Samba4/LDAP Backend/Replication With Fedora DS
Contents
Overview
This page describes how to setup Samba 4 replica with Fedora DS 1.2 on Fedora Core 10. Instruction for setting up Samba 4 master is available here.
This document assumes the following environment:
- Domain name: example.com
- Samba master: samba1.example.com
- Samba replica: samba2.example.com
Installation
Follow this page to install Samba and Fedora DS.
Configuration
Create /usr/local/samba/etc/smb.conf for the replica:
[globals]
netbios name = samba2
...
See also Fedora DS Configuration.
Provisioning Fedora DS
Setup Fedora DS instance for the replica:
% cd $SRC_DIR/samba/source4 % setup/provision-backend --realm=EXAMPLE.COM --domain=EXAMPLE --server-role='domain controller' \ --ldap-admin-pass=Secret123 --ldap-backend-type=fedora-ds
Edit /usr/local/samba/private/ldap/fedorads.inf:
[General] FullMachineName = samba2.example.com SuiteSpotUserID = nobody SuiteSpotGroup = nobody ServerRoot = /usr/local/samba/private/ldap ConfigDirectoryLdapURL = ldap://samba2.example.com ConfigDirectoryAdminID = admin ConfigDirectoryAdminPwd = Secret123 AdminDomain = example.com [slapd] ServerPort = 390 ServerIdentifier = samba4 Suffix = DC=example,DC=com RootDN = cn=Directory Manager RootDNPwd = Secret123 ldapifilepath = /usr/local/samba/private/ldap/ldapi start_server = 0 install_full_schema = 0 SchemaFile = /usr/local/samba/private/ldap/99_ad.ldif ConfigFile = /usr/local/samba/private/ldap/fedorads-partitions.ldif inst_dir = /usr/local/samba/private/ldap/slapd-samba4 config_dir = /usr/local/samba/private/ldap/slapd-samba4 schema_dir = /usr/local/samba/private/ldap/slapd-samba4/schema lock_dir = /usr/local/samba/private/ldap/slapd-samba4/lock log_dir = /usr/local/samba/private/ldap/slapd-samba4/logs run_dir = /usr/local/samba/private/ldap/slapd-samba4/logs db_dir = /usr/local/samba/private/ldap/slapd-samba4/db bak_dir = /usr/local/samba/private/ldap/slapd-samba4/bak tmp_dir = /usr/local/samba/private/ldap/slapd-samba4/tmp ldif_dir = /usr/local/samba/private/ldap/slapd-samba4/ldif cert_dir = /usr/local/samba/private/ldap/slapd-samba4
% cd $INSTALL_DIR/private/ldap % /usr/sbin/setup-ds.pl --file=fedorads.inf
Starting Fedora DS
% cd $INSTALL_DIR/private/ldap % slapd-samba/start-slapd
Configuring Multi-Master Replication
Samba uses 3 databases in Fedora DS. They require separate replication agreements.
Download mmr.pl script to configure replication:
% mmr.pl \ --host1 samba1.example.com --host2 samba2.example.com --port 390 \ --host1_id 1 --host2_id 2 \ --binddn 'cn=Directory Manager' \ --bindpw Secret123 \ --repmanpw Secret123 \ --base dc=example,dc=com \ --create % mmr.pl \ --host1 samba1.example.com --host2 samba2.example.com --port 390 \ --host1_id 1 --host2_id 2 \ --binddn 'cn=Directory Manager' \ --bindpw Secret123 \ --repmanpw Secret123 \ --base cn=Configuration,dc=example,dc=com \ --create % mmr.pl \ --host1 samba1.example.com --host2 samba2.example.com --port 390 \ --host1_id 1 --host2_id 2 \ --binddn 'cn=Directory Manager' \ --bindpw Secret123 \ --repmanpw Secret123 \ --base cn=Schema,cn=Configuration,dc=example,dc=com \ --create
Provisioning Samba
% cd $SRC_DIR/samba/source4 % setup/provision --realm=EXAMPLE.COM --domain=EXAMPLE \ --adminpass=Secret123 \ --ldap-backend-type=fedora-ds \ --ldap-backend=ldapi:///usr/local/samba/private/ldap/ldapi \ --partitions-only
Server Role: domain controller Hostname: samba2 NetBIOS Domain: EXAMPLE DNS Domain: example.com DOMAIN SID: S-1-5-21-3010954269-3145692404-1112636010 Admin password: Secret123
Joining Samba Domain
% cd /usr/local/samba/bin % net join EXAMPLE BDC -U Administrator --password=Secret123
Joined domain EXAMPLE (S-1-5-21-1030068324-2126043060-2085863383)
Generate UUID:
% uuidgen
Create a file containing the following entry:
dn: CN=NTDS Settings,CN=SAMBA2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com objectClass: top objectClass: applicationSettings objectClass: nTDSDSA cn: NTDS Settings options: 1 showInAdvancedViewOnly: TRUE systemFlags: 33554432 dMDLocation: CN=Schema,CN=Configuration,DC=example,DC=com invocationId: <UUID> msDS-Behavior-Version: 2
Add the entry to Samba master:
% cd /usr/local/samba/bin % ./ldbadd -H ldap://samba1.example.com -p -U Administrator --password=Secret123 <file>
Starting Samba Replica
% cd /usr/local/samba/sbin % ./samba -i -M single -d 3
DNS
The DNS needs to be configured such that it points to both master and replica. So if the master fails, the client will be able to find the replica automatically.
$ORIGIN example.com.
$TTL 1W
@ IN SOA example.com. root.example.com. (
2009070913 ; serial
2D ; refresh
4H ; retry
6W ; expiry
1W ) ; minimum
IN NS dns2
IN A 192.168.1.101
IN A 192.168.1.102
dns2 IN A 192.168.1.100
samba1 IN A 192.168.1.101
samba2 IN A 192.168.1.102
gc._msdcs IN CNAME samba1
ff3b280e-6caa-11de-ab0a-e44b8f038cdc._msdcs IN CNAME samba1
_gc._tcp IN SRV 0 100 3268 samba1
_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268 samba1
_ldap._tcp.gc._msdcs IN SRV 0 100 389 samba1
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs IN SRV 0 100 389 samba1
_ldap._tcp IN SRV 0 100 389 samba1
_ldap._tcp IN SRV 0 100 389 samba2
_ldap._tcp.dc._msdcs IN SRV 0 100 389 samba1
_ldap._tcp.dc._msdcs IN SRV 0 100 389 samba2
_ldap._tcp.pdc._msdcs IN SRV 0 100 389 samba1
_ldap._tcp.ff3b2587-6caa-11de-ab0a-e44b8f038cdc IN SRV 0 100 389 samba1
_ldap._tcp.ff3b2587-6caa-11de-ab0a-e44b8f038cdc IN SRV 0 100 389 samba2
_ldap._tcp.ff3b2587-6caa-11de-ab0a-e44b8f038cdc.domains._msdcs IN SRV 0 100 389 samba1
_ldap._tcp.ff3b2587-6caa-11de-ab0a-e44b8f038cdc.domains._msdcs IN SRV 0 100 389 samba2
_ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 samba1
_ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 samba2
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389 samba1
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389 samba2
_kerberos._tcp IN SRV 0 100 88 samba1
_kerberos._tcp IN SRV 0 100 88 samba2
_kerberos._tcp.dc._msdcs IN SRV 0 100 88 samba1
_kerberos._tcp.dc._msdcs IN SRV 0 100 88 samba2
_kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 samba1
_kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 samba2
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 samba1
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 samba2
_kerberos._udp IN SRV 0 100 88 samba1
_kerberos._udp IN SRV 0 100 88 samba2
_kerberos-master._tcp IN SRV 0 100 88 samba1
_kerberos-master._tcp IN SRV 0 100 88 samba2
_kerberos-master._udp IN SRV 0 100 88 samba1
_kerberos-master._udp IN SRV 0 100 88 samba2
_kpasswd._tcp IN SRV 0 100 464 samba1
_kpasswd._tcp IN SRV 0 100 464 samba2
_kpasswd._udp IN SRV 0 100 464 samba1
_kpasswd._udp IN SRV 0 100 464 samba2
_kerberos IN TXT EXAMPLE.COM
See also DNS.