Difference between revisions of "Samba4/LDAP Backend/Replication With Fedora DS"
(→Provisioning Samba)
(explain that this is no longer relevant)
(7 intermediate revisions by one other user not shown)
Latest revision as of 06:19, 25 July 2012
This is no longer an area of active development in Samba4, and is not supported, or expected to be supported
(De)motivation
This page is a guide to setting up Samba4 to use a general purpose LDAP server as the backend. However, this mode of operation is not recommended and is only available to support some esoteric configurations. Even if you provision Samba4 with the LDAP backend, the clients will still communicate with the LDAP service provided by Samba4 on port 389 (this is necessary for correct operation as an Active Directory Domain Controller) and you'll still be forced to use the Active Directory schema. What's more, using the LDAP backend is incompatible with DRS replication. The team is now removing the supporting code. You have been warned.
Overview
This page describes how to set up a Samba 4 replica with Fedora DS 1.2 on Fedora Core 10. Instructions for setting up the Samba 4 master are available here.
This document assumes the following environment:
- Domain name: example.com
- Samba master: samba1.example.com
- Samba replica: samba2.example.com
Installation
Follow this page to install Samba and Fedora DS on the replica.
Configuration
Create /usr/local/samba/etc/smb.conf for the replica:
<pre>
[globals]
netbios name = samba2
...
</pre>
See also this page.
Provisioning Fedora DS
Fix the schema problem as described in this page.
Set up the Fedora DS instance for the replica:
<pre>
% cd $SRC_DIR/samba/source4
% setup/provision-backend \
    --realm=EXAMPLE.COM \
    --domain=EXAMPLE \
    --server-role='domain controller' \
    --ldap-admin-pass=Secret123 \
    --ldap-backend-type=fedora-ds
</pre>
Edit /usr/local/samba/private/ldap/fedorads.inf:
<pre>
[General]
FullMachineName = samba2.example.com
SuiteSpotUserID = nobody
SuiteSpotGroup = nobody
ServerRoot = /usr/local/samba/private/ldap
ConfigDirectoryLdapURL = ldap://samba2.example.com
ConfigDirectoryAdminID = admin
ConfigDirectoryAdminPwd = Secret123
AdminDomain = example.com

[slapd]
ServerPort = 390
ServerIdentifier = samba4
Suffix = DC=example,DC=com
RootDN = cn=Directory Manager
RootDNPwd = Secret123
ldapifilepath = /usr/local/samba/private/ldap/ldapi
start_server = 0
install_full_schema = 0
SchemaFile = /usr/local/samba/private/ldap/99_ad.ldif
ConfigFile = /usr/local/samba/private/ldap/fedorads-partitions.ldif
inst_dir = /usr/local/samba/private/ldap/slapd-samba4
config_dir = /usr/local/samba/private/ldap/slapd-samba4
schema_dir = /usr/local/samba/private/ldap/slapd-samba4/schema
lock_dir = /usr/local/samba/private/ldap/slapd-samba4/lock
log_dir = /usr/local/samba/private/ldap/slapd-samba4/logs
run_dir = /usr/local/samba/private/ldap/slapd-samba4/logs
db_dir = /usr/local/samba/private/ldap/slapd-samba4/db
bak_dir = /usr/local/samba/private/ldap/slapd-samba4/bak
tmp_dir = /usr/local/samba/private/ldap/slapd-samba4/tmp
ldif_dir = /usr/local/samba/private/ldap/slapd-samba4/ldif
cert_dir = /usr/local/samba/private/ldap/slapd-samba4
</pre>
Execute the following command:
<pre>
% cd $INSTALL_DIR/private/ldap
% /usr/sbin/setup-ds.pl --file=fedorads.inf
</pre>
Currently the script doesn't read all of the above parameters properly, so you have to re-enter them.
Starting Fedora DS Replica
Start the Fedora DS replica.
<pre>
% cd $INSTALL_DIR/private/ldap
% slapd-samba/start-slapd
</pre>
Configuring Multi-Master Replication
Samba uses 3 databases in Fedora DS. They require separate replication agreements.
Download the mmr.pl script to configure replication:
<pre>
% mmr.pl \
    --host1 samba1.example.com --host2 samba2.example.com --port 390 \
    --host1_id 1 --host2_id 2 \
    --binddn 'cn=Directory Manager' \
    --bindpw Secret123 \
    --repmanpw Secret123 \
    --base dc=example,dc=com \
    --create
% mmr.pl \
    --host1 samba1.example.com --host2 samba2.example.com --port 390 \
    --host1_id 1 --host2_id 2 \
    --binddn 'cn=Directory Manager' \
    --bindpw Secret123 \
    --repmanpw Secret123 \
    --base cn=Configuration,dc=example,dc=com \
    --create
% mmr.pl \
    --host1 samba1.example.com --host2 samba2.example.com --port 390 \
    --host1_id 1 --host2_id 2 \
    --binddn 'cn=Directory Manager' \
    --bindpw Secret123 \
    --repmanpw Secret123 \
    --base cn=Schema,cn=Configuration,dc=example,dc=com \
    --create
</pre>
Provisioning Samba
Execute the following on the replica:
<pre>
% cd $SRC_DIR/samba/source4
% setup/provision --realm=EXAMPLE.COM --domain=EXAMPLE \
    --adminpass=Secret123 \
    --ldap-backend-type=fedora-ds \
    --ldap-backend=ldapi:///usr/local/samba/private/ldap/ldapi \
    --partitions-only
</pre>
<pre>
Server Role:    domain controller
Hostname:       samba2
NetBIOS Domain: EXAMPLE
DNS Domain:     example.com
DOMAIN SID:     S-1-5-21-3010954269-3145692404-1112636010
Admin password: Secret123
</pre>
Joining Samba Domain
The DNS must be configured before joining the replica to the domain. See also this page.
Execute this on the replica:
<pre>
% cd $INSTALL_DIR/bin
% ./net join EXAMPLE BDC -U Administrator --password=Secret123
</pre>
<pre>
Joined domain EXAMPLE (S-1-5-21-1030068324-2126043060-2085863383)
</pre>
Generate UUID:
<pre>
% /usr/bin/uuidgen
</pre>
Create a file containing the following entry:
<pre>
dn: CN=NTDS Settings,CN=SAMBA2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: applicationSettings
objectClass: nTDSDSA
cn: NTDS Settings
options: 1
showInAdvancedViewOnly: TRUE
systemFlags: 33554432
dMDLocation: CN=Schema,CN=Configuration,DC=example,DC=com
invocationId: <UUID>
msDS-Behavior-Version: 2
</pre>
Add the entry to the Samba master:
<pre>
% cd $INSTALL_DIR/bin
% ./ldbadd -H ldap://samba1.example.com -p -U Administrator --password=Secret123 <file>
</pre>
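The three manual steps above (generate a UUID, write the entry, feed it to ldbadd) are easy to get wrong by hand, most often by leaving the literal <UUID> placeholder in the file or by mistyping the DN. The following script is an added example, not part of this wiki page or of Samba itself: it templates the same nTDSDSA entry from the replica's NetBIOS name and DNS domain, fills invocationId from Python's uuid4(), and checks the result before you pass it to ldbadd. The function names, the dns_to_dn() derivation and the checks are this example's own.

```python
"""Build and sanity-check the replica's 'NTDS Settings' LDIF entry.

Added example, not Samba code: it only reproduces the entry shown on the
page, with the DN and dMDLocation derived from the DNS domain and a fresh
invocationId. Run it with no arguments to print the entry for samba2.
"""
import re
import uuid

# RFC 4122 textual form (uuidgen and uuid4() both emit this shape).
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def dns_to_dn(dns_domain):
    """Map a DNS domain to its AD domain DN: example.com -> DC=example,DC=com."""
    labels = [label for label in dns_domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty DNS domain")
    return ",".join("DC=%s" % label for label in labels)


def build_ntds_settings(netbios_name, dns_domain,
                        site="Default-First-Site-Name", invocation_id=None):
    """Return the LDIF text of the nTDSDSA object for one server.

    The server's CN under CN=Servers is its NetBIOS name in upper case, as in
    the page's SAMBA2 example; invocation_id defaults to a new random UUID.
    """
    domain_dn = dns_to_dn(dns_domain)
    invocation_id = invocation_id or str(uuid.uuid4())
    dn = ("CN=NTDS Settings,CN=%s,CN=Servers,CN=%s,CN=Sites,CN=Configuration,%s"
          % (netbios_name.upper(), site, domain_dn))
    attrs = [
        ("objectClass", "top"),
        ("objectClass", "applicationSettings"),
        ("objectClass", "nTDSDSA"),
        ("cn", "NTDS Settings"),
        ("options", "1"),
        ("showInAdvancedViewOnly", "TRUE"),
        ("systemFlags", "33554432"),
        ("dMDLocation", "CN=Schema,CN=Configuration,%s" % domain_dn),
        ("invocationId", invocation_id),
        ("msDS-Behavior-Version", "2"),
    ]
    return "\n".join(["dn: %s" % dn] + ["%s: %s" % kv for kv in attrs]) + "\n"


def check_ntds_settings(ldif_text):
    """Return a list of problems; an empty list means the entry is ready for ldbadd."""
    problems = []
    attrs = {}
    for line in ldif_text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            problems.append("malformed LDIF line: %r" % line)
            continue
        attrs.setdefault(key, []).append(value)

    invocation_id = attrs.get("invocationId", [""])[0]
    if not UUID_RE.match(invocation_id.lower()):
        problems.append("invocationId is not a UUID (placeholder left in?): %r"
                        % invocation_id)
    if "nTDSDSA" not in attrs.get("objectClass", []):
        problems.append("missing objectClass nTDSDSA")

    # dMDLocation must point at the schema NC of the same Configuration
    # partition the entry itself lives in.
    dn = attrs.get("dn", [""])[0]
    dmd = attrs.get("dMDLocation", [""])[0]
    if dn and dmd and not dn.endswith(dmd.split(",", 1)[1]):
        problems.append("dMDLocation is not in the DN's Configuration partition")
    return problems


if __name__ == "__main__":
    entry = build_ntds_settings("samba2", "example.com")
    for problem in check_ntds_settings(entry):
        raise SystemExit("refusing to emit entry: %s" % problem)
    print(entry, end="")
```

Redirect the output to a file and hand that file to ldbadd as on the page; if you copy the entry by hand instead, run check_ntds_settings() over the file first so a leftover placeholder is caught before it reaches the master.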
Starting Samba Replica
Execute this on the replica:
<pre>
% cd $INSTALL_DIR/sbin
% ./samba -i -M single -d 3
</pre>
Configuring DNS
The DNS needs to be configured such that it points to both master and replica. See this page.
Issues
SID Allocation
SIDs are currently allocated by incrementing the nextRid attribute of the domain object, which is replicated across the Fedora DS instances. This can cause a problem if new users or groups are added to multiple Samba instances simultaneously: two instances may read the same nextRid before either write has replicated and hand out the same RID. This issue will be fixed soon by using the DNA Plugin.
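The collision described above is easier to see in code than in prose. The following is an added illustration, not Samba or Fedora DS code: it models the replicated domain object as a single shared counter with last-writer-wins semantics (a deliberate simplification of multi-master replication), forces two "replicas" to read nextRid before either writes, and shows the duplicate RID. It then contrasts that with per-server disjoint RID ranges, which is the idea behind the DNA plugin; the RangeAllocator class and the range sizes are this example's own, and the domain SID is the one printed by provision on this page.

```python
"""Duplicate RIDs from a replicated nextRid counter vs. per-replica ranges.

Added illustration, not Samba or Fedora DS code. The shared counter stands in
for the replicated domain object; a Barrier forces the interleaving that
replication lag makes possible in real life, so the outcome is deterministic.
"""
import threading

# Domain SID from the page's provision output; RIDs are appended to it.
DOMAIN_SID = "S-1-5-21-3010954269-3145692404-1112636010"


def sid(rid):
    """Full SID for a RID in this domain."""
    return "%s-%d" % (DOMAIN_SID, rid)


class ReplicatedDomainObject:
    """Toy stand-in for the domain object: every replica sees the same
    nextRid and writes back the value it computed (last writer wins)."""

    def __init__(self, next_rid=1000):
        self.next_rid = next_rid


def allocate_naive(domain, barrier):
    """Read-increment-write on the replicated attribute, as the page describes."""
    rid = domain.next_rid        # replica reads the current counter
    barrier.wait()               # both replicas have read before either writes
    domain.next_rid = rid + 1    # the second write overwrites the first
    return rid


def simulate_naive(n_replicas=2):
    """Return the RIDs each replica handed out when they add a user at once."""
    domain = ReplicatedDomainObject()
    barrier = threading.Barrier(n_replicas)
    results = [None] * n_replicas

    def worker(i):
        results[i] = allocate_naive(domain, barrier)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_replicas)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


class RangeAllocator:
    """Each replica owns a disjoint RID range and allocates from it locally,
    so no replica ever needs the others' latest counter value. A real
    deployment (e.g. the DNA plugin) hands out and refills ranges; here the
    range is fixed and exhaustion raises."""

    def __init__(self, start, size):
        self.next_rid = start
        self.end = start + size  # exclusive

    def allocate(self):
        if self.next_rid >= self.end:
            raise RuntimeError("RID range exhausted; a new range must be assigned")
        rid = self.next_rid
        self.next_rid += 1
        return rid


def assign_ranges(n_replicas, first_rid=1000, range_size=500):
    """Give replica i the RIDs [first_rid + i*size, first_rid + (i+1)*size)."""
    return [RangeAllocator(first_rid + i * range_size, range_size)
            for i in range(n_replicas)]


def simulate_ranges(n_replicas=2, per_replica=3):
    """Replicas allocate concurrently from their own ranges; no coordination needed."""
    allocators = assign_ranges(n_replicas)
    barrier = threading.Barrier(n_replicas)
    results = [[] for _ in range(n_replicas)]

    def worker(i):
        barrier.wait()  # start all replicas together
        for _ in range(per_replica):
            results[i].append(allocators[i].allocate())

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_replicas)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def has_duplicates(rids):
    return len(set(rids)) != len(rids)


if __name__ == "__main__":
    naive = simulate_naive()
    print("shared nextRid:", [sid(r) for r in naive], "duplicate:", has_duplicates(naive))
    ranged = simulate_ranges()
    flat = [r for per_replica in ranged for r in per_replica]
    print("per-replica ranges:", ranged, "duplicate:", has_duplicates(flat))
```

Two principals sharing one SID is an authorization problem, not just a bookkeeping one, which is why range-based allocation (or a single RID master, as Active Directory itself uses) matters for any multi-master setup.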