Replicated Failover Domain Controller and file server using LDAP

From SambaWiki
Revision as of 23:11, 24 January 2007 by Asender (talk | contribs)

SAMBA 3 LDAP HIGH AVAILABILITY CLUSTER


SAMBA 3 EXTENSIONS



TECHNICAL CONFIGURATION



Author: Adrian Sender

Supervisor: Simo Sorce



Objectives


· Samba Active Directory Upgrade Compatible

· Set Standards

· High Availability Cluster

· Recommended By Developers




Overview


- 1.0: Configuring Samba

o 1.1 smb.conf PDC

o 1.2 smb.conf BDC

o 1.3 /etc/hosts

o 1.4 Samba Security


- 2.0: Configuring LDAP

o 2.1 slapd.conf Master

§ 2.1.1 slapd.conf Master syncrepl Openldap2.2

§ 2.1.2 slapd.conf Master delta-syncrepl Openldap2.3


o 2.2 slapd.conf Slave

§ 2.2.1 slapd.conf Slave syncrepl Openldap2.2

§ 2.2.2 slapd.conf Slave delta-syncrepl Openldap2.3

o 2.3 ldap.conf Master

o 2.4 ldap.conf Slave


- 3.0: Initialization LDAP Database

o 3.1 Provisioning Database

o 3.2 Preload LDIF

o 3.3 LDAP Population

o 3.4 Database Replication


- 4.0: User Management

o 4.1 smbldap-tools

§ 4.1.1 smbldap.conf Master

§ 4.1.2 smbldap.conf Slave


- 5.0: Heartbeat HA Configuration

o 5.1 Requirements

o 5.2 Installation

o 5.3 Configuration

§ 5.3.1 ha.cf

§ 5.3.2 haresources

§ 5.3.3 authkeys

o 5.4 Testing


- 6.0: DRBD

o 6.1 Requirements

o 6.2 Installation

o 6.3 Configuration

§ 6.3.1 drbd.conf

§ 6.3.2 Initialization

o 6.4 Testing


- 7.0: BIND DNS

o 7.1 Configuration

§ 7.1.1 named.conf

§ 7.1.2 zone file




Overview


We will be configuring a 2 node cluster using Samba and OpenLDAP to provide Windows domain authentication. Heartbeat will give the 2 nodes one shared virtual IP address; we will use this address to map network drives and access resources.


Most of us are familiar with some form of RAID; we will be using DRBD, a software RAID1 over the LAN, to provide real-time data replication at the block level. If node1 fails or becomes unresponsive, the resources are migrated to node2 and the DRBD drive is mounted there.


This is a complex setup, and strict guidelines need to be followed in order to achieve stability.


We should start with 2 identical machines each with 2 hard drives. One of these drives will be used for the operating system; the other is our DRBD RAID1 over LAN drive.


By today's standards anything in the Pentium 4 range and above will suit. The operating system drive should be no less than approximately 40GB, and the DRBD replication drive approximately 300GB on each node; SATA and SCSI are both fine. DRBD can currently address and replicate data storage up to 4TB.


Once familiar with this kind of configuration you can easily take one node offline to upgrade additional storage or any hardware requirements without users suffering.


High Availability and data replication should not replace traditional backups such as tape and external media devices, especially if you are using this configuration and are not familiar with the workings.


The machines will need to be in close proximity to each other so we can use Serial communication to provide a fault tolerant heartbeat. If you choose not to use serial you may have unexpected failovers due to bandwidth delay or a network card failure. Ideally we want to have a quick failover so it is important that these precautions are taken.


Each node will require 2 network cards.


Here is a basic configuration overview:


Configuration Details


node1.differentialdesign.org


Eth0: LAN Network Address

IP Address: 192.168.0.2

Subnet Mask: 255.255.255.0

Gateway: 192.168.0.1


Eth0:1 Heartbeat LAN Address

IP Address: 192.168.0.4

Subnet Mask: 255.255.255.0


Eth1: DRBD Replication Network

IP Address: 10.0.0.1

Subnet Mask: 255.255.255.0

Gateway: None


HDC: Operating System Drive


HDD: DRBD Data Replication Drive


TTYS0: COM Port 1


Configuration Details


node2.differentialdesign.org


Eth0: LAN Network Address

IP Address: 192.168.0.3

Subnet Mask: 255.255.255.0

Gateway: 192.168.0.1






Eth1: DRBD Replication Network

IP Address: 10.0.0.2

Subnet Mask: 255.255.255.0

Gateway: None


HDC: Operating System Drive


HDD: DRBD Data Replication Drive


TTYS0: COM Port 1






1.0: Configuring Samba



Samba is an ambitious project to provide solutions for file & print sharing between Linux ™ and Microsoft Windows.


If you are familiar with Samba this document may give you some ideas of how you can bundle different software packages together to produce a very reliable configuration.


We are building a fault tolerant domain controller, which provides you with the following;


Samba Configuration

- Primary Domain Controller

- Backup Domain Controller


A master domain controller, that provides authentication through the use of LDAP

A slave domain controller that can load balance client login requests and also provides redundancy through the use of a replica LDAP database.



Step1


Get the latest version of samba http://us4.samba.org/samba/ftp/samba-latest.tar.gz


It is essential that both the PDC and BDC are running the same version of samba.


[root@node1 samba]# wget http://us4.samba.org/samba/ftp/samba-latest.tar.gz

--19:28:04-- http://us4.samba.org/samba/ftp/samba-latest.tar.gz

          => `samba-latest.tar.gz'

Resolving us4.samba.org... 192.48.170.15

Connecting to us4.samba.org|192.48.170.15|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 17,704,221 (17M) [application/x-tar]


100%[====================================>] 17,704,221 53.01K/s ETA 00:00


19:33:40 (51.62 KB/s) - `samba-latest.tar.gz' saved [17704221/17704221]



Step2


[root@node1 samba]# tar zxvf samba-latest.tar.gz


[root@node1 samba]# cd samba-3.0.23d/

[root@node1 samba-3.0.23d]#


[root@node1 samba-3.0.23d]# cd packaging/

bin/ Example/ Mandrake/ RedHat-9/ SGI/ SuSE/

Debian/ LSB/ README RHEL/ Solaris/ sysv/



Step3


This will take some time.


[root@node1 samba-3.0.23d]# cd packaging/RHEL/


[root@node1 RHEL]# ls

makerpms.sh makerpms.sh.tmpl samba.spec samba.spec.tmpl setup


[root@node1 RHEL]# chmod 777 makerpms.sh

[root@node1 RHEL]# ./makerpms.sh


Wrote: /usr/src/redhat/SRPMS/samba-3.0.23d-1.src.rpm

Wrote: /usr/src/redhat/RPMS/i386/samba-3.0.23d-1.i386.rpm

Wrote: /usr/src/redhat/RPMS/i386/samba-client-3.0.23d-1.i386.rpm

Wrote: /usr/src/redhat/RPMS/i386/samba-common-3.0.23d-1.i386.rpm

Wrote: /usr/src/redhat/RPMS/i386/samba-swat-3.0.23d-1.i386.rpm

Wrote: /usr/src/redhat/RPMS/i386/samba-doc-3.0.23d-1.i386.rpm

Wrote: /usr/src/redhat/RPMS/i386/samba-debuginfo-3.0.23d-1.i386.rpm


makerpms.sh: Done.

[root@node1 RHEL]#



Step4


Install the RPM files we built from source.


[root@node2]# cd /usr/src/redhat/RPMS/i386/

[root@node1 i386]# rpm -Uvh samba-3.0.23d-1.i386.rpm samba-client-3.0.23d-1.i386.rpm samba-common-3.0.23d-1.i386.rpm samba-debuginfo-3.0.23d-1.i386.rpm samba-doc-3.0.23d-1.i386.rpm samba-swat-3.0.23d-1.i386.rpm

Preparing... ########################################### [100%]

  1:samba-common           warning: /etc/samba/smb.conf created as /etc/samba/smb.conf.rpmnew
                          ########################################### [ 17%]
  2:samba                  ########################################### [ 33%]

ls: /var/cache/samba/eventlog/*tdb: No such file or directory

  3:samba-client           ########################################### [ 50%]
  4:samba-debuginfo        ########################################### [ 67%]
  5:samba-doc              ########################################### [ 83%]
  6:samba-swat             ########################################### [100%]


[root@node1 i386]#



Step5


Login to node2 – the backup domain controller and repeat the above steps.




1.1: smb.conf PDC


You will need to replace the domain name and host names (highlighted in the original) with your own. Take note of the use of failover LDAP backends in passdb backend; this is very useful.


[root@node2 ~]# mkdir /data



[root@node1 ~]# vi /etc/samba/smb.conf



# Primary Domain Controller smb.conf

# Global parameters


[global]

unix charset = LOCALE

workgroup = DDESIGN

netbios name = node1

# passdb backend = ldapsam:ldap://127.0.0.1
# passdb backend = ldapsam:"ldap://192.168.0.2 ldap://192.168.0.3"

passdb backend = ldapsam:"ldap://node1.differentialdesign.org ldap://node2.differentialdesign.org"

username map = /etc/samba/smbusers

log level = 1

syslog = 0

log file = /var/log/samba/%m

max log size = 0

name resolve order = wins bcast hosts

time server = Yes

printcap name = CUPS

add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'

delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'

add group script = /opt/IDEALX/sbin/smbldap-groupadd -p '%g'

delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'

add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%g' '%u'

delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%g' '%u'

set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'

add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'

shutdown script = /var/lib/samba/scripts/shutdown.sh

abort shutdown script = /sbin/shutdown -c

logon script = %u.bat

# logon path = \\192.168.0.4\profiles\%u

logon path = \\nodes.differentialdesign.org\profiles\%u

logon drive = H:

domain logons = Yes

domain master = Yes

wins support = Yes

ldap suffix = dc=differentialdesign,dc=org

ldap machine suffix = ou=Computers,ou=Users

ldap user suffix = ou=People,ou=Users

ldap group suffix = ou=Groups

ldap idmap suffix = ou=Idmap

ldap admin dn = cn=sambaadmin,dc=differentialdesign,dc=org

idmap backend = ldap://127.0.0.1

idmap uid = 10000-20000

idmap gid = 10000-20000

printer admin = root

printing = cups


# ========================Share Definitions=========================


[homes]

  comment = Home Directories
  valid users = %S
  browseable = yes
  writable = yes
  create mask = 0600
  directory mask = 0700


[netlogon]
 comment = Network Logon Service
 path = /data/samba/netlogon
 writeable = yes
 browseable = yes
 read only = no


[profiles]

 path = /data/samba/profiles
 writeable = yes
 browseable = no
 read only = no
 create mode = 0777
 directory mode = 0777


[Documents]

 comment = share to test samba
 path = /data/documents
 writeable = yes
 browseable = yes
 read only = no
 valid users = "@Domain Users"





1.2: smb.conf BDC


[root@node2 ~]# mkdir /data



[root@node2 ~]# vi /etc/samba/smb.conf



# Global parameters

# Backup Domain Controller


[global]

unix charset = LOCALE

workgroup = DDESIGN

netbios name = node2

# passdb backend = ldapsam:ldap://127.0.0.1
# passdb backend = ldapsam:"ldap://192.168.0.2 ldap://192.168.0.3"

passdb backend = ldapsam:"ldap://node2.differentialdesign.org ldap://node1.differentialdesign.org"

username map = /etc/samba/smbusers

log level = 1

syslog = 0

log file = /var/log/samba/%m

max log size = 50

name resolve order = wins bcast hosts

printcap name = CUPS

show add printer wizard = No

logon script = %u.bat

# logon path = \\192.168.0.4\profiles\%u

logon path = \\nodes.differentialdesign.org\profiles\%u

logon drive = H:

domain logons = Yes

os level = 63

domain master = No

wins server = node1.differentialdesign.org

ldap suffix = dc=differentialdesign,dc=org

ldap machine suffix = ou=Computers,ou=Users

ldap user suffix = ou=People,ou=Users

ldap group suffix = ou=Groups

ldap idmap suffix = ou=Idmap

ldap admin dn = cn=sambaadmin,dc=differentialdesign,dc=org

utmp = Yes

idmap backend = ldap://node1.differentialdesign.org

idmap uid = 10000-20000

idmap gid = 10000-20000

printing = cups


# ========================Share Definitions=========================


[homes]

  comment = Home Directories
  valid users = %S
  browseable = yes
  writable = yes
  create mask = 0600
  directory mask = 0700


[netlogon]
 comment = Network Logon Service
 path = /data/samba/netlogon
 writeable = yes
 browseable = yes
 read only = no


[profiles]

 path = /data/samba/profiles
 writeable = yes
 browseable = no
 read only = no
 create mode = 0777
 directory mode = 0777


[Documents]

 comment = share to test samba
 path = /data/documents
 writeable = yes
 browseable = yes
 read only = no
 valid users = "@Domain Users"
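
To check that a PDC/BDC pair is configured consistently, here is an added example in Python; it is not part of the original page and not Samba code. It parses the two [global] sections, confirms that both controllers use the same workgroup, LDAP suffix and admin DN, that only the PDC is domain master, and that each passdb backend names its local slapd first with the peer as failover. PDC_CONF and BDC_CONF are constructed excerpts of the configurations in 1.1 and 1.2; the check_pair function and its rules are this example's own.

```python
"""Consistency check for the PDC/BDC smb.conf pair (added example)."""
import re

# Constructed excerpts of the [global] sections from sections 1.1 and 1.2.
PDC_CONF = """
# Primary Domain Controller smb.conf
[global]
workgroup = DDESIGN
netbios name = node1
passdb backend = ldapsam:"ldap://node1.differentialdesign.org ldap://node2.differentialdesign.org"
domain logons = Yes
domain master = Yes
wins support = Yes
ldap suffix = dc=differentialdesign,dc=org
ldap admin dn = cn=sambaadmin,dc=differentialdesign,dc=org
"""

BDC_CONF = """
# Backup Domain Controller
[global]
workgroup = DDESIGN
netbios name = node2
passdb backend = ldapsam:"ldap://node2.differentialdesign.org ldap://node1.differentialdesign.org"
domain logons = Yes
os level = 63
domain master = No
wins server = node1.differentialdesign.org
ldap suffix = dc=differentialdesign,dc=org
ldap admin dn = cn=sambaadmin,dc=differentialdesign,dc=org
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.
    Keys are lower-cased; lines starting with '#' or ';' are comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf


def ldap_uris(passdb_backend):
    """Return the LDAP URI list from a 'passdb backend = ldapsam:...' value.
    Samba accepts one URI, or a quoted space-separated list tried in order."""
    m = re.match(r'ldapsam:"?([^"]*)"?$', passdb_backend.strip())
    return m.group(1).split() if m else []


def check_pair(pdc_text, bdc_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    pdc = parse_smb_conf(pdc_text).get("global", {})
    bdc = parse_smb_conf(bdc_text).get("global", {})
    # Both controllers must agree on the domain and on the LDAP tree they use.
    for key in ("workgroup", "ldap suffix", "ldap admin dn"):
        if pdc.get(key, "").lower() != bdc.get(key, "").lower():
            problems.append(f"{key} differs: {pdc.get(key)!r} vs {bdc.get(key)!r}")
    # Exactly one domain master browser: the PDC.
    if pdc.get("domain master", "").lower() != "yes":
        problems.append("PDC: 'domain master = Yes' missing")
    if bdc.get("domain master", "").lower() != "no":
        problems.append("BDC: must set 'domain master = No' (only the PDC is domain master)")
    for role, conf in (("PDC", pdc), ("BDC", bdc)):
        if conf.get("domain logons", "").lower() != "yes":
            problems.append(f"{role}: 'domain logons = Yes' missing")
        uris = ldap_uris(conf.get("passdb backend", ""))
        if len(uris) < 2:
            problems.append(f"{role}: passdb backend has no failover LDAP server: {uris}")
        # Each node should try its local slapd first and fall back to the peer.
        name = conf.get("netbios name", "").lower()
        if uris and name and not uris[0].lower().startswith(f"ldap://{name}"):
            problems.append(f"{role}: first LDAP URI {uris[0]} is not the local server {name}")
    return problems


if __name__ == "__main__":
    for p in check_pair(PDC_CONF, BDC_CONF) or ["PDC/BDC smb.conf pair is consistent"]:
        print(p)
```

Run it against the real files with `check_pair(open("/etc/samba/smb.conf").read(), bdc_copy)` after copying the BDC's file over; the local-first ordering check is what makes the BDC keep authenticating from its own replica when node1 is down.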





1.3: /etc/hosts


In order to correctly resolve name to IP address we need some sort of name resolution. We already have a DNS name server which is capable of doing this as per section 7.0: BIND DNS. However it is desirable to have a backup feature such as entries in the /etc/hosts file.


Step1


On node1 we will edit the hosts file to reflect our configuration.


[root@node1 ~]# vi /etc/hosts


# Do not remove the following line, or various programs
# that require network functionality will fail.

127.0.0.1 node1 localhost.localdomain localhost

192.168.0.2 node1.differentialdesign.org

192.168.0.3 node2.differentialdesign.org

192.168.0.4 nodes.differentialdesign.org


Step2


Login to node2 and edit the /etc/hosts file.


[root@node2 ~]# vi /etc/hosts


# Do not remove the following line, or various programs
# that require network functionality will fail.

127.0.0.1 node2 localhost.localdomain localhost

192.168.0.2 node1.differentialdesign.org

192.168.0.3 node2.differentialdesign.org

192.168.0.4 nodes.differentialdesign.org



1.4: Samba Security


There are many additional features we can add to Samba to make it more secure. We can add some additional options to our smb.conf to achieve this.


One of the great features of Samba is the "hosts allow =" option. It can be applied globally to all the shares in smb.conf by placing it in the [global] section, or to specific shares, but not both.


The example limits access to Samba shares to clients on the 192.168.0.0/24 network, since it is defined in the [global] section of smb.conf.


# /etc/samba/smb.conf
# Global parameters


[global]


workgroup = DDESIGN

security = user

hosts allow = 192.168.0.0/24


For the enthusiast, we can use this option on a per-share basis, which provides us with greater flexibility.


This limits access to this share to the client with the 192.168.0.100/24 IP address; you can of course list multiple addresses.


# /etc/samba/smb.conf
# ==== Share Definitions =====

[Documents]

comment = share to test samba

path = /data/documents

writeable = yes

browseable = yes

read only = no

valid users = "@Domain Users"

hosts allow = 192.168.0.100/24
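
Added example, not from the page or from Samba's source, showing how IP and CIDR entries in hosts allow / hosts deny are matched; hostnames, netgroups and EXCEPT lists are not handled. It illustrates a detail worth knowing when writing a per-share rule: because the network part decides, 192.168.0.100/24 matches every host in 192.168.0.0/24, while a bare address or /32 restricts access to that one client. The access_decision function encodes the documented precedence: a client in hosts allow is admitted even if it also matches hosts deny.

```python
"""'hosts allow' / 'hosts deny' matching for IP and CIDR entries (added example)."""
import ipaddress


def parse_hosts_list(value):
    """Turn a 'hosts allow'/'hosts deny' value into ip_network objects.
    A bare address is a single host (/32). 'a.b.c.d/n' or 'a.b.c.d/mask' is
    the network that contains a.b.c.d; host bits are ignored, so
    192.168.0.100/24 is the same rule as 192.168.0.0/24."""
    nets = []
    for token in value.replace(",", " ").split():
        # strict=False masks off the host bits instead of raising.
        nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def matches(client_ip, hosts_list):
    """True if client_ip falls inside any entry of the list."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_hosts_list(hosts_list))


def access_decision(client_ip, hosts_allow="", hosts_deny=""):
    """Samba's rule: a client listed in hosts allow is admitted even if it is
    also in hosts deny; if hosts allow is set and the client is not in it,
    deny; otherwise a hosts deny match denies; with neither set, allow."""
    if hosts_allow.strip():
        return matches(client_ip, hosts_allow)
    if hosts_deny.strip():
        return not matches(client_ip, hosts_deny)
    return True


if __name__ == "__main__":
    # Constructed client addresses: the intended client and a neighbour.
    clients = ("192.168.0.100", "192.168.0.37")
    for rule in ("192.168.0.100/24", "192.168.0.100", "192.168.0.100/32"):
        print(f"hosts allow = {rule:<18} admits {[c for c in clients if matches(c, rule)]}")
```

The first line of output shows the /24 form admitting both clients; the second and third admit only 192.168.0.100.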



2.0: Configuring LDAP


It is necessary to use LDAP as our backend to Samba which provides replication to the Backup Domain Controllers.


There are two methods of providing replication. The first uses OpenLDAP's slurpd to provide master/slave operation: the database is pushed to the slaves defined by replica directives in slapd.conf on the master LDAP server. Here is an example of this original method, as defined in 2.1: slapd.conf Master.


replica host=192.168.0.3:389

           suffix="dc=differentialdesign,dc=org"
           binddn="cn=syncuser,dc=differentialdesign,dc=org"
           bindmethod=simple credentials=SyncUser


To bind to the database the slave replicas will need to use the replication user's password, defined above as "credentials=SyncUser". Initially you will need to populate the slave database manually, as defined in section 3.4 Database Replication.


The main restriction of this original design is that slapd needs to be restarted on both the master and the slave whenever an additional replica is added.



LDAP Replication Configuration

- Master

- Slave(s)


A master LDAP database that is replicated real time to the backup domain controller.

A slave LDAP database that provides load balance authentication, and can be used as a failover if the master becomes unavailable.




LDAP Replication Configuration

- Provider

- Consumers(s)


A provider LDAP database that has the most updated version of the database.

A consumer requests an update at a set interval, and provides load balancing.


The alternative is to use syncrepl, which is built into the LDAP daemon. This means we no longer need to run the slurpd daemon to replicate the database.


There are 2 main types of syncrepl operation. In "refreshOnly" operation the consumer requests an update from the provider at a set time interval, defined for example as "interval=00:00:10:00", which would poll the provider every 10 minutes. The more desirable way is to use delta-syncrepl; this provides a mode known as "refreshAndPersist", which keeps a persistent connection to the provider. Instead of a polling interval we have the parameter "retry="30 10 300 +"", which means: retry every 30 seconds up to 10 times, then every 300 seconds; the "+" indicates an indefinite number of retries.


If you are using syncrepl with OpenLDAP version 2.2, delta-syncrepl is known to be very buggy, so you are better off sticking with standard syncrepl refreshOnly mode.


Additionally, the LDAP daemon on the provider does not need to be restarted when consumers are added; the consumer requests the data itself by polling the provider at the set interval.



2.1: slapd.conf Master


This is the original method for replicating the database to slave LDAP servers. We are using slurpd, which has been around for a long time and has proven itself to be stable.


This configuration file should work on any version of Openldap.


# /etc/openldap/slapd.conf
# using slurpd
# LDAP Master


include /etc/openldap/schema/core.schema

include /etc/openldap/schema/cosine.schema

include /etc/openldap/schema/inetorgperson.schema

include /etc/openldap/schema/nis.schema

include /etc/openldap/schema/samba.schema


pidfile /var/run/slapd/slapd.pid

argsfile /var/run/slapd/slapd.args


database bdb

suffix "dc=differentialdesign,dc=org"

rootdn "cn=Manager,dc=differentialdesign,dc=org"

rootpw Manager

directory /var/lib/ldap


replica host=node2.differentialdesign.org:389

           suffix="dc=differentialdesign,dc=org"
           binddn="cn=syncuser,dc=differentialdesign,dc=org"
           bindmethod=simple credentials=SyncUser


replogfile /var/lib/ldap/replogfile


access to attrs=userPassword

        by self write
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * auth


access to attrs=sambaLMPassword,sambaNTPassword

        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read


access to *

        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * read


# Indices to maintain

index objectClass eq

index cn pres,sub,eq

index sn pres,sub,eq

index uid pres,sub,eq

index displayName pres,sub,eq

index uidNumber eq

index gidNumber eq

index memberUID eq

index sambaSID eq

index sambaPrimaryGroupSID eq

index sambaDomainName eq

index default sub
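
Added example (not from the page or from OpenLDAP) that evaluates the master ACL above the way slapd does: the first access to clause whose target covers the attribute is selected, and within it the first matching by clause fixes the privilege level; a miss at either level is a denial. It shows why the password attributes stay protected even though the final access to * grants by * read. MASTER_ACL is a constructed copy of the three clauses from section 2.1; dn= entries are matched as exact DNs, and only the * and attrs= targets used on this page are supported.

```python
"""Evaluate slapd 'access to ... by ...' clauses (added example)."""
import shlex

# Constructed copy of the master ACLs from section 2.1.
MASTER_ACL = """
access to attrs=userPassword
        by self write
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * auth

access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read

access to *
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * read
"""

# Privilege levels in increasing order; a granted level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_acls(text):
    """Return [(attrs, [(who, level), ...]), ...]; attrs is None for 'access to *'."""
    clauses = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access to "):
            what = line[len("access to "):].strip()
            if what == "*":
                attrs = None
            elif what.startswith("attrs="):
                attrs = {a.strip().lower() for a in what[len("attrs="):].split(",")}
            else:
                raise ValueError(f"only '*' and 'attrs=' targets are handled: {what}")
            clauses.append((attrs, []))
        elif line.startswith("by ") and clauses:
            # shlex strips the quotes around dn="..." like slapd's parser does.
            _, who, level = shlex.split(line)[:3]
            clauses[-1][1].append((who, level))
    return clauses


def who_matches(who, requester, target_dn):
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester == target_dn
    if who.startswith("dn="):  # treated as an exact DN match in this example
        return requester == who[3:]
    return False


def allowed(clauses, requester, target_dn, attr, need):
    """First 'access to' clause covering attr decides; within it the first
    matching 'by' clause decides. No match at either level means denied."""
    for attrs, bys in clauses:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in bys:
            if who_matches(who, requester, target_dn):
                return LEVELS.index(level) >= LEVELS.index(need)
        return False
    return False


if __name__ == "__main__":
    acl = parse_acls(MASTER_ACL)
    user = "uid=asender,ou=People,ou=Users,dc=differentialdesign,dc=org"
    print("anonymous read userPassword :", allowed(acl, None, user, "userPassword", "read"))
    print("anonymous auth userPassword :", allowed(acl, None, user, "userPassword", "auth"))
    print("anonymous read cn           :", allowed(acl, None, user, "cn", "read"))
```

Because the sambaLMPassword/sambaNTPassword clause has no by * line, anonymous and ordinary users get nothing at all on the NT hashes, which is the behaviour you want for a hash that is password-equivalent on the wire.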




2.1.1: slapd.conf Master syncrepl Openldap2.2


This is the master slapd.conf file; we are using syncrepl instead of slurpd, which is the traditional method.


This configuration file is specifically designed for openldap 2.2 and supports syncrepl refreshOnly mode.


# slapd.conf Master syncrepl Openldap2.2
# Provider


include /etc/openldap/schema/core.schema

include /etc/openldap/schema/cosine.schema

include /etc/openldap/schema/inetorgperson.schema

include /etc/openldap/schema/nis.schema

include /etc/openldap/schema/samba.schema


pidfile /var/run/slapd/slapd.pid

argsfile /var/run/slapd/slapd.args


database bdb

suffix "dc=differentialdesign,dc=org"

rootdn "cn=Manager,dc=differentialdesign,dc=org"

rootpw Manager

directory /var/lib/ldap


access to attrs=userPassword

        by self write
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * auth


access to attrs=sambaLMPassword,sambaNTPassword

        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read


access to *

        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * read


# Indices to maintain

index objectClass eq

index cn pres,sub,eq

index sn pres,sub,eq

index uid pres,sub,eq

index displayName pres,sub,eq

index uidNumber eq

index gidNumber eq

index memberUID eq

index sambaSID eq

index sambaPrimaryGroupSID eq

index sambaDomainName eq

index default sub




2.1.2: slapd.conf Master delta-syncrepl Openldap2.3


This configuration file is designed to support Openldap’s newest features. We will be using delta-syncrepl which supports refreshAndPersist with performance similar to that of slurpd.


The below slapd.conf will only run on Openldap 2.3.


Take note of the "modulepath /usr/lib/openldap2.3" line in the file below; you will need to change this to the directory where syncprov.la is located.



# slapd.conf Master delta syncrepl Openldap2.3
# provider


include /etc/openldap/schema/core.schema

include /etc/openldap/schema/cosine.schema

include /etc/openldap/schema/inetorgperson.schema

include /etc/openldap/schema/nis.schema

include /etc/openldap/schema/samba.schema


modulepath /usr/lib/openldap2.3

moduleload syncprov.la

moduleload accesslog.la


pidfile /var/run/slapd/slapd.pid

argsfile /var/run/slapd/slapd.args


# Accesslog database definitions

database bdb

suffix cn=accesslog

directory /var/lib/ldap/accesslog

rootdn cn=accesslog

index default eq

index entryCSN,objectClass,reqEnd,reqResult,reqStart


overlay syncprov

syncprov-nopresent TRUE

syncprov-reloadhint TRUE


# Samba database

database bdb

suffix "dc=differentialdesign,dc=org"

directory /var/lib/ldap

rootdn "cn=Manager,dc=differentialdesign,dc=org"

rootpw Manager

index entryCSN eq

index entryUUID eq


overlay syncprov

syncprov-checkpoint 1000 60


# accesslog overlay definitions for primary db

overlay accesslog

logdb cn=accesslog

logops writes

logsuccess TRUE

# scan the accesslog DB every day, and purge entries older than 7 days

logpurge 07+00:00 01+00:00


access to attrs=userPassword

        by self write
        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * auth


access to attrs=sambaLMPassword,sambaNTPassword

        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read


access to *

        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" write
        by dn="cn=syncuser,dc=differentialdesign,dc=org" read
        by * read


# Indices to maintain


index objectClass eq

index cn pres,sub,eq

index sn pres,sub,eq

index uid pres,sub,eq

index displayName pres,sub,eq

index uidNumber eq

index gidNumber eq

index memberUID eq

index sambaSID eq

index sambaPrimaryGroupSID eq

index sambaDomainName eq

index default sub



2.2: slapd.conf Slave


This is the original method for replicating the database to slave LDAP servers, seen from the slave side. We are using slurpd, which has been around for a long time and has proven itself to be stable.


This configuration file should work on any version of openldap.


# /etc/openldap/slapd.conf
# using slurpd
# LDAP Slave


include /etc/openldap/schema/core.schema

include /etc/openldap/schema/cosine.schema

include /etc/openldap/schema/inetorgperson.schema

include /etc/openldap/schema/nis.schema

include /etc/openldap/schema/samba.schema


pidfile /var/run/slapd/slapd.pid

argsfile /var/run/slapd/slapd.args


database bdb

suffix "dc=differentialdesign,dc=org"

rootdn "cn=Manager,dc=differentialdesign,dc=org"

rootpw Manager


access to attrs=userPassword

        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write
        by * auth


access to attrs=sambaLMPassword,sambaNTPassword

        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write


access to *

        by dn="cn=syncuser,dc=differentialdesign,dc=org" write
        by * read


updatedn cn=syncuser,dc=differentialdesign,dc=org

updateref ldap://node1.differentialdesign.org


directory /var/lib/ldap


# Indices to maintain

index objectClass eq

index cn pres,sub,eq

index sn pres,sub,eq

index uid pres,sub,eq

index displayName pres,sub,eq

index uidNumber eq

index gidNumber eq

index memberUID eq

index sambaSID eq

index sambaPrimaryGroupSID eq

index sambaDomainName eq

index default sub






2.2.1: slapd.conf Slave syncrepl Openldap2.2


This is the configuration file for openldap version 2.2 using the syncrepl method refreshOnly.


This configuration file will only work with openldap version 2.2


# slapd.conf Slave syncrepl Openldap2.2
# LDAP Consumer


include /etc/openldap/schema/core.schema

include /etc/openldap/schema/cosine.schema

include /etc/openldap/schema/inetorgperson.schema

include /etc/openldap/schema/nis.schema

include /etc/openldap/schema/samba.schema


pidfile /var/run/slapd/slapd.pid

argsfile /var/run/slapd/slapd.args


database bdb

suffix "dc=differentialdesign,dc=org"

rootdn "cn=Manager,dc=differentialdesign,dc=org"

rootpw Manager

directory /var/lib/ldap


syncrepl

   rid=0
       provider=ldap://node1.differentialdesign.org:389
       binddn="cn=syncuser,dc=differentialdesign,dc=org"
       bindmethod=simple
       credentials=SyncUser
       searchbase="dc=differentialdesign,dc=org"
       filter="(objectClass=*)"
       attrs="*"
       schemachecking=off
       scope=sub
       type=refreshOnly
       interval=00:06:00:00 


access to attrs=userPassword

        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write
        by * auth


access to attrs=sambaLMPassword,sambaNTPassword

        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write


access to *

        by dn="cn=syncuser,dc=differentialdesign,dc=org" write
        by * read


# Indices to maintain

index objectClass eq

index cn pres,sub,eq

index sn pres,sub,eq

index uid pres,sub,eq

index displayName pres,sub,eq

index uidNumber eq

index gidNumber eq

index memberUID eq

index sambaSID eq

index sambaPrimaryGroupSID eq

index sambaDomainName eq

index default sub




2.2.2: slapd.conf Slave delta-syncrepl Openldap2.3



# slapd.conf Slave delta-syncrepl Openldap2.3
# LDAP Consumer


include /etc/openldap/schema/core.schema

include /etc/openldap/schema/cosine.schema

include /etc/openldap/schema/inetorgperson.schema

include /etc/openldap/schema/nis.schema

include /etc/openldap/schema/samba.schema


pidfile /var/run/slapd/slapd.pid

argsfile /var/run/slapd/slapd.args


database bdb

suffix "dc=differentialdesign,dc=org"

directory /var/lib/ldap

rootdn "cn=Manager,dc=differentialdesign,dc=org"

rootpw Manager


# syncrepl directives

syncrepl rid=0

       provider=ldap://node1.differentialdesign.org:389
       bindmethod=simple
       binddn="cn=syncuser,dc=differentialdesign,dc=org"
       credentials=SyncUser
       searchbase="dc=differentialdesign,dc=org"
       logbase="cn=accesslog"
       logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
       schemachecking=on
       type=refreshAndPersist
       retry="60 +"
       syncdata=accesslog


access to attrs=userPassword

        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write
        by * auth


access to attrs=sambaLMPassword,sambaNTPassword

        by dn="cn=sambaadmin,dc=differentialdesign,dc=org" read
        by dn="cn=syncuser,dc=differentialdesign,dc=org" write


access to *

        by dn="cn=syncuser,dc=differentialdesign,dc=org" write
        by * read


updateref ldap://node1.differentialdesign.org


# Indices to maintain

index objectClass eq

index cn pres,sub,eq

index sn pres,sub,eq

index uid pres,sub,eq

index displayName pres,sub,eq

index uidNumber eq

index gidNumber eq

index memberUID eq

index sambaSID eq

index sambaPrimaryGroupSID eq

index sambaDomainName eq

index default sub
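
Added example covering the syncrepl directives in 2.2.1 and 2.2.2 and the interval/retry semantics explained in section 2.0; it is example code, not OpenLDAP's. parse_syncrepl splits a directive with slapd.conf quoting, interval_seconds converts dd:hh:mm:ss, retry_delays expands retry="30 10 300 +" into the actual reconnect schedule, and check_consumer runs the consistency checks a practitioner would want: delta-syncrepl needs logbase and logfilter, refreshAndPersist should carry a retry schedule, and a simple bind over plain ldap:// sends the syncuser credentials in clear text. CONSUMER_22 and CONSUMER_23 are constructed copies of the two directives above; starttls= named in the hint is the real syncrepl option.

```python
"""Parse a slapd.conf syncrepl directive and expand its interval/retry policy
(added example)."""
import shlex
from itertools import islice

# Constructed copies of the consumer directives from sections 2.2.1 and 2.2.2.
CONSUMER_22 = """
syncrepl
   rid=0
       provider=ldap://node1.differentialdesign.org:389
       binddn="cn=syncuser,dc=differentialdesign,dc=org"
       bindmethod=simple
       credentials=SyncUser
       searchbase="dc=differentialdesign,dc=org"
       filter="(objectClass=*)"
       attrs="*"
       schemachecking=off
       scope=sub
       type=refreshOnly
       interval=00:06:00:00
"""

CONSUMER_23 = """
syncrepl rid=0
       provider=ldap://node1.differentialdesign.org:389
       bindmethod=simple
       binddn="cn=syncuser,dc=differentialdesign,dc=org"
       credentials=SyncUser
       searchbase="dc=differentialdesign,dc=org"
       logbase="cn=accesslog"
       logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
       schemachecking=on
       type=refreshAndPersist
       retry="60 +"
       syncdata=accesslog
"""


def parse_syncrepl(text):
    """Split the directive with shell-style quoting (slapd.conf allows quoted
    values) and return {key: value}."""
    tokens = shlex.split(text)
    if not tokens or tokens[0] != "syncrepl":
        raise ValueError("not a syncrepl directive")
    params = {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"expected key=value, got {tok!r}")
        params[key] = value
    return params


def interval_seconds(spec):
    """refreshOnly interval=dd:hh:mm:ss -> seconds between polls."""
    d, h, m, s = (int(x) for x in spec.split(":"))
    return ((d * 24 + h) * 60 + m) * 60 + s


def retry_delays(spec):
    """Yield the successive reconnect delays for retry="<interval> <count> ...".
    A count of '+' repeats that interval forever, so the generator may be
    infinite; take what you need with islice."""
    tokens = spec.split()
    if len(tokens) % 2:
        raise ValueError("retry needs <interval> <count> pairs")
    for interval, count in zip(tokens[::2], tokens[1::2]):
        secs = int(interval)
        if count == "+":
            while True:
                yield secs
        for _ in range(int(count)):
            yield secs


def first_delays(spec, n):
    return list(islice(retry_delays(spec), n))


def gives_up(spec):
    """True if the consumer stops retrying after a finite number of attempts."""
    return "+" not in spec.split()


def check_consumer(params):
    """Sanity checks on a parsed consumer directive; returns a list of findings."""
    problems = []
    mode = params.get("type")
    if mode == "refreshOnly" and "interval" not in params:
        problems.append("refreshOnly without interval= (slapd falls back to its built-in poll period)")
    if mode == "refreshAndPersist" and "retry" not in params:
        problems.append("refreshAndPersist without retry=: set one so the consumer reconnects after a provider outage")
    if "retry" in params and gives_up(params["retry"]):
        problems.append("retry schedule is finite; the consumer stops syncing once it is exhausted")
    if params.get("syncdata") == "accesslog":
        for key in ("logbase", "logfilter"):
            if key not in params:
                problems.append(f"delta-syncrepl needs {key}=")
    if params.get("bindmethod") == "simple" and params.get("provider", "").startswith("ldap://") \
            and params.get("starttls") not in ("yes", "critical"):
        problems.append("simple bind over plain ldap:// sends the syncuser password in clear text; use ldaps:// or starttls=yes")
    return problems


if __name__ == "__main__":
    for name, text in (("2.2.1", CONSUMER_22), ("2.2.2", CONSUMER_23)):
        params = parse_syncrepl(text)
        print(name, params["type"], check_consumer(params))
    print("retry 30 10 300 + ->", first_delays("30 10 300 +", 12))
```

Both page directives pass every structural check; the only finding on each is the clear-text bind, which also applies to the rest of this setup (the ldap.conf files set ssl no), so plan for TLS on the replication link when you move it to production.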




2.3: ldap.conf Master


You will notice below in the host option that we list both the primary and the secondary LDAP database servers. This serves as a failover if the local LDAP database is inaccessible. The same applies to the slave configuration in 2.4: ldap.conf Slave.



# /etc/ldap.conf
# LDAP Master


host node1.differentialdesign.org node2.differentialdesign.org

base dc=differentialdesign,dc=org

binddn cn=Manager,dc=differentialdesign,dc=org

bindpw Manager


pam_password exop


nss_base_passwd ou=People,ou=Users,dc=differentialdesign,dc=org?one

nss_base_shadow ou=People,ou=Users,dc=differentialdesign,dc=org?one

nss_base_passwd ou=Computers,ou=Users,dc=differentialdesign,dc=org?one

nss_base_shadow ou=Computers,ou=Users,dc=differentialdesign,dc=org?one

nss_base_group ou=Groups,dc=differentialdesign,dc=org?one

ssl no




2.4: ldap.conf Slave


# /etc/ldap.conf
# LDAP Slave


host node2.differentialdesign.org node1.differentialdesign.org

base dc=differentialdesign,dc=org

binddn cn=Manager,dc=differentialdesign,dc=org

bindpw Manager


pam_password exop


nss_base_passwd ou=People,ou=Users,dc=differentialdesign,dc=org?one

nss_base_shadow ou=People,ou=Users,dc=differentialdesign,dc=org?one

nss_base_passwd ou=Computers,ou=Users,dc=differentialdesign,dc=org?one

nss_base_shadow ou=Computers,ou=Users,dc=differentialdesign,dc=org?one

nss_base_group ou=Groups,dc=differentialdesign,dc=org?one

ssl no





3.0: Initialization LDAP Database


Initial LDAP database population


There are many ways to initialize the LDAP database backend for Samba, and many scripts to help you out; however these take away our control over the initial layout of the database and can lead to issues with database management later.


Once your server is up and running with users on it, the database can not really be manipulated without knowing the full workings of LDAP, so for many of us we are stuck with what we created.


The future of Samba is changing to Active Directory; we keep this in mind when creating the database so it can be an easier upgrade path migrating to Samba4; eventually Samba4 will be able to support OpenLDAP as a modular backend.



3.1: Provisioning Database


We are going to manually create our initial LDAP database in a text file and be confident to use it in a full production environment.


Our LDAP database structure will look like the following if using the preload ldif as per section 3.2 Preload LDIF



|-Samba Base
|---Manager
|------syncuser
|------sambaadmin
|------mailadmin
|---------Users
|-----------People
|-------------------root
|-------------------asender
|-------------------simo
|-----------Computers
|-------------------workstation1$
|-------------------workstation2$
|---------Groups
|-----------Domain Admin
|-------------------root
|-----------Domain Users
|-------------------root
|-------------------asender
|-------------------simo
|-----------Domain Guests
|-------------------nobody
|-----------Domain Computers
|-------------------workstation1$
|-------------------workstation2$
|---------Domains
|-----------sambaDomainName



Step1


Delete all runtime files from prior Samba operation by executing;


[root@node1]# rm /etc/samba/*tdb

[root@node1]# rm /var/lib/samba/*tdb

[root@node1]# rm /var/lib/samba/*dat

[root@node1]# rm /var/log/samba/*


Step2


Delete any previous LDAP database:


[root@node1]# cd /var/lib/ldap

[root@node1]# rm -rf *



Step3


Log in to node2 (the backup domain controller) and do the same.


Step4


[root@node1 ~]# net getlocalsid

SID for domain NODE1 is: S-1-5-21-3809161173-2687474671-1432921517


Your SID will differ from the one above; you will need to alter the preload LDIF accordingly, as described below.


Step5


Log in to your backup domain controller (node2) and type the following command, using the SID obtained in step 4.


[root@node2 ~]# net setlocalsid S-1-5-21-3809161173-2687474671-1432921517




3.2: Preload LDIF


Step1


Create a text file with the following contents.


[root@node1]# vi preload-differentialdesign.ldif


Substitute SID S-1-5-21-3809161173-2687474671-1432921517 with your domain SID; be sure to leave the SID group mapping suffixes (-512, -513, ...) as they are.

Substitute dc=differentialdesign,dc=org with your fully qualified domain name.

Substitute sambaDomainName: DDESIGN with your Samba domain name.


# SAMBA LDAP PRELOAD
#
# Substitute SID S-1-5-21-3809161173-2687474671-1432921517 with your domain SID, be sure
# to leave the SID group mapping.
# Substitute dc=differentialdesign,dc=org with your fully qualified domain name.
# Substitute sambaDomainName: DDESIGN with your Samba Domain Name
#
# The user to bind Samba to LDAP is defined in our smb.conf;
# [root@node1]# smbpasswd -w SambaAdmin
# [root@node2]# smbpasswd -w SambaAdmin
#
# SID S-1-5-21-3809161173-2687474671-1432921517

dn: dc=differentialdesign,dc=org
objectClass: dcObject
objectClass: organization
dc: differentialdesign
o: DDESIGN
description: Posix and Samba LDAP Identity Database

dn: cn=Manager,dc=differentialdesign,dc=org
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: cn=syncuser,dc=differentialdesign,dc=org
objectClass: person
cn: syncuser
sn: syncuser
userPassword: SyncUser

dn: cn=sambaadmin,dc=differentialdesign,dc=org
objectClass: person
cn: sambaadmin
sn: sambaadmin
userPassword: SambaAdmin

dn: cn=mailadmin,dc=differentialdesign,dc=org
objectClass: person
cn: mailadmin
sn: mailadmin
userPassword: MailAdmin

dn: ou=Users,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Users

dn: ou=People,ou=Users,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Computers,ou=Users,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Computers

dn: ou=Groups,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Groups

dn: ou=Domains,dc=differentialdesign,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Domains

dn: sambaDomainName=DDESIGN,ou=Domains,dc=differentialdesign,dc=org
objectClass: sambaDomain
objectClass: sambaUnixIdPool
uidNumber: 1000
gidNumber: 1000
sambaDomainName: DDESIGN
sambaSID: S-1-5-21-3809161173-2687474671-1432921517
sambaAlgorithmicRidBase: 1000
structuralObjectClass: sambaDomain

dn: cn=Domain Admins,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-512
sambaGroupType: 2
displayName: Domain Admins
description: Domain Administrators

dn: cn=Domain Users,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-513
sambaGroupType: 2
displayName: Domain Users
description: Domain Users

dn: cn=Domain Guests,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-514
sambaGroupType: 2
displayName: Domain Guests
description: Domain Guests

dn: cn=Domain Computers,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-515
sambaGroupType: 2
displayName: Domain Computers
description: Domain Computers

dn: cn=Administrators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-544
sambaGroupType: 5
displayName: Administrators
description: Administrators

dn: cn=Account Operators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-548
sambaGroupType: 5
displayName: Account Operators
description: Account Operators

dn: cn=Print Operators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-550
sambaGroupType: 5
displayName: Print Operators
description: Print Operators

dn: cn=Backup Operators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-551
sambaGroupType: 5
displayName: Backup Operators
description: Backup Operators

dn: cn=Replicators,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-552
sambaGroupType: 5
displayName: Replicators
description: Replicators
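The three substitutions asked for above can be scripted, and doing so is also the moment to keep the cleartext userPassword values out of the directory. The Python below is an added example written for this page; it is not code from the original document or from Samba/OpenLDAP. TEMPLATE is a constructed, shortened copy of the preload LDIF above, and the SID, suffix and domain name passed to prepare() are placeholders standing in for your own "net getlocalsid" output and domain. It rewrites the domain SID while leaving the -512/-513 RID suffixes intact, swaps the suffix and sambaDomainName, replaces each userPassword with a salted SHA-1 ({SSHA}) value that slapd verifies on simple bind, and then re-checks every sambaGroupMapping against the new SID.

```python
"""Prepare a Samba preload LDIF for a new domain (added example for this page).

Substitutes domain SID / suffix / sambaDomainName, hashes userPassword values
as {SSHA} and verifies the group mappings.  TEMPLATE is a constructed, shortened
copy of the page's preload LDIF.
"""
import base64
import hashlib
import os
import re

TEMPLATE = """\
dn: dc=differentialdesign,dc=org
objectClass: dcObject
objectClass: organization
dc: differentialdesign
o: DDESIGN

dn: cn=sambaadmin,dc=differentialdesign,dc=org
objectClass: person
cn: sambaadmin
sn: sambaadmin
userPassword: SambaAdmin

dn: sambaDomainName=DDESIGN,ou=Domains,dc=differentialdesign,dc=org
objectClass: sambaDomain
objectClass: sambaUnixIdPool
uidNumber: 1000
gidNumber: 1000
sambaDomainName: DDESIGN
sambaSID: S-1-5-21-3809161173-2687474671-1432921517
sambaAlgorithmicRidBase: 1000

dn: cn=Domain Admins,ou=Groups,dc=differentialdesign,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-512
sambaGroupType: 2
"""

# A domain SID as printed by "net getlocalsid"; group RIDs are appended as "-NNN".
DOMAIN_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+")


def ssha(password, salt=None):
    """RFC 2307 style {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(password, stored):
    """Check a candidate password against an {SSHA} userPassword value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def prepare(template, domain_sid, suffix, domain_name, salt=None):
    """Return the template rewritten for domain_sid / suffix / domain_name."""
    if not DOMAIN_SID_RE.fullmatch(domain_sid):
        raise ValueError("not a domain SID: %r" % domain_sid)
    old_suffix = re.search(r"^dn: (.*)$", template, re.M).group(1)
    old_domain = re.search(r"^sambaDomainName: (\S+)$", template, re.M).group(1)
    first_dc = suffix.split(",")[0].split("=", 1)[1]

    out = template.replace(old_suffix, suffix)
    # The regex matches only the domain part, so "-512" style RIDs survive.
    out = DOMAIN_SID_RE.sub(domain_sid, out)
    out = re.sub(r"\b%s\b" % re.escape(old_domain), domain_name, out)
    out = re.sub(r"^dc: .*$", "dc: " + first_dc, out, flags=re.M)
    out = re.sub(r"^userPassword: (.*)$",
                 lambda m: "userPassword: " + ssha(m.group(1), salt),
                 out, flags=re.M)
    return out


def check_group_sids(ldif, domain_sid):
    """Every sambaGroupMapping must carry sambaSID = <domain SID>-<gidNumber>."""
    problems = []
    for entry in ldif.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name, []).append(value)
        if "sambaGroupMapping" not in attrs.get("objectClass", []):
            continue
        expected = "%s-%s" % (domain_sid, attrs["gidNumber"][0])
        actual = attrs.get("sambaSID", [""])[0]
        if actual != expected:
            problems.append("%s: sambaSID %s, expected %s"
                            % (attrs["dn"][0], actual, expected))
    return problems


if __name__ == "__main__":
    # Placeholder values: use your own "net getlocalsid" output and suffix.
    ldif = prepare(TEMPLATE, "S-1-5-21-111-222-333", "dc=example,dc=net", "EXAMPLE")
    print(ldif)
    print("group mapping problems:", check_group_sids(ldif, "S-1-5-21-111-222-333"))
```

Only the copy stored in the directory changes: the cleartext is still what you give to smbpasswd -w in section 3.3 Step5 and what the consumer's syncrepl credentials use, and slapd compares it against the {SSHA} value on bind.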






3.3: LDAP population


Now it's time to populate the database with the LDIF that we edited to match our domain details in section 3.2: Preload LDIF.



Step1.


Make sure LDAP is not running.


[root@node1]# vi /var/lib/ldap/DB_CONFIG


# DB_CONFIG
set_cachesize 0 150000000 1
set_lg_regionmax 262144
set_lg_bsize 2097152
set_flags DB_LOG_AUTOREMOVE



Step2.


This step is necessary if you are using delta-syncrepl as per section 2.1.2: slapd.conf Master delta-syncrepl Openldap2.3.


Because we are using multiple databases on the provider, it is necessary to place an additional DB_CONFIG file inside the accesslog database directory.


[root@node1]# mkdir /var/lib/ldap/accesslog

[root@node1]# cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog



Step3.


[root@node1]# cd /ldap-scripts/


[root@node1 scripts]# slapadd -b "dc=differentialdesign,dc=org" -v -l preload-differentialdesign.ldif


added: "dc=differentialdesign,dc=org" (00000001)

added: "cn=Manager,dc=differentialdesign,dc=org" (00000002)

added: "cn=syncuser,dc=differentialdesign,dc=org" (00000003)

added: "cn=sambaadmin,dc=differentialdesign,dc=org" (00000004)

added: "cn=mailadmin,dc=differentialdesign,dc=org" (00000005)

added: "ou=Users,dc=differentialdesign,dc=org" (00000006)

added: "ou=People,ou=Users,dc=differentialdesign,dc=org" (00000007)

added: "ou=Computers,ou=Users,dc=differentialdesign,dc=org" (00000008)

added: "ou=Groups,dc=differentialdesign,dc=org" (00000009)

added: "ou=Domains,dc=differentialdesign,dc=org" (0000000a)

added: "sambaDomainName=DDESIGN,ou=Domains,dc=differentialdesign,dc=org" (0000000b)

added: "cn=Domain Admins,ou=Groups,dc=differentialdesign,dc=org" (0000000c)

added: "cn=Domain Users,ou=Groups,dc=differentialdesign,dc=org" (0000000d)

added: "cn=Domain Guests,ou=Groups,dc=differentialdesign,dc=org" (0000000e)

added: "cn=Domain Computers,ou=Groups,dc=differentialdesign,dc=org" (000000f)

added: "cn=Administrators,ou=Groups,dc=differentialdesign,dc=org" (00000010)

added: "cn=Account Operators,ou=Groups,dc=differentialdesign,dc=org" (00000011)

added: "cn=Print Operators,ou=Groups,dc=differentialdesign,dc=org" (00000012)

added: "cn=Backup Operators,ou=Groups,dc=differentialdesign,dc=org" (00000013)

added: "cn=Replicators,ou=Groups,dc=differentialdesign,dc=org" (00000014)


Step4.


[root@node1]# chown -R ldap.ldap /var/lib/ldap


Step5.


The user that Samba binds to LDAP as is defined in our smb.conf; the password we store here is sambaadmin's password as set in preload-differentialdesign.ldif.


The sambaadmin entry in preload-differentialdesign.ldif has the password "SambaAdmin":


dn: cn=sambaadmin,dc=differentialdesign,dc=org
objectClass: person
cn: sambaadmin
sn: sambaadmin
userPassword: SambaAdmin



[root@node1 scripts]# smbpasswd -w SambaAdmin

Setting stored password for "cn=sambaadmin,dc=differentialdesign,dc=org" in secrets.tdb



[root@node1 ~]# service ldap restart

Stopping slapd: [ OK ]

Stopping slurpd: [ OK ]

Checking configuration files for slapd: config file testing succeeded

                                                           [  OK  ]

Starting slapd: [ OK ]

Starting slurpd: [ OK ]


[root@node1 ~]# service smb restart

Shutting down SMB services: [ OK ]

Shutting down NMB services: [ OK ]

Starting SMB services: [ OK ]

Starting NMB services: [ OK ]



Step6.


Add the initial users with the smbldap-tools: skip ahead to section 4.1: smbldap-tools and install them on node1 first.


[root@node1 scripts]# cd /opt/IDEALX/sbin/

[root@node1 sbin]# ./smbldap-useradd -m -a root

[root@node1 sbin]# ./smbldap-passwd root

Changing password for root

New password :

Retype new password


[root@node1 ]# smbpasswd -a root

New SMB password:

Retype new SMB password:

Added user root.



[root@node1 sbin]# ./smbldap-groupmod -m root Domain\ Admins

adding user root to group Domain Admins


[root@node1 ~]# cd /opt/IDEALX/sbin/

[root@node1 sbin]# ./smbldap-useradd -m -a asender

[root@node1 sbin]#


[root@node1 sbin]# ./smbldap-passwd asender

Changing password for asender

New password :

Retype new password :

[root@node1 sbin]#


[root@node1 sbin]# smbpasswd asender

New SMB password:

Retype new SMB password:

[root@node1 sbin]#


[root@node1 sbin]# id asender

uid=1001(asender) gid=513(Domain Users) groups=513(Domain Users)



Step7


You are now ready to join a Windows machine to the domain with the user 'root'.


We will next need to set up our BDC, Heartbeat and DRBD to match our configuration.



3.4: Database Replication


If we choose to use syncrepl instead of the slurpd daemon, as per sections 2.2.1 slapd.conf Slave syncrepl Openldap2.2 and 2.2.2 slapd.conf Slave delta-syncrepl Openldap2.3, there is no need to do this section; the database will be copied across initially when the consumer is restarted.


Step1.


Dump the LDAP database and copy it across to node2.


[root@node1 ~]# slapcat -b "dc=differentialdesign,dc=org" -v -l transfer.ldif


# id=00000001
# id=00000002
# id=00000003
# id=00000004
# id=00000005
# id=00000006
# id=00000007
# id=00000008
# id=00000009
# id=0000000a
# id=0000000b
# id=0000000c
# id=0000000d
# id=0000000e
# id=0000000f
# id=00000010
# id=00000011
# id=00000012
# id=00000013
# id=00000014
# id=00000015
# id=00000017
# id=00000018



[root@node1 ~]# scp transfer.ldif root@node2:/root/



Step2.


Load the dump into the LDAP database on node2.


[root@node2 ~]# slapadd -b "dc=differentialdesign,dc=org" -v -l transfer.ldif


added: "dc=differentialdesign,dc=org" (00000001)

added: "cn=Manager,dc=differentialdesign,dc=org" (00000002)

added: "cn=syncuser,dc=differentialdesign,dc=org" (00000003)

added: "cn=sambaadmin,dc=differentialdesign,dc=org" (00000004)

added: "cn=mailadmin,dc=differentialdesign,dc=org" (00000005)

added: "ou=Users,dc=differentialdesign,dc=org" (00000006)

added: "ou=People,ou=Users,dc=differentialdesign,dc=org" (00000007)

added: "ou=Computers,ou=Users,dc=differentialdesign,dc=org" (00000008)

added: "ou=Groups,dc=differentialdesign,dc=org" (00000009)

added: "ou=Domains,dc=differentialdesign,dc=org" (0000000a)

added: "sambaDomainName=DDESIGN,ou=Domains,dc=differentialdesign,dc=org" (0000000b)

added: "cn=Domain Admins,ou=Groups,dc=differentialdesign,dc=org" (0000000c)

added: "cn=Domain Users,ou=Groups,dc=differentialdesign,dc=org" (0000000d)

added: "cn=Domain Guests,ou=Groups,dc=differentialdesign,dc=org" (0000000e)

added: "cn=Domain Computers,ou=Groups,dc=differentialdesign,dc=org" (000000f)

added: "cn=Administrators,ou=Groups,dc=differentialdesign,dc=org" (00000010)

added: "cn=Account Operators,ou=Groups,dc=differentialdesign,dc=org" (00000011)

added: "cn=Print Operators,ou=Groups,dc=differentialdesign,dc=org" (00000012)

added: "cn=Backup Operators,ou=Groups,dc=differentialdesign,dc=org" (00000013)

added: "cn=Replicators,ou=Groups,dc=differentialdesign,dc=org" (00000014)

added: "uid=root,ou=People,ou=Users,dc=differentialdesign,dc=org" (00000015)

added: "uid=asender,ou=People,ou=Users,dc=differentialdesign,dc=org" (00000016)



Step3.


Make sure the LDAP database is owned by the ldap user.


[root@node2 ~]# chown -R ldap.ldap /var/lib/ldap


Step4.


[root@node1 ~]# service ldap restart

Stopping slapd: [ OK ]

Stopping slurpd: [ OK ]

Checking configuration files for slapd: config file testing succeeded

                                                                       [  OK  ]

Starting slapd: [ OK ]

Starting slurpd: [ OK ]


[root@node1 ~]# service smb restart

Shutting down SMB services: [ OK ]

Shutting down NMB services: [ OK ]

Starting SMB services: [ OK ]

Starting NMB services: [ OK ]


Step5.


Log in to node1, your Primary Domain Controller, and add another user as done in section 3.3 LDAP population, Step6; we will then check replication by logging on to node2 and seeing whether the user exists on that machine.


[root@node1 sbin]# ./smbldap-useradd -m -a testuser

[root@node1 sbin]# ./smbldap-passwd testuser

Changing password for testuser

New password :

Retype new password :

[root@node1 sbin]# smbpasswd testuser

New SMB password:

Retype new SMB password:


[root@node1 sbin]# ssh node2

root@node2's password:


Last login: Mon Dec 18 02:43:33 2006 from 192.168.0.2

[root@node2 ~]# id testuser

uid=1009(testuser) gid=513(Domain Users) groups=513(Domain Users)
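Step5 checks replication with a single `id testuser`. A more thorough check is to slapcat both nodes and compare the dumps. The Python below is an added example for this page, not OpenLDAP code; PROVIDER and CONSUMER are constructed, shortened dumps modelled on the slapcat output above, with the consumer deliberately missing testuser and carrying a stale loginShell for asender. Operational attributes that slurpd does not replicate identically (entryCSN, entryUUID, timestamps) are ignored, so only real content drift is reported; with syncrepl you can remove them from IGNORED, since the consumer then mirrors them too.

```python
"""Compare provider and consumer slapcat dumps (added example for this page).

PROVIDER and CONSUMER are constructed, shortened dumps modelled on the page's
slapcat output; the consumer lacks testuser and has a stale loginShell.
"""
import base64
import re

PROVIDER = """\
# id=00000001
dn: dc=differentialdesign,dc=org
objectClass: dcObject
objectClass: organization
dc: differentialdesign
o: DDESIGN
entryCSN: 20070124231100Z#000001#00#000000

# id=00000015
dn: uid=root,ou=People,ou=Users,dc=differentialdesign,dc=org
objectClass: posixAccount
uid: root
uidNumber: 0
gidNumber: 512
loginShell: /bin/bash
entryCSN: 20070124231105Z#000002#00#000000

# id=00000016
dn: uid=asender,ou=People,ou=Users,dc=differentialdesign,dc=org
objectClass: posixAccount
uid: asender
uidNumber: 1001
gidNumber: 513
loginShell: /bin/bash
description:: U3lzdGVtIFVzZXI=
entryCSN: 20070124231110Z#000003#00#000000

# id=00000017
dn: uid=testuser,ou=People,ou=Users,dc=differentialdesign,dc=org
objectClass: posixAccount
uid: testuser
uidNumber: 1009
gidNumber: 513
loginShell: /bin/bash
entryCSN: 20070124231120Z#000004#00#000000
"""

# Constructed consumer dump: testuser has not arrived, asender's shell is stale,
# and the entryCSN values differ as they do under slurpd.
CONSUMER = PROVIDER.split("# id=00000017")[0].replace(
    "gidNumber: 513\nloginShell: /bin/bash\ndescription",
    "gidNumber: 513\nloginShell: /bin/sh\ndescription").replace("#000000", "#000001")

# Operational attributes that legitimately differ between slurpd replicas.
IGNORED = {"entryCSN", "contextCSN", "entryUUID", "createTimestamp",
           "modifyTimestamp", "creatorsName", "modifiersName"}


def parse_ldif(text):
    """Return {dn: {attr: set(values)}}.  Skips '# id=' comments, unfolds
    continuation lines (leading space) and decodes base64 values ('attr:: ...')."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode()
            attrs.setdefault(name, set()).add(value.strip())
        if "dn" in attrs:
            entries[attrs.pop("dn").pop()] = attrs
    return entries


def diff_dumps(provider_ldif, consumer_ldif, ignore=IGNORED):
    """Report DNs missing on either side and attributes whose values differ."""
    prov, cons = parse_ldif(provider_ldif), parse_ldif(consumer_ldif)
    report = {
        "missing_on_consumer": sorted(set(prov) - set(cons)),
        "extra_on_consumer": sorted(set(cons) - set(prov)),
        "attribute_mismatch": {},
    }
    for dn in set(prov) & set(cons):
        for attr in sorted((set(prov[dn]) | set(cons[dn])) - ignore):
            if prov[dn].get(attr, set()) != cons[dn].get(attr, set()):
                report["attribute_mismatch"].setdefault(dn, []).append(attr)
    return report


def in_sync(report):
    return not (report["missing_on_consumer"] or report["extra_on_consumer"]
                or report["attribute_mismatch"])


if __name__ == "__main__":
    for key, value in diff_dumps(PROVIDER, CONSUMER).items():
        print(key, value)
```

In practice you would feed it the output of `slapcat -b "dc=differentialdesign,dc=org"` run on each node; a non-empty missing_on_consumer list after the replication interval is the signal that slurpd or syncrepl has stalled.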




4.0: User Management



4.1: smbldap-tools


We will not be using the smbldap-tools to populate the database; however, we will use them to manage users and groups once the database has been populated. These scripts allow us to add users and machines using NT tools such as srvtools.exe, and they make it easier to add users on the fly. It is, however, also possible to create an LDIF file to add users to the database.


smbldap-tools give us the advantage of being able to add machine accounts on the fly through the standard Windows domain join. They also let us use srvtools.exe; however, these tools lack the fine control that can only be obtained by adding accounts manually through LDAP.


This configuration has been tested with smbldap-tools-0.9.1-1.


Install smbldap-tools-0.9.1-1 on both nodes; this means we can add users and groups from either the PDC or the BDC as long as the PDC is contactable.


You may need to satisfy any dependencies.




[root@node1 smbldap-tools]# rpm -Uvh smbldap-tools-0.9.1-1.noarch.rpm

   Preparing...                ########################################### [100%]
  1:smbldap-tools          ########################################### [100%]

[root@node1 smbldap-tools]#





[root@node2 smbldap-tools]# rpm -Uvh smbldap-tools-0.9.1-1.noarch.rpm

   Preparing...                ########################################### [100%]
  1:smbldap-tools          ########################################### [100%]

[root@node2 smbldap-tools]#




4.1.1: smbldap.conf Master


Because we did not use smbldap-tools to populate our database, we must configure smbldap.conf manually. This configuration file only applies to smbldap-tools-0.9.1-1; if you are using a different version, alterations will need to be made.


We will need to configure this file to suit our init


# /etc/opt/IDEALX/sbin/smbldap.conf
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
#
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
# Copyright (C) 2001-2002 IDEALX
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
#
# Purpose :
#  . be the configuration file for all smbldap-tools scripts

# General Configuration

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-3809161173-2687474671-1432921517"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="DDESIGN"

# LDAP Configuration

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="192.168.0.3"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify=""

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile=""

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert=""

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey=""

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=differentialdesign,dc=org"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=People,ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,ou=Users,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=DDESIGN,ou=Domains,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format=""

# Unix Accounts Configuration

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/data/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

# SAMBA Configuration

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\192.168.0.4\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\192.168.0.4\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="differentialdesign.org"

# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"
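Because smbldap.conf is written by hand here, nothing checks that it agrees with the directory loaded in section 3.3. The Python below is an added example for this page, not part of smbldap-tools: CONF is a constructed excerpt of the file above, and PRELOAD_DNS, PRELOAD_GROUP_GIDS and PRELOAD_DOMAIN_SID are constructed from the slapadd output and group entries in sections 3.2 and 3.3. It expands ${suffix}, verifies that usersdn, computersdn, groupsdn and sambaUnixIdPooldn name entries that exist and that SID, sambaDomain and the default GIDs match the preload, and reports idmapdn (ou=Idmap is not in the preload; the file's own comment says it is only used on a member server) and ldapTLS=0 as warnings rather than errors.

```python
"""Cross-check a hand-written smbldap.conf against the preloaded directory
(added example for this page, not smbldap-tools code).  CONF and the PRELOAD_*
values are constructed from the page's own listings."""
import re

CONF = """\
# General Configuration
SID="S-1-5-21-3809161173-2687474671-1432921517"
sambaDomain="DDESIGN"
suffix="dc=differentialdesign,dc=org"
usersdn="ou=People,ou=Users,${suffix}"
computersdn="ou=Computers,ou=Users,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=DDESIGN,ou=Domains,${suffix}"
defaultUserGid="513"
defaultComputerGid="515"
ldapTLS="0"
"""

# DNs slapadd reported for the preload LDIF (constructed, shortened list).
PRELOAD_DNS = [
    "dc=differentialdesign,dc=org",
    "ou=Users,dc=differentialdesign,dc=org",
    "ou=People,ou=Users,dc=differentialdesign,dc=org",
    "ou=Computers,ou=Users,dc=differentialdesign,dc=org",
    "ou=Groups,dc=differentialdesign,dc=org",
    "ou=Domains,dc=differentialdesign,dc=org",
    "sambaDomainName=DDESIGN,ou=Domains,dc=differentialdesign,dc=org",
    "cn=Domain Users,ou=Groups,dc=differentialdesign,dc=org",
    "cn=Domain Computers,ou=Groups,dc=differentialdesign,dc=org",
]
# gidNumber of the preloaded groups and the sambaSID of the domain entry.
PRELOAD_GROUP_GIDS = {"Domain Users": 513, "Domain Computers": 515}
PRELOAD_DOMAIN_SID = "S-1-5-21-3809161173-2687474671-1432921517"


def parse_conf(text):
    """Parse key="value" lines and expand ${name} references such as ${suffix}."""
    cfg = {}
    for m in re.finditer(r'^\s*(\w+)\s*=\s*"([^"]*)"', text, re.M):
        cfg[m.group(1)] = m.group(2)
    for key in list(cfg):
        cfg[key] = re.sub(r"\$\{(\w+)\}",
                          lambda m: cfg.get(m.group(1), m.group(0)), cfg[key])
    return cfg


def norm(dn):
    """Normalise a DN for comparison: trim around commas, fold case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def check_conf(cfg, dns, group_gids, domain_sid):
    """Return 'error: ...' and 'warning: ...' findings; empty list means clean."""
    known = {norm(d) for d in dns}
    findings = []
    if cfg.get("SID") != domain_sid:
        findings.append("error: SID does not match the sambaSID of the domain entry")
    for key in ("usersdn", "computersdn", "groupsdn", "sambaUnixIdPooldn"):
        if norm(cfg.get(key, "")) not in known:
            findings.append("error: %s=%s does not exist in the directory"
                            % (key, cfg.get(key)))
    if norm(cfg.get("idmapdn", "")) not in known:
        findings.append("warning: idmapdn=%s does not exist (only needed on a "
                        "domain member server)" % cfg.get("idmapdn"))
    pool = cfg.get("sambaUnixIdPooldn", "").lower()
    if not pool.startswith("sambadomainname=%s," % cfg.get("sambaDomain", "").lower()):
        findings.append("error: sambaUnixIdPooldn does not name sambaDomain=%s"
                        % cfg.get("sambaDomain"))
    for key in ("defaultUserGid", "defaultComputerGid"):
        if int(cfg.get(key, "-1")) not in group_gids.values():
            findings.append("error: %s=%s is not the gidNumber of a preloaded group"
                            % (key, cfg.get(key)))
    if cfg.get("ldapTLS") == "0":
        findings.append("warning: ldapTLS=0, simple binds to a remote LDAP "
                        "server are sent in the clear")
    return findings


if __name__ == "__main__":
    for finding in check_conf(parse_conf(CONF), PRELOAD_DNS,
                              PRELOAD_GROUP_GIDS, PRELOAD_DOMAIN_SID):
        print(finding)
```

Run against the real file and a fresh slapcat, the error lines are the ones that would make smbldap-useradd fail at its first LDAP write; the warnings are judgement calls the page leaves to you.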





4.1.2: smbldap.conf Slave


It is not necessary to install smbldap-tools on the backup domain controller. However, doing so lets you add users from the BDC; the tools direct their updates to the PDC's LDAP database (masterLDAP).



# /etc/opt/IDEALX/sbin/smbldap.conf
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
#
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
# Copyright (C) 2001-2002 IDEALX
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
#
# Purpose :
#  . be the configuration file for all smbldap-tools scripts

# General Configuration

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-3809161173-2687474671-1432921517"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="DDESIGN"

# LDAP Configuration

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="127.0.0.1"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="192.168.0.2"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify=""

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile=""

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert=""

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey=""

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=differentialdesign,dc=org"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=People,ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,ou=Users,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=DDESIGN,ou=Domains,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format=""

# Unix Accounts Configuration

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/data/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

# SAMBA Configuration

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\192.168.0.4\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\192.168.0.4\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="differentialdesign.org"

# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"







5.0: Heartbeat HA Configuration


Heartbeat Configuration

- Node1

- Node2


The heartbeat solution is not needed for domain logons; however in mission critical environments it supports failover if a node becomes unavailable. It provides a heartbeat through a serial and a crossover connection directly connected to each server. A virtual IP is shared by the cluster; we connect to this virtual IP Address when accessing a Samba share.


There are two main versions of heartbeat: version 1.2.3 is limited to a two-node cluster; version 2 can span many machines and can become quite complex. Heartbeat version 2 is, however, backwards compatible with version 1.2.3 configuration files when the "crm no" option is used in the ha.cf configuration file.


You must never mix different versions of heartbeat in a cluster; they must all run the same version. If you do it will create instability and may lead to random rebooting.


If you want to be completely safe I highly recommend using version 1.2.3; for this exercise, however, we will be using heartbeat version 2.


If you are looking for proven stability version 1.2.3 has been used with DRBD for a long time; it is often used in hospitals to store MRI and other data that needs to be readily accessible; currently this is limited to a 2 node cluster.



5.1: Requirements


Get the following RPMs from the http://www.linux-ha.org web site.


Version 1.2.3 has proven rock solid in many mission critical environments.

You may need to satisfy dependencies.


If you chose to install heartbeat version 1.2.3, take note of the configuration file in 4.3 Configuration PDC; it differs slightly.


5.2: Installation


Heartbeat can now be downloaded with YUM; it will download version 2.

Repeat this process on node2 your backup domain controller, so they are both running identical versions of heartbeat.


Install heartbeat on both nodes


[root@node1 programs]# cd heartbeat-1.2.3/

[root@node1 heartbeat-1.2.3]# ls

heartbeat-1.2.3-2.rh.9.i386.rpm

heartbeat-ldirectord-1.2.3-2.rh.9.i386.rpm

heartbeat-pils-1.2.3-2.rh.9.i386.rpm

heartbeat-stonith-1.2.3-2.rh.9.i386.rpm


[root@node1 heartbeat-1.2.3]# rpm -Uvh heartbeat-1.2.3-2.rh.9.i386.rpm heartbeat-ldirectord-1.2.3-2.rh.9.i386.rpm heartbeat-pils-1.2.3-2.rh.9.i386.rpm heartbeat-stonith-1.2.3-2.rh.9.i386.rpm




5.3: Configuration


Heartbeat running as version 1.2.3 is very easy to configure and manage. The newer version 2 is able to support multiple nodes and uses xml type configuration files. If you are using version 2 I recommend running with the “crm no” option, which provides 1.2.3 backwards compatibility.


Just remember to always run the same version of heartbeat on both nodes.


5.3.1: ha.cf


Step1


On node1 login with root account; the ha.cf file needs to be the same on both nodes.


Note:

The option “crm no” in the ha.cf specifies heartbeat version 2 to behave as version 1.2.3; this means it is limited to a 2 node cluster.

If you choose to run version 1.2.3 you will need to comment out or delete the “crm no” in the ha.cf


[root@node1]# cd /etc/ha.d

[root@node1]# vi ha.cf


# /etc/ha.d/ha.cf on node1
# This configuration is to be the same on both machines
# This example is made for version 2, comment out crm if using version 1


keepalive 1

deadtime 5

warntime 3

initdead 20

serial /dev/ttyS0

bcast eth1

auto_failback yes

node node1

node node2

crm no # comment out if using version 1.2.3



Step2.


Copy the ha.cf to node2 so they both have the same configuration file.


[root@node1]# scp /etc/ha.d/ha.cf root@node2:/etc/ha.d/



5.3.2: haresources


The haresources file is called when heartbeat starts. Throughout this document we have used /data as our mount point for the replicated raid1 over LAN.


We use node1, which is the master server, and 192.168.0.4, which is the cluster's virtual IP address; it will be displayed as eth0:0 on the primary node.


You will see drbddisk Filesystem::/dev/drbd0::/data::ext3 - /dev/drbd0 is our DRBD drive. We have chosen to mount our DRBD file system at /data – this is our replication mount point, which we configured in our samba and smbldap-tools configuration.


You can easily make services highly available by adding the appropriate name to the haresources file as specified below with DNS service named.


Step1


[root@node1]# vi haresources


# /etc/ha.d/haresources
# This configuration is to be the same on both nodes


node1 192.168.0.4 drbddisk Filesystem::/dev/drbd0::/data::ext3 named




Step2


Copy the haresources file across to node2 so they are both identical.


[root@node1]# scp /etc/ha.d/haresources root@node2:/etc/ha.d/



5.3.3: authkeys



The method below (crc) provides no security or authentication, so we recommend not using it. If however heartbeat communicates over a private link such as in our case (serial and crossover cable) there is no need to add this additional security.


Step1


[root@node1]# vi authkeys


# /etc/ha.d/authkeys


auth 1

1 crc



The preferred method is to use keyed sha1 hashing to authenticate nodes and their packets, as below.


# /etc/ha.d/authkeys


auth 1

1 sha1 HeartbeatPassword



Step2


Give the authkeys file correct permissions.


[root@node1]# chmod 600 /etc/ha.d/authkeys


Step3


Copy the authkeys file to node2 so they can authenticate with each other.


[root@node1]# scp /etc/ha.d/authkeys root@node2:/etc/ha.d/
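As an added example that is not part of the original page, the following shell script performs the checks an administrator would want before copying authkeys to node2: it reports the crc method as unauthenticated, flags a key file that is not mode 600 (heartbeat refuses to start on one), and generates a random sha1 key in place of a guessable passphrase. It assumes GNU coreutils (stat -c %a, od) on Linux; the three sample files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: sanity-check /etc/ha.d/authkeys before copying it to node2.
# Assumes GNU coreutils (stat -c %a, od) on Linux.

# Print the method selected by the "auth N" line (sha1, md5 or crc).
authkeys_method() {
    awk '$1 == "auth"           { sel = $2; next }
         sel != "" && $1 == sel { print $2 }' "$1"
}

# One-token verdict: ok:<method>, weak-crc, bad-mode:<mode> or no-method.
# crc only detects corruption: any host on the heartbeat link could forge
# packets, so it is acceptable only on a truly private link as on this page.
authkeys_verdict() {
    mode=$(stat -c %a "$1")
    method=$(authkeys_method "$1")
    if [ "$mode" != "600" ]; then
        echo "bad-mode:$mode"      # heartbeat refuses a group/world readable key file
        return
    fi
    case "$method" in
        sha1|md5) echo "ok:$method" ;;
        crc)      echo "weak-crc" ;;
        *)        echo "no-method" ;;
    esac
}

# Emit an authkeys file with a 32-byte random key (64 hex chars) instead of a
# guessable passphrase such as HeartbeatPassword.
authkeys_generate() {
    key=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf 'auth 1\n1 sha1 %s\n' "$key"
}

# Constructed sample files for a stand-alone run.
demo_dir=$(mktemp -d)
printf 'auth 1\n1 crc\n' > "$demo_dir/authkeys.crc"
chmod 600 "$demo_dir/authkeys.crc"
printf 'auth 1\n1 sha1 HeartbeatPassword\n' > "$demo_dir/authkeys.worldreadable"
chmod 644 "$demo_dir/authkeys.worldreadable"
authkeys_generate > "$demo_dir/authkeys.good"
chmod 600 "$demo_dir/authkeys.good"

for f in "$demo_dir"/authkeys.*; do
    printf '%s: %s\n' "$(basename "$f")" "$(authkeys_verdict "$f")"
done
```

On a real node run authkeys_verdict /etc/ha.d/authkeys on both machines before starting heartbeat.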



5.4: Testing


Now that we have heartbeat configured it is time to test ther



Step4.


Login to node2, your backup domain controller, and use exactly the same heartbeat configuration files as on the primary domain controller.



6.0: DRBD


DRBD Configuration

- Primary

- Secondary


DRBD is a kernel module which has the ability to network 2 machines to provide Raid1 over LAN.


It is assumed that we have two identical drives in both machines; all data on this device will be destroyed.


If you are updating your kernel or version of DRBD, make sure DRBD is stopped on both machines.


Never attempt to run different versions of DRBD, this means both machines need the same kernel.


6.1: Requirements


You will need to install the DRBD kernel Module. We will build our own RPM kernel modules so it is optimized for our architecture.


I have tested many different kernels with DRBD; some are not stable, so you will need to check Google to make sure your kernel is compatible with the particular DRBD release. Most of the time this isn’t an issue.


Both of the following kernels are recommended for Fedora Core 4; I have used them with DRBD up to version drbd-0.7.23.


kernel-smp-2.6.14-1.1656_FC4

kernel-smp-2.6.11-1.1369_FC4


Please browse this list http://www.linbit.com/support/drbd-current/ and look for packages available.


Step1


Get a serial cable and connect it to each node's com1 port.


Execute the following; you may see a lot of garbage on the screen.


[root@node1 ~]# cat </dev/ttyS0


Step2


You may have to repeat the below a couple of times in rapid succession to see the output on node1.


[root@node2 ~]# echo hello >/dev/ttyS0



6.2: Installation



Step1


Extract the latest stable version of DRBD.


[root@node1 stable]# tar zxvf drbd-0.7.20.tar.gz


[root@node1 stable]# cd drbd-0.7.20

[root@node1 drbd-0.7.20]#


Step2


It is nice to make your own rpm for your distribution. It makes upgrades seamless.


This will give us an RPM built specifically for our kernel; it may take some time.


[root@node1 drbd-0.7.20]# make

[root@node1 drbd-0.7.20]# make rpm


Step3


[root@node1 drbd-0.7.20]# cd dist/RPMS/i386/

[root@node1 i386]#


[root@node1 i386]# ls

drbd-0.7.20-1.i386.rpm

drbd-debuginfo-0.7.20-1.i386.rpm

drbd-km-2.6.14_1.1656_FC4smp-0.7.20-1.i386.rpm


Step4


We will now install DRBD and our Kernel module which we built earlier.


[root@node1 i386]# rpm -Uvh drbd-0.7.20-1.i386.rpm drbd-debuginfo-0.7.20-1.i386.rpm drbd-km-2.6.14_1.1656_FC4smp-0.7.20-1.i386.rpm



Step5


Login to node 2 the backup domain controller and do the same.



6.3: Configuration


In the example throughout this document we have linked /dev/hdd1 to /dev/drbd0; yours however may be a different device, for example SCSI.


All data on the device /dev/hdd will be destroyed.


Step1


We are going to create the partition /dev/hdd1 on /dev/hdd using fdisk (fdisk is run on the whole disk, not on the partition).


[root@node1]# fdisk /dev/hdd


Command (m for help): m

Command action

  a   toggle a bootable flag
  b   edit bsd disklabel
  c   toggle the dos compatibility flag
  d   delete a partition
  l   list known partition types
  m   print this menu
  n   add a new partition
  o   create a new empty DOS partition table
  p   print the partition table
  q   quit without saving changes
  s   create a new empty Sun disklabel
  t   change a partition's system id
  u   change display/entry units
  v   verify the partition table
  w   write table to disk and exit
  x   extra functionality (experts only)


Command (m for help): d

No partition is defined yet!


Command (m for help): n

Command action

  e   extended
  p   primary partition (1-4)

p

Partition number (1-4): 1

First cylinder (1-8677, default 1):

Using default value 1

Last cylinder or +size or +sizeM or +sizeK (1-8677, default 8677):

Using default value 8677


Command (m for help): w



Step2


Now login to node2 the backup domain controller and run fdisk on /dev/hdd as per above, or on your chosen device.



6.3.1: drbd.conf


Create this file on both your master and slave server. It should be identical, however that is not a requirement: as long as the partition size is the same, any mount point can be used.


Step1


The file below is fairly self explanatory; you can see the real disk linked to the DRBD kernel module device.



[root@node1]# vi /etc/drbd.conf


# Datadrive (/data) /dev/hdd1 80GB


resource drbd1 {

 protocol C;
 disk {
   on-io-error panic;
 }
 net {
   max-buffers 2048;
   ko-count 4;
   on-disconnect reconnect;
 }
 syncer {
   rate 700000;
 }
 on node1 {
   device    /dev/drbd0;
   disk      /dev/hdd1;
   address   10.0.0.1:7789;
   meta-disk internal;
 }
 on node2 {
   device    /dev/drbd0;
   disk      /dev/hdd1;
   address   10.0.0.2:7789;
   meta-disk internal;
 }

}




Step2


[root@node1]# scp /etc/drbd.conf root@node2:/etc/



6.3.2: Initialization


In the following steps we will configure the disks to synchronize and choose a master node.


Step1


On the Primary Domain Controller


[root@node1]# service drbd start


On the Backup Domain Controller


[root@node2]# service drbd start


Step2


[root@node1]# service drbd status


drbd driver loaded OK; device status:

version: 0.7.17 (api:77/proto:74)

SVN Revision: 2093 build by root@node1, 2006-04-23 14:40:20

0: cs:Connected st:Secondary/Secondary ld:Inconsistent

   ns:25127936 nr:3416 dw:23988760 dr:4936449 al:19624 bm:1038 lo:0 pe:0 ua:0 ap:0


You can see both devices are ready and waiting for a Primary to be activated, which will do an initial synchronization to the secondary device.


Step3


Stop the heartbeat service on both nodes.


Step4


We are now telling DRBD to make node1 the primary drive.


[root@node1]# drbdadm -- --do-what-I-say primary all


[root@node1 ~]# service drbd status

drbd driver loaded OK; device status:

version: 0.7.23 (api:79/proto:74)

SVN Revision: 2686 build by root@node1, 2007-01-23 20:26:13

0: cs:SyncSource st:Primary/Secondary ld:Consistent
   ns:67080 nr:85492 dw:91804 dr:72139 al:9 bm:268 lo:0 pe:30 ua:2019 ap:0
       [==>.................] sync'ed: 12.5% (458848/520196)K
       finish: 0:01:44 speed: 4,356 (4,088) K/sec


Step6


Create a filesystem on our RAID devices.


[root@node1]# mkfs.ext3 /dev/drbd0


6.4: Testing


We have a 2 node cluster replicating data; it's time to test a failover.


Step1


Start the heartbeat service on both nodes.


Step2


On node1 we can see the status of DRBD.


[root@node1 ~]# service drbd status

drbd driver loaded OK; device status:

version: 0.7.23 (api:79/proto:74)

0: cs:Connected st:Primary/Secondary ld:Consistent

   ns:1536 nr:0 dw:1372 dr:801 al:4 bm:6 lo:0 pe:0 ua:0 ap:0

[root@node1 ~]#


On node2 we can see the status of DRBD.


[root@node2 ~]# service drbd status

drbd driver loaded OK; device status:

version: 0.7.23 (api:79/proto:74)

SVN Revision: 2686 build by root@node2, 2007-01-23 20:26:03

0: cs:Connected st:Secondary/Primary ld:Consistent

   ns:0 nr:1484 dw:1484 dr:0 al:0 bm:6 lo:0 pe:0 ua:0 ap:0

[root@node2 ~]#


That all looks good; we can see the devices are consistent and ready for use.
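Added example, not from the original page: a shell function that reads the device lines of service drbd status (or /proc/drbd) and prints one verdict per device, so a failover script can tell a device that is safe to mount from one that is still syncing, inconsistent, disconnected from its peer, or Primary on both nodes (split brain). The sample status text is constructed from the outputs shown in this section plus two invented failure cases; the parser also accepts the ro:/ds: fields of DRBD 8 output, which the page does not cover.

```shell
#!/bin/sh
# Added example: classify each DRBD device from "service drbd status" or
# /proc/drbd output so a failover script can refuse to promote or mount an
# unsafe device. Handles 0.7 st:/ld: fields (this page) and DRBD 8 ro:/ds:.

# Read status text from files given as arguments or from stdin; print
# "<minor> <verdict>" per device.
drbd_verdict() {
    awk '
    function flush() {
        if (minor == "") return
        if (cs != "Connected" && cs != "SyncSource" && cs != "SyncTarget")
            v = "disconnected:" cs          # peer unreachable: promoting risks split brain
        else if (st == "Primary/Primary")
            v = "split-brain-risk"          # both nodes writing: data will diverge
        else if (ld ~ /Inconsistent/)
            v = "inconsistent"              # never mount or promote this side
        else if (cs == "SyncSource" || cs == "SyncTarget")
            v = "syncing:" pct
        else if (st == "Primary/Secondary")
            v = "active-primary"
        else if (st == "Secondary/Primary")
            v = "standby"
        else if (st == "Secondary/Secondary")
            v = "ready-no-primary"
        else
            v = "unknown"
        print minor, v
        minor = ""
    }
    /^ *[0-9]+: cs:/ {
        flush()
        minor = $1; sub(/:$/, "", minor)
        cs = $2; sub(/^[a-z]+:/, "", cs)
        st = $3; sub(/^[a-z]+:/, "", st)   # st: in 0.7, ro: in 8.x
        ld = $4; sub(/^[a-z]+:/, "", ld)   # ld: in 0.7, ds: in 8.x
        pct = ""
        next
    }
    /sync.ed:/ { for (i = 1; i <= NF; i++) if ($i ~ /%$/) pct = $i }
    END { flush() }' "$@"
}

# Constructed sample: the outputs shown in this section plus two invented
# failure cases (devices 4 and 5).
drbd_sample_status() {
    cat <<'EOF'
drbd driver loaded OK; device status:
version: 0.7.23 (api:79/proto:74)
0: cs:Connected st:Secondary/Secondary ld:Inconsistent
   ns:25127936 nr:3416 dw:23988760 dr:4936449 al:19624 bm:1038 lo:0 pe:0 ua:0 ap:0
1: cs:SyncSource st:Primary/Secondary ld:Consistent
   ns:67080 nr:85492 dw:91804 dr:72139 al:9 bm:268 lo:0 pe:30 ua:2019 ap:0
       [==>.................] sync'ed: 12.5% (458848/520196)K
       finish: 0:01:44 speed: 4,356 (4,088) K/sec
2: cs:Connected st:Primary/Secondary ld:Consistent
3: cs:Connected st:Secondary/Primary ld:Consistent
4: cs:Connected st:Primary/Primary ld:Consistent
5: cs:WFConnection st:Primary/Unknown ld:Consistent
EOF
}

drbd_sample_status | drbd_verdict    # on a live node: drbd_verdict /proc/drbd
```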


Step3


Now let’s check the mount point we created in the heartbeat haresources file.


We can see heartbeat has successfully mounted /dev/drbd0 on the /data directory; of course your device will not have any data on it yet.


[root@node1 ~]# df -h

Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                       35G   14G   20G  41% /
/dev/hdc1              99M   21M   74M  22% /boot
/dev/shm              506M     0  506M   0% /dev/shm
/dev/drbd0             74G   37G   33G  53% /data

[root@node1 ~]#


Step4


Login to node1 and execute the following command; once heartbeat is stopped it should only take a few seconds to migrate the services to node2.


[root@node1 ~]# service heartbeat stop

Stopping High-Availability services:

                                                          [  OK  ]


[root@node1 ~]# service drbd status

drbd driver loaded OK; device status:

version: 0.7.23 (api:79/proto:74)

SVN Revision: 2686 build by root@node1, 2007-01-23 20:26:13

0: cs:Connected st:Secondary/Primary ld:Consistent

   ns:5616 nr:85492 dw:90944 dr:2162 al:9 bm:260 lo:0 pe:0 ua:0 ap:0


We can see DRBD has changed state to secondary on node1.


Step5


Now let’s check the status of DRBD on node2; we can see it has changed state and become the primary.


[root@node2 ~]# service drbd status

drbd driver loaded OK; device status:

version: 0.7.23 (api:79/proto:74)

SVN Revision: 2686 build by root@node2, 2007-01-23 20:26:03

0: cs:Connected st:Primary/Secondary ld:Consistent
   ns:4 nr:518132 dw:518136 dr:17 al:0 bm:220 lo:0 pe:0 ua:0 ap:0
1: cs:Connected st:Primary/Secondary ld:Consistent
   ns:28 nr:520252 dw:520280 dr:85 al:0 bm:199 lo:0 pe:0 ua:0 ap:0


Check that node2 has mounted the device.


[root@node2 ~]# df -h

Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                       35G   12G   22G  35% /
/dev/hdc1              99M   17M   78M  18% /boot
/dev/shm              506M     0  506M   0% /dev/shm
/dev/hdh1             111G   97G  7.6G  93% /storage
/dev/drbd0             74G   37G   33G  53% /data

[root@node2 ~]#


Step5


Finally start the heartbeat service on node1 and be sure that all processes migrate back.



7.0: BIND DNS


We can use BIND, the Berkeley Internet Name Domain, in a high availability configuration. We can make 2 nodes appear as one: zone files will be stored on a DRBD drive, and if node1 fails node2 can take over and automatically start NAMED.


BIND is able to have its /var/named directory relocated to a more appropriate location such as /data/dnszones; this enables us to provide real time replication of the zone files; the standby node2 will have to have its default directory modified to /data/dnszones.


We have 2 servers, and we will refer to the cluster as cluster.differentialdesign.org. It is assumed that these machines are behind a firewall with NAT and port forwarding to the appropriate ports.


When setting up Domain Names through a registrar you would want 2 separate name servers. It is recommended to setup an additional slave DNS server.


An example may be


Name Server:CLUSTER.DIFFERENTIALDESIGN.ORG  <- Primary Name Server(s)

Name Server:NS1.DIFFERENTIALDESIGN.ORG

Name Server:NS2.DIFFERENTIALDESIGN.ORG



7.1: Configuration


Step1


We will now create a directory on our DRBD drive /data/dnszones.


[root@node1 ~]# mkdir /data/dnszones


Step2


Change the location of the zone files to our replicated drive


[root@node1 ~]# named ?

usage: named [-4|-6] [-c conffile] [-d debuglevel] [-f|-g] [-n number_of_cpus]

            [-p port] [-s] [-t chrootdir] [-u username]
            [-m {usage|trace|record}]
            [-D ]

named: extra command line arguments


[root@node1 ~]# named -t /data/dnszones/


Step3


Copy the default zone files to our new location and set the permissions.


[root@node1 ~]# rsync -avz /var/named/ /data/dnszones/


[root@node1 ~]# chown -R named.named /data/dnszones/



7.1.1: named.conf


It is important that all machines on the network use cluster.differentialdesign.org or its local IP address as their DNS server. This way we can assure correct name resolution.


We will now edit the /etc/named.conf


Take note of the file below: in the allow-transfer block you can see our secondary DNS servers; these are the IP addresses of ns1.differentialdesign.org and ns2.differentialdesign.org.


The named.conf needs to be the same on both node1 and node2; you could manually copy the file over using SCP, or link it to the /data/dnszones directory using a symbolic link.



[root@node1 ~]# vi /etc/named.conf



//

// named.conf for Red Hat caching-nameserver

//


options {

       directory "/data/dnszones";
       dump-file "/data/dnszones/data/cache_dump.db";
       statistics-file "/data/dnszones/data/named_stats.txt";
       /*
        * If there is a firewall between you and nameservers you want
        * to talk to, you might need to uncomment the query-source
        * directive below.  Previous versions of BIND always asked
        * questions using port 53, but BIND 8.1 uses an unprivileged
        * port by default.
        */
        // query-source address * port 53;



       allow-transfer {
               127.0.0.1;              // localhost
               202.161.90.250;               // secondary DNS server for my zone
               202.161.90.251;               // secondary DNS server for my zone


        };



};


//

// a caching only nameserver config

//

controls {

       inet 127.0.0.1 allow { localhost; } keys { rndckey; };

};


zone "." IN {

       type hint;
       file "named.ca";

};


zone "localdomain" IN {

       type master;
       file "localdomain.zone";
       allow-update { none; };

};


zone "localhost" IN {

       type master;
       file "localhost.zone";
       allow-update { none; };

};


zone "0.0.127.in-addr.arpa" IN {

       type master;
       file "named.local";
       allow-update { none; };

};


zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {

       type master;
       file "named.ip6.local";
       allow-update { none; };

};


zone "255.in-addr.arpa" IN {

       type master;
       file "named.broadcast";
       allow-update { none; };

};


zone "0.in-addr.arpa" IN {

       type master;
       file "named.zero";
       allow-update { none; };

};



zone "differentialdesign.org" {

       type master;
       file "/data/dnszones/differentialdesign.org/named.differentialdesign.org.hosts";
       allow-update { none; };

};
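Added example, not the page's own code: two shell checks for the named.conf above. The first extracts the allow-transfer ACL and reports whether zone transfers are restricted to the listed secondaries; the second lists zone files that are not stored under the replicated /data/dnszones directory and so would be missing on node2 after a failover. The sample named.conf is constructed from the page's file plus an invented example.test zone left in /var/named.

```shell
#!/bin/sh
# Added example: two checks for the named.conf used on this cluster.
# Assumes POSIX sed/awk; the sample config is constructed below.

# Print the value of every '<keyword> "<value>";' statement, comments stripped.
named_values() {
    sed 's|//.*||' "$1" | awk -v kw="$2" '
        { for (i = 1; i < NF; i++) if ($i == kw) { v = $(i + 1); gsub(/[";]/, "", v); print v } }'
}

# Print the entries of the allow-transfer ACL, one per line.
named_transfer_acl() {
    sed 's|//.*||' "$1" | tr '\n' ' ' |
        sed -n 's/.*allow-transfer[[:space:]]*{\([^}]*\)}.*/\1/p' |
        tr ';' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' || true
}

# Verdict on zone-transfer exposure: restricted:<n>, open:any, or missing
# (older BIND then falls back to a server default of any).
named_transfer_verdict() {
    acl=$(named_transfer_acl "$1")
    if [ -z "$acl" ]; then echo "missing"; return; fi
    if printf '%s\n' "$acl" | grep -qx 'any'; then echo "open:any"; return; fi
    echo "restricted:$(printf '%s\n' "$acl" | wc -l | tr -d ' ')"
}

# Print every zone file that is NOT under the replicated directory $2; such a
# file exists only on node1, so named on node2 could not load the zone after a failover.
named_unreplicated_files() {
    dir=$(named_values "$1" directory | head -n 1)
    named_values "$1" file | while read -r f; do
        case "$f" in /*) p=$f ;; *) p="$dir/$f" ;; esac   # relative to "directory"
        case "$p" in "$2"/*) ;; *) echo "$p" ;; esac
    done
}

# Constructed sample: the page's named.conf reduced to the relevant parts,
# plus an invented example.test zone left in /var/named by mistake.
demo=$(mktemp -d)
cat > "$demo/named.conf" <<'EOF'
options {
       directory "/data/dnszones";
       allow-transfer {
               127.0.0.1;              // localhost
               202.161.90.250;         // secondary DNS server for my zone
               202.161.90.251;         // secondary DNS server for my zone
       };
};
zone "." IN { type hint; file "named.ca"; };
zone "differentialdesign.org" {
       type master;
       file "/data/dnszones/differentialdesign.org/named.differentialdesign.org.hosts";
       allow-update { none; };
};
zone "example.test" { type master; file "/var/named/example.test.hosts"; };
EOF

echo "zone transfers: $(named_transfer_verdict "$demo/named.conf")"
echo "zone files outside /data/dnszones:"
named_unreplicated_files "$demo/named.conf" /data/dnszones
```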





7.1.2: zone file


In our named.conf file we have the following zone defined:


zone "differentialdesign.org" {

       type master;
       file "/data/dnszones/differentialdesign.org/named.differentialdesign.org.hosts";
       allow-update { none; };

};



We can see the zone file located in /data/dnszones/


Step1.


Create a sub folder where we will store our zone files.


[root@node1 ~]# mkdir /data/dnszones/differentialdesign.org/


Step2.


Create a new file called named.differentialdesign.org.hosts.


[root@node1 ~]# vi /data/dnszones/differentialdesign.org/named.differentialdesign.org.hosts


You will see below that nodes.differentialdesign.org. IN A 192.168.0.4 is an “A record” which points us to the virtual IP address of the cluster. When setting up mapped drives it is best to use the name instead of the IP address.


$TTL 8h

differentialdesign.org. IN SOA cluster.differentialdesign.org. asender.mail.samba.org. (

                       2006211201
                       10800
                       3600
                       3600000
                       86400 )

differentialdesign.org. IN NS cluster.differentialdesign.org.

differentialdesign.org. IN NS ns1.differentialdesign.org.

differentialdesign.org. IN NS ns2.differentialdesign.org.

differentialdesign.org. IN MX 50 mail.differentialdesign.org.

mail.differentialdesign.org. IN A 202.161.90.245

www.differentialdesign.org. IN A 202.161.90.245

cluster.differentialdesign.org. IN A 202.161.90.241

node1.differentialdesign.org. IN A 192.168.0.2

node2.differentialdesign.org. IN A 192.168.0.3

nodes.differentialdesign.org. IN A 192.168.0.4