Re: [Samba] Samba PDC + OpenLDAP replica
Dear all,

I'm sorry if I posted this reply twice, but I had to leave my office in a
hurry and I'm not sure if I already did reply to Andrew's reply to my
original message...

> On Fri, Nov 4 12:15:48 GMT 2005, Andrew Bartlett wrote:
>
>> On Fri, 2005-11-04 at 10:23 +0200, Jukka Hienola wrote:
>>
>> I had two separate OpenLDAP master servers (2.2.13-4) for two different
>> Samba PDC servers (3.0.14a-2) with TLS support in different virtual
>> networks (VLANs), and all worked fine.
>>
>> However, I decided that it would be nice (from an administrative point
>> of view) to have all user/client data on the same departmental master
>> OpenLDAP server, which would work as a backend for division level Samba
>> PDC servers in different VLANs via LDAP replicas (our department
>> contains many subdepartments, or divisions, and most of them have their
>> own VLANs). So, I read the Samba documentation and I understood that it is
>> possible to make such a system, where the Samba server uses an LDAP replica as
>> its backend. First I transferred all user/client data to the master LDAP
>> server, and created a slave server to be used by the Samba PDC in a different
>> VLAN. I tested connections with the ldapsearch command and all worked well,
>> and changes written to the master directory are propagated to the slave server's
>> LDAP directory. Both servers are configured to use TLS transport, and
>> both servers have their own CA-signed certificate files.
>
> Self-signed, or a CA shared for your organisation?

Certificates are signed by the local CA at our university. So they are not
self-signed certificates.

>> But when I tried to set up my division level Samba server to use the replica
>> as its backend, I got an error that Samba can't connect to the replica's
>> directory. In log files I have messages like
>>
>> slave.server.net smbd: Failed to issue the StartTLS instruction:
>> Connect error
>
> This is an SSL layer problem. Are all the certificates correct?

I'm pretty sure, since I have used them successfully for two months so far.
However, I made changes to my master/slave TLS configuration. Now I get
different errors when Samba is trying to bind to the replica's LDAP directory.
The errors are like

Nov 4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 2] lib/smbldap.c:smbldap_open_connection(692)
Nov 4 17:37:39 slave smbd[18093]: smbldap_open_connection: connection opened
Nov 4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 0] lib/smbldap.c:fetch_ldap_pw(312)
Nov 4 17:37:39 slave smbd[18093]: fetch_ldap_pw: neither ldap secret retrieved!
Nov 4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 0] lib/smbldap.c:smbldap_connect_system(813)
Nov 4 17:37:39 slave smbd[18093]: ldap_connect_system: Failed to retrieve password from secrets.tdb
Nov 4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 0] lib/smbldap.c:smbldap_search_suffix(1176)
Nov 4 17:37:39 slave smbd[18093]: smbldap_search_suffix: Problem during the LDAP search: (unknown) (Timed out)
Nov 4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 2] auth/auth.c:check_ntlm_password(312)
Nov 4 17:37:39 slave smbd[18093]: check_ntlm_password: Authentication for user [dummy] -> [dummy] FAILED with error NT_STATUS_NO_SUCH_USER

so I assume that Samba can now bind to the LDAP directory, but fails when
trying to get the user's data. I don't know why Samba is trying to retrieve
data from secrets.tdb, because in smb.conf I have set

passdb backend = ldapsam:"ldap://slave.ldap.server ldap://master.ldap.server"

and Samba is running on slave.ldap.server. Server slave has slapd
configured as a replica server. With the ldapsearch command I can access the
data in the directory.

>> whenever I try to e.g. login to slave.server.net's Samba service. SSH
>> logins work fine (for SSH logins my slave also uses the LDAP directory
>> replica). So my guess is that this has something to do with the certificate
>> files. I don't understand what it could be, because I can browse the LDAP
>> directory fine with e.g. the ldapsearch command on both master and slave,
>> and logins with SSH work.
>>
>> So to my question. What certificate files is Samba using in order to
>> make TLS connections to the replica server? I understand they should be
>> the certificate files for my slave server, if Samba is using the replica as its
>> backend.
>
> It may be that a modification requested by the smbd normally attached to
> the slave is requiring a rebind to the master. Check connections to the
> master with ldapsearch.

With ldapsearch the connections work ok, so I still assume that I have
something wrong in my Samba configuration.

>> Should it be a BDC server
>> instead of a PDC?
>
> There should be one PDC per isolated netbios namespace.

Ok.

>> Should I set up one departmental level master server
>> with master LDAP and Samba PDC, and many LDAP slaves (replicas) with
>> Samba BDCs? But in this case the different VLANs are going to be a
>> problem for traffic between the Samba PDC and BDCs, or so I have understood,
>> since the switches connecting the different VLANs don't route NetBIOS traffic.
>
> Samba doesn't do netbios between its various DCs, but clients will want
> to see one PDC per netbios scope.

Ok.

>> And I have no administrative rights to make any changes to their
>> configuration. So, is it possible at all to make Samba use an LDAP
>> replica as its backend?
>
> Yes. This is reasonable and regularly implemented.

Well, that's good to hear. So I still have some hope :)

Jukka Hienola
University of Helsinki
<http://hawkerc.net>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
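As an added example (not code from this thread, the poster, or the Samba project): a small POSIX shell script that works through the three layers the exchange above touches, in the order the log messages hit them. It reads the ldapsam parameters out of an smb.conf, checks that `passdb backend`, `ldap suffix`, `ldap admin dn` and `ldap ssl = start tls` are all present, lists the URIs named in the quoted backend string, classifies smbd log lines by the first failing layer (StartTLS handshake, bind credential from secrets.tdb, user lookup), and offers an `ldapsearch -ZZ` probe of each URI. The hostnames, suffix and admin DN in the sample config are constructed placeholders, and the probe assumes the OpenLDAP client tools are installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba. Hostnames, suffix
# and admin DN below are constructed placeholders, not the poster's values.

# Read one [global] parameter from an smb.conf file. Samba matches
# parameter names case-insensitively and ignores whitespace around '='.
smbconf_get() {   # $1 = smb.conf path, $2 = parameter name
    awk -F= -v want="$2" '
        /^[[:space:]]*[#;]/ { next }
        NF >= 2 {
            k = $1; sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(want)) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# List the LDAP URIs from  passdb backend = ldapsam:"ldap://a ldap://b"
# (Samba 3 accepts several space-separated URIs inside the quotes).
ldapsam_uris() {   # $1 = smb.conf path
    smbconf_get "$1" "passdb backend" |
        sed -n 's/^ldapsam:"\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' | tr ' ' '\n'
}

# Return 0 when the parameters smbd needs to bind to the replica are present,
# otherwise print what is missing and return 1. "ldap admin dn" is the DN
# whose password smbd reads from secrets.tdb; that password is stored with
# `smbpasswd -w`, and "neither ldap secret retrieved" means it is not there.
check_ldapsam_conf() {   # $1 = smb.conf path
    conf="$1"; missing=0
    case "$(smbconf_get "$conf" "passdb backend")" in
        ldapsam:*) ;;
        *) echo "passdb backend is not ldapsam"; missing=1 ;;
    esac
    for key in "ldap admin dn" "ldap suffix"; do
        [ -n "$(smbconf_get "$conf" "$key")" ] || { echo "missing: $key"; missing=1; }
    done
    case "$(smbconf_get "$conf" "ldap ssl")" in
        "start tls"|start_tls) ;;
        *) echo "ldap ssl is not 'start tls' (needed for the StartTLS setup)"; missing=1 ;;
    esac
    return $missing
}

# Classify smbd log output by the first failing layer, in the order the
# thread met them: TLS handshake, bind credential, then user lookup.
triage_smbd_log() {   # $1 = log file
    if grep -q "Failed to issue the StartTLS instruction" "$1"; then echo "tls"
    elif grep -q "neither ldap secret retrieved" "$1"; then echo "bind-credential"
    elif grep -q "NT_STATUS_NO_SUCH_USER" "$1"; then echo "lookup"
    else echo "unknown"; fi
}

# Online check (needs ldapsearch and network access; not run by the offline
# demo below): a base search over StartTLS against every URI, the way the
# poster verified the replica by hand. -ZZ makes ldapsearch fail unless
# StartTLS actually succeeds, so a bad CA bundle shows up here, not in smbd.
probe_ldap_starttls() {   # $1 = smb.conf path
    suffix=$(smbconf_get "$1" "ldap suffix"); rc=0
    for uri in $(ldapsam_uris "$1"); do
        if ldapsearch -x -ZZ -H "$uri" -b "$suffix" -s base '(objectClass=*)' dn >/dev/null 2>&1
        then echo "ok:   StartTLS to $uri"
        else echo "FAIL: StartTLS to $uri (check TLS_CACERT in ldap.conf)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample config for the layout in the thread: Samba running on
# the replica host, local slave first, master as fallback.
write_sample_conf() {   # $1 = destination path
    cat > "$1" <<'EOF'
[global]
   workgroup = DIVISION
   domain logons = yes
   passdb backend = ldapsam:"ldap://slave.ldap.server ldap://master.ldap.server"
   ldap suffix = dc=example,dc=org
   ldap admin dn = cn=samba,dc=example,dc=org
   ldap ssl = start tls
   # give the slave time to receive a write that was referred to the master
   ldap replication sleep = 1000
EOF
}

# Offline demo: check the sample config and triage a constructed log excerpt.
demo_conf=$(mktemp); write_sample_conf "$demo_conf"
check_ldapsam_conf "$demo_conf" && echo "smb.conf complete; URIs:" && ldapsam_uris "$demo_conf"
demo_log=$(mktemp)
printf '%s\n' 'slave smbd[18093]: fetch_ldap_pw: neither ldap secret retrieved!' \
    'slave smbd[18093]: check_ntlm_password: ... FAILED with error NT_STATUS_NO_SUCH_USER' > "$demo_log"
echo "log points at: $(triage_smbd_log "$demo_log")"
rm -f "$demo_conf" "$demo_log"
```

On the quoted log the triage answers `bind-credential` before it ever looks at the `NT_STATUS_NO_SUCH_USER` line: the lookup fails only because the bind as `ldap admin dn` never happened, and that bind needs the password stored in secrets.tdb with `smbpasswd -w`. Once that is in place, the same `probe_ldap_starttls` run against both URIs covers Andrew's point that a write handled on the slave may be referred to the master, so the master's certificate chain has to verify from the replica host as well.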