Samba4/LDAP Backend/Replication With Fedora DS

Latest revision as of 06:19, 25 July 2012

This is no longer an area of active development in Samba4, and is not supported, or expected to be supported

(De)motivation

This page is a guide to setting up Samba4 to use a general purpose LDAP server as the backend. However, this mode of operation is not recommended and is only available to support some esoteric configurations. Even if you provision Samba4 with the LDAP backend, the clients will still communicate with the LDAP service provided by Samba4 on port 389 (this is necessary for correct operation as an Active Directory Domain Controller) and you'll still be forced to use the Active Directory schema. What's more, using the LDAP backend is incompatible with DRS replication. The team is now removing the supporting code. You have been warned.


Overview

This page describes how to set up a Samba 4 replica with Fedora DS 1.2 on Fedora Core 10. Instructions for setting up the Samba 4 master are available here.

This document assumes the following environment:

  • Domain name: example.com
  • Samba master: samba1.example.com
  • Samba replica: samba2.example.com

Installation

Follow this page to install Samba and Fedora DS on the replica.

Configuration

Create /usr/local/samba/etc/smb.conf for the replica:

[globals]
        netbios name    = samba2
        ...

See also this page.

Provisioning Fedora DS

Fix the schema problem as described on this page.

Set up the Fedora DS instance for the replica:

% cd $SRC_DIR/samba/source4
% setup/provision-backend \
--realm=EXAMPLE.COM \
--domain=EXAMPLE \
--server-role='domain controller' \
--ldap-admin-pass=Secret123 \
--ldap-backend-type=fedora-ds

Edit /usr/local/samba/private/ldap/fedorads.inf:

[General]
FullMachineName         = samba2.example.com
SuiteSpotUserID         = nobody
SuiteSpotGroup          = nobody
ServerRoot              = /usr/local/samba/private/ldap

ConfigDirectoryLdapURL  = ldap://samba2.example.com
ConfigDirectoryAdminID  = admin
ConfigDirectoryAdminPwd = Secret123

AdminDomain             = example.com

[slapd]
ServerPort              = 390
ServerIdentifier        = samba4
Suffix                  = DC=example,DC=com

RootDN                  = cn=Directory Manager
RootDNPwd               = Secret123

ldapifilepath           = /usr/local/samba/private/ldap/ldapi

start_server            = 0
install_full_schema     = 0

SchemaFile              = /usr/local/samba/private/ldap/99_ad.ldif
ConfigFile              = /usr/local/samba/private/ldap/fedorads-partitions.ldif

inst_dir                = /usr/local/samba/private/ldap/slapd-samba4
config_dir              = /usr/local/samba/private/ldap/slapd-samba4
schema_dir              = /usr/local/samba/private/ldap/slapd-samba4/schema
lock_dir                = /usr/local/samba/private/ldap/slapd-samba4/lock
log_dir                 = /usr/local/samba/private/ldap/slapd-samba4/logs
run_dir                 = /usr/local/samba/private/ldap/slapd-samba4/logs
db_dir                  = /usr/local/samba/private/ldap/slapd-samba4/db
bak_dir                 = /usr/local/samba/private/ldap/slapd-samba4/bak
tmp_dir                 = /usr/local/samba/private/ldap/slapd-samba4/tmp
ldif_dir                = /usr/local/samba/private/ldap/slapd-samba4/ldif
cert_dir                = /usr/local/samba/private/ldap/slapd-samba4

Execute the following command:

% cd $INSTALL_DIR/private/ldap
% /usr/sbin/setup-ds.pl --file=fedorads.inf

Currently setup-ds.pl doesn't read all of the above parameters properly, so you have to re-enter them.

Starting Fedora DS Replica

Start the Fedora DS replica.

% cd $INSTALL_DIR/private/ldap
% slapd-samba/start-slapd

Configuring Multi-Master Replication

Samba uses 3 databases in Fedora DS, and each requires a separate replication agreement.

Download the mmr.pl script to configure replication:

% mmr.pl \
--host1 samba1.example.com --host2 samba2.example.com --port 390 \
--host1_id 1 --host2_id 2 \
--binddn 'cn=Directory Manager' \
--bindpw Secret123 \
--repmanpw Secret123 \
--base dc=example,dc=com \
--create

% mmr.pl \
--host1 samba1.example.com --host2 samba2.example.com --port 390 \
--host1_id 1 --host2_id 2 \
--binddn 'cn=Directory Manager' \
--bindpw Secret123 \
--repmanpw Secret123 \
--base cn=Configuration,dc=example,dc=com \
--create

% mmr.pl \
--host1 samba1.example.com --host2 samba2.example.com --port 390 \
--host1_id 1 --host2_id 2 \
--binddn 'cn=Directory Manager' \
--bindpw Secret123 \
--repmanpw Secret123 \
--base cn=Schema,cn=Configuration,dc=example,dc=com \
--create

Provisioning Samba

Execute the following on the replica:

% cd $SRC_DIR/samba/source4
% setup/provision --realm=EXAMPLE.COM --domain=EXAMPLE \
--adminpass=Secret123 \
--ldap-backend-type=fedora-ds \
--ldap-backend=ldapi:///usr/local/samba/private/ldap/ldapi \
--partitions-only
Server Role:    domain controller
Hostname:       samba2
NetBIOS Domain: EXAMPLE
DNS Domain:     example.com
DOMAIN SID:     S-1-5-21-3010954269-3145692404-1112636010
Admin password: Secret123

Joining Samba Domain

The DNS must be configured before joining the replica to the domain. See also this page.

Execute this on the replica:

% cd $INSTALL_DIR/bin
% ./net join EXAMPLE BDC -U Administrator --password=Secret123
Joined domain EXAMPLE (S-1-5-21-1030068324-2126043060-2085863383)

Generate a UUID:

% /usr/bin/uuidgen

Create a file containing the following entry:

dn: CN=NTDS Settings,CN=SAMBA2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: applicationSettings
objectClass: nTDSDSA
cn: NTDS Settings
options: 1
showInAdvancedViewOnly: TRUE
systemFlags: 33554432
dMDLocation: CN=Schema,CN=Configuration,DC=example,DC=com
invocationId: <UUID>
msDS-Behavior-Version: 2

Add the entry to Samba master:

% cd $INSTALL_DIR/bin
% ./ldbadd -H ldap://samba1.example.com -p -U Administrator --password=Secret123 <file>
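The three steps above (generate a UUID, write the NTDS Settings entry, add it with ldbadd) are easy to get subtly wrong by hand: a mistyped invocationId or a DN that does not match the replica's name. The script below is an added example, not code from the Samba4 wiki page or the Samba project. It builds the entry from the page's attribute list with the server name, site and domain DN substituted, generates the UUID itself (the equivalent of the /usr/bin/uuidgen step), and runs a few checks before the file is handed to ldbadd. The function and attribute names in the script are mine; the UUID in the usage note is a constructed sample.

```python
import re
import uuid

# Added example, not part of the Samba4 wiki page or the Samba project.
# The attribute list copies the page's NTDS Settings entry; only the server
# name, site, domain DN and invocationId are substituted.
NTDS_TEMPLATE = (
    "dn: CN=NTDS Settings,CN={server},CN=Servers,CN={site},CN=Sites,"
    "CN=Configuration,{domain_dn}\n"
    "objectClass: top\n"
    "objectClass: applicationSettings\n"
    "objectClass: nTDSDSA\n"
    "cn: NTDS Settings\n"
    "options: 1\n"
    "showInAdvancedViewOnly: TRUE\n"
    "systemFlags: 33554432\n"
    "dMDLocation: CN=Schema,CN=Configuration,{domain_dn}\n"
    "invocationId: {invocation_id}\n"
    "msDS-Behavior-Version: 2\n"
)

UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")


def ntds_settings_ldif(server, domain_dn, site="Default-First-Site-Name",
                       invocation_id=None):
    """Build the LDIF for the replica's NTDS Settings object.

    server: the replica's host name used in CN=<server> (e.g. "samba2");
    domain_dn: the domain base DN (e.g. "DC=example,DC=com").
    When invocation_id is None a random UUID is generated, which is what the
    page's /usr/bin/uuidgen step produces.
    """
    if invocation_id is None:
        invocation_id = str(uuid.uuid4())
    invocation_id = invocation_id.strip().lower()
    if not UUID_RE.match(invocation_id):
        raise ValueError("invocationId is not a well-formed UUID: %r" % invocation_id)
    return NTDS_TEMPLATE.format(server=server.upper(), site=site,
                                domain_dn=domain_dn, invocation_id=invocation_id)


def parse_ldif_entry(text):
    """Parse one simple LDIF entry into {attribute: [values]}.

    Sufficient for the entry above: no base64 (::) values and no
    continuation lines are used.
    """
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition(": ")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        attrs.setdefault(name, []).append(value)
    return attrs


def check_ntds_entry(text, known_invocation_ids=()):
    """Return a list of problems to fix before running ldbadd (empty = OK).

    known_invocation_ids are the invocationId values of DCs already in the
    directory; every DC's invocationId must be distinct.
    """
    attrs = parse_ldif_entry(text)
    problems = []
    for required in ("dn", "invocationId", "dMDLocation"):
        if required not in attrs:
            problems.append("missing attribute " + required)
    if "nTDSDSA" not in attrs.get("objectClass", []):
        problems.append("objectClass nTDSDSA missing")
    inv = attrs.get("invocationId", [""])[0].lower()
    if inv in {k.lower() for k in known_invocation_ids}:
        problems.append("invocationId %s already used by another DC" % inv)
    return problems


if __name__ == "__main__":
    # Print the entry; redirect to a file and pass that file to ldbadd as the page shows.
    ldif = ntds_settings_ldif("samba2", "DC=example,DC=com")
    assert check_ntds_entry(ldif) == []
    print(ldif, end="")
```

Run it on the replica, redirect the output to a file, and use that file as the `<file>` argument of the ldbadd command above. Passing the invocationId of the master (read from its own NTDS Settings object) in `known_invocation_ids` catches an accidentally reused UUID before it reaches the directory.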

Starting Samba Replica

Execute this on the replica:

% cd $INSTALL_DIR/sbin
% ./samba -i -M single -d 3

Configuring DNS

The DNS needs to be configured such that it points to both master and replica. See this page.
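The point of this section is that a client must be able to locate the replica through DNS when the master is gone, which means every DC-locator SRV name has to carry a record for each DC. The script below is an added example (not from the Samba4 wiki page or the Samba project) that generates the per-DC A and SRV records for both servers and audits an existing record set for DCs that are missing under some owner name. The owner names are the standard AD DC-locator records; the host names, site name and addresses are constructed to match the page's environment, and the function names are mine.

```python
# Added example, not from the Samba4 wiki page or the Samba project. Owner
# names follow the standard AD DC-locator SRV records; host names, site and
# addresses are constructed to match the page's environment.
SITE = "Default-First-Site-Name"


def dc_srv_records(dcs, site=SITE):
    """Return (owner, port, target) SRV records advertising every DC in dcs.

    Owner names are relative to the zone's $ORIGIN. Role-specific records
    (pdc._msdcs, the GC records) are not generated here because they belong
    to a single DC rather than to every DC.
    """
    ldap_owners = ["_ldap._tcp", "_ldap._tcp.dc._msdcs",
                   "_ldap._tcp.%s._sites" % site,
                   "_ldap._tcp.%s._sites.dc._msdcs" % site]
    krb_owners = ["_kerberos._tcp", "_kerberos._udp", "_kerberos._tcp.dc._msdcs",
                  "_kerberos._tcp.%s._sites" % site,
                  "_kerberos._tcp.%s._sites.dc._msdcs" % site]
    kpasswd_owners = ["_kpasswd._tcp", "_kpasswd._udp"]
    records = []
    for dc in sorted(dcs):
        records += [(o, 389, dc) for o in ldap_owners]
        records += [(o, 88, dc) for o in krb_owners]
        records += [(o, 464, dc) for o in kpasswd_owners]
    return records


def zone_lines(domain, dcs, site=SITE):
    """Render A and SRV records as BIND zone-file lines (priority 0, weight 100)."""
    lines = ["$ORIGIN %s." % domain]
    for dc, ip in sorted(dcs.items()):
        lines.append("%-50s IN A   %s" % (dc, ip))
    for owner, port, target in dc_srv_records(dcs, site):
        lines.append("%-50s IN SRV 0 100 %d %s" % (owner, port, target))
    return lines


def missing_dc_records(records, dcs):
    """Audit: (owner, dc) pairs where a DC is not advertised under an owner.

    A client that resolves an owner name and only gets the master has no way
    to fall back to the replica when the master is down.
    """
    targets = {}
    for owner, _port, target in records:
        targets.setdefault(owner, set()).add(target)
    return sorted((owner, dc) for owner in targets for dc in sorted(dcs)
                  if dc not in targets[owner])


if __name__ == "__main__":
    dcs = {"samba1": "192.168.1.101", "samba2": "192.168.1.102"}  # constructed
    print("\n".join(zone_lines("example.com", dcs)))
```

To audit a zone that was edited by hand, build the `records` list from the SRV lines of that zone and call `missing_dc_records` with both DC names; an empty result means each locator name resolves to both servers.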

Issues

SID Allocation

SIDs are currently allocated by incrementing the nextRid attribute in the domain object, which is replicated across the Fedora DS instances. This can cause a problem if new users or groups are added on multiple Samba instances simultaneously. This issue will be fixed soon by using the DNA Plugin.
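The failure mode here is a duplicate SID: two DCs read the same replicated nextRid, each hands it out, and the single-valued attribute later converges to one writer's value while both objects are already in the directory. The script below is an added example, not code from the Samba4 wiki page or the Samba project. It models the page's allocation scheme and a simplified range-based scheme of the kind the DNA plugin provides (the real plugin negotiates ranges between servers; here they are assigned statically), and includes the audit a defender would run against the directory to find objects that share a SID. The domain SID is the page's sample value; the allocation sequences and DNs are constructed, and the function names are mine.

```python
# Added example, not from the Samba4 wiki page or the Samba project. The
# domain SID is the page's sample value; allocation sequences are constructed.
DOMAIN_SID = "S-1-5-21-3010954269-3145692404-1112636010"


def sid(domain_sid, rid):
    """Object SID = domain SID followed by the RID."""
    return "%s-%d" % (domain_sid, rid)


def naive_allocation(start_rid, requests_per_dc):
    """Model of the page's scheme: read nextRid, hand it out, write nextRid+1.

    requests_per_dc[i] is how many objects DC i creates before replication
    converges. Every DC starts from the same replicated nextRid, so DCs that
    allocate concurrently hand out the same RIDs; after replication the
    single-valued nextRid converges to one writer's value, but the duplicate
    objects are already in the directory.
    """
    handed_out = []
    for n in requests_per_dc:
        local_next_rid = start_rid          # this DC's (stale) copy
        for _ in range(n):
            handed_out.append(local_next_rid)
            local_next_rid += 1
    return handed_out


def ranged_allocation(start_rid, requests_per_dc, range_size=100):
    """Simplified model of DNA-style allocation: each DC owns a disjoint RID
    range, so concurrent allocation cannot collide. Ranges are assigned
    statically here; the real plugin hands them out dynamically.
    """
    handed_out = []
    for dc_index, n in enumerate(requests_per_dc):
        if n > range_size:
            raise ValueError("DC %d exhausted its RID range" % dc_index)
        base = start_rid + dc_index * range_size
        handed_out.extend(range(base, base + n))
    return handed_out


def duplicate_sids(entries):
    """Audit: given (dn, objectSid) pairs read back from the directory, return
    {sid: [dns]} for every SID that belongs to more than one object."""
    by_sid = {}
    for dn, s in entries:
        by_sid.setdefault(s, []).append(dn)
    return {s: dns for s, dns in by_sid.items() if len(dns) > 1}


def _entries_for(rids):
    # Constructed user objects, one per allocated RID.
    return [("CN=user%d,CN=Users,DC=example,DC=com" % i, sid(DOMAIN_SID, r))
            for i, r in enumerate(rids)]


if __name__ == "__main__":
    # Two users created on samba1 and two on samba2 before replication converges.
    print("naive :", duplicate_sids(_entries_for(naive_allocation(1000, [2, 2]))))
    print("ranged:", duplicate_sids(_entries_for(ranged_allocation(1000, [2, 2]))))
```

Feeding `duplicate_sids` with the (dn, objectSid) pairs from an LDAP search over the Users container is a cheap check to run after the replica has been in service for a while: any hit means the nextRid race has already struck and the affected objects need to be re-created with fresh RIDs.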