This is a discussion on Re: [Samba] Samba PDC + OpenLDAP replica within the Samba forums, part of the Networking and Network Related category.
On Fri, 2005-11-04 at 10:23 +0200, Jukka Hienola wrote:
> Hi!
>
> I would like to ask you Samba gurus if it is possible to set up Samba
> PDC which uses OpenLDAP replica as backend.

Yes.

> I had two separate OpenLDAP master servers (2.2.13-4) for two different
> Samba PDC servers (3.0.14a-2) with TLS support in different virtual
> networks (VLANs), and all worked fine.
>
> However, I decided that it would be nice (from an administrative point
> of view) to have all user/client data on the same departmental master
> OpenLDAP server, which would work as a backend for division level Samba
> PDC servers in different VLANs via LDAP replicas (our department
> contains many subdepartments, or divisions, and most of them have their
> own VLANs). So, I read Samba documentation and I understood that it is
> possible to make such a system, where Samba server uses LDAP replica as
> its backend. First I transferred all user/client data to master LDAP
> server, and created a slave server to be used by Samba PDC in different
> VLAN. I tested connections with ldapsearch command and all worked well,
> and changes written to master directory are propagated to slave server's
> LDAP directory. Both servers are configured to use TLS transport, and
> both servers have their own CA signed certificate files.

Self-signed, or a CA shared for your organisation?

> But when I tried to set up my division level Samba server to use replica
> as its backend, I got an error that Samba can't connect to replica's
> directory. In log files I have messages like
>
> slave.server.net smbd: Failed to issue the StartTLS instruction:
> Connect error

This is an SSL layer problem.
Are all the certificates correct?

> whenever I try to e.g. login to slave.server.net's Samba service. SSH
> logins work fine (for SSH logins my slave uses also LDAP directory
> replica). So my guess is that this has something to do with certificate
> files. I don't understand what it could be, because I can browse LDAP
> directory fine with e.g. ldapsearch command on both master and slave,
> and logins with SSH work.
>
> So to my question. What certificate files is Samba using in order to
> make TLS connections to replica server? I understand they should be
> certificate files for my slave server, if Samba is using replica as its
> backend.

It may be that a modification requested by the smbd normally attached to
the slave is requiring a rebind to the master. Check connections to the
master with ldapsearch.

> Or is it possible at all (or even reasonable) to use LDAP
> replica as a backend for Samba PDC server?

Yes.

> Should it be BDC server
> instead of PDC?

There should be one PDC per isolated netbios namespace.

> Should I set up one departmental level master server
> with master LDAP and Samba PDC, and many LDAP slaves (replicas) with
> Samba BDCs? But in this case the different VLANs are going to be a
> problem for traffic between Samba PDC and BDCs, or so I have understood,
> since switches connecting different VLANs don't route NetBIOS traffic.

Samba doesn't do netbios between its various DCs, but clients will want
to see one PDC per netbios scope.

> And I have no administrative rights to make any changes to their
> configuration. So, is it possible at all to make Samba to use LDAP
> replica as its backend?

Yes. This is reasonable and regularly implemented.

Andrew Bartlett

--
Andrew Bartlett                                 http://samba.org/~abartlet/
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   http://hawkerc.net
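The two checks Andrew points at, a StartTLS bind against the replica and against the master from the Samba host, plus a look at which CA file the host's LDAP client library will use, can be scripted as below. This is an added example written for this page, not code from the thread or from the Samba project. `slave.server.net` is the replica name used in the thread; `master.server.net`, the base DN `dc=example,dc=net` and the client config path `/etc/ldap/ldap.conf` are assumptions to be replaced with your own values.

```shell
#!/bin/sh
# Added example: verify the pieces behind an smbd
# "Failed to issue the StartTLS instruction" error.
# smbd talks LDAP through the system libldap, so the CA it trusts is the
# TLS_CACERT named in libldap's client config, not anything in smb.conf.

# Assumed path of the OpenLDAP client config (Debian layout; RedHat uses
# /etc/openldap/ldap.conf).  Override with LDAP_CONF=... in the environment.
LDAP_CONF="${LDAP_CONF:-/etc/ldap/ldap.conf}"
# Assumed directory suffix used for the probe search.
BASE_DN="${BASE_DN:-dc=example,dc=net}"

# Print the TLS_CACERT path set in an OpenLDAP client config file.
# Keys in ldap.conf are case-insensitive; commented lines are ignored
# because "#TLS_CACERT" never equals "TLS_CACERT".  Prints nothing if unset.
ldap_conf_cacert() {
    conf="$1"
    awk 'toupper($1) == "TLS_CACERT" { print $2; exit }' "$conf"
}

# Succeed (return 0) only if the config names a CA file that is readable
# by the current user.  smbd cannot validate either server's certificate
# without it, which shows up as exactly the log line in the thread.
cacert_readable() {
    ca=$(ldap_conf_cacert "$1")
    [ -n "$ca" ] && [ -r "$ca" ]
}

# Probe one server with an anonymous StartTLS bind.  -ZZ makes ldapsearch
# fail hard when StartTLS cannot be negotiated, so the exit status tells
# us whether the TLS layer itself works from this host.
starttls_check() {
    host="$1"
    ldapsearch -x -ZZ -H "ldap://$host" -b "$BASE_DN" -s base \
        '(objectClass=*)' dn >/dev/null 2>&1
}

# Run the CA check once, then the StartTLS probe for every host given.
# Checking the master as well as the replica matters because writes from
# smbd (password changes, machine account updates) are referred to the
# master, so that connection must also pass TLS validation.
main() {
    if cacert_readable "$LDAP_CONF"; then
        echo "CA file from $LDAP_CONF is readable: $(ldap_conf_cacert "$LDAP_CONF")"
    else
        echo "warning: TLS_CACERT missing or unreadable in $LDAP_CONF" >&2
    fi
    rc=0
    for h in "$@"; do
        if starttls_check "$h"; then
            echo "StartTLS OK: $h"
        else
            echo "StartTLS FAILED: $h" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage (host names are assumptions except slave.server.net, from the thread):
#   sh ldap_tls_check.sh slave.server.net master.server.net
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as the user smbd runs as (normally root) so the readability test reflects what smbd sees. A failure on the master alone matches Andrew's rebind explanation; a failure on both points at the CA file or the certificates themselves.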