Samba4/LDAP Backend/Replication With Fedora DS

Revision as of 17:07, 14 August 2009

Overview

This page describes how to set up a Samba 4 replica with Fedora DS 1.2 on Fedora Core 10. Instructions for setting up the Samba 4 master are available here.

This document assumes the following environment:

  • Domain name: example.com
  • Samba master: samba1.example.com
  • Samba replica: samba2.example.com

Installation

Follow this page to install Samba and Fedora DS.

Configuration

Create /usr/local/samba/etc/smb.conf for the replica:

[globals]
        netbios name    = samba2
        ...

See also Fedora DS Configuration.

Provisioning Fedora DS

Set up a Fedora DS instance for the replica:

% cd $SRC_DIR/samba/source4
% setup/provision-backend --realm=EXAMPLE.COM --domain=EXAMPLE --server-role='domain controller' \
--ldap-admin-pass=Secret123 --ldap-backend-type=fedora-ds

Edit /usr/local/samba/private/ldap/fedorads.inf:

[General]
FullMachineName         = samba2.example.com
SuiteSpotUserID         = nobody
SuiteSpotGroup          = nobody
ServerRoot              = /usr/local/samba/private/ldap

ConfigDirectoryLdapURL  = ldap://samba2.example.com
ConfigDirectoryAdminID  = admin
ConfigDirectoryAdminPwd = Secret123

AdminDomain             = example.com

[slapd]
ServerPort              = 390
ServerIdentifier        = samba4
Suffix                  = DC=example,DC=com

RootDN                  = cn=Directory Manager
RootDNPwd               = Secret123

ldapifilepath           = /usr/local/samba/private/ldap/ldapi

start_server            = 0
install_full_schema     = 0

SchemaFile              = /usr/local/samba/private/ldap/99_ad.ldif
ConfigFile              = /usr/local/samba/private/ldap/fedorads-partitions.ldif

inst_dir                = /usr/local/samba/private/ldap/slapd-samba4
config_dir              = /usr/local/samba/private/ldap/slapd-samba4
schema_dir              = /usr/local/samba/private/ldap/slapd-samba4/schema
lock_dir                = /usr/local/samba/private/ldap/slapd-samba4/lock
log_dir                 = /usr/local/samba/private/ldap/slapd-samba4/logs
run_dir                 = /usr/local/samba/private/ldap/slapd-samba4/logs
db_dir                  = /usr/local/samba/private/ldap/slapd-samba4/db
bak_dir                 = /usr/local/samba/private/ldap/slapd-samba4/bak
tmp_dir                 = /usr/local/samba/private/ldap/slapd-samba4/tmp
ldif_dir                = /usr/local/samba/private/ldap/slapd-samba4/ldif
cert_dir                = /usr/local/samba/private/ldap/slapd-samba4

Create the instance from that file:

% cd /usr/local/samba/private/ldap
% /usr/sbin/setup-ds.pl --file=fedorads.inf

Starting Fedora DS

% cd /usr/local/samba/private/ldap
% slapd-samba4/start-slapd

Configuring Multi-Master Replication

Samba uses three databases in Fedora DS (the domain, Configuration and Schema partitions). Each requires its own replication agreement.

Download the mmr.pl script to configure MMR, and run it once per partition:

% mmr.pl \
--host1 samba1.example.com --host2 samba2.example.com --port 390 \
--host1_id 1 --host2_id 2 \
--binddn 'cn=Directory Manager' \
--bindpw Secret123 \
--repmanpw Secret123 \
--base dc=example,dc=com \
--create

% mmr.pl \
--host1 samba1.example.com --host2 samba2.example.com --port 390 \
--host1_id 1 --host2_id 2 \
--binddn 'cn=Directory Manager' \
--bindpw Secret123 \
--repmanpw Secret123 \
--base cn=Configuration,dc=example,dc=com \
--create

% mmr.pl \
--host1 samba1.example.com --host2 samba2.example.com --port 390 \
--host1_id 1 --host2_id 2 \
--binddn 'cn=Directory Manager' \
--bindpw Secret123 \
--repmanpw Secret123 \
--base cn=Schema,cn=Configuration,dc=example,dc=com \
--create

Provisioning Samba

% setup/provision --realm=EXAMPLE.COM --domain=EXAMPLE \
--adminpass=Secret123 \
--ldap-backend-type=fedora-ds \
--ldap-backend=ldapi:///usr/local/samba/private/ldap/ldapi \
--partitions-only
Server Role:    domain controller
Hostname:       samba2
NetBIOS Domain: EXAMPLE
DNS Domain:     example.com
DOMAIN SID:     S-1-5-21-3010954269-3145692404-1112636010
Admin password: Secret123

Joining Samba Domain

% cd /usr/local/samba/bin
% net join EXAMPLE BDC -U Administrator --password=Secret123
Joined domain EXAMPLE (S-1-5-21-1030068324-2126043060-2085863383)

Generate a UUID to use as the invocationId:

% uuidgen

Create a file containing the following entry, replacing <UUID> with the generated value:

dn: CN=NTDS Settings,CN=SAMBA2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: applicationSettings
objectClass: nTDSDSA
cn: NTDS Settings
options: 1
showInAdvancedViewOnly: TRUE
systemFlags: 33554432
dMDLocation: CN=Schema,CN=Configuration,DC=example,DC=com
invocationId: <UUID>
msDS-Behavior-Version: 2

Add the entry to Samba master:

% cd /usr/local/samba/bin
% ./ldbadd -H ldap://samba1.example.com -p -U Administrator --password=Secret123 <file>
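The NTDS Settings entry above is easy to get wrong by hand (a stale <UUID> placeholder, a server CN that does not match the NetBIOS name, a comma in a name that breaks the DN). The following is an added example, not code from the page or from the Samba project, that renders the entry for a given replica name with the invocationId generated or validated, so the resulting LDIF can be fed to ldbadd as shown above. The domain DN and site name are assumptions matching the page's example environment.

```python
import re
import uuid

# Constructed values matching the page's environment; nothing here is read
# from a live directory.
DOMAIN_DN = "DC=example,DC=com"
DEFAULT_SITE = "Default-First-Site-Name"

# uuidgen output: 8-4-4-4-12 lowercase hex, which is what invocationId expects.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# A NetBIOS-style server name: letters, digits, hyphen, at most 15 characters.
# Rejecting anything else keeps commas, '=' and other DN metacharacters out
# of the DN we build.
SERVER_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")


def is_valid_invocation_id(value):
    return bool(UUID_RE.match(value))


def is_safe_server_name(server):
    return bool(SERVER_RE.match(server))


def ntds_settings_dn(server, domain_dn=DOMAIN_DN, site=DEFAULT_SITE):
    """DN of the server's NTDS Settings object in the Configuration partition."""
    if not is_safe_server_name(server):
        raise ValueError(f"unsafe server name for a DN: {server!r}")
    return (f"CN=NTDS Settings,CN={server.upper()},CN=Servers,CN={site},"
            f"CN=Sites,CN=Configuration,{domain_dn}")


def ntds_settings_ldif(server, invocation_id=None, domain_dn=DOMAIN_DN,
                       site=DEFAULT_SITE):
    """Render the entry from the page as LDIF text with invocationId filled in.

    invocation_id defaults to a fresh random UUID (the equivalent of running
    `uuidgen`); an explicit value is validated so the literal placeholder
    '<UUID>' or a mistyped id cannot end up in the directory."""
    if invocation_id is None:
        invocation_id = str(uuid.uuid4())
    if not is_valid_invocation_id(invocation_id):
        raise ValueError(f"invocationId is not a lowercase UUID: {invocation_id!r}")
    attrs = [
        ("dn", ntds_settings_dn(server, domain_dn, site)),
        ("objectClass", "top"),
        ("objectClass", "applicationSettings"),
        ("objectClass", "nTDSDSA"),
        ("cn", "NTDS Settings"),
        ("options", "1"),
        ("showInAdvancedViewOnly", "TRUE"),
        ("systemFlags", "33554432"),
        ("dMDLocation", f"CN=Schema,CN=Configuration,{domain_dn}"),
        ("invocationId", invocation_id),
        ("msDS-Behavior-Version", "2"),
    ]
    return "".join(f"{key}: {value}\n" for key, value in attrs)


if __name__ == "__main__":
    import sys
    # Usage: python ntds_entry.py samba2 > ntds.ldif   (hypothetical file name)
    server = sys.argv[1] if len(sys.argv) > 1 else "samba2"
    sys.stdout.write(ntds_settings_ldif(server))
```

Redirect the output to a file and pass that file to ldbadd exactly as in the command above. The server name is upper-cased because the CN of the server object created by `net join` is the NetBIOS name.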

Starting Samba Replica

% cd /usr/local/samba/sbin
% ./samba -i -M single -d 3

DNS

DNS needs to be configured so that it points to both the master and the replica; if the master fails, clients can then locate the replica automatically through the SRV records.

$ORIGIN example.com.
$TTL 1W
@               IN SOA  example.com. root.example.com. (
                                2009070913   ; serial
                                2D           ; refresh
                                4H           ; retry
                                6W           ; expiry
                                1W )         ; minimum
                IN NS   dns2

                IN A    192.168.1.101
                IN A    192.168.1.102

dns2            IN A    192.168.1.100
samba1          IN A    192.168.1.101
samba2          IN A    192.168.1.102

gc._msdcs       IN CNAME        samba1
ff3b280e-6caa-11de-ab0a-e44b8f038cdc._msdcs     IN CNAME        samba1

_gc._tcp        IN SRV 0 100 3268       samba1
_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268       samba1

_ldap._tcp.gc._msdcs    IN SRV 0 100 389        samba1
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs     IN SRV 0 100 389 samba1

_ldap._tcp              IN SRV 0 100 389        samba1
_ldap._tcp              IN SRV 0 100 389        samba2

_ldap._tcp.dc._msdcs    IN SRV 0 100 389        samba1
_ldap._tcp.dc._msdcs    IN SRV 0 100 389        samba2

_ldap._tcp.pdc._msdcs   IN SRV 0 100 389        samba1

_ldap._tcp.ff3b2587-6caa-11de-ab0a-e44b8f038cdc IN SRV 0 100 389        samba1
_ldap._tcp.ff3b2587-6caa-11de-ab0a-e44b8f038cdc IN SRV 0 100 389        samba2

_ldap._tcp.ff3b2587-6caa-11de-ab0a-e44b8f038cdc.domains._msdcs          IN SRV 0 100 389 samba1
_ldap._tcp.ff3b2587-6caa-11de-ab0a-e44b8f038cdc.domains._msdcs          IN SRV 0 100 389 samba2

_ldap._tcp.Default-First-Site-Name._sites               IN SRV 0 100 389 samba1
_ldap._tcp.Default-First-Site-Name._sites               IN SRV 0 100 389 samba2

_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs     IN SRV 0 100 389 samba1
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs     IN SRV 0 100 389 samba2

_kerberos._tcp          IN SRV 0 100 88         samba1
_kerberos._tcp          IN SRV 0 100 88         samba2

_kerberos._tcp.dc._msdcs        IN SRV 0 100 88 samba1
_kerberos._tcp.dc._msdcs        IN SRV 0 100 88 samba2

_kerberos._tcp.Default-First-Site-Name._sites   IN SRV 0 100 88 samba1
_kerberos._tcp.Default-First-Site-Name._sites   IN SRV 0 100 88 samba2

_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 samba1
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 samba2

_kerberos._udp          IN SRV 0 100 88         samba1
_kerberos._udp          IN SRV 0 100 88         samba2

_kerberos-master._tcp           IN SRV 0 100 88         samba1
_kerberos-master._tcp           IN SRV 0 100 88         samba2

_kerberos-master._udp           IN SRV 0 100 88         samba1
_kerberos-master._udp           IN SRV 0 100 88         samba2

_kpasswd._tcp           IN SRV 0 100 464        samba1
_kpasswd._tcp           IN SRV 0 100 464        samba2

_kpasswd._udp           IN SRV 0 100 464        samba1
_kpasswd._udp           IN SRV 0 100 464        samba2

_kerberos               IN TXT  EXAMPLE.COM
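A zone this long is easy to leave inconsistent: one SRV name still pointing only at samba1, or a target with no A record. The following is an added example, not code from the page or the Samba project, that parses a zone in the format above and reports every SRV name that fails to advertise all domain controllers, skipping names that legitimately list a subset (the PDC emulator and global catalog records), plus any SRV target lacking an A record. The embedded zone is a constructed excerpt of the page's zone in which `_kerberos._tcp` deliberately names only samba1 so the check has something to report; owner-less apex records are ignored by the parser.

```python
import re

# Constructed excerpt of the page's zone (not the full zone). _kerberos._tcp is
# intentionally missing samba2 so that missing_dc_coverage() reports it.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 1W
@               IN SOA  example.com. root.example.com. (
                                2009070913   ; serial
                                2D           ; refresh
                                4H           ; retry
                                6W           ; expiry
                                1W )         ; minimum
                IN NS   dns2
dns2            IN A    192.168.1.100
samba1          IN A    192.168.1.101
samba2          IN A    192.168.1.102
gc._msdcs       IN CNAME        samba1
_gc._tcp        IN SRV 0 100 3268       samba1
_ldap._tcp              IN SRV 0 100 389        samba1
_ldap._tcp              IN SRV 0 100 389        samba2
_ldap._tcp.dc._msdcs    IN SRV 0 100 389        samba1.example.com.
_ldap._tcp.dc._msdcs    IN SRV 0 100 389        samba2.example.com.
_ldap._tcp.pdc._msdcs   IN SRV 0 100 389        samba1
_kerberos._tcp          IN SRV 0 100 88         samba1
_kerberos._udp          IN SRV 0 100 88         samba1
_kerberos._udp          IN SRV 0 100 88         samba2
_kpasswd._tcp           IN SRV 0 100 464        samba1
_kpasswd._tcp           IN SRV 0 100 464        samba2
"""

ORIGIN_RE = re.compile(r"^\$ORIGIN\s+(\S+)")
SRV_RE = re.compile(r"^(\S+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
A_RE = re.compile(r"^(\S+)\s+IN\s+A\s+(\S+)$")

# SRV owners that legitimately name a subset of DCs: the PDC emulator is a
# single FSMO role and global-catalog records only list DCs hosting the GC.
ROLE_SPECIFIC_SUFFIXES = ("pdc._msdcs", "gc._msdcs")


def _relative(name, origin):
    """Reduce an absolute name under the zone origin to its relative form."""
    if name.endswith("."):
        if origin and name.endswith("." + origin):
            return name[: -(len(origin) + 1)]
        return name.rstrip(".")
    return name


def parse_zone(zone_text):
    """Return (srv, addr): srv maps owner -> [(prio, weight, port, target)],
    addr maps owner -> [ip]. Comments, the SOA block and owner-less apex
    records are ignored."""
    origin, srv, addr = "", {}, {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        m = ORIGIN_RE.match(line)
        if m:
            origin = m.group(1)
            continue
        m = SRV_RE.match(line)
        if m:
            owner, prio, weight, port, target = m.groups()
            srv.setdefault(owner, []).append(
                (int(prio), int(weight), int(port), _relative(target, origin)))
            continue
        m = A_RE.match(line)
        if m:
            addr.setdefault(m.group(1), []).append(m.group(2))
    return srv, addr


def is_role_specific(owner):
    return owner.startswith("_gc._tcp") or owner.endswith(ROLE_SPECIFIC_SUFFIXES)


def missing_dc_coverage(zone_text, dcs):
    """SRV names that should advertise every DC but do not:
    sorted [(owner, [missing_dc, ...])]."""
    srv, _ = parse_zone(zone_text)
    gaps = []
    for owner in sorted(srv):
        if is_role_specific(owner):
            continue
        targets = {target for _, _, _, target in srv[owner]}
        missing = sorted(set(dcs) - targets)
        if missing:
            gaps.append((owner, missing))
    return gaps


def dangling_srv_targets(zone_text):
    """SRV targets with no A record in this zone: a DC advertised here
    could not actually be reached by clients."""
    srv, addr = parse_zone(zone_text)
    targets = {target for rrs in srv.values() for _, _, _, target in rrs}
    return sorted(target for target in targets if target not in addr)


if __name__ == "__main__":
    for owner, missing in missing_dc_coverage(SAMPLE_ZONE, ["samba1", "samba2"]):
        print(f"{owner}: not advertising {', '.join(missing)}")
    for target in dangling_srv_targets(SAMPLE_ZONE):
        print(f"SRV target without A record: {target}")
```

Run it against the real zone file instead of the embedded sample after every change to the DC set; the point of the master/replica split is lost if a client's locator query for `_ldap._tcp` or `_kerberos._tcp` still returns only the master.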

See also DNS.