Samba4/LDAP Backend/Replication With Fedora DS
Overview
This page describes how to set up a Samba 4 replica with Fedora DS 1.2 on Fedora Core 10. Instructions for setting up the Samba 4 master are available here.
This document assumes the following environment:
- Domain name: example.com
- Samba master: samba1.example.com
- Samba replica: samba2.example.com
Installation
Follow this page to install Samba and Fedora DS.
Configuration
Create /usr/local/samba/etc/smb.conf for the replica:
  [globals]
  netbios name = samba2
  ...
See also Fedora DS Configuration.
Provisioning Fedora DS
Set up the Fedora DS instance for the replica:
  % cd $SRC_DIR/samba/source4
  % setup/provision-backend --realm=EXAMPLE.COM --domain=EXAMPLE --server-role='domain controller' \
      --ldap-admin-pass=Secret123 --ldap-backend-type=fedora-ds
Edit /usr/local/samba/private/ldap/fedorads.inf:
  [General]
  FullMachineName = samba2.example.com
  SuiteSpotUserID = nobody
  SuiteSpotGroup = nobody
  ServerRoot = /usr/local/samba/private/ldap
  ConfigDirectoryLdapURL = ldap://samba2.example.com
  ConfigDirectoryAdminID = admin
  ConfigDirectoryAdminPwd = Secret123
  AdminDomain = example.com

  [slapd]
  ServerPort = 390
  ServerIdentifier = samba4
  Suffix = DC=example,DC=com
  RootDN = cn=Directory Manager
  RootDNPwd = Secret123
  ldapifilepath = /usr/local/samba/private/ldap/ldapi
  start_server = 0
  install_full_schema = 0
  SchemaFile = /usr/local/samba/private/ldap/99_ad.ldif
  ConfigFile = /usr/local/samba/private/ldap/fedorads-partitions.ldif
  inst_dir = /usr/local/samba/private/ldap/slapd-samba4
  config_dir = /usr/local/samba/private/ldap/slapd-samba4
  schema_dir = /usr/local/samba/private/ldap/slapd-samba4/schema
  lock_dir = /usr/local/samba/private/ldap/slapd-samba4/lock
  log_dir = /usr/local/samba/private/ldap/slapd-samba4/logs
  run_dir = /usr/local/samba/private/ldap/slapd-samba4/logs
  db_dir = /usr/local/samba/private/ldap/slapd-samba4/db
  bak_dir = /usr/local/samba/private/ldap/slapd-samba4/bak
  tmp_dir = /usr/local/samba/private/ldap/slapd-samba4/tmp
  ldif_dir = /usr/local/samba/private/ldap/slapd-samba4/ldif
  cert_dir = /usr/local/samba/private/ldap/slapd-samba4

Then run the Fedora DS setup script against that file:
  % cd $INSTALL_DIR/private/ldap
  % /usr/sbin/setup-ds.pl --file=fedorads.inf
Starting Fedora DS
The instance directory is slapd-<ServerIdentifier>, i.e. slapd-samba4 with the fedorads.inf above:
  % cd $INSTALL_DIR/private/ldap
  % slapd-samba4/start-slapd
Configuring Multi-Master Replication
Samba stores its data in three separate Fedora DS databases (the domain suffix, cn=Configuration and cn=Schema,cn=Configuration), and each one needs its own replication agreement.
Download the mmr.pl script and run it once per suffix to configure replication:
  % mmr.pl \
      --host1 samba1.example.com --host2 samba2.example.com --port 390 \
      --host1_id 1 --host2_id 2 \
      --binddn 'cn=Directory Manager' \
      --bindpw Secret123 \
      --repmanpw Secret123 \
      --base dc=example,dc=com \
      --create
  % mmr.pl \
      --host1 samba1.example.com --host2 samba2.example.com --port 390 \
      --host1_id 1 --host2_id 2 \
      --binddn 'cn=Directory Manager' \
      --bindpw Secret123 \
      --repmanpw Secret123 \
      --base cn=Configuration,dc=example,dc=com \
      --create
  % mmr.pl \
      --host1 samba1.example.com --host2 samba2.example.com --port 390 \
      --host1_id 1 --host2_id 2 \
      --binddn 'cn=Directory Manager' \
      --bindpw Secret123 \
      --repmanpw Secret123 \
      --base cn=Schema,cn=Configuration,dc=example,dc=com \
      --create
Provisioning Samba
  % cd $SRC_DIR/samba/source4
  % setup/provision --realm=EXAMPLE.COM --domain=EXAMPLE \
      --adminpass=Secret123 \
      --ldap-backend-type=fedora-ds \
      --ldap-backend=ldapi:///usr/local/samba/private/ldap/ldapi \
      --partitions-only

The provisioning output should look like this:
  Server Role:    domain controller
  Hostname:       samba2
  NetBIOS Domain: EXAMPLE
  DNS Domain:     example.com
  DOMAIN SID:     S-1-5-21-3010954269-3145692404-1112636010
  Admin password: Secret123
Joining Samba Domain
  % cd /usr/local/samba/bin
  % net join EXAMPLE BDC -U Administrator --password=Secret123
  Joined domain EXAMPLE (S-1-5-21-1030068324-2126043060-2085863383)
Generate a UUID to use as the invocationId of the replica:
  % uuidgen
Create a file containing the following entry, replacing <UUID> with the value just generated:
  dn: CN=NTDS Settings,CN=SAMBA2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
  objectClass: top
  objectClass: applicationSettings
  objectClass: nTDSDSA
  cn: NTDS Settings
  options: 1
  showInAdvancedViewOnly: TRUE
  systemFlags: 33554432
  dMDLocation: CN=Schema,CN=Configuration,DC=example,DC=com
  invocationId: <UUID>
  msDS-Behavior-Version: 2
Add the entry to Samba master:
  % cd /usr/local/samba/bin
  % ./ldbadd -H ldap://samba1.example.com -p -U Administrator --password=Secret123 <file>
Starting Samba Replica
  % cd /usr/local/samba/sbin
  % ./samba -i -M single -d 3
DNS
DNS needs to be configured so that it points to both the master and the replica; then, if the master fails, clients can locate the replica automatically.
  $ORIGIN example.com.
  $TTL 1W
  @       IN SOA example.com. root.example.com. (
                  2009070913 ; serial
                  2D         ; refresh
                  4H         ; retry
                  6W         ; expiry
                  1W )       ; minimum
          IN NS dns2
          IN A  192.168.1.101
          IN A  192.168.1.102
  dns2    IN A  192.168.1.100
  samba1  IN A  192.168.1.101
  samba2  IN A  192.168.1.102
  gc._msdcs                                    IN CNAME samba1
  ff3b280e-6caa-11de-ab0a-e44b8f038cdc._msdcs  IN CNAME samba1
  _gc._tcp                                                  IN SRV 0 100 3268 samba1
  _gc._tcp.Default-First-Site-Name._sites                   IN SRV 0 100 3268 samba1
  _ldap._tcp.gc._msdcs                                      IN SRV 0 100 389 samba1
  _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs       IN SRV 0 100 389 samba1
  _ldap._tcp                                                IN SRV 0 100 389 samba1
  _ldap._tcp                                                IN SRV 0 100 389 samba2
  _ldap._tcp.dc._msdcs                                      IN SRV 0 100 389 samba1
  _ldap._tcp.dc._msdcs                                      IN SRV 0 100 389 samba2
  _ldap._tcp.pdc._msdcs                                     IN SRV 0 100 389 samba1
  _ldap._tcp.ff3b2587-6caa-11de-ab0a-e44b8f038cdc                  IN SRV 0 100 389 samba1
  _ldap._tcp.ff3b2587-6caa-11de-ab0a-e44b8f038cdc                  IN SRV 0 100 389 samba2
  _ldap._tcp.ff3b2587-6caa-11de-ab0a-e44b8f038cdc.domains._msdcs   IN SRV 0 100 389 samba1
  _ldap._tcp.ff3b2587-6caa-11de-ab0a-e44b8f038cdc.domains._msdcs   IN SRV 0 100 389 samba2
  _ldap._tcp.Default-First-Site-Name._sites                 IN SRV 0 100 389 samba1
  _ldap._tcp.Default-First-Site-Name._sites                 IN SRV 0 100 389 samba2
  _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs       IN SRV 0 100 389 samba1
  _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs       IN SRV 0 100 389 samba2
  _kerberos._tcp                                            IN SRV 0 100 88 samba1
  _kerberos._tcp                                            IN SRV 0 100 88 samba2
  _kerberos._tcp.dc._msdcs                                  IN SRV 0 100 88 samba1
  _kerberos._tcp.dc._msdcs                                  IN SRV 0 100 88 samba2
  _kerberos._tcp.Default-First-Site-Name._sites             IN SRV 0 100 88 samba1
  _kerberos._tcp.Default-First-Site-Name._sites             IN SRV 0 100 88 samba2
  _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs   IN SRV 0 100 88 samba1
  _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs   IN SRV 0 100 88 samba2
  _kerberos._udp                                            IN SRV 0 100 88 samba1
  _kerberos._udp                                            IN SRV 0 100 88 samba2
  _kerberos-master._tcp                                     IN SRV 0 100 88 samba1
  _kerberos-master._tcp                                     IN SRV 0 100 88 samba2
  _kerberos-master._udp                                     IN SRV 0 100 88 samba1
  _kerberos-master._udp                                     IN SRV 0 100 88 samba2
  _kpasswd._tcp                                             IN SRV 0 100 464 samba1
  _kpasswd._tcp                                             IN SRV 0 100 464 samba2
  _kpasswd._udp                                             IN SRV 0 100 464 samba1
  _kpasswd._udp                                             IN SRV 0 100 464 samba2
  _kerberos                                                 IN TXT EXAMPLE.COM
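A quick way to check that the zone really gives clients a failover path is to parse it and list every SRV name that does not advertise both DCs. The script below is an added example, not part of the original page or of Samba; it works on a constructed subset of the zone above and assumes only a BIND-style text zone as input.

```python
"""Added example (not part of the wiki page): parse a BIND-style zone
fragment like the one above and report SRV owner names that do not
advertise every expected DC, i.e. services clients could not fail over."""
import re
from collections import defaultdict

# Constructed sample: a subset of the page's example.com zone.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 1W
@ IN SOA example.com. root.example.com. (
        2009070913 ; serial
        1W )       ; minimum
samba1 IN A 192.168.1.101
samba2 IN A 192.168.1.102
_gc._tcp IN SRV 0 100 3268 samba1
_ldap._tcp IN SRV 0 100 389 samba1
_ldap._tcp IN SRV 0 100 389 samba2
_ldap._tcp.pdc._msdcs IN SRV 0 100 389 samba1
_kerberos._tcp IN SRV 0 100 88 samba1
_kerberos._tcp IN SRV 0 100 88 samba2
_kerberos IN TXT EXAMPLE.COM
"""

# owner [ttl] IN SRV priority weight port target
SRV_RE = re.compile(r"^(\S+)\s+(?:\d+\w?\s+)?IN\s+SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)$")

def srv_targets(zone_text):
    """Map each SRV owner name to the set of target hosts it advertises."""
    targets = defaultdict(set)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and whitespace
        m = SRV_RE.match(line)
        if m:
            owner, _port, target = m.groups()
            targets[owner].add(target.rstrip("."))
    return dict(targets)

def services_missing_dcs(zone_text, expected_dcs):
    """Return SRV owner names that do not list every DC in expected_dcs."""
    expected = set(expected_dcs)
    return sorted(owner for owner, hosts in srv_targets(zone_text).items()
                  if not expected <= hosts)

if __name__ == "__main__":
    for owner in services_missing_dcs(SAMPLE_ZONE, ["samba1", "samba2"]):
        print("no failover target for", owner)
```

The page's zone advertises the global catalog and PDC entries for samba1 only, so those names are expected in the output; any other name listed means the replica was left out of that service.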
See also DNS.