdesign,dc=org
objectClass: person
cn: mailadmin
sn: mailadmin
userPassword: MailAdmin

dn: ou=Users,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Users

dn: ou=People,ou=Users,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Computers,ou=Users,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Computers

dn: ou=Groups,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Groups

dn: ou=Domains,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Domains

dn: sambaDomainName=DDESIGN,ou=Domains,dc=differentialdesign,dc=org
objectClass: sambaDomain
objectClass: sambaUnixIdPool
uidNumber: 1000
gidNumber: 1000
sambaDomainName: DDESIGN
sambaSID: S-1-5-21-3809161173-2687474671-1432921517
sambaAlgorithmicRidBase: 1000
structuralObjectClass: sambaDomain

dn: cn=Domain Admins,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-512
sambaGroupType: 2
displayName: Domain Admins
description: Domain Administrators

dn: cn=Domain Users,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-513
sambaGroupType: 2
displayName: Domain Users
description: Domain Users

dn: cn=Domain Guests,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-514
sambaGroupType: 2
displayName: Domain Guests
description: Domain Guests

dn: cn=Domain Computers,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-515
sambaGroupType: 2
displayName: Domain Computers
description: Domain Computers

dn: cn=Administrators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-544
sambaGroupType: 5
displayName: Administrators
description: Administrators

dn: cn=Account Operators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-548
sambaGroupType: 5
displayName: Account Operators
description: Account Operators

dn: cn=Print Operators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-550
sambaGroupType: 5
displayName: Print Operators
description: Print Operators

dn: cn=Backup Operators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-551
sambaGroupType: 5
displayName: Backup Operators
description: Backup Operators

dn: cn=Replicators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-552
sambaGroupType: 5
displayName: Replicators
description: Replicators
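
The three substitutions above are easy to get half right (the base entry's "dc:" attribute also has to change, and a SID pasted with a trailing RID breaks every group mapping). As an added example, not part of the original guide, the following POSIX shell functions render a shortened, constructed copy of the preload LDIF for a given SID, suffix and domain name and check the result before it goes to slapadd; all function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original guide: substitute the domain SID,
# base DN and Samba domain name into the preload LDIF and sanity-check the
# result before running slapadd. Function names are my own; the template is
# a shortened, constructed copy of the guide's preload LDIF.

# Pull the SID out of "net getlocalsid" output, e.g.
#   SID for domain NODE1 is: S-1-5-21-3809161173-2687474671-1432921517
sid_from_getlocalsid() {
    printf '%s\n' "$1" |
        sed -n 's/^SID for domain .* is: \(S-1-5-21-[0-9-]*\)$/\1/p'
}

# A domain SID is S-1-5-21-<a>-<b>-<c>: exactly three sub-authorities and no
# trailing RID, otherwise every group mapping would be built on a wrong prefix.
valid_domain_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$'
}

# Shortened, constructed stand-in for preload-differentialdesign.ldif.
preload_template() {
    cat <<'EOF'
dn: dc=differentialdesign,dc=org
objectClass: dcObject
objectClass: organization
dc: differentialdesign
o: DDESIGN

dn: ou=Domains,dc=differentialdesign,dc=org
objectClass: organizationalUnit
ou: Domains

dn: sambaDomainName=DDESIGN,ou=Domains,dc=differentialdesign,dc=org
objectClass: sambaDomain
objectClass: sambaUnixIdPool
uidNumber: 1000
gidNumber: 1000
sambaDomainName: DDESIGN
sambaSID: S-1-5-21-3809161173-2687474671-1432921517

dn: cn=Domain Admins,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-512
sambaGroupType: 2
EOF
}

# Rewrite the template (stdin) for our SID, suffix and domain name. The
# guide's three substitutions leave one thing behind: the "dc:" attribute of
# the base entry must match the first RDN of the new suffix, so derive it.
render_preload() {
    sid=$1; suffix=$2; domain=$3
    valid_domain_sid "$sid" || return 1
    first_dc=$(printf '%s\n' "$suffix" | sed 's/^dc=\([^,]*\).*$/\1/')
    sed -e "s/S-1-5-21-3809161173-2687474671-1432921517/$sid/g" \
        -e "s/dc=differentialdesign,dc=org/$suffix/g" \
        -e "s/^dc: differentialdesign\$/dc: $first_dc/" \
        -e "s/DDESIGN/$domain/g"
}

# Every sambaSID in the rendered LDIF (stdin) must be the domain SID itself or
# the domain SID followed by a RID; anything else is a leftover or a typo.
check_preload() {
    bad=$(grep '^sambaSID:' | grep -Ev "^sambaSID: $1(-[0-9]+)?\$" || true)
    [ -z "$bad" ]
}

# For each sambaGroupMapping entry the gidNumber must equal the RID at the end
# of its sambaSID (512 <-> -512 and so on); exits with the mismatch count,
# since Samba resolves these well-known groups through exactly that mapping.
check_rid_gid() {
    awk '
        /^objectClass: sambaGroupMapping$/ { map = 1 }
        /^gidNumber: / { gid = $2 }
        /^sambaSID: /  { n = split($2, p, "-"); rid = p[n] }
        /^$/ { if (map && gid != rid) bad++; map = 0; gid = ""; rid = "" }
        END  { if (map && gid != rid) bad++; exit bad + 0 }'
}
```

To use it against a real node, feed the output of net getlocalsid to sid_from_getlocalsid and pipe the full preload LDIF through render_preload, then run the two checks on the result.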




3.3: LDAP population

Now it's time to populate the database with the LDIF we edited to match our domain details in section 3.2: Preload LDIF.


Step1.

Make sure LDAP is not running.

[root@node1]# vi /var/lib/ldap/DB_CONFIG

#DB_CONFIG
set_cachesize 0 150000000 1
set_lg_regionmax 262144
set_lg_bsize 2097152
set_flags DB_LOG_AUTOREMOVE


Step2.

This step is only necessary if you are using delta-syncrepl as per section 2.1.2: slapd.conf Master delta-syncrepl Openldap2.3.

Because we are using multiple databases on the Provider, it is necessary to place an additional DB_CONFIG file inside the accesslog database directory.

[root@node1]# mkdir /var/lib/ldap/accesslog
[root@node1]# cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog


Step3.
[root@node1]# cd /ldap-scripts/

[root@node1 scripts]# slapadd -b "dc=differentialdesign,dc=org" -v -l preload-differentialdesign.ldif

added: "dc=differentialdesign,dc=org" (00000001)
added: "cn=Manager,dc=differentialdesign,dc=org" (00000002)
added: "cn=syncuser,dc=differentialdesign,dc=org" (00000003)
added: "cn=sambaadmin,dc=differentialdesign,dc=org" (00000004)
added: "cn=mailadmin,dc=differentialdesign,dc=org" (00000005)
added: "ou=Users,dc=differentialdesign,dc=org" (00000006)
added: "ou=People,ou=Users,dc=differentialdesign,dc=org" (00000007)
added: "ou=Computers,ou=Users,dc=differentialdesign,dc=org" (00000008)
added: "ou=Groups,dc=differentialdesign,dc=org" (00000009)
added: "ou=Domains,dc=differentialdesign,dc=org" (0000000a)
added: "sambaDomainName=DDESIGN,ou=Domains,dc=differentialdesign,dc=org" (0000000b)
added: "cn=Domain Admins,ou=Groups,dc=differentialdesign,dc=org" (0000000c)
added: "cn=Domain Users,ou=Groups,dc=differentialdesign,dc=org" (0000000d)
added: "cn=Domain Guests,ou=Groups,dc=differentialdesign,dc=org" (0000000e)
added: "cn=Domain Computers,ou=Groups,dc=differentialdesign,dc=org" (0000000f)
added: "cn=Administrators,ou=Groups,dc=differentialdesign,dc=org" (00000010)
added: "cn=Account Operators,ou=Groups,dc=differentialdesign,dc=org" (00000011)
added: "cn=Print Operators,ou=Groups,dc=differentialdesign,dc=org" (00000012)
added: "cn=Backup Operators,ou=Groups,dc=differentialdesign,dc=org" (00000013)
added: "cn=Replicators,ou=Groups,dc=differentialdesign,dc=org" (00000014)

Step4.

[root@node1]# chown -R ldap.ldap /var/lib/ldap

Step5.

The user Samba binds to LDAP with is defined in our smb.conf (ldap admin dn); the password we store with smbpasswd -w is sambaadmin's password as set in
preload-differentialdesign.ldif.

The sambaadmin entry in preload-differentialdesign.ldif has the password "SambaAdmin":

dn: cn=sambaadmin,dc=differentialdesign,dc=org
objectClass: person
cn: sambaadmin
sn: sambaadmin
userPassword: SambaAdmin


[root@node1 scripts]# smbpasswd -w SambaAdmin
Setting stored password for "cn=sambaadmin,dc=differentialdesign,dc=org" in secrets.tdb


[root@node1 ~]# service ldap restart
Stopping slapd: [ OK ]
Stopping slurpd: [ OK ]
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
Starting slurpd: [ OK ]

[root@node1 ~]# service smb restart
Shutting down SMB services: [ OK ]
Shutting down NMB services: [ OK ]
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]


Step6.

Add the initial users with the smbldap-tools: skip ahead to section 4.1: smbldap-tools and install them on node1 first.

[root@node1 scripts]# cd /opt/IDEALX/sbin/
[root@node1 sbin]# ./smbldap-useradd -m -a root
[root@node1 sbin]# ./smbldap-passwd root
Changing password for root
New password :
Retype new password

[root@node1 ]# smbpasswd -a root
New SMB password:
Retype new SMB password:
Added user root.


[root@node1 sbin]# ./smbldap-groupmod -m root Domain\ Admins
adding user root to group Domain Admins

[root@node1 ~]# cd /opt/IDEALX/sbin/
[root@node1 sbin]# ./smbldap-useradd -m -a asender
[root@node1 sbin]#

[root@node1 sbin]# ./smbldap-passwd asender
Changing password for asender
New password :
Retype new password :
[root@node1 sbin]#

[root@node1 sbin]# smbpasswd asender
New SMB password:
Retype new SMB password:
[root@node1 sbin]#

[root@node1 sbin]# id asender
uid=1001(asender) gid=513(Domain Users) groups=513(Domain Users)


Step7

You are now ready to join a Windows machine to the domain with user ‘root’.

We will now need to set up our BDC, Heartbeat and DRBD to match this configuration.


3.4: Database Replication

If we chose to use syncrepl instead of the slurpd daemon, as per sections 2.2.1 slapd.conf Slave syncrepl Openldap2.2 and 2.2.2 slapd.conf Slave delta-syncrepl Openldap2.3, there is no need to do this section: the whole database is copied across when the consumer is restarted and makes its initial refresh request.

Step1.

Dump the LDAP database and copy it across to node2.

[root@node1 ~]# slapcat -b "dc=differentialdesign,dc=org" -v -l transfer.ldif

# id=00000001
# id=00000002
# id=00000003
# id=00000004
# id=00000005
# id=00000006
# id=00000007
# id=00000008
# id=00000009
# id=0000000a
# id=0000000b
# id=0000000c
# id=0000000d
# id=0000000e
# id=0000000f
# id=00000010
# id=00000011
# id=00000012
# id=00000013
# id=00000014
# id=00000015
# id=00000017
# id=00000018


[root@node1 ~]# scp transfer.ldif root@node2:/root/


Step2.

Transfer the database to node2.

[root@node2 ~]# slapadd -b "dc=differentialdesign,dc=org" -v -l transfer.ldif

added: "dc=differentialdesign,dc=org" (00000001)
added: "cn=Manager,dc=differentialdesign,dc=org" (00000002)
added: "cn=syncuser,dc=differentialdesign,dc=org" (00000003)
added: "cn=sambaadmin,dc=differentialdesign,dc=org" (00000004)
added: "cn=mailadmin,dc=differentialdesign,dc=org" (00000005)
added: "ou=Users,dc=differentialdesign,dc=org" (00000006)
added: "ou=People,ou=Users,dc=differentialdesign,dc=org" (00000007)
added: "ou=Computers,ou=Users,dc=differentialdesign,dc=org" (00000008)
added: "ou=Groups,dc=differentialdesign,dc=org" (00000009)
added: "ou=Domains,dc=differentialdesign,dc=org" (0000000a)
added: "sambaDomainName=DDESIGN,ou=Domains,dc=differentialdesign,dc=org" (0000000b)
added: "cn=Domain Admins,ou=Groups,dc=differentialdesign,dc=org" (0000000c)
added: "cn=Domain Users,ou=Groups,dc=differentialdesign,dc=org" (0000000d)
added: "cn=Domain Guests,ou=Groups,dc=differentialdesign,dc=org" (0000000e)
added: "cn=Domain Computers,ou=Groups,dc=differentialdesign,dc=org" (0000000f)
added: "cn=Administrators,ou=Groups,dc=differentialdesign,dc=org" (00000010)
added: "cn=Account Operators,ou=Groups,dc=differentialdesign,dc=org" (00000011)
added: "cn=Print Operators,ou=Groups,dc=differentialdesign,dc=org" (00000012)
added: "cn=Backup Operators,ou=Groups,dc=differentialdesign,dc=org" (00000013)
added: "cn=Replicators,ou=Groups,dc=differentialdesign,dc=org" (00000014)
added: "uid=root,ou=People,ou=Users,dc=differentialdesign,dc=org" (00000015)
added: "uid=asender,ou=People,ou=Users,dc=differentialdesign,dc=org" (00000016)


Step3.

Make sure the LDAP database is owned by the ldap user.

[root@node2 ~]# chown -R ldap.ldap /var/lib/ldap

Step4.

[root@node1 ~]# service ldap restart
Stopping slapd: [ OK ]
Stopping slurpd: [ OK ]
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
Starting slurpd: [ OK ]

[root@node1 ~]# service smb restart
Shutting down SMB services: [ OK ]
Shutting down NMB services: [ OK ]
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]

Step5.

Log in to node1 (your Primary Domain Controller) and add another user as in section 3.3: LDAP population, Step6; we will then check replication by logging on to node2 and seeing whether the user exists on that machine.

[root@node1 sbin]# ./smbldap-useradd -m -a testuser
[root@node1 sbin]# ./smbldap-passwd testuser
Changing password for testuser
New password :
Retype new password :
[root@node1 sbin]# smbpasswd testuser
New SMB password:
Retype new SMB password:

[root@node1 sbin]# ssh node2
root@node2's password:

Last login: Mon Dec 18 02:43:33 2006 from 192.168.0.2
[root@node2 ~]# id testuser
uid=1009(testuser) gid=513(Domain Users) groups=513(Domain Users)
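
Checking one user with id only proves that one entry arrived. As an added example, not part of the original guide, the following POSIX shell script compares a slapcat dump from the provider with one from the consumer and reports entries that are missing, extra or stale on the consumer; the function names are my own and the two dumps are constructed samples standing in for the real slapcat output from each node.

```shell
#!/bin/sh
# Added example, not part of the original guide: compare slapcat dumps from
# the provider (node1) and the consumer (node2) and list entries that are
# missing, extra or different on the consumer. Function names are my own;
# the two dumps at the bottom are constructed samples standing in for
#   slapcat -b "dc=differentialdesign,dc=org" -l node.ldif   (run on each node)
export LC_ALL=C

# Join LDIF continuation lines (a leading space) back onto their attribute.
unfold_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (NR > 1) print buf; buf = $0 }
        END   { print buf }'
}

# Turn an LDIF stream into sorted "dn<TAB>attribute: value" lines, dropping
# comments and the operational attributes that may legitimately lag or differ
# between replicas; what is left is the directory content we want identical.
flatten_ldif() {
    unfold_ldif | awk '
        /^#/      { next }
        /^dn::? / { sub(/^dn::? /, ""); dn = $0; next }
        /^$/      { dn = ""; next }
        dn != "" && !/^(contextCSN|entryCSN|createTimestamp|creatorsName|modifyTimestamp|modifiersName):/ {
            print dn "\t" $0
        }' | sort
}

# Usage: compare_dumps provider.ldif consumer.ldif
# Prints MISSING / EXTRA / STALE lines; returns 0 only when the dumps agree.
compare_dumps() {
    tmp=$(mktemp -d) || return 2
    flatten_ldif < "$1" > "$tmp/p"
    flatten_ldif < "$2" > "$tmp/c"
    cut -f1 "$tmp/p" | sort -u > "$tmp/pdn"
    cut -f1 "$tmp/c" | sort -u > "$tmp/cdn"
    comm -23 "$tmp/pdn" "$tmp/cdn" > "$tmp/missing"   # only on the provider
    comm -13 "$tmp/pdn" "$tmp/cdn" > "$tmp/extra"     # only on the consumer
    # DNs with any differing attribute line, minus those already reported
    comm -3 "$tmp/p" "$tmp/c" |
        awk -F'\t' '{ d = ($1 == "") ? $2 : $1; print d }' | sort -u > "$tmp/d"
    comm -23 "$tmp/d" "$tmp/missing" > "$tmp/d2"
    comm -23 "$tmp/d2" "$tmp/extra" > "$tmp/stale"
    sed 's/^/MISSING /' "$tmp/missing"
    sed 's/^/EXTRA /' "$tmp/extra"
    sed 's/^/STALE /' "$tmp/stale"
    problems=$(cat "$tmp/missing" "$tmp/extra" "$tmp/stale" | grep -c . || true)
    rm -rf "$tmp"
    [ "$problems" -eq 0 ]
}

# Constructed provider dump: the users added in sections 3.3 and 3.4.
provider_dump() {
    cat <<'EOF'
dn: dc=differentialdesign,dc=org
objectClass: dcObject
dc: differentialdesign
contextCSN: 20061218024333Z#000000#00#000000

dn: uid=root,ou=People,ou=Users,dc=differentialdesign,dc=org
uid: root
uidNumber: 0
gidNumber: 512

dn: uid=asender,ou=People,ou=Users,dc=differentialdesign,dc=org
uid: asender
uidNumber: 1001
gidNumber: 513

dn: uid=testuser,ou=People,ou=Users,dc=differentialdesign,dc=org
uid: testuser
uidNumber: 1009
gidNumber: 513
EOF
}

# Constructed consumer dump: testuser never arrived and asender is stale.
consumer_dump() {
    cat <<'EOF'
dn: dc=differentialdesign,dc=org
objectClass: dcObject
dc: differentialdesign
contextCSN: 20061218024100Z#000000#00#000000

dn: uid=root,ou=People,ou=Users,dc=differentialdesign,dc=org
uid: root
uidNumber: 0
gidNumber: 512

dn: uid=asender,ou=People,ou=Users,dc=differentialdesign,dc=org
uid: asender
uidNumber: 1001
gidNumber: 514
EOF
}
```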




4.0: User Management


4.1: smbldap-tools


We will not be using the smbldap-tools to populate the database; however, we will use them to manage users and groups once the database has been populated. These scripts allow us to add users and machines using NT tools such as srvtools.exe, and they make it easier to add users on the fly. It is, however, still possible to create an LDIF file to add users to the database directly.


Smbldap-tools give us the advantage of being able to add machine accounts on the fly through the standard Windows domain join. They also let us use srvtools.exe; however, these tools lack the fine control that can only be obtained by adding accounts manually through LDAP.


This document's configuration has been tested with smbldap-tools-0.9.1-1.


Install smbldap-tools-0.9.1-1 on both nodes; this means we can add users and groups from either the PDC or the BDC, as long as the PDC is contactable.

You may need to satisfy any dependencies.

[root@node1 smbldap-tools]# rpm -Uvh smbldap-tools-0.9.1-1.noarch.rpm
Preparing... ########################################### [100%]
1:smbldap-tools ########################################### [100%]
[root@node1 smbldap-tools]#

[root@node2 smbldap-tools]# rpm -Uvh smbldap-tools-0.9.1-1.noarch.rpm
Preparing... ########################################### [100%]
1:smbldap-tools ########################################### [100%]
[root@node2 smbldap-tools]#


4.1.1: smbldap.conf Master


Because we did not use smbldap-tools to populate our database, we must configure smbldap.conf manually. This configuration file only applies to smbldap-tools-0.9.1-1; if you are using a different version, alterations will need to be made.


We will need to configure this file to suit our init


# /etc/opt/IDEALX/sbin/smbldap.conf


# smbldap-tools.conf : Q & D configuration file for smbldap-tools


# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.


# Purpose :
# . be the configuration file for all smbldap-tools scripts


##############################################################################
#
# General Configuration
#
##############################################################################


# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-3809161173-2687474671-1432921517"


# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="DDESIGN"


##############################################################################
#
# LDAP Configuration
#
##############################################################################


# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)


# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="192.168.0.3"


# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"


# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"


# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"


# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"


# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify=""


# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile=""


# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert=""


# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey=""


# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=differentialdesign,dc=org"


# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=People,ou=Users,${suffix}"


# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,ou=Users,${suffix}"


# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"


# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"


# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=DDESIGN,ou=Domains,${suffix}"


# Default scope Used
scope="sub"


# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"


# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format=""


##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/data/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\192.168.0.4\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\192.168.0.4\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="differentialdesign.org"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"



4.1.2: smbldap.conf Slave

It is not necessary to install smbldap-tools on the backup domain controller. Doing so, however, lets you add users from the BDC: with masterLDAP pointed at the PDC (below), the write is referred to the PDC's LDAP database.


# /etc/opt/IDEALX/sbin/smbldap.conf


#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

# Purpose :
# . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-3809161173-2687474671-1432921517"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="DDESIGN"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="127.0.0.1"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="192.168.0.2"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify=""

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile=""

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert=""

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey=""

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=differentialdesign,dc=org"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=People,ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,ou=Users,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=DDESIGN,ou=Domains,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format=""

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/data/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\192.168.0.4\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\192.168.0.4\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="differentialdesign.org"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"





5.0: Heartbeat HA Configuration

Diagram: Heartbeat Configuration, Node1 and Node2

The heartbeat solution is not needed for domain logons; however, in mission-critical environments it supports failover if a node becomes unavailable. It provides a heartbeat over a serial link and a crossover cable connected directly between the two servers. A virtual IP address is shared by the cluster; clients connect to this virtual IP address when accessing a Samba share.

There are two main versions of heartbeat: version 1.2.3 is limited to a two node cluster; version 2 can span many machines and can become quite complex. Heartbeat version 2 is however backwards compatible with version 1.2.3 configuration files using the “crm no” option in the ha.cf configuration file.

You must never mix different versions of heartbeat in a cluster; all nodes must run the same version. Mixing versions creates instability and may lead to random rebooting.

If you want to be completely safe I highly recommend using version 1.2.3; for this exercise, however, we will be using heartbeat version 2.

If you are looking for proven stability, version 1.2.3 has been used with DRBD for a long time; it is often used in hospitals to store MRI and other data that needs to be readily accessible. Currently this is limited to a 2 node cluster.


5.1: Requirements

Each node will require 2 network cards.

Get the following RPMs from the http://www.linux-ha.org web site.

Version 1.2.3 has proven rock solid in many mission critical environments.
You may need to satisfy dependencies.

If you choose to install heartbeat version 1.2.3, take note of the configuration file in 5.3: Configuration; it differs slightly.

5.2: Installation

Heartbeat can now be downloaded with YUM, which will install version 2.
Repeat this process on node2, your backup domain controller, so they are both running identical versions of heartbeat.

Install heartbeat on both nodes

[root@node1 programs]# cd heartbeat-1.2.3/
[root@node1 heartbeat-1.2.3]# ls
heartbeat-1.2.3-2.rh.9.i386.rpm
heartbeat-ldirectord-1.2.3-2.rh.9.i386.rpm
heartbeat-pils-1.2.3-2.rh.9.i386.rpm
heartbeat-stonith-1.2.3-2.rh.9.i386.rpm

[root@node1 heartbeat-1.2.3]#rpm -Uvh heartbeat-1.2.3-2.rh.9.i386.rpm heartbeat-ldirectord-1.2.3-2.rh.9.i386.rpm heartbeat-pils-1.2.3-2.rh.9.i386.rpm heartbeat-stonith-1.2.3-2.rh.9.i386.rpm



5.3: Configuration

Heartbeat running as version 1.2.3 is very easy to configure and manage. The newer version 2 is able to support multiple nodes and uses XML type configuration files. If you are using version 2 I recommend running with the “crm no” option, which provides 1.2.3 backwards compatibility.

Just remember to always run the same version of heartbeat on both nodes.

5.3.1: ha.cf

Step1

On node1 login with root account; the ha.cf file needs to be the same on both nodes.

Note:
The option “crm no” in the ha.cf tells heartbeat version 2 to behave as version 1.2.3; this means it is limited to a 2 node cluster.
If you choose to run version 1.2.3 you will need to comment out or delete the “crm no” line in the ha.cf.

[root@node1]# cd /etc/ha.d
[root@node1]# vi ha.cf

## /etc/ha.d/ha.cf on node1
## This configuration is to be the same on both machines
## This example is made for version 2, comment out crm if using version 1

keepalive 1
deadtime 5
warntime 3
initdead 20
serial /dev/ttyS0
bcast eth1
auto_failback yes
node node1
node node2
crm no # comment out if using version 1.2.3

Step2.

Copy the ha.cf to node2 so they both have the same configuration file.

[root@node1]# scp /etc/ha.d/ha.cf root@node2:/etc/ha.d/


5.3.2: haresources

The haresources file is read when heartbeat starts. Throughout this document we have used /data as our mount point for the DRBD replicated volume (RAID1 over LAN).

The line starts with node1, which is the master server, followed by 192.168.0.4, the cluster's virtual IP address; it will be displayed as eth0:0 on the primary node.

Next you will see drbddisk Filesystem::/dev/drbd0::/data::ext3 - /dev/drbd0 is our DRBD device. We have chosen to mount our DRBD file system at /data; this is our replication mount point, which we configured in our samba and smbldap-tools configuration.

You can easily make further services highly available by adding the appropriate init script name to the haresources file, as shown below with the DNS service named.

Step1

[root@node1]# vi haresources

## /etc/ha.d/haresources
## This configuration is to be the same on both nodes

node1 192.168.0.4 drbddisk Filesystem::/dev/drbd0::/data::ext3 named


Step2

Copy the haresources file across to node2 so they are both identical.

[root@node1]# scp /etc/ha.d/haresources root@node2:/etc/ha.d/


5.3.3: authkeys


The method below (crc) provides a checksum only, with no authentication, so we recommend not using it. If, however, heartbeat communicates only over a private link, as in our case (serial and crossover cable), there is no need to add this additional security.

Step1

[root@node1]# vi authkeys

## /etc/ha.d/authkeys

auth 1
1 crc

The preferred method is to use sha1 keyed hashing to authenticate the nodes and their packets, as below; the string after sha1 is the shared secret and must be identical on both nodes.

## /etc/ha.d/authkeys

auth 1
1 sha1 HeartbeatPassword


Step2

Give the authkeys file correct permissions.

[root@node1]# chmod 600 /etc/ha.d/authkeys

Step3

Copy the authkeys file to node2 so they can authenticate with each other.

[root@node1]# scp /etc/ha.d/authkeys root@node2:/etc/ha.d/
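Before copying the files to node2 it is worth checking that the timers and the authentication method are sane. The following checker is an added example, not part of the original guide or of the heartbeat project; it embeds the ha.cf and the two authkeys variants shown above as strings so it runs offline. The timer rule (initdead at least twice deadtime, warntime below deadtime) follows heartbeat's own ha.cf documentation; the minimum secret length of 16 characters is an assumption made for this example.

```python
"""Sanity checks for Heartbeat ha.cf and authkeys files (added example)."""
import stat

# Constructed sample: the ha.cf shown in section 5.3.1
HA_CF = """\
keepalive 1
deadtime 5
warntime 3
initdead 20
serial /dev/ttyS0
bcast eth1
auto_failback yes
node node1
node node2
crm no # comment out if using version 1.2.3
"""

# Constructed samples: the two authkeys variants shown in section 5.3.3
AUTHKEYS_CRC = "auth 1\n1 crc\n"
AUTHKEYS_SHA1 = "auth 1\n1 sha1 HeartbeatPassword\n"

HEARTBEAT_MEDIA = {"serial", "bcast", "ucast", "mcast"}
AUTH_METHODS = {"crc", "md5", "sha1"}
MIN_SECRET_LEN = 16  # assumption for this example, not a heartbeat requirement


def parse_ha_cf(text):
    """Split ha.cf into (settings, nodes, media). '#' comments are stripped the way
    heartbeat ignores them; a 'node' line may name several nodes."""
    settings, nodes, media = {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "node":
            nodes.extend(value.split())
        elif key in HEARTBEAT_MEDIA:
            media.append((key, value))
        else:
            settings[key] = value
    return settings, nodes, media


def check_ha_cf(text):
    """Return a list of problems; empty means the timers and node list are
    consistent with a two node, version 1 style (crm no) cluster."""
    settings, nodes, media = parse_ha_cf(text)
    problems = []
    try:
        t = {k: float(settings[k]) for k in ("keepalive", "warntime", "deadtime", "initdead")}
    except (KeyError, ValueError) as exc:
        return ["missing or non-numeric timer: %s" % exc]
    if not t["keepalive"] < t["warntime"] < t["deadtime"]:
        problems.append("expected keepalive < warntime < deadtime")
    if t["initdead"] < 2 * t["deadtime"]:
        problems.append("initdead should be at least twice deadtime")
    if len(media) < 2:
        problems.append("only one heartbeat path; serial plus crossover cable is recommended")
    if len(set(nodes)) != len(nodes):
        problems.append("duplicate node names")
    if settings.get("crm", "no").lower() == "no" and len(nodes) != 2:
        problems.append("version 1 style (crm no) clusters are limited to exactly two nodes")
    return problems


def check_authkeys(text):
    """Return a list of problems with an authkeys file. crc is flagged because it
    only detects corruption; only md5/sha1 with a shared secret authenticate the peer."""
    selected, keys, problems = None, {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "auth" and len(parts) == 2:
            selected = parts[1]
        elif len(parts) >= 2:
            keys[parts[0]] = (parts[1], " ".join(parts[2:]))
    if selected is None or selected not in keys:
        return ["'auth N' does not name a defined key"]
    method, secret = keys[selected]
    if method not in AUTH_METHODS:
        problems.append("unknown method %r (expected crc, md5 or sha1)" % method)
    elif method == "crc":
        problems.append("crc gives integrity checking only, no authentication")
    elif not secret:
        problems.append("%s needs a shared secret" % method)
    elif len(secret) < MIN_SECRET_LEN:
        problems.append("secret shorter than %d characters" % MIN_SECRET_LEN)
    return problems


def authkeys_mode_ok(st_mode):
    """True when the mode has no group/other bits, i.e. the chmod 600 applied in Step2."""
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


if __name__ == "__main__":
    print("ha.cf:", check_ha_cf(HA_CF) or "ok")
    print("authkeys (crc):", check_authkeys(AUTHKEYS_CRC) or "ok")
    print("authkeys (sha1):", check_authkeys(AUTHKEYS_SHA1) or "ok")
```

Run it against the real files by reading /etc/ha.d/ha.cf and /etc/ha.d/authkeys into the two strings; authkeys_mode_ok takes the st_mode from os.stat, so a 644 file is caught before scp spreads it to node2.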


5.4: Testing

Now that we have heartbeat configured it is time to test ther


Step1

Login to node2, your backup domain controller, and use exactly the same heartbeat configuration files as on the primary domain controller.


6.0: DRBD

[Figure: DRBD configuration, Primary and Secondary]

DRBD is a kernel module which networks 2 machines to provide RAID1 over LAN.

It is assumed that each machine has an identical drive dedicated to DRBD; all data on this device will be destroyed.

If you are updating your kernel or version of DRBD, make sure DRBD is stopped on both machines.

Never attempt to run different versions of DRBD; this means both machines need the same kernel.

6.1: Requirements

You will need to install the DRBD kernel module. We will build our own RPM kernel modules so they are optimized for our architecture.

I have tested many different kernels with DRBD; some are not stable, so you will need to check Google to make sure your kernel is compatible with the particular DRBD release. Most of the time this isn’t an issue.

Both of the following kernels are recommended for Fedora Core 4; I have used them with DRBD up to version drbd-0.7.23.

kernel-smp-2.6.14-1.1656_FC4
kernel-smp-2.6.11-1.1369_FC4

Please browse this list http://www.linbit.com/support/drbd-current/ and look for the packages available.

Step1

Get a serial cable and connect it to each node's COM1 port.

Execute the following; you may see a lot of garbage on the screen.

[root@node1 ~]# cat </dev/ttyS0

Step2

You may have to repeat the command below a couple of times in rapid succession to see the output on node1.

[root@node2 ~]# echo hello >/dev/ttyS0


6.2: Installation


Step1

Extract the latest stable version of DRBD.

[root@node1 stable]# tar zxvf drbd-0.7.20.tar.gz

[root@node1 stable]# cd drbd-0.7.20
[root@node1 drbd-0.7.20]#

Step2

It is nice to make your own RPM for your distribution; it makes upgrades seamless.

This will give us an RPM built specifically for our kernel; it may take some time.

[root@node1 drbd-0.7.20]# make
[root@node1 drbd-0.7.20]# make rpm

Step3

[root@node1 drbd-0.7.20]# cd dist/RPMS/i386/

[root@node1 i386]# ls
drbd-0.7.20-1.i386.rpm
drbd-debuginfo-0.7.20-1.i386.rpm
drbd-km-2.6.14_1.1656_FC4smp-0.7.20-1.i386.rpm

Step4

We will now install DRBD and the kernel module we built earlier.

[root@node1 i386]# rpm -Uvh drbd-0.7.20-1.i386.rpm drbd-debuginfo-0.7.20-1.i386.rpm drbd-km-2.6.14_1.1656_FC4smp-0.7.20-1.i386.rpm


Step5

Login to node2, the backup domain controller, and do the same.


6.3: Configuration

In the example throughout this document we have linked /dev/hdd1 to /dev/drbd0; yours, however, may be a different device, it could be SCSI.

All data on the device /dev/hdd will be destroyed.

Step1

We are going to create the partition /dev/hdd1 on /dev/hdd using fdisk.

[root@node1]# fdisk /dev/hdd

Command (m for help): m
Command action
a toggle a bootable flag
b edit bsd disklabel
c toggle the dos compatibility flag
d delete a partition
l list known partition types
m print this menu
n add a new partition
o create a new empty DOS partition table
p print the partition table
q quit without saving changes
s create a new empty Sun disklabel
t change a partition's system id
u change display/entry units
v verify the partition table
w write table to disk and exit
x extra functionality (experts only)

Command (m for help): d
No partition is defined yet!

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-8677, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-8677, default 8677):
Using default value 8677

Command (m for help): w


Step2

Now login to node2, the backup domain controller, and fdisk /dev/hdd (or your chosen device) as per above.


6.3.1: drbd.conf

Create this file on both your master and slave server. It should be identical, although this is not a requirement: as long as the partition size is the same, any mount point can be used.

Step1

The file below is fairly self explanatory; you can see the real disk linked to the DRBD kernel module device.


[root@node1]# vi /etc/drbd.conf

# Datadrive (/data) /dev/hdd1 80GB

resource drbd1 {
protocol C;
disk {
on-io-error panic;
}
net {
max-buffers 2048;
ko-count 4;
on-disconnect reconnect;
}
syncer {
rate 700000;
}
on node1 {
device /dev/drbd0;
disk /dev/hdd1;
address 10.0.0.1:7789;
meta-disk internal;
}
on node2 {
device /dev/drbd0;
disk /dev/hdd1;
address 10.0.0.2:7789;
meta-disk internal;
}
}


Step2

[root@node1]# scp /etc/drbd.conf root@node2:/etc/


6.3.2: Initialization

In the following steps we will configure the disks to synchronize and choose a master node.

Step1

On the Primary Domain Controller

[root@node1]# service drbd start

On the Backup Domain Controller

[root@node2]# service drbd start

Step2

[root@node1]# service drbd status

drbd driver loaded OK; device status:
version: 0.7.17 (api:77/proto:74)
SVN Revision: 2093 build by root@node1, 2006-04-23 14:40:20
0: cs:Connected st:Secondary/Secondary ld:Inconsistent
ns:25127936 nr:3416 dw:23988760 dr:4936449 al:19624 bm:1038 lo:0 pe:0 ua:0 ap:0

You can see both devices are connected and waiting for a Primary to be chosen, which will trigger an initial synchronization to the secondary device.

Step3

Stop the heartbeat service on both nodes.

Step4

We now tell DRBD to make node1 the primary.

[root@node1]# drbdadm -- --do-what-I-say primary all

[root@node1 ~]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.23 (api:79/proto:74)
SVN Revision: 2686 build by root@node1, 2007-01-23 20:26:13
0: cs:SyncSource st:Primary/Secondary ld:Consistent
ns:67080 nr:85492 dw:91804 dr:72139 al:9 bm:268 lo:0 pe:30 ua:2019 ap:0
[==>.................] sync'ed: 12.5% (458848/520196)K
finish: 0:01:44 speed: 4,356 (4,088) K/sec

Step5

Create a filesystem on our replicated device.

[root@node1]# mkfs.ext3 /dev/drbd0

6.4: Testing

We have a 2 node cluster replicating data; it's time to test a failover.

Step1

Start the heartbeat service on both nodes.

Step2

On node1 we can see the status of DRBD.

[root@node1 ~]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.23 (api:79/proto:74)
0: cs:Connected st:Primary/Secondary ld:Consistent
ns:1536 nr:0 dw:1372 dr:801 al:4 bm:6 lo:0 pe:0 ua:0 ap:0
[root@node1 ~]#

On node2 we can see the status of DRBD.

[root@node2 ~]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.23 (api:79/proto:74)
SVN Revision: 2686 build by root@node2, 2007-01-23 20:26:03
0: cs:Connected st:Secondary/Primary ld:Consistent
ns:0 nr:1484 dw:1484 dr:0 al:0 bm:6 lo:0 pe:0 ua:0 ap:0
[root@node2 ~]#

That all looks good; we can see the devices are consistent and ready for use.

Step3

Now let’s check the mount point we created in the heartbeat haresources file.

We can see heartbeat has successfully mounted /dev/drbd0 on the /data directory; of course your device will not have any data on it yet.

[root@node1 ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
35G 14G 20G 41% /
/dev/hdc1 99M 21M 74M 22% /boot
/dev/shm 506M 0 506M 0% /dev/shm
/dev/drbd0 74G 37G 33G 53% /data
[root@node1 ~]#

Step4

On node1 execute the following command; once heartbeat is stopped it should only take a few seconds to migrate the services to node2.

[root@node1 ~]# service heartbeat stop
Stopping High-Availability services:
[ OK ]

[root@node1 ~]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.23 (api:79/proto:74)
SVN Revision: 2686 build by root@node1, 2007-01-23 20:26:13
0: cs:Connected st:Secondary/Primary ld:Consistent
ns:5616 nr:85492 dw:90944 dr:2162 al:9 bm:260 lo:0 pe:0 ua:0 ap:0

We can see DRBD change state to Secondary on node1.

Step5

Now let’s check the status of DRBD on node2; we can see it has changed state and become the Primary.

[root@node2 ~]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.23 (api:79/proto:74)
SVN Revision: 2686 build by root@node2, 2007-01-23 20:26:03
0: cs:Connected st:Primary/Secondary ld:Consistent
ns:4 nr:518132 dw:518136 dr:17 al:0 bm:220 lo:0 pe:0 ua:0 ap:0
1: cs:Connected st:Primary/Secondary ld:Consistent
ns:28 nr:520252 dw:520280 dr:85 al:0 bm:199 lo:0 pe:0 ua:0 ap:0

Check that node2 has mounted the device.

[root@node2 ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
35G 12G 22G 35% /
/dev/hdc1 99M 17M 78M 18% /boot
/dev/shm 506M 0 506M 0% /dev/shm
/dev/hdh1 111G 97G 7.6G 93% /storage
/dev/drbd0 74G 37G 33G 53% /data
[root@node2 ~]#

Step6

Finally, start the heartbeat service on node1 and make sure that all resources migrate back.
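The status outputs in 6.3.2 and 6.4 are what an operator reads to decide whether the failover is healthy. The parser below is an added example, not part of the original guide or of the DRBD project; it understands the DRBD 0.7 status lines shown above (cs:, st:local/peer, ld:), embeds those outputs as constructed samples, and adds two constructed samples (a node that lost its peer while Primary, and a peer that also went Primary) to show how a split brain looks from each side. safe_to_mount is deliberately stricter than heartbeat's drbddisk script, which will promote a device that is still synchronizing.

```python
"""Parse and classify DRBD 0.7 status output (added example)."""
import re

# From section 6.3.2, before the first sync: both Secondary, local data Inconsistent
NODE1_FRESH = """\
drbd driver loaded OK; device status:
version: 0.7.17 (api:77/proto:74)
0: cs:Connected st:Secondary/Secondary ld:Inconsistent
    ns:25127936 nr:3416 dw:23988760 dr:4936449 al:19624 bm:1038 lo:0 pe:0 ua:0 ap:0
"""
# From section 6.3.2, initial sync running after 'drbdadm ... primary all'
NODE1_SYNCING = """\
0: cs:SyncSource st:Primary/Secondary ld:Consistent
    ns:67080 nr:85492 dw:91804 dr:72139 al:9 bm:268 lo:0 pe:30 ua:2019 ap:0
    [==>.................] sync'ed: 12.5% (458848/520196)K
"""
# From section 6.4, steady state as seen on each node
NODE1_OK = "0: cs:Connected st:Primary/Secondary ld:Consistent\n"
NODE2_OK = "0: cs:Connected st:Secondary/Primary ld:Consistent\n"
# Constructed: node1 lost its peer while Primary
NODE1_ALONE = "0: cs:StandAlone st:Primary/Unknown ld:Consistent\n"
# Constructed: node2 was promoted too while the link was down (split brain)
NODE2_ALSO_PRIMARY = "0: cs:WFConnection st:Primary/Unknown ld:Consistent\n"

DEVICE_RE = re.compile(r"^\s*(\d+):\s+cs:(\S+)\s+st:(\S+)/(\S+)\s+ld:(\S+)")
SYNC_RE = re.compile(r"sync'ed:\s*([\d.]+)%")


def parse_status(text):
    """Return {minor: fields} for every 'N: cs:... st:.../... ld:...' line, attaching the
    percentage from a following sync progress line when one is present."""
    devices, current = {}, None
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            current = int(m.group(1))
            devices[current] = {"cs": m.group(2), "local": m.group(3),
                                "peer": m.group(4), "ld": m.group(5), "sync_pct": None}
            continue
        s = SYNC_RE.search(line)
        if s and current is not None:
            devices[current]["sync_pct"] = float(s.group(1))
    return devices


def assess(dev):
    """Classify one device: 'peer-lost', 'inconsistent', 'syncing', 'ok' or 'unknown'."""
    if dev["peer"] == "Unknown" or dev["cs"] in ("StandAlone", "WFConnection", "Unconnected"):
        return "peer-lost"
    if dev["ld"] != "Consistent":
        return "inconsistent"
    if dev["cs"].startswith("Sync") or dev["sync_pct"] is not None:
        return "syncing"
    if dev["cs"] == "Connected":
        return "ok"
    return "unknown"


def safe_to_mount(dev):
    """Only a connected, consistent Primary should carry the /data filesystem."""
    return dev["local"] == "Primary" and dev["cs"] == "Connected" and dev["ld"] == "Consistent"


def cross_check(node1_text, node2_text, minor=0):
    """Compare both nodes' view of one device: 'consistent' when each side's peer role
    matches the other side's local role, 'split-brain' when both claim Primary."""
    a = parse_status(node1_text)[minor]
    b = parse_status(node2_text)[minor]
    if a["local"] == "Primary" and b["local"] == "Primary":
        return "split-brain"
    if a["peer"] == b["local"] and b["peer"] == a["local"]:
        return "consistent"
    return "mismatch"


if __name__ == "__main__":
    for name, text in (("fresh", NODE1_FRESH), ("syncing", NODE1_SYNCING), ("ok", NODE1_OK)):
        print(name, assess(parse_status(text)[0]))
    print("node1/node2:", cross_check(NODE1_OK, NODE2_OK))
    print("after link failure:", cross_check(NODE1_ALONE, NODE2_ALSO_PRIMARY))
```

On a live node feed it the output of `service drbd status` (or /proc/drbd). A 'split-brain' result from cross_check means the two copies have diverged and one side's changes must be discarded; that decision should be made by hand, not by restarting heartbeat.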


7.0: BIND DNS

We can use BIND (the Berkeley Internet Name Domain server) in a high availability configuration. We can make the 2 nodes appear as one: the zone files are stored on the DRBD drive, and if node1 fails node2 takes over and automatically starts named.

BIND can have its /var/named directory relocated to a more appropriate location such as /data/dnszones; this gives us real time replication of the zone files. The standby node2 must have its default directory changed to /data/dnszones as well.

We have 2 servers, and we will refer to the cluster as cluster.differentialdesign.org. It is assumed that these machines are behind a firewall with NAT and port forwarding to the appropriate ports.

When registering a domain name you would want 2 separate name servers, so it is recommended to set up an additional slave DNS server.

An example may be

Name Server: CLUSTER.DIFFERENTIALDESIGN.ORG   <- Primary Name Server(s)
Name Server: NS1.DIFFERENTIALDESIGN.ORG
Name Server: NS2.DIFFERENTIALDESIGN.ORG


7.1: Configuration


Step1

We will now create a directory on our DRBD drive, /data/dnszones.

[root@node1 ~]# mkdir /data/dnszones

Step2

Change the location of the zone files to our replicated drive. Note that the -t option shown in the usage output below sets a chroot directory for named; the directory the zone files are read from is set by the directory option in named.conf (see 7.1.1).

[root@node1 ~]# named ?
usage: named [-4|-6] [-c conffile] [-d debuglevel] [-f|-g] [-n number_of_cpus]
[-p port] [-s] [-t chrootdir] [-u username]
[-m {usage|trace|record}]
[-D ]
named: extra command line arguments

[root@node1 ~]# named -t /data/dnszones/

Step3

Copy the default zone files to our new location and set the ownership.

[root@node1 ~]# rsync -avz /var/named/ /data/dnszones/

[root@node1 ~]# chown -R named.named /data/dnszones/


7.1.1: named.conf

It is important that all machines on the network use cluster.differentialdesign.org, or its local IP address, as their DNS server. This way we can ensure correct name resolution.

We will now edit /etc/named.conf.

Take note in the file below of the two secondary DNS servers in the allow-transfer list; these are the IP addresses of ns1.differentialdesign.org and ns2.differentialdesign.org. Zone transfers are restricted to these hosts and localhost.

The named.conf needs to be the same on both node1 and node2; you could manually copy the file over using SCP, or link it to the /data/dnszones directory using a symbolic link.


[root@node1 ~]# vi /etc/named.conf


//
// named.conf for Red Hat caching-nameserver
//

options {
directory "/data/dnszones";
dump-file "/data/dnszones/data/cache_dump.db";
statistics-file "/data/dnszones/data/named_stats.txt";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;

allow-transfer {
127.0.0.1; // localhost
202.161.90.250; // secondary DNS server for my zone
202.161.90.251; // secondary DNS server for my zone
};
};

//
// a caching only nameserver config
//
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
type hint;
file "named.ca";
};

zone "localdomain" IN {
type master;
file "localdomain.zone";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.ip6.local";
allow-update { none; };
};

zone "255.in-addr.arpa" IN {
type master;
file "named.broadcast";
allow-update { none; };
};

zone "0.in-addr.arpa" IN {
type master;
file "named.zero";
allow-update { none; };
};


zone "differentialdesign.org" {
type master;
file "/data/dnszones/differentialdesign.org/named.differentialdesign.org.hosts";
allow-update { none; };
};




7.1.2: zone file

In our named.conf file we have the following zone defined:

zone "differentialdesign.org" {
type master;
file "/data/dnszones/differentialdesign.org/named.differentialdesign.org.hosts";
allow-update { none; };
};

The zone file is located under /data/dnszones/.

Step1.

Create a sub folder where we will store our zone files.

[root@node1 ~]# mkdir /data/dnszones/differentialdesign.org/

Step2.

Create a new file called named.differentialdesign.org.hosts.

[root@node1 ~]# vi /data/dnszones/differentialdesign.org/named.differentialdesign.org.hosts

You will see below that nodes.differentialdesign.org. IN A 192.168.0.4 is an “A record” which points to the virtual IP address of the cluster. When setting up mapped drives it is best to use this name instead of the IP address.

$TTL 8h
differentialdesign.org. IN SOA cluster.differentialdesign.org. asender.mail.samba.org. (
2006211201
10800
3600
3600000
86400 )
differentialdesign.org. IN NS cluster.differentialdesign.org.
differentialdesign.org. IN NS ns1.differentialdesign.org.
differentialdesign.org. IN NS ns2.differentialdesign.org.
differentialdesign.org. IN MX 50 mail.differentialdesign.org.
mail.differentialdesign.org. IN A 202.161.90.245
www.differentialdesign.org. IN A 202.161.90.245
cluster.differentialdesign.org. IN A 202.161.90.241
node1.differentialdesign.org. IN A 192.168.0.2
node2.differentialdesign.org. IN A 192.168.0.3
nodes.differentialdesign.org. IN A 192.168.0.4
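A reviewer of this zone would check two things before publishing it: that every in-zone name server and mail exchanger has an A record (ns1 and ns2 are listed as NS above but have none in this file), and that a zone served to the Internet does not publish RFC 1918 addresses (node1, node2 and nodes point at 192.168.0.x, which tells outsiders the internal layout while being useless to them). The checker below is an added example, not part of the original guide or of BIND; it embeds the zone above as a constructed sample and assumes every record carries the class IN, as all of them do here.

```python
"""Minimal zone file checker for the guide's differentialdesign.org zone (added example)."""
import ipaddress

ORIGIN = "differentialdesign.org."

# Constructed sample: the zone file from section 7.1.2
ZONE = """\
$TTL 8h
differentialdesign.org. IN SOA cluster.differentialdesign.org. asender.mail.samba.org. (
2006211201
10800
3600
3600000
86400 )
differentialdesign.org. IN NS cluster.differentialdesign.org.
differentialdesign.org. IN NS ns1.differentialdesign.org.
differentialdesign.org. IN NS ns2.differentialdesign.org.
differentialdesign.org. IN MX 50 mail.differentialdesign.org.
mail.differentialdesign.org. IN A 202.161.90.245
www.differentialdesign.org. IN A 202.161.90.245
cluster.differentialdesign.org. IN A 202.161.90.241
node1.differentialdesign.org. IN A 192.168.0.2
node2.differentialdesign.org. IN A 192.168.0.3
nodes.differentialdesign.org. IN A 192.168.0.4
"""


def parse_zone(text):
    """Return (ttl, records) with records as (owner, type, rdata_tokens).
    Parenthesised multi-line rdata (the SOA) is joined, ';' comments are dropped."""
    ttl, records, pending = None, [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        pending = (pending + " " + line).strip()
        if pending.count("(") > pending.count(")"):
            continue  # still inside the SOA parentheses
        tokens = pending.replace("(", " ").replace(")", " ").split()
        pending = ""
        if tokens[0] == "$TTL":
            ttl = tokens[1]
            continue
        owner, _cls, rtype, rdata = tokens[0], tokens[1], tokens[2], tokens[3:]
        records.append((owner, rtype, rdata))
    return ttl, records


def soa(records):
    """The SOA fields as a dict, or None if the zone has no SOA."""
    for _owner, rtype, rdata in records:
        if rtype == "SOA":
            keys = ("refresh", "retry", "expire", "minimum")
            out = {"mname": rdata[0], "rname": rdata[1], "serial": int(rdata[2])}
            out.update(zip(keys, (int(v) for v in rdata[3:7])))
            return out
    return None


def in_zone(name, origin):
    return name == origin or name.endswith("." + origin)


def missing_glue(records, origin):
    """In-zone NS and MX targets that have no A record in this zone."""
    a_owners = {owner for owner, rtype, _ in records if rtype == "A"}
    targets = [rdata[-1] for _, rtype, rdata in records if rtype in ("NS", "MX")]
    return sorted({t for t in targets if in_zone(t, origin) and t not in a_owners})


def private_exposures(records):
    """A records pointing at RFC 1918 space; in a public zone these leak internal topology."""
    return [(owner, rdata[0]) for owner, rtype, rdata in records
            if rtype == "A" and ipaddress.ip_address(rdata[0]).is_private]


if __name__ == "__main__":
    ttl, recs = parse_zone(ZONE)
    print("TTL", ttl, "records", len(recs), "serial", soa(recs)["serial"])
    print("NS/MX without glue:", missing_glue(recs, ORIGIN))
    print("private addresses published:", private_exposures(recs))
```

The private-address finding is a design point rather than a syntax error: the LAN names are needed for the Samba clients, so the usual answer is a separate internal view or an internal-only zone on the cluster, with the public zone carrying only the public records.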

Revision as of 03:03, 25 January 2007

SAMBA 3: FAILOVER DOMAIN CONTROLLER

SAMBA 3 EXTENSIONS


TECHNICAL CONFIGURATION


Author: Adrian Sender
Supervisor: Simo Sorce


Objectives

Samba Active Directory Upgrade Compatible
Set Standards
High Availability Cluster
Recommended By Developers


Overview

1.0: Configuring Samba
1.1 smb.conf PDC
1.2 smb.conf BDC
1.3 /etc/hosts
1.4 Samba Security

2.0: Configuring LDAP
2.1 slapd.conf Master
2.1.1 slapd.conf Master syncrepl Openldap2.2
2.1.2 slapd.conf Master delta-syncrepl Openldap2.3
2.2 slapd.conf Slave
2.2.1 slapd.conf Slave syncrepl Openldap2.2
2.2.2 slapd.conf Slave delta-syncrepl Openldap2.3
2.3 ldap.conf Master
2.4 ldap.conf Slave

3.0: Initialization LDAP Database
3.1 Provisioning Database
3.2 Preload LDIF
3.3 LDAP Population
3.4 Database Replication

4.0: User Management
4.1 smbldap-tools
4.1.1 smbldap.conf Master
4.1.2 smbldap.conf Slave

5.0: Heartbeat HA Configuration
5.1 Requirements
5.2 Installation
5.3 Configuration
5.3.1 ha.cf
5.3.2 haresources
5.3.3 authkeys
5.4 Testing

6.0: DRBD
6.1 Requirements
6.2 Installation
6.3 Configuration
6.3.1 drbd.conf
6.3.2 Initialization
6.4 Testing

7.0: BIND DNS
7.1 Configuration
7.1.1 named.conf
7.1.2 zone file


Overview

We will be configuring a 2 node cluster using Samba and OpenLDAP to provide Windows domain authentication. Heartbeat will provide the 2 nodes with one virtual IP address; we will use this IP address to map network drives and access resources.

Most of us are familiar with some form of RAID; we will be using DRBD, software RAID1 over LAN, to provide real time data replication at the block level. If a failure occurs on node1 or it becomes unresponsive, resources will be migrated to node2 and the DRBD drive mounted there.

This is a complex setup and strict guidelines need to be followed in order to achieve stability.

We should start with 2 identical machines, each with 2 hard drives. One of these drives will be used for the operating system; the other is our DRBD RAID1 over LAN drive.

By today’s standards anything in the Pentium 4 range and above will suit. The operating system drive should be no less than approximately 40GB, and the DRBD replication drive should be approximately 300GB in each machine; SATA and SCSI are also fine. DRBD can currently address and replicate data storage up to 4TB.

Once familiar with this kind of configuration you can easily take one node offline to upgrade additional storage or any hardware requirements without users suffering.

High Availability and data replication should not replace traditional backups such as tape and external media devices, especially if you are using this configuration and are not familiar with the workings.

The machines will need to be in close proximity to each other so we can use Serial communication to provide a fault tolerant heartbeat. If you choose not to use serial you may have unexpected failovers due to bandwidth delay or a network card failure. Ideally we want to have a quick failover so it is important that these precautions are taken.

Each node will require 2 network cards.

Here is a basic configuration overview:

Configuration Details

node1.differentialdesign.org

Eth0: LAN Network Address
    IP Address: 192.168.0.2
    Subnet Mask: 255.255.255.0
    Gateway: 192.168.0.1

Eth0:1 Heartbeat LAN Address
    IP Address: 192.168.0.4
    Subnet Mask: 255.255.255.0

Eth1: DRBD Replication Network
    IP Address: 10.0.0.1
    Subnet Mask: 255.255.255.0
    Gateway: None

HDC: Operating System Drive

HDD: DRBD Data Replication Drive

TTYS0: COM Port 1

Configuration Details

node2.differentialdesign.org

Eth0: LAN Network Address
    IP Address: 192.168.0.3
    Subnet Mask: 255.255.255.0
    Gateway: 192.168.0.1

Eth1: DRBD Replication Network
    IP Address: 10.0.0.2
    Subnet Mask: 255.255.255.0
    Gateway: None

HDC: Operating System Drive

HDD: DRBD Data Replication Drive

TTYS0: COM Port 1



1.0: Configuring Samba


Samba is an ambitious project to provide solutions for file & print sharing between Linux ™ and Microsoft Windows.

If you are familiar with Samba this document may give you some ideas of how you can bundle different software packages together to produce a very reliable configuration.

We are building a fault tolerant domain controller, which provides you with the following:

[Figure: Samba configuration, Primary Domain Controller and Backup Domain Controller]

A master domain controller that provides authentication through the use of LDAP.
A slave domain controller that can load balance client login requests and also provides redundancy through the use of a replica LDAP database.


Step1

Get the latest version of samba http://us4.samba.org/samba/ftp/samba-latest.tar.gz

It is essential that both the PDC and BDC are running the same version of samba.

[root@node1 samba]# wget http://us4.samba.org/samba/ftp/samba-latest.tar.gz
--19:28:04--  http://us4.samba.org/samba/ftp/samba-latest.tar.gz
          => `samba-latest.tar.gz'
Resolving us4.samba.org... 192.48.170.15
Connecting to us4.samba.org|192.48.170.15|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17,704,221 (17M) [application/x-tar]

100%[====================================>] 17,704,221 53.01K/s ETA 00:00

19:33:40 (51.62 KB/s) - `samba-latest.tar.gz' saved [17704221/17704221]


Step2

[root@node1 samba]# tar zxvf samba-latest.tar.gz

[root@node1 samba]# cd samba-3.0.23d/
[root@node1 samba-3.0.23d]#

[root@node1 samba-3.0.23d]# ls packaging/
bin/  Example/  Mandrake/  RedHat-9/  SGI/  SuSE/  Debian/  LSB/  README  RHEL/  Solaris/  sysv/


Step3

This will take some time.

[root@node1 samba-3.0.23d]# cd packaging/RHEL/

[root@node1 RHEL]# ls
makerpms.sh  makerpms.sh.tmpl  samba.spec  samba.spec.tmpl  setup

[root@node1 RHEL]# chmod 755 makerpms.sh
[root@node1 RHEL]# ./makerpms.sh

Wrote: /usr/src/redhat/SRPMS/samba-3.0.23d-1.src.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-3.0.23d-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-client-3.0.23d-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-common-3.0.23d-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-swat-3.0.23d-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-doc-3.0.23d-1.i386.rpm
Wrote: /usr/src/redhat/RPMS/i386/samba-debuginfo-3.0.23d-1.i386.rpm

makerpms.sh: Done.
[root@node1 RHEL]#


Step4

Install the RPM files we built from source.

[root@node1]# cd /usr/src/redhat/RPMS/i386/
[root@node1 i386]# rpm -Uvh samba-3.0.23d-1.i386.rpm samba-client-3.0.23d-1.i386.rpm samba-common-3.0.23d-1.i386.rpm samba-debuginfo-3.0.23d-1.i386.rpm samba-doc-3.0.23d-1.i386.rpm samba-swat-3.0.23d-1.i386.rpm
Preparing...                ########################################### [100%]
   1:samba-common           warning: /etc/samba/smb.conf created as /etc/samba/smb.conf.rpmnew
########################################### [ 17%]
   2:samba                  ########################################### [ 33%]
ls: /var/cache/samba/eventlog/*tdb: No such file or directory
   3:samba-client           ########################################### [ 50%]
   4:samba-debuginfo        ########################################### [ 67%]
   5:samba-doc              ########################################### [ 83%]
   6:samba-swat             ########################################### [100%]

[root@node1 i386]#


Step5

Login to node2 – the backup domain controller and repeat the above steps.


1.1: smb.conf PDC

You will need to replace the highlighted parameters (domain name, LDAP suffix and host names) with your own. Take note of the use of failover LDAP backends in passdb backend; this is very useful.

[root@node1 ~]# mkdir /data


[root@node1 ~]# vi /etc/samba/smb.conf


# Primary Domain Controller smb.conf
# Global parameters
[global]
  unix charset = LOCALE
  workgroup = DDESIGN
  netbios name = node1
#  passdb backend = ldapsam:ldap://127.0.0.1
#  passdb backend = ldapsam:"ldap://192.168.0.2 ldap://192.168.0.3"
  passdb backend = ldapsam:"ldap://node1.differentialdesign.org ldap://node2.differentialdesign.org"
  username map = /etc/samba/smbusers
  log level = 1
  syslog = 0
  log file = /var/log/samba/%m
  max log size = 0
  name resolve order = wins bcast hosts
  time server = Yes
  printcap name = CUPS
  add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'
  delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'
  add group script = /opt/IDEALX/sbin/smbldap-groupadd -p '%g'
  delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'
  add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%g' '%u'
  delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%g' '%u'
  set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
  add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'
  shutdown script = /var/lib/samba/scripts/shutdown.sh
  abort shutdown script = /sbin/shutdown -c
  logon script = %u.bat
#  logon path = \\192.168.0.4\profiles\%u
  logon path = \\nodes.differentialdesign.org\profiles\%u
  logon drive = H:
  domain logons = Yes
  domain master = Yes
  wins support = Yes
  ldap suffix = dc=differentialdesign,dc=org
  ldap machine suffix = ou=Computers,ou=Users
  ldap user suffix = ou=People,ou=Users
  ldap group suffix = ou=Groups
  ldap idmap suffix = ou=Idmap
  ldap admin dn = cn=sambaadmin,dc=differentialdesign,dc=org
  idmap backend = ldap://127.0.0.1
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  printer admin = root
  printing = cups

# ======================== Share Definitions =========================

[homes]

  comment = Home Directories
  valid users = %S
  browseable = yes
  writable = yes
  create mask = 0600
  directory mask = 0700
[netlogon]
 comment = Network Logon Service
 path = /data/samba/netlogon
 writeable = yes
 browseable = yes
 read only = no

[profiles]

 path = /data/samba/profiles
 writeable = yes
 browseable = no
 read only = no
 create mode = 0777
 directory mode = 0777

[Documents]

 comment = share to test samba
 path = /data/documents
 writeable = yes
 browseable = yes
 read only = no
 valid users = "@Domain Users"


1.2: smb.conf BDC

[root@node2 ~]# mkdir /data


[root@node2 ~]# vi /etc/samba/smb.conf


# Global parameters
# Backup Domain Controller
[global]
  unix charset = LOCALE
  workgroup = DDESIGN
  netbios name = node2
#  passdb backend = ldapsam:ldap://127.0.0.1
#  passdb backend = ldapsam:"ldap://192.168.0.2 ldap://192.168.0.3"
  passdb backend = ldapsam:"ldap://node2.differentialdesign.org ldap://node1.differentialdesign.org"
  username map = /etc/samba/smbusers
  log level = 1
  syslog = 0
  log file = /var/log/samba/%m
  max log size = 50
  name resolve order = wins bcast hosts
  printcap name = CUPS
  show add printer wizard = No
  logon script = %u.bat
#  logon path = \\192.168.0.4\profiles\%u
  logon path = \\nodes.differentialdesign.org\profiles\%u
  logon drive = H:
  domain logons = Yes
  os level = 63
  domain master = No
  wins server = node1.differentialdesign.org
  ldap suffix = dc=differentialdesign,dc=org
  ldap machine suffix = ou=Computers,ou=Users
  ldap user suffix = ou=People,ou=Users
  ldap group suffix = ou=Groups
  ldap idmap suffix = ou=Idmap
  ldap admin dn = cn=sambaadmin,dc=differentialdesign,dc=org
  utmp = Yes
  idmap backend = ldap://node1.differentialdesign.org
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  printing = cups

# ======================== Share Definitions =========================

[homes]

  comment = Home Directories
  valid users = %S
  browseable = yes
  writable = yes
  create mask = 0600
  directory mask = 0700
[netlogon]
 comment = Network Logon Service
 path = /data/samba/netlogon
 writeable = yes
 browseable = yes
 read only = no

[profiles]

 path = /data/samba/profiles
 writeable = yes
 browseable = no
 read only = no
 create mode = 0777
 directory mode = 0777

[Documents]

 comment = share to test samba
 path = /data/documents
 writeable = yes
 browseable = yes
 read only = no
 valid users = "@Domain Users"


1.3: /etc/hosts

In order to correctly resolve names to IP addresses we need some form of name resolution. We already have a DNS server capable of this, as per section 7.0: BIND DNS. However, it is desirable to have a fallback such as entries in the /etc/hosts file.

Step1

On node1 we will edit the hosts file to reflect our configuration.

[root@node1 ~]# vi /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       node1 localhost.localdomain localhost
192.168.0.2     node1.differentialdesign.org
192.168.0.3     node2.differentialdesign.org
192.168.0.4     nodes.differentialdesign.org

Step2

Login to node2 and edit the /etc/hosts file.

[root@node2 ~]# vi /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       node2 localhost.localdomain localhost
192.168.0.2     node1.differentialdesign.org
192.168.0.3     node2.differentialdesign.org
192.168.0.4     nodes.differentialdesign.org


1.4: Samba Security

There are many additional parameters we can set in Samba to make it more secure; a few additions to our smb.conf achieve this.

One of the great features of Samba is the "hosts allow =" option. It can be applied globally, to all shares, by placing it in the global section of the smb.conf, or to specific shares, but not both.

The example below limits access to the Samba shares to clients on the 192.168.0.0/24 network, as it is defined in the global section of the smb.conf.

# /etc/samba/smb.conf
# Global parameters
[global]
   workgroup = DDESIGN
   security = user
   hosts allow = 192.168.0.0/24

For the enthusiast, the option can also be used on a per-share basis, which gives greater flexibility.

This limits access to the share to the client with the 192.168.0.100/24 IP address; you can of course list multiple addresses.

# /etc/samba/smb.conf
# ==== Share Definitions =====
[Documents]
   comment = share to test samba
   path = /data/documents
   writeable = yes
   browseable = yes
   read only = no
   valid users = "@Domain Users"
   hosts allow = 192.168.0.100/24
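Before rolling a hosts allow change out to both nodes it is worth checking which shares are actually covered and how Samba will read each address/mask entry. The script below is an added example, not part of the original page or of Samba: it reads an smb.conf (a constructed sample modelled on the page's [global] and [Documents] sections is embedded), reports per share whether a share-level or global hosts allow rule is in effect, and flags entries whose address has host bits set under its mask. Samba's mask matching compares (client & mask) with (entry & mask), so an entry such as 192.168.0.100/24 admits every client in 192.168.0.0/24; a single host is written without a mask or with /32.

```shell
#!/bin/sh
# Added example, not part of the original page: a lint for "hosts allow"
# coverage in an smb.conf. For each share it reports whether a hosts allow
# rule applies (from the share itself, else from [global]) and flags
# address/mask entries whose address has host bits set under the mask:
# Samba compares (client & mask) with (entry & mask), so "192.168.0.100/24"
# admits every client in 192.168.0.0/24, not only .100.
# Assumes [global] precedes the share sections, as in the page's smb.conf.

# Constructed sample, modelled on the page's [global] and [Documents] sections.
SAMPLE_SMB_CONF='[global]
   workgroup = DDESIGN
   security = user

[Documents]
   path = /data/documents
   valid users = "@Domain Users"
   hosts allow = 192.168.0.100/24

[profiles]
   path = /data/samba/profiles
'

# Dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Host bits of an a.b.c.d/N or a.b.c.d/m.m.m.m entry; 0 means a clean network address.
cidr_hostbits() {
    addr=${1%%/*}
    mask=${1#*/}
    a=$(ip_to_int "$addr")
    case $mask in
        *.*) m=$(ip_to_int "$mask") ;;
        *)   m=$(( mask == 0 ? 0 : 4294967295 - ((1 << (32 - mask)) - 1) )) ;;
    esac
    echo $(( a & (4294967295 - m) ))
}

# Verdict for one share: $1 share name, $2 share-level rule, $3 global rule.
report_share() {
    share=$1; share_rule=$2; global_rule=$3
    if [ -z "$share" ] || [ "$share" = global ]; then
        return 0
    fi
    if [ -n "$share_rule" ]; then
        rule=$share_rule; origin=share-level
    elif [ -n "$global_rule" ]; then
        rule=$global_rule; origin=global
    else
        printf '%s: no hosts allow in effect (any client that can reach the server may try this share)\n' "$share"
        return 0
    fi
    note=""
    for tok in $(printf '%s' "$rule" | tr ',' ' '); do
        case $tok in
            */*) if [ "$(cidr_hostbits "$tok")" -ne 0 ]; then
                     note="$note WARNING: $tok has host bits set under its mask and admits the whole network"
                 fi ;;
        esac
    done
    printf '%s: %s hosts allow (%s)%s\n' "$share" "$origin" "$rule" "$note"
}

# Reads an smb.conf on stdin and prints one verdict line per share.
lint_hosts_allow() {
    section=""; share_allow=""; global_allow=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case $line in
            ''|'#'*|';'*) ;;
            '['*']')
                report_share "$section" "$share_allow" "$global_allow"
                section=${line#\[}
                section=${section%\]}
                share_allow="" ;;
            [Hh]osts*allow*=*)
                value=${line#*=}
                value=$(printf '%s\n' "$value" | sed 's/^[[:space:]]*//')
                if [ "$section" = global ]; then
                    global_allow=$value
                else
                    share_allow=$value
                fi ;;
        esac
    done
    report_share "$section" "$share_allow" "$global_allow"
}

printf '%s' "$SAMPLE_SMB_CONF" | lint_hosts_allow
```

Run it against the real file with `lint_hosts_allow < /etc/samba/smb.conf`; a share-level rule takes precedence over the global one in the report, which is also how Samba applies them.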


2.0: Configuring LDAP

We use LDAP as the backend for Samba because it provides replication to the Backup Domain Controllers.

There are two methods of replication. The original one uses OpenLDAP's slurpd for master/slave operation: the database is pushed to the slaves, which are defined in slapd.conf on the master LDAP server. Here is an example of the original way, as defined in 2.1: slapd.conf Master.

replica host=192.168.0.3:389
        suffix="dc=differentialdesign,dc=org"
        binddn="cn=syncuser,dc=differentialdesign,dc=org"
        bindmethod=simple credentials=SyncUser

To bind to the database, the slave replicas will need to use syncuser's password, defined above as "credentials=SyncUser". Initially you will need to populate the slave database manually, as described in section 3.4 Database Replication.

The main restriction of this original design is that the LDAP daemon needs to be restarted on both the master and the slave when adding further replicas.


LDAP Replication Configuration: Master / Slave(s)

A master LDAP database that is replicated in real time to the backup domain controller, and a slave LDAP database that provides load-balanced authentication and can be used as a failover if the master becomes unavailable.


LDAP Replication Configuration: Provider / Consumer(s)

A provider LDAP database holding the most up-to-date version of the database, and a consumer that requests updates at a set interval and provides load balancing.

The alternative is to use syncrepl, which is built into the LDAP daemon. This means we no longer need to run the slurpd daemon to replicate the database.

There are two main types of syncrepl operation. In "refreshOnly" operation the consumer requests an update from the provider at a set time interval, defined as "interval=00:00:10:00", which would poll the provider every 10 minutes. The more desirable way is to use delta-syncrepl; this provides a mode known as "refreshAndPersist", which keeps a persistent connection. Instead of a time interval to poll the provider we have the parameter retry="30 10 300 +", which means it will retry 10 times every 30 seconds, then every 300 seconds; the "+" indicates an indefinite number of retries.

If you are using syncrepl with OpenLDAP version 2.2, delta-syncrepl is known to be very buggy, so you are better off sticking with standard syncrepl in refreshOnly mode.

Additionally, the LDAP daemon does not need to be restarted on the provider; the consumer requests the data by polling the provider at a set interval.


2.1: slapd.conf Master

This is the original method for replicating the database to slave LDAP servers. We are using slurpd, which has been around for a long time and has proven itself to be stable.

This configuration file should work on any version of Openldap.

# /etc/openldap/slapd.conf
# using slurpd
# LDAP Master

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix "dc=differentialdesign,dc=org"
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager
directory /var/lib/ldap

replica host=node2.differentialdesign.org:389
        suffix="dc=differentialdesign,dc=org"
        binddn="cn=syncuser,dc=differentialdesign,dc=org"
        bindmethod=simple credentials=SyncUser

replogfile /var/lib/ldap/replogfile

access to attrs=userPassword
        by self write
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * auth

access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read

access to *
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * read

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub


2.1.1: slapd.conf Master syncrepl Openldap2.2

This is the master slapd.conf; we are using syncrepl instead of slurpd, which is the traditional method.

This configuration file is written specifically for OpenLDAP 2.2 and supports syncrepl refreshOnly mode.

# slapd.conf Master syncrepl Openldap2.2
# Provider

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix "dc=differentialdesign,dc=org"
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager
directory /var/lib/ldap

access to attrs=userPassword
        by self write
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * auth

access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read

access to *
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * read

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub


2.1.2: slapd.conf Master delta-syncrepl Openldap2.3

This configuration file is designed to support OpenLDAP's newest features. We will be using delta-syncrepl, which supports refreshAndPersist with performance similar to that of slurpd.

The slapd.conf below will only run on OpenLDAP 2.3.

Take note of the "modulepath /usr/lib/openldap2.3" line in the file below; you will need to change this to wherever syncprov.la is located on your system.


# slapd.conf Master delta syncrepl Openldap2.3
# provider

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

modulepath /usr/lib/openldap2.3
moduleload syncprov.la
moduleload accesslog.la

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Accesslog database definitions
database bdb
suffix cn=accesslog
directory /var/lib/ldap/accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart

overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

# Samba database
database bdb
suffix "dc=differentialdesign,dc=org"
directory /var/lib/ldap
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager
index entryCSN eq
index entryUUID eq

overlay syncprov
syncprov-checkpoint 1000 60

# accesslog overlay definitions for primary db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE

# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00

access to attrs=userPassword
        by self write
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * auth

access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read

access to *
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * read

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub


2.2: slapd.conf Slave

This is the slave side of the original replication method. We are using slurpd, which has been around for a long time and has proven itself to be stable.

This configuration file should work on any version of OpenLDAP.

# /etc/openldap/slapd.conf
# using slurpd
# LDAP Slave

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix "dc=differentialdesign,dc=org"
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager

access to attrs=userPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write
        by * auth

access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write

access to *
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write
        by * read

updatedn cn=syncuser,dc=differentialdesign,dc=org
updateref ldap://node1.differentialdesign.org

directory /var/lib/ldap

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub



2.2.1: slapd.conf Slave syncrepl Openldap2.2

This is the consumer configuration file for OpenLDAP version 2.2, using the syncrepl refreshOnly method.

This configuration file will only work with OpenLDAP version 2.2.

# slapd.conf Slave syncrepl Openldap2.2
# LDAP Consumer

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix "dc=differentialdesign,dc=org"
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager
directory /var/lib/ldap

syncrepl rid=0
        provider=ldap://node1.differentialdesign.org:389
        binddn="cn=syncuser,dc=differentialdesign,dc=org"
        bindmethod=simple
        credentials=SyncUser
        searchbase="dc=differentialdesign,dc=org"
        filter="(objectClass=*)"
        attrs="*"
        schemachecking=off
        scope=sub
        type=refreshOnly
        interval=00:06:00:00

access to attrs=userPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write
        by * auth

access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write

access to *
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write
        by * read

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub


2.2.2: slapd.conf Slave delta-syncrepl Openldap2.3

This is the consumer configuration for OpenLDAP 2.3, matching the delta-syncrepl provider in section 2.1.2; it runs in refreshAndPersist mode and takes its changes from the provider's accesslog database.

# slapd.conf Slave delta syncrepl Openldap2.3
# LDAP Consumer

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database bdb
suffix "dc=differentialdesign,dc=org"
directory /var/lib/ldap
rootdn "cn=Manager,dc=differentialdesign,dc=org"
rootpw Manager

# syncrepl directives
syncrepl rid=0
        provider=ldap://node1.differentialdesign.org:389
        bindmethod=simple
        binddn="cn=syncuser,dc=differentialdesign,dc=org"
        credentials=SyncUser
        searchbase="dc=differentialdesign,dc=org"
        logbase="cn=accesslog"
        logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"
        syncdata=accesslog

access to attrs=userPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write
        by * auth

access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write

access to *
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write
        by * read

updateref ldap://node1.differentialdesign.org

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub


2.3: ldap.conf Master

You will notice below that the host option lists both the primary and the secondary LDAP server. This serves as a failover if the local LDAP database is inaccessible. The same applies to the slave configuration in 2.4: ldap.conf Slave.


# /etc/ldap.conf
# LDAP Master
host node1.differentialdesign.org node2.differentialdesign.org
base dc=differentialdesign,dc=org
binddn cn=Manager,dc=differentialdesign,dc=org
bindpw Manager

pam_password exop

nss_base_passwd ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_passwd ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_group ou=Groups,dc=differentialdesign,dc=org?one
ssl no


2.4: ldap.conf Slave

# /etc/ldap.conf
# LDAP Slave
host node2.differentialdesign.org node1.differentialdesign.org
base dc=differentialdesign,dc=org
binddn cn=Manager,dc=differentialdesign,dc=org
bindpw Manager

pam_password exop

nss_base_passwd ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=People,ou=Users,dc=differentialdesign,dc=org?one
nss_base_passwd ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_shadow ou=Computers,ou=Users,dc=differentialdesign,dc=org?one
nss_base_group ou=Groups,dc=differentialdesign,dc=org?one
ssl no


3.0: Initialization LDAP Database

Initial LDAP database population

There are many ways to initialize the LDAP database backend for Samba, and many scripts to help you; however these take away our initial control of the database and can lead to problems later, such as with database management.

Once your server is up and running with users on it, the database cannot really be manipulated without knowing the full workings of LDAP, so many of us are stuck with what we created.

The future of Samba is changing to Active Directory; we keep this in mind when creating the database so it can be an easier upgrade path migrating to Samba4; eventually Samba4 will be able to support OpenLDAP as a modular backend.


3.1: Provisioning Database

We are going to manually create our initial LDAP database in a text file and be confident to use it in a full production environment.

Our LDAP database structure will look like the following when using the preload LDIF from section 3.2 Preload LDIF:


|-Samba Base
|---Manager
|------syncuser
|------sambaadmin
|------mailadmin
|---------Users
|-----------People
|-------------------root
|-------------------asender
|-------------------simo
|-----------Computers
|-------------------workstation1$
|-------------------workstation2$
|---------Groups
|-----------Domain Admins
|-------------------root
|-----------Domain Users
|-------------------root
|-------------------asender
|-------------------simo
|-----------Domain Guests
|-------------------nobody
|-----------Domain Computers
|-------------------workstation1$
|-------------------workstation2$
|---------Domains
|-----------sambaDomainName


Step1

Delete all runtime files from prior Samba operation by executing;

[root@node1]# rm /etc/samba/*tdb
[root@node1]# rm /var/lib/samba/*tdb
[root@node1]# rm /var/lib/samba/*dat
[root@node1]# rm /var/log/samba/*

Step2

Delete any previous LDAP database

[root@node1]# cd /var/lib/ldap
[root@node1]# rm -rf *


Step3

Log in to node2, the backup domain controller, and do the same.

Step4

[root@node1 ~]# net getlocalsid
SID for domain NODE1 is: S-1-5-21-3809161173-2687474671-1432921517

Your SID will differ to the one above; you will need to alter the preload LDIF as per below.

Step5

Login to your backup domain controller (node2) and type the following command using the SID obtained from step4.

[root@node2 ~]# net setlocalsid S-1-5-21-3809161173-2687474671-1432921517


3.2: Preload LDIF

Step1

Create a text file containing the following contents.

[root@node1]# vi preload-differentialdesign.ldif

Substitute SID S-1-5-21-3809161173-2687474671-1432921517 with your domain SID, being sure to leave the SID group mapping intact. Substitute dc=differentialdesign,dc=org with your fully qualified domain name. Substitute sambaDomainName: DDESIGN with your Samba domain name.

# SAMBA LDAP PRELOAD
# Substitute SID S-1-5-21-3809161173-2687474671-1432921517 with your domain SID, be sure
# to leave the SID group mapping.
# Substitute dc=differentialdesign,dc=org with your fully qualified domain name.
# Substitute sambaDomainName: DDESIGN with your Samba Domain Name
#
# The user to bind Samba to LDAP is defined in our smb.conf;
# [root@node1]# smbpasswd -w SambaAdmin
# [root@node2]# smbpasswd -w SambaAdmin
# SID S-1-5-21-3809161173-2687474671-1432921517

dn: dc=differentialdesign,dc=org
objectClass: dcObject
objectClass: organization
dc: differentialdesign
o: DDESIGN
description: Posix and Samba LDAP Identity Database

dn: cn=Manager,dc=differentialdesign,dc=org
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: cn=syncuser,dc=differentialdesign,dc=org
objectClass: person
cn: syncuser
sn: syncuser
userPassword: SyncUser

dn: cn=sambaadmin,dc=differentialdesign,dc=org
objectClass: person
cn: sambaadmin
sn: sambaadmin
userPassword: SambaAdmin

dn: cn=mailadmin,dc=differentialdesign,dc=org
objectClass: person
cn: mailadmin
sn: mailadmin
userPassword: MailAdmin

dn: ou=Users,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Users

dn: ou=People,ou=Users,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Computers,ou=Users,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Computers

dn: ou=Groups,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Groups

dn: ou=Domains,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Domains

dn: sambaDomainName=DDESIGN,ou=Domains,dc=differentialdesign,dc=org
objectClass: sambaDomain
objectClass: sambaUnixIdPool
uidNumber: 1000
gidNumber: 1000
sambaDomainName: DDESIGN
sambaSID: S-1-5-21-3809161173-2687474671-1432921517
sambaAlgorithmicRidBase: 1000
structuralObjectClass: sambaDomain

dn: cn=Domain Admins,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-512
sambaGroupType: 2
displayName: Domain Admins
description: Domain Administrators

dn: cn=Domain Users,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-513
sambaGroupType: 2
displayName: Domain Users
description: Domain Users

dn: cn=Domain Guests,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-514
sambaGroupType: 2
displayName: Domain Guests
description: Domain Guests

dn: cn=Domain Computers,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-515
sambaGroupType: 2
displayName: Domain Computers
description: Domain Computers

dn: cn=Administrators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-544
sambaGroupType: 5
displayName: Administrators
description: Administrators

dn: cn=Account Operators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-548
sambaGroupType: 5
displayName: Account Operators
description: Account Operators

dn: cn=Print Operators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-550
sambaGroupType: 5
displayName: Print Operators
description: Print Operators

dn: cn=Backup Operators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-551
sambaGroupType: 5
displayName: Backup Operators
description: Backup Operators

dn: cn=Replicators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-552
sambaGroupType: 5
displayName: Replicators
description: Replicators
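After substituting your own SID into the preload file it is easy to miss one entry, and a group whose sambaSID belongs to a different domain, or whose RID no longer matches its gidNumber, will not show up as an error at slapadd time. The script below is an added example, not part of the original page or of Samba: it reads a preload LDIF (a constructed excerpt with a made-up domain SID and an example suffix is embedded, with two entries deliberately wrong), takes the domain SID from the sambaDomain entry, and reports any sambaSID that does not hang off that domain and any well-known group (gidNumber 512 to 515) whose RID differs from its gidNumber, which is the SID group mapping the text says to keep intact.

```shell
#!/bin/sh
# Added example, not part of the original page: checks a preload LDIF before
# slapadd. Every sambaSID must be the domain SID from the sambaDomain entry
# or that SID followed by "-<RID>", and the well-known groups (gidNumber
# 512-515) must keep a RID equal to their gidNumber.

# Constructed excerpt in the shape of the page's preload file. The domain SID
# and the dc=example,dc=org suffix are made up; the Domain Users SID comes
# from another domain and Domain Guests carries the wrong RID on purpose.
SAMPLE_LDIF='dn: sambaDomainName=DDESIGN,ou=Domains,dc=example,dc=org
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: DDESIGN
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: cn=Domain Admins,ou=Groups,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-512
sambaGroupType: 2

dn: cn=Domain Users,ou=Groups,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
sambaSID: S-1-5-21-9999999999-8888888888-7777777777-513
sambaGroupType: 2

dn: cn=Domain Guests,ou=Groups,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-515
sambaGroupType: 2
'

# Reads LDIF on stdin; prints one line per problem; exit status 0 only when clean.
check_ldif_sids() {
    awk '
    BEGIN { n = 0 }
    function flush() {
        if (dn == "") return
        if (is_domain && sid != "") domain_sid = sid
        dns[n] = dn; sids[n] = sid; gids[n] = gid; n++
        dn = ""; sid = ""; gid = ""; is_domain = 0
    }
    /^dn: /                      { flush(); dn = substr($0, 5) }
    /^objectClass: sambaDomain$/ { is_domain = 1 }
    /^sambaSID: /                { sid = substr($0, 11) }
    /^gidNumber: /               { gid = substr($0, 12) }
    /^$/                         { flush() }
    END {
        flush()
        if (domain_sid == "") { print "no sambaDomain entry with a sambaSID"; exit 1 }
        problems = 0
        prefix = domain_sid "-"
        for (i = 0; i < n; i++) {
            if (sids[i] == "" || sids[i] == domain_sid) continue
            if (substr(sids[i], 1, length(prefix)) != prefix) {
                print "foreign SID on " dns[i] ": " sids[i]; problems++; continue
            }
            rid = substr(sids[i], length(prefix) + 1)
            if (gids[i] != "" && gids[i] + 0 >= 512 && gids[i] + 0 <= 515 && rid != gids[i]) {
                print "well-known RID mismatch on " dns[i] ": gidNumber " gids[i] " but RID " rid
                problems++
            }
        }
        exit (problems > 0)
    }'
}

printf '%s' "$SAMPLE_LDIF" | check_ldif_sids || echo "preload LDIF has problems; fix them before running slapadd"
```

Run it on the real file with `check_ldif_sids < preload-differentialdesign.ldif`; a clean file prints nothing and returns 0, so it fits in a pre-slapadd step of a provisioning script.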



3.3: LDAP population

Now it's time to populate the database with the LDIF we edited to match our domain details, as per section 3.2: Preload LDIF.


Step1.

Make sure LDAP is not running.

[root@node1]# vi /var/lib/ldap/DB_CONFIG

# DB_CONFIG
set_cachesize 0 150000000 1
set_lg_regionmax 262144
set_lg_bsize 2097152
set_flags DB_LOG_AUTOREMOVE


Step2.

This step is necessary if you are using delta-syncrepl as per section 2.1.2: slapd.conf Master delta-syncrepl Openldap2.3.

Because we are using multiple databases on the provider, it is necessary to place an additional DB_CONFIG file inside the accesslog database directory.

[root@node1]# mkdir /var/lib/ldap/accesslog
[root@node1]# cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog


Step3.

[root@node1]# cd /ldap-scripts/

[root@node1 scripts]# slapadd -b "dc=differentialdesign,dc=org" -v -l preload-differentialdesign.ldif

added: "dc=differentialdesign,dc=org" (00000001)
added: "cn=Manager,dc=differentialdesign,dc=org" (00000002)
added: "cn=syncuser,dc=differentialdesign,dc=org" (00000003)
added: "cn=sambaadmin,dc=differentialdesign,dc=org" (00000004)
added: "cn=mailadmin,dc=differentialdesign,dc=org" (00000005)
added: "ou=Users,dc=differentialdesign,dc=org" (00000006)
added: "ou=People,ou=Users,dc=differentialdesign,dc=org" (00000007)
added: "ou=Computers,ou=Users,dc=differentialdesign,dc=org" (00000008)
added: "ou=Groups,dc=differentialdesign,dc=org" (00000009)
added: "ou=Domains,dc=differentialdesign,dc=org" (0000000a)
added: "sambaDomainName=DDESIGN,ou=Domains,dc=differentialdesign,dc=org" (0000000b)
added: "cn=Domain Admins,ou=Groups,dc=differentialdesign,dc=org" (0000000c)
added: "cn=Domain Users,ou=Groups,dc=differentialdesign,dc=org" (0000000d)
added: "cn=Domain Guests,ou=Groups,dc=differentialdesign,dc=org" (0000000e)
added: "cn=Domain Computers,ou=Groups,dc=differentialdesign,dc=org" (000000f)
added: "cn=Administrators,ou=Groups,dc=differentialdesign,dc=org" (00000010)
added: "cn=Account Operators,ou=Groups,dc=differentialdesign,dc=org" (00000011)
added: "cn=Print Operators,ou=Groups,dc=differentialdesign,dc=org" (00000012)
added: "cn=Backup Operators,ou=Groups,dc=differentialdesign,dc=org" (00000013)
added: "cn=Replicators,ou=Groups,dc=differentialdesign,dc=org" (00000014)

Step4.

[root@node1]# chown -R ldap.ldap /var/lib/ldap

Step5.

The account Samba binds to LDAP with is defined in our smb.conf (ldap admin dn); its password is sambaadmin's password as set in preload-differentialdesign.ldif.

The sambaadmin entry in preload-differentialdesign.ldif has the password "SambaAdmin":

dn: cn=sambaadmin,dc=differentialdesign,dc=org
objectClass: person
cn: sambaadmin
sn: sambaadmin
userPassword: SambaAdmin

[root@node1 scripts]# smbpasswd -w SambaAdmin
Setting stored password for "cn=sambaadmin,dc=differentialdesign,dc=org" in secrets.tdb


[root@node1 ~]# service ldap restart
Stopping slapd: [ OK ]
Stopping slurpd: [ OK ]
Checking configuration files for slapd: config file testing succeeded [ OK ]
Starting slapd: [ OK ]
Starting slurpd: [ OK ]

[root@node1 ~]# service smb restart
Shutting down SMB services: [ OK ]
Shutting down NMB services: [ OK ]
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]


Step6.

Adding the initial users with the smbldap-tools: skip ahead to section 4.1: smbldap-tools and install them on node1.

[root@node1 scripts]# cd /opt/IDEALX/sbin/
[root@node1 sbin]# ./smbldap-useradd -m -a root
[root@node1 sbin]# ./smbldap-passwd root
Changing password for root
New password :
Retype new password

[root@node1 ]# smbpasswd -a
New SMB password:
Retype new SMB password:
Added user root.

[root@node1 sbin]# ./smbldap-groupmod -m root Domain\ Admins
adding user root to group Domain Admins

[root@node1 ~]# cd /opt/IDEALX/sbin/
[root@node1 sbin]# ./smbldap-useradd -m -a asender
[root@node1 sbin]#

[root@node1 sbin]# ./smbldap-passwd asender
Changing password for asender
New password :
Retype new password :
[root@node1 sbin]#

[root@node1 sbin]# smbpasswd asender
New SMB password:
Retype new SMB password:
[root@node1 sbin]#

[root@node1 sbin]# id asender
uid=1001(asender) gid=513(Domain Users) groups=513(Domain Users)


Step7

You are now ready to join a Windows machine to the domain with user ‘root’.

We will now need to set up our BDC, Heartbeat and DRBD to match this configuration.


3.4: Database Replication

If we choose to use syncrepl instead of the slurpd daemon, as per sections 2.2.1 slapd.conf Slave syncrepl Openldap2.2 and 2.2.2 slapd.conf Slave delta-syncrepl Openldap2.3, there is no need to do this section: the database is copied across initially when the consumer is restarted.

Step1.

Dump the LDAP database, copy it across to node2.

[root@node1 ~]# slapcat -b "dc=differentialdesign,dc=org" -v -l transfer.ldif
# id=00000001
# id=00000002
# id=00000003
# id=00000004
# id=00000005
# id=00000006
# id=00000007
# id=00000008
# id=00000009
# id=0000000a
# id=0000000b
# id=0000000c
# id=0000000d
# id=0000000e
# id=0000000f
# id=00000010
# id=00000011
# id=00000012
# id=00000013
# id=00000014
# id=00000015
# id=00000017
# id=00000018


[root@node1 ~]# scp transfer.ldif root@node2:/root/


Step2.

Transfer the database to node2.

[root@node2 ~]# slapadd -b "dc=differentialdesign,dc=org" -v -l transfer.ldif

added: "dc=differentialdesign,dc=org" (00000001)
added: "cn=Manager,dc=differentialdesign,dc=org" (00000002)
added: "cn=syncuser,dc=differentialdesign,dc=org" (00000003)
added: "cn=sambaadmin,dc=differentialdesign,dc=org" (00000004)
added: "cn=mailadmin,dc=differentialdesign,dc=org" (00000005)
added: "ou=Users,dc=differentialdesign,dc=org" (00000006)
added: "ou=People,ou=Users,dc=differentialdesign,dc=org" (00000007)
added: "ou=Computers,ou=Users,dc=differentialdesign,dc=org" (00000008)
added: "ou=Groups,dc=differentialdesign,dc=org" (00000009)
added: "ou=Domains,dc=differentialdesign,dc=org" (0000000a)
added: "sambaDomainName=DDESIGN,ou=Domains,dc=differentialdesign,dc=org" (0000000b)
added: "cn=Domain Admins,ou=Groups,dc=differentialdesign,dc=org" (0000000c)
added: "cn=Domain Users,ou=Groups,dc=differentialdesign,dc=org" (0000000d)
added: "cn=Domain Guests,ou=Groups,dc=differentialdesign,dc=org" (0000000e)
added: "cn=Domain Computers,ou=Groups,dc=differentialdesign,dc=org" (000000f)
added: "cn=Administrators,ou=Groups,dc=differentialdesign,dc=org" (00000010)
added: "cn=Account Operators,ou=Groups,dc=differentialdesign,dc=org" (00000011)
added: "cn=Print Operators,ou=Groups,dc=differentialdesign,dc=org" (00000012)
added: "cn=Backup Operators,ou=Groups,dc=differentialdesign,dc=org" (00000013)
added: "cn=Replicators,ou=Groups,dc=differentialdesign,dc=org" (00000014)
added: "uid=root,ou=People,ou=Users,dc=differentialdesign,dc=org" (00000015)
added: "uid=asender,ou=People,ou=Users,dc=differentialdesign,dc=org" (00000016)


Step3.

Make sure the LDAP database is owned by the ldap user.

[root@node2 ~]# chown -R ldap.ldap /var/lib/ldap

Step4.

[root@node1 ~]# service ldap restart
Stopping slapd: [ OK ]
Stopping slurpd: [ OK ]
Checking configuration files for slapd: config file testing succeeded [ OK ]
Starting slapd: [ OK ]
Starting slurpd: [ OK ]

[root@node1 ~]# service smb restart
Shutting down SMB services: [ OK ]
Shutting down NMB services: [ OK ]
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]

Step5.

Log in to node1 (your Primary Domain Controller) and add another user as in section 3.3 LDAP population Step6; we then check replication by logging onto node2 and seeing whether the user exists on that machine.

[root@node1 sbin]# ./smbldap-useradd -m -a testuser
[root@node1 sbin]# ./smbldap-passwd testuser
Changing password for testuser
New password :
Retype new password :
[root@node1 sbin]# smbpasswd testuser
New SMB password:
Retype new SMB password:

[root@node1 sbin]# ssh node2
root@node2's password:
Last login: Mon Dec 18 02:43:33 2006 from 192.168.0.2
[root@node2 ~]# id testuser
uid=1009(testuser) gid=513(Domain Users) groups=513(Domain Users)
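The `id testuser` test above shows that one entry arrived, but for the syncrepl setups of sections 2.2.1 and 2.2.2 there is a direct measure of whether the consumer has caught up: from OpenLDAP 2.3 onwards both provider and consumer expose a contextCSN operational attribute on the suffix entry, and its leading UTC timestamp tells you how far behind the consumer is. The script below is an added example, not part of the original page or of OpenLDAP: it embeds two constructed contextCSN values standing in for the `ldapsearch` results from node1 and node2, classifies the consumer as in sync, behind or ahead, and computes the lag in seconds. With slurpd (sections 2.1 and 2.2) there is no contextCSN, and the id test above is the check to use.

```shell
#!/bin/sh
# Added example, not part of the original page: a replication check for the
# syncrepl setups of sections 2.2.1 and 2.2.2. A contextCSN starts with a UTC
# timestamp (its exact width differs between OpenLDAP releases) followed by
# "Z" and "#"-separated counters, so within one deployment the timestamps
# compare as plain strings.
#
# Live values, using the host names from the page:
#   ldapsearch -x -LLL -H ldap://node1.differentialdesign.org \
#       -b dc=differentialdesign,dc=org -s base contextCSN
# and the same query against node2.differentialdesign.org for the consumer.

# Constructed sample values standing in for the two ldapsearch results.
PROVIDER_CSN='20061218024333Z#000000#00#000000'
CONSUMER_CSN='20061218024012Z#000000#00#000000'

# The timestamp part of a CSN: everything before the first "Z".
csn_timestamp() {
    printf '%s\n' "${1%%Z*}"
}

# Lexically earlier of two timestamps (fixed-width digits sort correctly).
earlier() {
    printf '%s\n%s\n' "$1" "$2" | sort | head -n 1
}

# Prints in-sync, behind or ahead for consumer $2 relative to provider $1.
# "ahead" means the consumer holds a change the provider never saw, which
# the updateref in the page's consumer configs is meant to prevent.
replication_state() {
    p=$(csn_timestamp "$1")
    c=$(csn_timestamp "$2")
    if [ "$p" = "$c" ]; then
        echo in-sync
    elif [ "$(earlier "$p" "$c")" = "$c" ]; then
        echo behind
    else
        echo ahead
    fi
}

# Seconds between two YYYYmmddHHMMSS[.ffffff] timestamps ($1 minus $2). The
# civil-date-to-days conversion makes it correct across midnight and month ends.
lag_seconds() {
    awk -v a="$1" -v b="$2" '
    function days(y, m, d,    era, yoe, doy, doe) {
        y -= (m <= 2)
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    function epoch(t) {
        return days(substr(t, 1, 4) + 0, substr(t, 5, 2) + 0, substr(t, 7, 2) + 0) * 86400 + substr(t, 9, 2) * 3600 + substr(t, 11, 2) * 60 + substr(t, 13, 2)
    }
    BEGIN { print epoch(a) - epoch(b) }'
}

state=$(replication_state "$PROVIDER_CSN" "$CONSUMER_CSN")
lag=$(lag_seconds "$(csn_timestamp "$PROVIDER_CSN")" "$(csn_timestamp "$CONSUMER_CSN")")
echo "consumer is $state (lag ${lag}s)"
```

In refreshOnly mode a lag of up to one `interval` is expected; with refreshAndPersist a lag that keeps growing, or a state of ahead,  is the signal to look at the consumer's slapd log and at the retry schedule.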


4.0: User Management


4.1: smbldap-tools

We will not be using the smbldap-tools to populate the database; however we will use them to manage users and groups once the database has been populated. These scripts allow us to add users and machines using NT tools such as srvtools.exe, and they make it easier to add users on the fly. It is still possible to add users to the database with an LDIF file.

Smbldap-tools give us the advantage of being able to add machine accounts on the fly through the standard Windows domain join. They also let us use srvtools.exe; however these tools lack the fine control that can only be obtained by adding accounts manually through LDAP.

This document's configuration has been tested with smbldap-tools-0.9.1-1.

Install smbldap-tools-0.9.1-1 on both nodes; this means we can add users and groups from either the PDC or the BDC, as long as the PDC is contactable.

You may need to satisfy any dependencies.


[root@node1 smbldap-tools]# rpm -Uvh smbldap-tools-0.9.1-1.noarch.rpm

   Preparing...                ########################################### [100%]
  1:smbldap-tools          ########################################### [100%]

[root@node1 smbldap-tools]#



[root@node2 smbldap-tools]# rpm -Uvh smbldap-tools-0.9.1-1.noarch.rpm

   Preparing...                ########################################### [100%]
  1:smbldap-tools          ########################################### [100%]

[root@node2 smbldap-tools]#


4.1.1: smbldap.conf Master

Because we did not use smbldap-tools to populate our database, we must configure smbldap.conf manually. This configuration file applies only to smbldap-tools-0.9.1-1; if you are using a different version, alterations will be needed.

We will need to configure this file to suit our init

# /etc/opt/IDEALX/sbin/smbldap.conf
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
#
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
#
# Purpose :
#       . be the configuration file for all smbldap-tools scripts

# General Configuration

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-3809161173-2687474671-1432921517"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="DDESIGN"

# LDAP Configuration

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="192.168.0.3"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify=""

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile=""

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert=""

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey=""

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=differentialdesign,dc=org"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=People,ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,ou=Users,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=DDESIGN,ou=Domains,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format=""

# Unix Accounts Configuration

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/data/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

# SAMBA Configuration

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\192.168.0.4\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\192.168.0.4\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="differentialdesign.org"

# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"


4.1.2: smbldap.conf Slave

It is not necessary to install smbldap-tools on the backup domain controller; however, doing so lets you add users from the BDC, which refers its updates to the PDC's LDAP database.


# /etc/opt/IDEALX/sbin/smbldap.conf
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
#
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
#
# Purpose :
#       . be the configuration file for all smbldap-tools scripts

# General Configuration

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-3809161173-2687474671-1432921517"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="DDESIGN"

# LDAP Configuration

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="127.0.0.1"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="192.168.0.2"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify=""

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile=""

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert=""

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey=""

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=differentialdesign,dc=org"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=People,ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,ou=Users,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=DDESIGN,ou=Domains,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format=""

# Unix Accounts Configuration

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/data/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

# SAMBA Configuration

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\192.168.0.4\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\192.168.0.4\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="differentialdesign.org"

# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"
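Both smbldap.conf files in 4.1.1 and 4.1.2 set ldapTLS="0", leave verify and cafile empty and hash Unix passwords with MD5; on the BDC in particular, masterLDAP points at the PDC, so every smbldap-tools bind and every new password crosses the LAN. The helper below is an added example, not part of smbldap-tools or of this guide: it reads the key="value" lines of such a file and flags the settings that weaken the smbldap-tools link to LDAP. It carries a constructed weak sample modelled on the 4.1.2 file and a hardened variant; the cafile path in the hardened sample is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not part of smbldap-tools or of this guide): read the
# key="value" lines of an smbldap.conf and flag the settings that weaken
# the link between smbldap-tools and the LDAP server.

# Print the unquoted value of KEY in FILE (first match; '#' lines ignored).
smbldap_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$1" | head -n 1
}

# Print one finding per line for FILE; no output means nothing was flagged.
smbldap_audit() {
    f=$1
    tls=$(smbldap_get "$f" ldapTLS)
    verify=$(smbldap_get "$f" verify)
    cafile=$(smbldap_get "$f" cafile)
    hash=$(smbldap_get "$f" hash_encrypt)
    if [ "$tls" != "1" ]; then
        # Without StartTLS the bind password from smbldap_bind.conf, and every
        # new user password, cross the wire in clear to any non-local server.
        for h in $(smbldap_get "$f" masterLDAP) $(smbldap_get "$f" slaveLDAP); do
            case "$h" in
                127.0.0.1|localhost) ;;
                *) echo "ldapTLS=${tls:-unset}: bind to $h is not protected by StartTLS"; break ;;
            esac
        done
    else
        # StartTLS without certificate verification does not pin the server,
        # so a spoofed directory could still accept the bind.
        [ "$verify" = "require" ] || echo "verify=\"$verify\": server certificate is not required to verify"
        [ -n "$cafile" ] || echo "cafile is empty: no trust anchor for the server certificate"
    fi
    # {MD5} and {SHA} are unsalted; {SSHA}/{SMD5} are salted. CRYPT is DES
    # unless crypt_salt_format selects a modular scheme such as "$1$%.8s".
    case "$hash" in
        SSHA|SMD5) ;;
        CRYPT)
            case "$(smbldap_get "$f" crypt_salt_format)" in
                \$*) ;;
                *) echo "hash_encrypt=CRYPT with the default DES salt format: prefer SSHA" ;;
            esac ;;
        CLEARTEXT) echo "hash_encrypt=CLEARTEXT: userPassword is stored unhashed" ;;
        *) echo "hash_encrypt=${hash:-unset}: unsalted or unknown scheme, prefer SSHA" ;;
    esac
}

# Number of findings for FILE.
smbldap_findings() {
    smbldap_audit "$1" | wc -l | tr -d ' '
}

# Constructed sample modelled on the BDC file in 4.1.2 (not a real deployment).
smbldap_sample_weak() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
SID="S-1-5-21-3809161173-2687474671-1432921517"
sambaDomain="DDESIGN"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="192.168.0.2"
masterPort="389"
ldapTLS="0"
verify=""
cafile=""
hash_encrypt="MD5"
crypt_salt_format=""
EOF
    echo "$f"
}

# The same sample with hardened values; the cafile path is an assumed
# placeholder, not a file this guide creates.
smbldap_sample_hardened() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
SID="S-1-5-21-3809161173-2687474671-1432921517"
sambaDomain="DDESIGN"
slaveLDAP="127.0.0.1"
masterLDAP="192.168.0.2"
ldapTLS="1"
verify="require"
cafile="/etc/openldap/cacerts/ca.pem"
hash_encrypt="SSHA"
EOF
    echo "$f"
}
```

Run it against the real file with `smbldap_audit /etc/opt/IDEALX/sbin/smbldap.conf`; the weak sample produces two findings (the unprotected bind to 192.168.0.2 and the unsalted MD5 scheme) and the hardened sample none. Turning ldapTLS on also requires slapd to be configured for StartTLS, which this guide does not cover.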



5.0: Heartbeat HA Configuration

Heartbeat Configuration Node1 Node2

The heartbeat solution is not needed for domain logons; however, in mission-critical environments it provides failover if a node becomes unavailable. It sends its heartbeat over a serial and a crossover connection that directly link the two servers. A virtual IP is shared by the cluster; we connect to this virtual IP address when accessing a Samba share.

There are two main versions of heartbeat: version 1.2.3 is limited to a two node cluster; version 2 can span many machines and can become quite complex. Heartbeat version 2 is, however, backwards compatible with version 1.2.3 configuration files when the “crm no” option is set in the ha.cf configuration file.

You must never mix different versions of heartbeat in a cluster; all nodes must run the same version. If you do mix them it will create instability and may lead to random rebooting.

If you want to be completely safe I highly recommend using version 1.2.3; for this exercise, however, we will be using heartbeat version 2.

If you are looking for proven stability, version 1.2.3 has been used with DRBD for a long time; it is often used in hospitals to store MRI and other data that needs to be readily accessible. Currently this is limited to a 2 node cluster.


5.1: Requirements

Get the following RPMs from the http://www.linux-ha.org web site.

Version 1.2.3 has proven rock solid in many mission-critical environments. You may need to satisfy dependencies.

If you choose to install heartbeat version 1.2.3, take note of the configuration file in 4.3 Configuration PDC; it differs slightly.

5.2: Installation

Heartbeat can now be downloaded with YUM, which will fetch version 2. Repeat this process on node2, your backup domain controller, so that both nodes run identical versions of heartbeat.

Install heartbeat on both nodes

[root@node1 programs]# cd heartbeat-1.2.3/
[root@node1 heartbeat-1.2.3]# ls
heartbeat-1.2.3-2.rh.9.i386.rpm  heartbeat-ldirectord-1.2.3-2.rh.9.i386.rpm  heartbeat-pils-1.2.3-2.rh.9.i386.rpm  heartbeat-stonith-1.2.3-2.rh.9.i386.rpm

[root@node1 heartbeat-1.2.3]# rpm -Uvh heartbeat-1.2.3-2.rh.9.i386.rpm heartbeat-ldirectord-1.2.3-2.rh.9.i386.rpm heartbeat-pils-1.2.3-2.rh.9.i386.rpm heartbeat-stonith-1.2.3-2.rh.9.i386.rpm


5.3: Configuration

Heartbeat running as version 1.2.3 is very easy to configure and manage. The newer version 2 supports multiple nodes and uses XML-style configuration files. If you are using version 2 I recommend running with the crm no option, which provides 1.2.3 backwards compatibility.

Just remember to always run the same version of heartbeat on both nodes.

5.3.1: ha.cf

Step1

On node1 log in with the root account; the ha.cf file needs to be the same on both nodes.

Note: The option “crm no” in ha.cf tells heartbeat version 2 to behave as version 1.2.3, which means it is limited to a 2 node cluster. If you choose to run version 1.2.3 you will need to comment out or delete the “crm no” line in ha.cf.

[root@node1]# cd /etc/ha.d
[root@node1]# vi ha.cf

# /etc/ha.d/ha.cf on node1
# This configuration is to be the same on both machines
# This example is made for version 2, comment out crm if using version 1

keepalive 1
deadtime 5
warntime 3
initdead 20
serial /dev/ttyS0
bcast eth1
auto_failback yes
node node1
node node2
crm no          # comment out if using version 1.2.3

Step2.

Copy the ha.cf to node2 so they both have the same configuration file.

[root@node1]# scp /etc/ha.d/ha.cf root@node2:/etc/ha.d/


5.3.2: haresources

The haresources file is read when heartbeat starts. Throughout this document we have used /data as our mount point for the RAID1-over-LAN replication.

We use node1, which is the master server, and 192.168.0.4, the cluster's virtual IP address, which will appear as eth0:0 on the primary node.

You will see drbddisk Filesystem::/dev/drbd0::/data::ext3: /dev/drbd0 is our DRBD device, and we have chosen to mount the DRBD file system at /data, the replication mount point configured in our Samba and smbldap-tools configuration.

You can easily make other services highly available by adding the appropriate init script name to the haresources file, as done below with the DNS service named.

Step1

[root@node1]# vi haresources

# /etc/ha.d/haresources
# This configuration is to be the same on both nodes

node1 192.168.0.4 drbddisk Filesystem::/dev/drbd0::/data::ext3 named


Step2

Copy the haresources file across to node2 so they are both identical.

[root@node1]# scp /etc/ha.d/haresources root@node2:/etc/ha.d/


5.3.3: authkeys


The method below provides no security or authentication, so we recommend not using it. If, however, heartbeat communicates only over a private link, as in our case (serial and crossover cable), there is no need to add this additional security.

Step1

[root@node1]# vi authkeys

# /etc/ha.d/authkeys

auth 1
1 crc

The preferred method is to use SHA-1 hashing to authenticate the nodes and their packets, as below (the method keyword heartbeat expects is sha1).

# /etc/ha.d/authkeys

auth 1
1 sha1 HeartbeatPassword


Step2

Give the authkeys file correct permissions.

[root@node1]# chmod 600 /etc/ha.d/authkeys

Step3

Copy the authkeys file to node2 so they can authenticate with each other.

[root@node1]# scp /etc/ha.d/authkeys root@node2:/etc/ha.d/
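The three steps above (write authkeys, chmod 600, copy to node2) as an added example, not Heartbeat's own tooling: a function that writes the file with a random 32-byte sha1 key and the mode Heartbeat insists on, and a check that refuses a crc-only or a world-readable file before it is copied to node2. The functions take a path argument so they can be tried on a temporary file; on the nodes the path is /etc/ha.d/authkeys.

```shell
#!/bin/sh
# Added example (not Heartbeat's own tooling): create /etc/ha.d/authkeys with
# a random sha1 key and the permissions Heartbeat requires, and check an
# existing file before it is copied to node2. A PATH argument is used so
# the functions can be tried on a temp file.

# Write an authkeys file at PATH that authenticates with a fresh 64-hex-char
# (32-byte) random key. The file is created under umask 077 so it is never
# readable by other users, then forced to mode 600.
ha_write_authkeys() {
    path=$1
    key=$(head -c 32 /dev/urandom | od -A n -t x1 | tr -d ' \n')
    ( umask 077; printf 'auth 1\n1 sha1 %s\n' "$key" > "$path" )
    chmod 600 "$path"
}

# Check PATH and print the method in use. Returns 1 (printing a reason) when
# the file is not mode 600, has no "auth N" line, or uses crc, which is a
# checksum only and gives no authentication of cluster messages.
ha_check_authkeys() {
    path=$1
    [ -n "$(find "$path" -maxdepth 0 -perm 600 2>/dev/null)" ] || { echo "bad-mode"; return 1; }
    n=$(sed -n 's/^auth[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$path" | head -n 1)
    [ -n "$n" ] || { echo "no-auth-line"; return 1; }
    method=$(awk -v n="$n" '$1 == n { print $2; exit }' "$path")
    case "$method" in
        sha1|md5) echo "$method" ;;
        crc)      echo "crc"; return 1 ;;
        *)        echo "${method:-missing}"; return 1 ;;
    esac
}
```

On node1 this is `ha_write_authkeys /etc/ha.d/authkeys && ha_check_authkeys /etc/ha.d/authkeys && scp /etc/ha.d/authkeys root@node2:/etc/ha.d/`; scp preserves the 600 mode when it creates the file, and the check can be repeated on node2 after the copy.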


5.4: Testing

Now that we have heartbeat configured it is time to test ther


Step4.

Log in to node2, your backup domain controller, and use exactly the same heartbeat configuration files as on the primary domain controller.


6.0: DRBD

DRBD Configuration Primary Secondary

DRBD is a kernel module that networks two machines to provide RAID1 over LAN.

It is assumed that both machines have an identical drive set aside for this; all data on that device will be destroyed.

If you are updating your kernel or your version of DRBD, make sure DRBD is stopped on both machines.

Never attempt to run different versions of DRBD; this also means both machines need the same kernel.

6.1: Requirements

You will need to install the DRBD kernel module. We will build our own RPM kernel modules so they are optimized for our architecture.

I have tested many different kernels with DRBD; some are not stable, so you will need to check Google to make sure your kernel is compatible with the particular DRBD release. Most of the time this isn't an issue.

Both of the following kernels are recommended for Fedora Core 4; I have used them up to version drbd-0.7.23.

kernel-smp-2.6.14-1.1656_FC4
kernel-smp-2.6.11-1.1369_FC4

Please browse this list http://www.linbit.com/support/drbd-current/ and look for packages available.

Step1

Get a serial cable and connect it to each node's COM1 port.

Execute the following; you may see a lot of garbage on the screen.

[root@node1 ~]# cat </dev/ttyS0

Step2

You may have to repeat the below a couple of times in rapid succession to see the output on node1.

[root@node2 ~]# echo hello >/dev/ttyS0


6.2: Installation


Step1

Extract the latest stable version of DRBD.

[root@node1 stable]# tar zxvf drbd-0.7.20.tar.gz
[root@node1 stable]# cd drbd-0.7.20
[root@node1 drbd-0.7.20]#

Step2

It is nice to make your own RPM for your distribution; it makes upgrades seamless.

This will give us an RPM built specifically for our kernel; it may take some time.

[root@node1 drbd-0.7.20]# make
[root@node1 drbd-0.7.20]# make rpm

Step3

[root@node1 drbd-0.7.20]# cd dist/RPMS/i386/
[root@node1 i386]# ls
drbd-0.7.20-1.i386.rpm  drbd-debuginfo-0.7.20-1.i386.rpm  drbd-km-2.6.14_1.1656_FC4smp-0.7.20-1.i386.rpm

Step4

We will now install DRBD and our Kernel module which we built earlier.

[root@node1 i386]# rpm -Uvh drbd-0.7.20-1.i386.rpm drbd-debuginfo-0.7.20-1.i386.rpm drbd-km-2.6.14_1.1656_FC4smp-0.7.20-1.i386.rpm


Step5

Log in to node2, the backup domain controller, and do the same.


6.3: Configuration

In the example throughout this document we have linked /dev/hdd1 to /dev/drbd0; yours, however, may be a different device, for example a SCSI disk.

All data on the device /dev/hdd will be destroyed.

Step1

We are going to create the partition /dev/hdd1 on /dev/hdd using fdisk (fdisk is run on the whole disk, not on the partition).

[root@node1]# fdisk /dev/hdd

Command (m for help): m
Command action
   a   toggle a bootable flag
   b   edit bsd disklabel
   c   toggle the dos compatibility flag
   d   delete a partition
   l   list known partition types
   m   print this menu
   n   add a new partition
   o   create a new empty DOS partition table
   p   print the partition table
   q   quit without saving changes
   s   create a new empty Sun disklabel
   t   change a partition's system id
   u   change display/entry units
   v   verify the partition table
   w   write table to disk and exit
   x   extra functionality (experts only)

Command (m for help): d
No partition is defined yet!

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-8677, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-8677, default 8677):
Using default value 8677

Command (m for help): w


Step2

Now log in to node2, the backup domain controller, and run fdisk on /dev/hdd as above, or on your chosen device.


6.3.1: drbd.conf

Create this file on both your master and slave server; it should be identical on both, although that is not a requirement. As long as the partition size is the same, any mount point can be used.

Step1

The file below is fairly self-explanatory; you can see the real disk linked to the DRBD kernel module device.


[root@node1]# vi /etc/drbd.conf

# Datadrive (/data) /dev/hdd1 80GB

resource drbd1 {
  protocol C;
  disk {
    on-io-error panic;
  }
  net {
    max-buffers 2048;
    ko-count 4;
    on-disconnect reconnect;
  }
  syncer {
    rate 700000;
  }
  on node1 {
    device    /dev/drbd0;
    disk      /dev/hdd1;
    address   10.0.0.1:7789;
    meta-disk internal;
  }
  on node2 {
    device    /dev/drbd0;
    disk      /dev/hdd1;
    address   10.0.0.2:7789;
    meta-disk internal;
  }
}


Step2

[root@node1]# scp /etc/drbd.conf root@node2:/etc/


6.3.2: Initialization

In the following steps we will configure the disks to synchronize and choose a master node.

Step1

On the Primary Domain Controller

[root@node1]# service drbd start

On the Backup Domain Controller

[root@node2]# service drbd start

Step2

[root@node1]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.17 (api:77/proto:74)
SVN Revision: 2093 build by root@node1, 2006-04-23 14:40:20
 0: cs:Connected st:Secondary/Secondary ld:Inconsistent
    ns:25127936 nr:3416 dw:23988760 dr:4936449 al:19624 bm:1038 lo:0 pe:0 ua:0 ap:0

You can see both devices are ready and waiting for a primary to be chosen; that will trigger an initial synchronization to the secondary device.

Step3

Stop the heartbeat service on both nodes.

Step4

We are now telling DRBD to make node1 the primary drive.

[root@node1]# drbdadm -- --do-what-I-say primary all

[root@node1 ~]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.23 (api:79/proto:74)
SVN Revision: 2686 build by root@node1, 2007-01-23 20:26:13
 0: cs:SyncSource st:Primary/Secondary ld:Consistent
    ns:67080 nr:85492 dw:91804 dr:72139 al:9 bm:268 lo:0 pe:30 ua:2019 ap:0
        [==>.................] sync'ed: 12.5% (458848/520196)K
        finish: 0:01:44 speed: 4,356 (4,088) K/sec

Step6

Create a filesystem on our RAID devices.

[root@node1]# mkfs.ext3 /dev/drbd0

6.4: Testing

We have a 2 node cluster replicating data; it's time to test a failover.

Step1

Start the heartbeat service on both nodes.

Step2

On node1 we can see the status of DRBD.

[root@node1 ~]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.23 (api:79/proto:74)
 0: cs:Connected st:Primary/Secondary ld:Consistent
    ns:1536 nr:0 dw:1372 dr:801 al:4 bm:6 lo:0 pe:0 ua:0 ap:0
[root@node1 ~]#

On node2 we can see the status of DRBD.

[root@node2 ~]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.23 (api:79/proto:74)
SVN Revision: 2686 build by root@node2, 2007-01-23 20:26:03
 0: cs:Connected st:Secondary/Primary ld:Consistent
    ns:0 nr:1484 dw:1484 dr:0 al:0 bm:6 lo:0 pe:0 ua:0 ap:0
[root@node2 ~]#

That all looks good; we can see the devices are consistent and ready for use.
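The cs:, st: and ld: fields in the service drbd status output above (and in 6.3.2) are what a monitoring check should look at before and after a failover. The parser below is an added example, not part of DRBD or Heartbeat: it reads the 0.7-style device lines and names the state, so each step of this chapter can be checked by a script rather than by eye. The status snippets are constructed from the outputs shown on this page; the WFConnection/Unknown line is an assumed example of a node whose peer has gone away.

```shell
#!/bin/sh
# Added example (not part of DRBD or Heartbeat): parse the 0.7-style device
# lines printed by 'service drbd status' / /proc/drbd and name the state,
# so a monitoring check can confirm what each step of this chapter expects.

# Print "cs st ld" for device NUM from the status text on stdin.
drbd_fields() {
    awk -v dev="$1:" '
        $1 == dev {
            cs = st = ld = "?"
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[1] == "cs") cs = kv[2]
                else if (kv[1] == "st") st = kv[2]
                else if (kv[1] == "ld") ld = kv[2]
            }
            print cs, st, ld
            exit
        }'
}

# Classify device NUM from the status text on stdin. Prints one of:
#   ok-primary    Connected, Consistent, this node holds Primary (serves /data)
#   ok-secondary  Connected, Consistent, peer holds Primary (standby)
#   unconfigured  Secondary/Secondary and Inconsistent: no primary chosen yet
#   syncing       SyncSource/SyncTarget: initial sync or resync running
#   degraded      anything else (peer gone, StandAlone, ...)
#   missing       device NUM is not in the output
# Returns 0 only for the two ok states.
drbd_classify() {
    dev=$1
    set -- $(drbd_fields "$dev")
    [ $# -eq 3 ] || { echo missing; return 1; }
    case "$1,$2,$3" in
        Connected,Primary/Secondary,Consistent)     echo ok-primary ;;
        Connected,Secondary/Primary,Consistent)     echo ok-secondary ;;
        Connected,Secondary/Secondary,Inconsistent) echo unconfigured; return 1 ;;
        Sync*)                                      echo syncing; return 1 ;;
        *)                                          echo degraded; return 1 ;;
    esac
}

# Constructed status snippets in the format shown on this page (the 'lost'
# line is an assumed example of a node whose peer has gone away).
drbd_sample() {
    case "$1" in
        fresh)   printf '0: cs:Connected st:Secondary/Secondary ld:Inconsistent\n' ;;
        sync)    printf '0: cs:SyncSource st:Primary/Secondary ld:Consistent\n' ;;
        primary) printf '0: cs:Connected st:Primary/Secondary ld:Consistent\n'
                 printf '1: cs:Connected st:Primary/Secondary ld:Consistent\n' ;;
        standby) printf '0: cs:Connected st:Secondary/Primary ld:Consistent\n' ;;
        lost)    printf '0: cs:WFConnection st:Primary/Unknown ld:Consistent\n' ;;
    esac
}

# Stand-alone demonstration: classify device 0 in each sample.
if [ "${1:-}" = "demo" ]; then
    for s in fresh sync primary standby lost; do
        printf '%-8s %s\n' "$s" "$(drbd_sample "$s" | drbd_classify 0)"
    done
fi
```

On a live node the same functions read the real output, for example `service drbd status | drbd_classify 0`; after Step4 below node1 should report ok-secondary and node2 ok-primary, and anything reported as degraded means the mirror is no longer protecting /data.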

Step3

Now let’s check the mount point we created in the heartbeat haresources file.

We can see heartbeat has successfully mounted /dev/drbd0 on the /data directory; of course your device will not have any data on it yet.

[root@node1 ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                       35G   14G   20G  41% /
/dev/hdc1              99M   21M   74M  22% /boot
/dev/shm              506M     0  506M   0% /dev/shm
/dev/drbd0             74G   37G   33G  53% /data
[root@node1 ~]#

Step4

Log in to node1 and execute the following command; once heartbeat is stopped it should take only a few seconds to migrate the services to node2.

[root@node1 ~]# service heartbeat stop
Stopping High-Availability services:                       [  OK  ]

[root@node1 ~]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.23 (api:79/proto:74)
SVN Revision: 2686 build by root@node1, 2007-01-23 20:26:13
 0: cs:Connected st:Secondary/Primary ld:Consistent
    ns:5616 nr:85492 dw:90944 dr:2162 al:9 bm:260 lo:0 pe:0 ua:0 ap:0

We can see DRBD change state to secondary on node1.

Step5

Now let's check the status of DRBD on node2; we can see it has changed state and become the primary.

[root@node2 ~]# service drbd status
drbd driver loaded OK; device status:
version: 0.7.23 (api:79/proto:74)
SVN Revision: 2686 build by root@node2, 2007-01-23 20:26:03
 0: cs:Connected st:Primary/Secondary ld:Consistent
    ns:4 nr:518132 dw:518136 dr:17 al:0 bm:220 lo:0 pe:0 ua:0 ap:0
 1: cs:Connected st:Primary/Secondary ld:Consistent
    ns:28 nr:520252 dw:520280 dr:85 al:0 bm:199 lo:0 pe:0 ua:0 ap:0

Check that node2 has mounted the device.

[root@node2 ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                       35G   12G   22G  35% /
/dev/hdc1              99M   17M   78M  18% /boot
/dev/shm              506M     0  506M   0% /dev/shm
/dev/hdh1             111G   97G  7.6G  93% /storage
/dev/drbd0             74G   37G   33G  53% /data
[root@node2 ~]#

Step5

Finally, start the heartbeat service on node1 and make sure that all processes migrate back.


7.0: BIND DNS

We can use BIND (the Berkeley Internet Name Domain) in a high availability configuration. We can make the two nodes appear as one: the zone files are stored on the DRBD drive, and if node1 fails node2 can take over and automatically start named.

BIND can have its /var/named directory relocated to a more appropriate location such as /data/dnszones; this gives us real-time replication of the zone files. The standby node2 must have its default directory modified to /data/dnszones as well.

We have 2 servers, and we will refer to the cluster as cluster.differentialdesign.org. It is assumed that these machines are behind a firewall with NAT and port forwarding to the appropriate ports.

When setting up domain names through a registrar you will want two separate name servers; it is recommended to set up an additional slave DNS server.

An example may be:

Name Server: CLUSTER.DIFFERENTIALDESIGN.ORG   <- primary name server(s)
Name Server: NS1.DIFFERENTIALDESIGN.ORG
Name Server: NS2.DIFFERENTIALDESIGN.ORG


7.1: Configuration

Step1

We will now create a directory on our DRBD drive /data/dnszones.

[root@node1 ~]# mkdir /data/dnszones

Step2

Change the location of the zone files to our replicated drive.

[root@node1 ~]# named ?
usage: named [-4|-6] [-c conffile] [-d debuglevel] [-f|-g] [-n number_of_cpus]
             [-p port] [-s] [-t chrootdir] [-u username]
             [-m {usage|trace|record}]
             [-D ]
named: extra command line arguments

[root@node1 ~]# named -t /data/dnszones/

Note that, as the usage output shows, -t sets a chroot directory for named; the directory the zone files are read from is set with the directory option in /etc/named.conf, which we point at /data/dnszones in 7.1.1.

Step3

Copy the default zone files to our new location and set the permissions.

[root@node1 ~]# rsync -avz /var/named/ /data/dnszones/

[root@node1 ~]# chown -R named.named /data/dnszones/


7.1.1: named.conf

It is important that all machines on the network use cluster.differentialdesign.org, or its local IP address, as their DNS server; this way we can assure correct name resolution.

We will now edit /etc/named.conf.

Take note of the file below: the allow-transfer list names our secondary DNS servers, which are the IP addresses of ns1.differentialdesign.org and ns2.differentialdesign.org.

The named.conf needs to be the same on both node1 and node2; you could manually copy the file over using SCP, or link it to the /data/dnszones directory using a symbolic link.


[root@node1 ~]# vi /etc/named.conf


//
// named.conf for Red Hat caching-nameserver
//

options {

       directory "/data/dnszones";
       dump-file "/data/dnszones/data/cache_dump.db";
       statistics-file "/data/dnszones/data/named_stats.txt";
       /*
        * If there is a firewall between you and nameservers you want
        * to talk to, you might need to uncomment the query-source
        * directive below.  Previous versions of BIND always asked
        * questions using port 53, but BIND 8.1 uses an unprivileged
        * port by default.
        */
        // query-source address * port 53;


       allow-transfer {
               127.0.0.1;              // localhost
               202.161.90.250;               // secondary DNS server for my zone
               202.161.90.251;               // secondary DNS server for my zone
        };


};

//
// a caching only nameserver config
//
controls {

       inet 127.0.0.1 allow { localhost; } keys { rndckey; };

};

zone "." IN {

       type hint;
       file "named.ca";

};

zone "localdomain" IN {

       type master;
       file "localdomain.zone";
       allow-update { none; };

};

zone "localhost" IN {

       type master;
       file "localhost.zone";
       allow-update { none; };

};

zone "0.0.127.in-addr.arpa" IN {

       type master;
       file "named.local";
       allow-update { none; };

};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {

       type master;
       file "named.ip6.local";
       allow-update { none; };

};

zone "255.in-addr.arpa" IN {

       type master;
       file "named.broadcast";
       allow-update { none; };

};

zone "0.in-addr.arpa" IN {

       type master;
       file "named.zero";
       allow-update { none; };

};


zone "differentialdesign.org" {

       type master;
       file "/data/dnszones/differentialdesign.org/named.differentialdesign.org.hosts";
       allow-update { none; };

};

// the controls statement above refers to rndckey; this file defines it
include "/etc/rndc.key";
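As an added example, not part of the original page or of BIND itself, the script below audits the options block of a named.conf for the two settings that matter most once port 53 is forwarded from the Internet as described above: recursion left open to every client, and zone transfers left open to every host. The three configuration files it writes are constructed samples; "weak" mirrors the options block shown above, "open" is the worst case, and "hardened" adds the restrictions (the 192.168.0.0/24 LAN mask is an assumption).

```shell
#!/bin/sh
# Added example, not part of the original page. Audits the options{} block of a
# named.conf for two settings that matter once port 53 is forwarded from the
# Internet: recursion answered for everyone (an open resolver, usable for
# reflection and cache poisoning attempts) and zone transfers open to everyone.
# Heuristic over the flattened file: include statements and views are not followed.

# strip_comments FILE: remove //, # and /* */ comments, collapse whitespace,
# print the whole config as one line
strip_comments() {
    sed -e 's@//.*$@@' -e 's@#.*$@@' "$1" | awk '
        { s = s " " $0 }
        END {
            while ((p = index(s, "/*")) > 0) {
                q = index(substr(s, p + 2), "*/")
                if (q == 0) { s = substr(s, 1, p - 1); break }
                s = substr(s, 1, p - 1) substr(s, p + 2 + q + 1)
            }
            gsub(/[ \t]+/, " ", s)
            print s
        }'
}

# audit_named_conf FILE: print findings (space separated), exit 0 when clean
audit_named_conf() {
    conf=$(strip_comments "$1")
    findings=""
    case "$conf" in
        *"recursion no"*|*allow-recursion*) ;;   # recursion off or restricted
        *) findings="open-recursion" ;;         # no restriction; BIND before 9.4 recurses for any client
    esac
    # contents of the (last) allow-transfer { ... } block, empty if there is none
    xfer=$(printf '%s' "$conf" | sed -n 's/.*allow-transfer *{\([^}]*\)}.*/\1/p')
    if [ -z "$xfer" ]; then
        findings="$findings transfer-unrestricted"   # BIND 9 of this era defaulted to any
    else
        case "$xfer" in *any*) findings="$findings transfer-any" ;; esac
    fi
    findings=${findings# }
    printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# write_weak_conf FILE: constructed sample mirroring the options block on this page
write_weak_conf() {
    cat > "$1" <<'EOF'
options {
        directory "/data/dnszones";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.
         */
        // query-source address * port 53;
        allow-transfer {
                127.0.0.1;              // localhost
                202.161.90.250;         // secondary DNS server for my zone
                202.161.90.251;         // secondary DNS server for my zone
        };
};
EOF
}

# write_open_conf FILE: constructed worst case, transfers to anyone, recursion for anyone
write_open_conf() {
    cat > "$1" <<'EOF'
options {
        directory "/data/dnszones";
        allow-transfer { any; };
};
EOF
}

# write_hardened_conf FILE: same server, recursion limited to the LAN (assumed /24)
write_hardened_conf() {
    cat > "$1" <<'EOF'
options {
        directory "/data/dnszones";
        recursion yes;
        allow-recursion { 127.0.0.1; 192.168.0.0/24; };
        allow-transfer { 127.0.0.1; 202.161.90.250; 202.161.90.251; };
};
EOF
}

# stand-alone run over the three constructed samples
for kind in weak open hardened; do
    f=$(mktemp)
    "write_${kind}_conf" "$f"
    printf '%-9s %s\n' "$kind:" "$(audit_named_conf "$f" || true)"
    rm -f "$f"
done
```

Run it on the active node against the real file with audit_named_conf /etc/named.conf; the options block shown above produces the single finding open-recursion, which the hardened sample removes by adding allow-recursion while keeping the same allow-transfer list.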



7.1.2: zone file

In our named.conf file we have the following zone defined:

zone "differentialdesign.org" {

       type master;
       file "/data/dnszones/differentialdesign.org/named.differentialdesign.org.hosts";
       allow-update { none; };

};

The zone file therefore lives under /data/dnszones/ and is replicated along with the rest of the directory.

Step1.

Create a subdirectory where we will store our zone files.

[root@node1 ~]# mkdir /data/dnszones/differentialdesign.org/

Step2.

Create a new file called named.differentialdesign.org.hosts.

[root@node1 ~]# vi /data/dnszones/differentialdesign.org/named.differentialdesign.org.hosts

You will see below that nodes.differentialdesign.org. IN A 192.168.0.4 is an A record pointing at the virtual IP address of the cluster. When setting up mapped drives use this name rather than the IP address; the virtual address moves with the service on failover, so clients keep working without reconfiguration.

$TTL 8h
differentialdesign.org. IN SOA cluster.differentialdesign.org. asender.mail.samba.org. (
                        2006211201      ; serial, increment on every change
                        10800           ; refresh
                        3600            ; retry
                        3600000         ; expire
                        86400 )         ; minimum (negative caching TTL)

differentialdesign.org.         IN NS   cluster.differentialdesign.org.
differentialdesign.org.         IN NS   ns1.differentialdesign.org.
differentialdesign.org.         IN NS   ns2.differentialdesign.org.
differentialdesign.org.         IN MX 50 mail.differentialdesign.org.
mail.differentialdesign.org.    IN A    202.161.90.245
www.differentialdesign.org.     IN A    202.161.90.245
cluster.differentialdesign.org. IN A    202.161.90.241
node1.differentialdesign.org.   IN A    192.168.0.2
node2.differentialdesign.org.   IN A    192.168.0.3
nodes.differentialdesign.org.   IN A    192.168.0.4

Two things to watch in this file. The serial must be increased every time the zone is edited, otherwise ns1 and ns2 never pick up the change. And the NS records name ns1 and ns2 inside this zone, but the file contains no A records for them; resolvers following the delegation cannot reach them, and named-checkzone differentialdesign.org named.differentialdesign.org.hosts reports the NS targets as having no address records. Add A records for ns1 and ns2 (their addresses are the ones listed in allow-transfer in 7.1.1) before the secondaries and the registrar can use them.
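As an added example, not part of the original page, here is a pre-flight check to run on the active node before reloading named: it writes a constructed copy of the zone above to a temporary file, runs BIND's own named-checkzone when that tool is installed, and independently lists every NS target inside the zone that has no A record. It assumes fully qualified owner names with trailing dots, as the zone above uses.

```shell
#!/bin/sh
# Added example, not part of the original page: a pre-flight check for the
# zone file before `rndc reload` on the active node. It runs BIND's own
# named-checkzone when available and, independently, lists every NS target
# inside the zone that has no A record, so the delegation can be followed.
# The zone below is a constructed copy of the one shown on this page.

ZONE="differentialdesign.org"

# write_sample_zone FILE: constructed copy of the page's zone, one record per line
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 8h
differentialdesign.org. IN SOA cluster.differentialdesign.org. asender.mail.samba.org. (
                        2006211201      ; serial
                        10800           ; refresh
                        3600            ; retry
                        3600000         ; expire
                        86400 )         ; minimum
differentialdesign.org.         IN NS   cluster.differentialdesign.org.
differentialdesign.org.         IN NS   ns1.differentialdesign.org.
differentialdesign.org.         IN NS   ns2.differentialdesign.org.
differentialdesign.org.         IN MX 50 mail.differentialdesign.org.
mail.differentialdesign.org.    IN A    202.161.90.245
www.differentialdesign.org.     IN A    202.161.90.245
cluster.differentialdesign.org. IN A    202.161.90.241
node1.differentialdesign.org.   IN A    192.168.0.2
node2.differentialdesign.org.   IN A    192.168.0.3
nodes.differentialdesign.org.   IN A    192.168.0.4
EOF
}

# ns_without_a ZONEFILE ORIGIN: in-zone NS targets lacking an A record, space
# separated and sorted. Assumes fully qualified owner names as in the file above.
ns_without_a() {
    awk -v origin="$2" '
        { sub(/;.*$/, "") }                       # drop ; comments
        NF == 0 || $1 ~ /^\$/ { next }            # blank lines, $TTL and $ORIGIN
        {
            type = ""; rdata = ""
            for (i = 2; i <= NF; i++)             # locate the class, then type and rdata
                if ($i == "IN") { type = $(i + 1); rdata = $(i + 2); break }
        }
        type == "A" { has_a[$1] = 1 }
        type == "NS" && rdata ~ ("\\." origin "\\.$") { ns[rdata] = 1 }
        END { for (n in ns) if (!(n in has_a)) print n }
    ' "$1" | sort | tr '\n' ' ' | sed 's/ $//'
}

# check_zone ZONEFILE ORIGIN: exit 0 if the zone passes, 1 otherwise
check_zone() {
    rc=0
    if command -v named-checkzone >/dev/null 2>&1; then
        # BIND's own loader: syntax, SOA and the same NS/A consistency check
        named-checkzone "$2" "$1" || rc=1
    fi
    missing=$(ns_without_a "$1" "$2")
    if [ -n "$missing" ]; then
        echo "NS targets in $2 without an A record: $missing" >&2
        rc=1
    fi
    return $rc
}

# stand-alone run against the constructed zone
zonefile=$(mktemp)
write_sample_zone "$zonefile"
if check_zone "$zonefile" "$ZONE"; then
    echo "zone OK, safe to rndc reload"
else
    echo "fix the zone before reloading"
fi
rm -f "$zonefile"
```

Against the zone exactly as written on this page the check fails: ns1.differentialdesign.org. and ns2.differentialdesign.org. are named as authoritative servers inside the zone but have no A records. Once those are added, check_zone returns 0 and the file can be reloaded; point it at the real file with check_zone /data/dnszones/differentialdesign.org/named.differentialdesign.org.hosts differentialdesign.org.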