Difference between revisions of "Samba4/LDAP Backend/Replication With Fedora DS"

(Provisioning Samba)
(explain that this is no longer relevant)
 
(7 intermediate revisions by one other user not shown)
Line 1: Line 1:
 +
'''This is no longer an area of active development in Samba4, and is not supported, or expected to be supported'''
 +
 +
=(De)motivation=
 +
This page is a guide to setting up Samba4 to use a general purpose LDAP server as the backend. However, this mode of operation is not recommended and is only available to support some esoteric configurations. Even if you provision Samba4 with the LDAP backend, the clients will still communicate with the LDAP service provided by Samba4 on port 389 (this is necessary for correct operation as an Active Directory Domain Controller) and you'll still be forced to use the Active Directory schema. What's more, using the LDAP backend is incompatible with DRS replication. The team is now removing the supporting code.  '''You have been warned'''.
 +
 +
 
= Overview =
 
= Overview =
  
Line 94: Line 100:
 
Currently the script doesn't read all of the above parameters properly so you have to re-enter it.
 
Currently the script doesn't read all of the above parameters properly so you have to re-enter it.
  
= Starting Fedora DS =
+
= Starting Fedora DS Replica =
  
 
Start the Fedora DS replica.
 
Start the Fedora DS replica.
Line 162: Line 168:
 
= Joining Samba Domain =
 
= Joining Samba Domain =
  
The DNS must be configured before joining the replica to the domain.
+
The DNS must be configured before joining the replica to the domain. See also [[Samba4/DNS|this page]].
 +
 
 +
Execute this on the replica:
  
 
<pre>
 
<pre>
Line 203: Line 211:
  
 
= Starting Samba Replica =
 
= Starting Samba Replica =
 +
 +
Execute this on the replica:
  
 
<pre>
 
<pre>
Line 209: Line 219:
 
</pre>
 
</pre>
  
= DNS =
+
= Configuring DNS =
 
 
The DNS needs to be configured such that it points to both master and replica. So if the master fails, the client will be able to find the replica automatically.
 
 
 
<pre>
 
$ORIGIN example.com.
 
$TTL 1W
 
@              IN SOA  example.com. root.example.com. (
 
                                2009070913  ; serial
 
                                2D          ; refresh
 
                                4H          ; retry
 
                                6W          ; expiry
 
                                1W )        ; minimum
 
                IN NS  dns2
 
 
 
                IN A    192.168.1.101
 
                IN A    192.168.1.102
 
 
 
dns2            IN A    192.168.1.100
 
samba1          IN A    192.168.1.101
 
samba2          IN A    192.168.1.102
 
 
 
gc._msdcs      IN CNAME        samba1
 
ff3b280e-6caa-11de-ab0a-e44b8f038cdc._msdcs    IN CNAME        samba1
 
 
 
_gc._tcp        IN SRV 0 100 3268      samba1
 
_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268      samba1
 
 
 
_ldap._tcp.gc._msdcs    IN SRV 0 100 389        samba1
 
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs    IN SRV 0 100 389 samba1
 
 
 
_ldap._tcp              IN SRV 0 100 389        samba1
 
_ldap._tcp              IN SRV 0 100 389        samba2
 
 
 
_ldap._tcp.dc._msdcs    IN SRV 0 100 389        samba1
 
_ldap._tcp.dc._msdcs    IN SRV 0 100 389        samba2
 
 
 
_ldap._tcp.pdc._msdcs  IN SRV 0 100 389        samba1
 
 
 
_ldap._tcp.ff3b2587-6caa-11de-ab0a-e44b8f038cdc IN SRV 0 100 389        samba1
 
_ldap._tcp.ff3b2587-6caa-11de-ab0a-e44b8f038cdc IN SRV 0 100 389        samba2
 
 
 
_ldap._tcp.ff3b2587-6caa-11de-ab0a-e44b8f038cdc.domains._msdcs          IN SRV 0 100 389 samba1
 
_ldap._tcp.ff3b2587-6caa-11de-ab0a-e44b8f038cdc.domains._msdcs          IN SRV 0 100 389 samba2
 
 
 
_ldap._tcp.Default-First-Site-Name._sites              IN SRV 0 100 389 samba1
 
_ldap._tcp.Default-First-Site-Name._sites              IN SRV 0 100 389 samba2
 
 
 
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs    IN SRV 0 100 389 samba1
 
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs    IN SRV 0 100 389 samba2
 
 
 
_kerberos._tcp          IN SRV 0 100 88        samba1
 
_kerberos._tcp          IN SRV 0 100 88        samba2
 
 
 
_kerberos._tcp.dc._msdcs        IN SRV 0 100 88 samba1
 
_kerberos._tcp.dc._msdcs        IN SRV 0 100 88 samba2
 
 
 
_kerberos._tcp.Default-First-Site-Name._sites  IN SRV 0 100 88 samba1
 
_kerberos._tcp.Default-First-Site-Name._sites  IN SRV 0 100 88 samba2
 
 
 
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 samba1
 
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 samba2
 
  
_kerberos._udp          IN SRV 0 100 88        samba1
+
The DNS needs to be configured such that it points to both master and replica. See [[Samba4/DNS#Multiple_Samba_Instances|this page]].
_kerberos._udp          IN SRV 0 100 88        samba2
 
  
_kerberos-master._tcp          IN SRV 0 100 88        samba1
+
= Issues =
_kerberos-master._tcp          IN SRV 0 100 88        samba2
 
  
_kerberos-master._udp          IN SRV 0 100 88        samba1
+
== SID Allocation ==
_kerberos-master._udp          IN SRV 0 100 88        samba2
 
 
 
_kpasswd._tcp          IN SRV 0 100 464        samba1
 
_kpasswd._tcp          IN SRV 0 100 464        samba2
 
 
 
_kpasswd._udp          IN SRV 0 100 464        samba1
 
_kpasswd._udp          IN SRV 0 100 464        samba2
 
 
 
_kerberos              IN TXT  EXAMPLE.COM
 
</pre>
 
  
See also [[Samba 4 - DNS|DNS]].
+
SID is currently allocated by incrementing the nextRid attribute in the domain object which is replicated across Fedora DS instance. This could cause a problem if new users/groups are added to multiple Samba instances simultaneously. This issue will be fixed soon by using the [http://directory.fedoraproject.org/wiki/DNA_Plugin DNA Plugin].

Latest revision as of 06:19, 25 July 2012

This is no longer an area of active development in Samba4, and is not supported, or expected to be supported

(De)motivation

This page is a guide to setting up Samba4 to use a general purpose LDAP server as the backend. However, this mode of operation is not recommended and is only available to support some esoteric configurations. Even if you provision Samba4 with the LDAP backend, the clients will still communicate with the LDAP service provided by Samba4 on port 389 (this is necessary for correct operation as an Active Directory Domain Controller) and you'll still be forced to use the Active Directory schema. What's more, using the LDAP backend is incompatible with DRS replication. The team is now removing the supporting code. You have been warned.


Overview

This page describes how to setup Samba 4 replica with Fedora DS 1.2 on Fedora Core 10. Instruction for setting up Samba 4 master is available here.

This document assumes the following environment:

  • Domain name: example.com
  • Samba master: samba1.example.com
  • Samba replica: samba2.example.com

Installation

Follow this page to install Samba and Fedora DS on the replica.

Configuration

Create /usr/local/samba/etc/smb.conf for the replica: 

[globals]
        netbios name    = samba2
        ...

See also this page.

Provisioning Fedora DS

Fix the schema problem as described in this page .

Setup Fedora DS instance for the replica: 

% cd $SRC_DIR/samba/source4
% setup/provision-backend \
--realm=EXAMPLE.COM \
--domain=EXAMPLE \
--server-role='domain controller' \
--ldap-admin-pass=Secret123 \
--ldap-backend-type=fedora-ds

Edit /usr/local/samba/private/ldap/fedorads.inf: 

[General]
FullMachineName         = samba2.example.com
SuiteSpotUserID         = nobody
SuiteSpotGroup          = nobody
ServerRoot              = /usr/local/samba/private/ldap

ConfigDirectoryLdapURL  = ldap://samba2.example.com
ConfigDirectoryAdminID  = admin
ConfigDirectoryAdminPwd = Secret123

AdminDomain             = example.com

[slapd]
ServerPort              = 390
ServerIdentifier        = samba4
Suffix                  = DC=example,DC=com

RootDN                  = cn=Directory Manager
RootDNPwd               = Secret123

ldapifilepath           = /usr/local/samba/private/ldap/ldapi

start_server            = 0
install_full_schema     = 0

SchemaFile              = /usr/local/samba/private/ldap/99_ad.ldif
ConfigFile              = /usr/local/samba/private/ldap/fedorads-partitions.ldif

inst_dir                = /usr/local/samba/private/ldap/slapd-samba4
config_dir              = /usr/local/samba/private/ldap/slapd-samba4
schema_dir              = /usr/local/samba/private/ldap/slapd-samba4/schema
lock_dir                = /usr/local/samba/private/ldap/slapd-samba4/lock
log_dir                 = /usr/local/samba/private/ldap/slapd-samba4/logs
run_dir                 = /usr/local/samba/private/ldap/slapd-samba4/logs
db_dir                  = /usr/local/samba/private/ldap/slapd-samba4/db
bak_dir                 = /usr/local/samba/private/ldap/slapd-samba4/bak
tmp_dir                 = /usr/local/samba/private/ldap/slapd-samba4/tmp
ldif_dir                = /usr/local/samba/private/ldap/slapd-samba4/ldif
cert_dir                = /usr/local/samba/private/ldap/slapd-samba4

Execute the following command: 

% cd $INSTALL_DIR/private/ldap
% /usr/sbin/setup-ds.pl --file=fedorads.inf

Currently the script doesn't read all of the above parameters properly so you have to re-enter it.

Starting Fedora DS Replica

Start the Fedora DS replica. 

% cd $INSTALL_DIR/private/ldap
% slapd-samba/start-slapd

Configuring Multi-Master Replication

Samba uses 3 databases in Fedora DS. They require separate replication agreements.

Download mmr.pl script to configure replication: 

% mmr.pl \
--host1 samba1.example.com --host2 samba2.example.com --port 390 \
--host1_id 1 --host2_id 2 \
--binddn 'cn=Directory Manager' \
--bindpw Secret123 \
--repmanpw Secret123 \
--base dc=example,dc=com \
--create

% mmr.pl \
--host1 samba1.example.com --host2 samba2.example.com --port 390 \
--host1_id 1 --host2_id 2 \
--binddn 'cn=Directory Manager' \
--bindpw Secret123 \
--repmanpw Secret123 \
--base cn=Configuration,dc=example,dc=com \
--create

% mmr.pl \
--host1 samba1.example.com --host2 samba2.example.com --port 390 \
--host1_id 1 --host2_id 2 \
--binddn 'cn=Directory Manager' \
--bindpw Secret123 \
--repmanpw Secret123 \
--base cn=Schema,cn=Configuration,dc=example,dc=com \
--create

Provisioning Samba

Execute the following on the replica: 

% cd $SRC_DIR/samba/source4
% setup/provision --realm=EXAMPLE.COM --domain=EXAMPLE \
--adminpass=Secret123 \
--ldap-backend-type=fedora-ds \
--ldap-backend=ldapi:///usr/local/samba/private/ldap/ldapi \
--partitions-only

Server Role:    domain controller
Hostname:       samba2
NetBIOS Domain: EXAMPLE
DNS Domain:     example.com
DOMAIN SID:     S-1-5-21-3010954269-3145692404-1112636010
Admin password: Secret123

Joining Samba Domain

The DNS must be configured before joining the replica to the domain. See also this page.

Execute this on the replica: 

% cd $INSTALL_DIR/bin
% ./net join EXAMPLE BDC -U Administrator --password=Secret123

Joined domain EXAMPLE (S-1-5-21-1030068324-2126043060-2085863383)

Generate UUID: 

% /usr/bin/uuidgen

Create a file containing the following entry: 

dn: CN=NTDS Settings,CN=SAMBA2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: applicationSettings
objectClass: nTDSDSA
cn: NTDS Settings
options: 1
showInAdvancedViewOnly: TRUE
systemFlags: 33554432
dMDLocation: CN=Schema,CN=Configuration,DC=example,DC=com
invocationId: <UUID>
msDS-Behavior-Version: 2

Add the entry to Samba master: 

% cd $INSTALL_DIR/bin
% ./ldbadd -H ldap://samba1.example.com -p -U Administrator --password=Secret123 <file>

Starting Samba Replica

Execute this on the replica: 

% cd $INSTALL_DIR/sbin
% ./samba -i -M single -d 3

Configuring DNS

The DNS needs to be configured such that it points to both master and replica. See this page.

Issues

SID Allocation

SID is currently allocated by incrementing the nextRid attribute in the domain object which is replicated across Fedora DS instance. This could cause a problem if new users/groups are added to multiple Samba instances simultaneously. This issue will be fixed soon by using the DNA Plugin.

Retrieved from "https://wiki.samba.org/index.php?title=Samba4/LDAP_Backend/Replication_With_Fedora_DS&oldid=6759"