samba4-ol-mmr
Oliver Liebel
oliver at itc.li
Mon Aug 11 12:34:49 GMT 2008
hi andrew,

i have created a simple slapd.conf for the needs of mmr with 2 dcs (ldapmaster + ldapslave), based on the standalone-template. i have attached a complete one from my test-setup and my idea for a template. please take a look at it.

the corresponding steps during provisioning maybe could be done in the following way (just the mmr-specific settings below):

setup dc1:
#> provision-backend --ol-mmr="yes" --ol-mmr-url1="ldap://ldapmaster.local.site" --ol-mmr-url2="ldap://ldapslave.local.site" ...
(--ol-mmr="yes" forces the use of the slapd.conf.mmr as slapd.conf-template, serverid should be increased for every url, starting from "1")
i think we should generate the rids automatically too, depending on how many dcs are involved, starting from 1.

next starting slapd on ldapmaster listening on port 9000, then provision ldapmaster with:
#> provision --ldap-backend="ldap://ldapmaster.local.site:9000/" --ldap-backend-type=openldap ...

setup dc2:
provision-backend <same mmr-parameters as above>
next starting slapd on ldapslave listening on port 9000, provision (initial content load) on ldapslave is started automatically through replication.

next starting smbd on ldapmaster (slapd still running) and join ldapslave as bdc:
/usr/local/samba/bin/net join LDAP BDC -U administrator%linux -d 3
"....
We still need to perform a DsAddEntry() so that we can create the
CN=NTDS Settings container.
Joined domain LDAP (S-1-5-21-61934931-241975640-940257882)"
-> but the ntds entry already seems to be created correctly.

i have tested replication between both servers in both directions by modifying the description of the administrator object, works fine.

could you please point me in the right direction of how to add new parameters to the provision-backend script and what files (excluding slapd.conf template) are used during the backend provision too? i have attached a modified version of the provision-backend script, as far as i could set it up (hopefully not too bad...).

thanks,
oliver
Andrew Bartlett wrote:
> On Fri, 2008-08-08 at 10:38 +0200, Oliver Liebel wrote:
>
>> my proposal:
>> in this early test-stage (unencrypted sync)
>> we could set up three (ssha-crypted) rootpws for the corresponding
>> subcontexts: schema, config, user in slapd.conf
>> so we don't need the samba-admin for replication purposes.
>> in a later stage (e.g. using sasl-bind with TLS/External) the
>> cert-dn can be mapped by authz-regexp to the account we want/need.
>>
>
> That all seems very reasonable. I would like to see SASL used in the end.
>
> Andrew Bartlett
>
-------------- next part --------------
loglevel 0
### needed for replication of the sub-contexts ###
sizelimit unlimited
include ${LDAPDIR}/backend-schema.schema
pidfile ${LDAPDIR}/slapd.pid
argsfile ${LDAPDIR}/slapd.args
sasl-realm ${DNSDOMAIN}
#authz-regexp
# uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth
# ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
#authz-regexp
# uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
# ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
authz-regexp
        uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
        ldap:///cn=samba??one?(cn=\$1)
authz-regexp
        uid=([^,]*),cn=([^,]*),cn=ntlm,cn=auth
        ldap:///cn=samba??one?(cn=\$1)
access to dn.base=""
        by dn=cn=samba-admin,cn=samba manage
        by anonymous read
        by * read
access to dn.subtree="cn=samba"
        by anonymous auth
access to dn.subtree="${DOMAINDN}"
        by dn=cn=samba-admin,cn=samba manage
        by dn=cn=manager manage
        by * none
password-hash {CLEARTEXT}
include ${LDAPDIR}/modules.conf
defaultsearchbase ${DOMAINDN}
rootdn cn=Manager
${REFINT_CONFIG}
${MEMBEROF_CONFIG}
########################################################
### mmr-specific server-ids/urls (2 node setup)###
########################################################
ServerID 1 "${LDAPSERVER_1}:9000/"
ServerID 2 "${LDAPSERVER_2}:9000/"
########################################################
database ldif
suffix cn=Samba
directory ${LDAPDIR}/db/samba
rootdn cn=Manager,cn=Samba
######################################################################
### cn=schema ###
######################################################################
database hdb
suffix ${SCHEMADN}
rootdn cn=Manager,${SCHEMADN}
rootpw "{SSHA}Pa6ydspJq3+aY/3m6QgK4Ccigf15Crtb"
directory ${LDAPDIR}/db/schema
index objectClass eq
index samAccountName eq
index name eq
index objectCategory eq
index lDAPDisplayName eq
index subClassOf eq
index cn eq
index entryUUID,entryCSN eq
#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
#We only need this for the contextCSN attribute anyway....
overlay syncprov
syncprov-sessionlog 100
## syncprov-checkpoint should not be used with mmr and early ol-2.4 versions
syncrepl rid=1
        provider="${LDAPSERVER_1}:9000/"
        searchbase="${SCHEMADN}"
        bindmethod=simple
        binddn="cn=Manager,${SCHEMADN}"
        credentials="linux"
        type=refreshAndPersist
        retry="10 +"
syncrepl rid=2
        provider="${LDAPSERVER_2}:9000/"
        searchbase="${SCHEMADN}"
        bindmethod=simple
        binddn="cn=Manager,${SCHEMADN}"
        credentials="linux"
        type=refreshAndPersist
        retry="10 +"
MirrorMode On
#####################################################################
######################################################################
### cn=configuration ###
######################################################################
database hdb
suffix ${CONFIGDN}
rootdn cn=Manager,${CONFIGDN}
rootpw "{SSHA}Pa6ydspJq3+aY/3m6QgK4Ccigf15Crtb"
directory ${LDAPDIR}/db/config
index objectClass eq
index samAccountName eq
index name eq
index objectSid eq
index objectCategory eq
index nCName eq
index subClassOf eq
index dnsRoot eq
index nETBIOSName eq
index cn eq
index entryUUID,entryCSN eq
#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
#We only need this for the contextCSN attribute anyway....
overlay syncprov
syncprov-sessionlog 100
## syncprov-checkpoint should not be used with mmr and early ol-2.4 versions
syncrepl rid=3
        provider="${LDAPSERVER_1}:9000/"
        searchbase="${CONFIGDN}"
        bindmethod=simple
        binddn="cn=Manager,${CONFIGDN}"
        credentials="linux"
        type=refreshAndPersist
        retry="10 +"
syncrepl rid=4
        provider="${LDAPSERVER_2}:9000/"
        searchbase="${CONFIGDN}"
        bindmethod=simple
        binddn="cn=Manager,${CONFIGDN}"
        credentials="linux"
        type=refreshAndPersist
        retry="10 +"
MirrorMode On
#####################################################################
######################################################################
### cn=user ###
######################################################################
database hdb
suffix ${DOMAINDN}
rootdn cn=Manager,${DOMAINDN}
rootpw "{SSHA}Pa6ydspJq3+aY/3m6QgK4Ccigf15Crtb"
directory ${LDAPDIR}/db/user
index objectClass eq
index samAccountName eq
index name eq
index objectSid eq
index objectCategory eq
index member eq
index uidNumber eq
index gidNumber eq
index nCName eq
index lDAPDisplayName eq
index subClassOf eq
index dnsRoot eq
index nETBIOSName eq
index cn eq
index entryUUID,entryCSN eq
#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
#We only need this for the contextCSN attribute anyway....
overlay syncprov
syncprov-sessionlog 100
## syncprov-checkpoint should not be used with mmr and early ol-2.4 versions
syncrepl rid=5
        provider="${LDAPSERVER_1}:9000/"
        searchbase="${DOMAINDN}"
        bindmethod=simple
        binddn="cn=Manager,${DOMAINDN}"
        credentials="linux"
        type=refreshAndPersist
        retry="10 +"
syncrepl rid=6
        provider="${LDAPSERVER_2}:9000/"
        searchbase="${DOMAINDN}"
        bindmethod=simple
        binddn="cn=Manager,${DOMAINDN}"
        credentials="linux"
        type=refreshAndPersist
        retry="10 +"
MirrorMode On
#####################################################################
-------------- next part --------------
### needed for replication of the sub-contexts ###
sizelimit unlimited
loglevel 0
include /usr/local/samba/private/ldap/backend-schema.schema
pidfile /usr/local/samba/private/ldap/slapd.pid
argsfile /usr/local/samba/private/ldap/slapd.args
sasl-realm ldap.local.site
#authz-regexp
# uid=([^,]*),cn=ldap.local.site,cn=digest-md5,cn=auth
# ldap:///DC=ldap,DC=local,DC=site??sub?(samAccountName=\$1)
#authz-regexp
# uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
# ldap:///DC=ldap,DC=local,DC=site??sub?(samAccountName=\$1)
authz-regexp
        uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
        ldap:///cn=samba??one?(cn=\$1)
authz-regexp
        uid=([^,]*),cn=([^,]*),cn=ntlm,cn=auth
        ldap:///cn=samba??one?(cn=\$1)
access to dn.base=""
        by dn=cn=samba-admin,cn=samba manage
        by anonymous read
        by * read
access to dn.subtree="cn=samba"
        by anonymous auth
access to dn.subtree="DC=ldap,DC=local,DC=site"
        by dn=cn=samba-admin,cn=samba manage
        by dn=cn=manager manage
        by * none
password-hash {CLEARTEXT}
include /usr/local/samba/private/ldap/modules.conf
defaultsearchbase DC=ldap,DC=local,DC=site
rootdn cn=Manager
## do we need this one (globally) without corresponding suffix ? ###
overlay refint
refint_modifiersName cn=samba-admin,cn=samba
refint_attributes msDS-ObjectReferenceBL msDS-ObjectReference memberOf member siteObjectBL siteObject managedObjects managedBy queryPolicyBL queryPolicyObject masteredBy hasMasterNCs nonSecurityMemberBL nonSecurityMember msDs-masteredBy msDS-hasMasterNCs msCOM-UserLink msCOM-UserPartitionSetLink directReports manager bridgeheadServerListBL bridgeheadTransportList serverReferenceBL serverReference msDS-NonMembersBL msDS-NonMembers
# Generated from schema in /usr/local/samba/private/ldap/schema-tmp.ldb
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad msDS-ObjectReference
memberof-memberof-ad msDS-ObjectReferenceBL
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad member
memberof-memberof-ad memberOf
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad siteObject
memberof-memberof-ad siteObjectBL
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad managedBy
memberof-memberof-ad managedObjects
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad queryPolicyObject
memberof-memberof-ad queryPolicyBL
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad hasMasterNCs
memberof-memberof-ad masteredBy
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad nonSecurityMember
memberof-memberof-ad nonSecurityMemberBL
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad msDS-hasMasterNCs
memberof-memberof-ad msDs-masteredBy
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad msCOM-UserPartitionSetLink
memberof-memberof-ad msCOM-UserLink
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad manager
memberof-memberof-ad directReports
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad bridgeheadTransportList
memberof-memberof-ad bridgeheadServerListBL
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad serverReference
memberof-memberof-ad serverReferenceBL
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad msDS-NonMembers
memberof-memberof-ad msDS-NonMembersBL
memberof-dangling-error 32
######################################################################
### mmr-specific server-ids and urls ###
#
ServerID 1 "ldap://ldapmaster.local.site:9000/"
ServerID 2 "ldap://ldapslave.local.site:9000/"
######################################################################
database ldif
suffix cn=Samba
directory /usr/local/samba/private/ldap/db/samba
rootdn cn=Manager,cn=Samba
######################################################################
### cn=schema ###
######################################################################
database hdb
suffix CN=Schema,CN=Configuration,DC=ldap,DC=local,DC=site
rootdn cn=Manager,CN=Schema,CN=Configuration,DC=ldap,DC=local,DC=site
rootpw "{SSHA}Pa6ydspJq3+aY/3m6QgK4Ccigf15Crtb"
directory /usr/local/samba/private/ldap/db/schema
index objectClass eq
index samAccountName eq
index name eq
index objectCategory eq
index lDAPDisplayName eq
index subClassOf eq
index cn eq
index entryUUID,entryCSN eq
#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
#We only need this for the contextCSN attribute anyway....
overlay syncprov
syncprov-sessionlog 100
# checkpoint should not be used with mmr in ol-versions <=2.4.
# syncprov-checkpoint 100 10
# one syncrepl-block for every involved dc and sub-context, rids must be always unique.
# directives are pre-generated from template, ldap-urls will be filled in from
# the values given in the server-ids above
syncrepl rid=1
        provider="ldap://ldapmaster.local.site:9000/"
        searchbase="CN=Schema,CN=Configuration,DC=ldap,DC=local,DC=site"
        bindmethod=simple
        binddn="cn=Manager,CN=Schema,CN=Configuration,DC=ldap,DC=local,DC=site"
        credentials="linux"
        type=refreshAndPersist
        retry="10 +"
syncrepl rid=2
        provider="ldap://ldapslave.local.site:9000/"
        searchbase="CN=Schema,CN=Configuration,DC=ldap,DC=local,DC=site"
        bindmethod=simple
        binddn="cn=Manager,CN=Schema,CN=Configuration,DC=ldap,DC=local,DC=site"
        credentials="linux"
        type=refreshAndPersist
        retry="10 +"
MirrorMode On
#########################################################################
#########################################################################
### cn=configuration
#########################################################################
database hdb
suffix CN=Configuration,DC=ldap,DC=local,DC=site
rootdn cn=Manager,CN=Configuration,DC=ldap,DC=local,DC=site
rootpw "{SSHA}Pa6ydspJq3+aY/3m6QgK4Ccigf15Crtb"
directory /usr/local/samba/private/ldap/db/config
index objectClass eq
index samAccountName eq
index name eq
index objectSid eq
index objectCategory eq
index nCName eq
index subClassOf eq
index dnsRoot eq
index nETBIOSName eq
index cn eq
index entryUUID,entryCSN eq
#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
#We only need this for the contextCSN attribute anyway....
overlay syncprov
syncprov-sessionlog 100
### see above
# syncprov-checkpoint 100 10
syncrepl rid=3
        provider="ldap://ldapmaster.local.site:9000/"
        searchbase="CN=Configuration,DC=ldap,DC=local,DC=site"
        bindmethod=simple
        binddn="cn=Manager,CN=Configuration,DC=ldap,DC=local,DC=site"
        credentials="linux"
        type=refreshAndPersist
        retry="10 +"
syncrepl rid=4
        provider="ldap://ldapslave.local.site:9000/"
        searchbase="CN=Configuration,DC=ldap,DC=local,DC=site"
        bindmethod=simple
        binddn="cn=Manager,CN=Configuration,DC=ldap,DC=local,DC=site"
        credentials="linux"
        type=refreshAndPersist
        retry="10 +"
MirrorMode On
#########################################################################
#########################################################################
### cn=user
#########################################################################
database hdb
suffix DC=ldap,DC=local,DC=site
rootdn cn=Manager,DC=ldap,DC=local,DC=site
rootpw "{SSHA}Pa6ydspJq3+aY/3m6QgK4Ccigf15Crtb"
directory /usr/local/samba/private/ldap/db/user
index objectClass eq
index samAccountName eq
index name eq
index objectSid eq
index objectCategory eq
index member eq
index uidNumber eq
index gidNumber eq
index nCName eq
index lDAPDisplayName eq
index subClassOf eq
index dnsRoot eq
index nETBIOSName eq
index cn eq
index entryUUID,entryCSN eq
#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
#We only need this for the contextCSN attribute anyway....
overlay syncprov
syncprov-sessionlog 100
### see above
# syncprov-checkpoint 100 10
syncrepl rid=5
        provider="ldap://ldapmaster.local.site:9000/"
        searchbase="DC=ldap,DC=local,DC=site"
        bindmethod=simple
        binddn="cn=Manager,DC=ldap,DC=local,DC=site"
        credentials="linux"
        type=refreshAndPersist
        retry="10 +"
syncrepl rid=6
        provider="ldap://ldapslave.local.site:9000/"
        searchbase="DC=ldap,DC=local,DC=site"
        bindmethod=simple
        binddn="cn=Manager,DC=ldap,DC=local,DC=site"
        credentials="linux"
        type=refreshAndPersist
        retry="10 +"
MirrorMode On
######################################################################
-------------- next part --------------
#!/usr/bin/python
#
# Unix SMB/CIFS implementation.
# provision a Samba4 server
# Copyright (C) Jelmer Vernooij <jelmer at samba.org> 2007-2008
# Copyright (C) Andrew Bartlett <abartlet at samba.org> 2008
#
# Based on the original in EJS:
# Copyright (C) Andrew Tridgell 2005
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import os, sys
sys.path.insert(0, "bin/python")
import getopt
import optparse
import samba
from samba import param
from samba.auth import system_session
import samba.getopt as options
from samba.provision import (provision_backend)

parser = optparse.OptionParser("provision [options]")
sambaopts = options.SambaOptions(parser)
parser.add_option_group(sambaopts)
parser.add_option_group(options.VersionOptions(parser))
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
parser.add_option("--setupdir", type="string", metavar="DIR",
                  help="directory with setup files")
parser.add_option("--realm", type="string", metavar="REALM", help="set realm")
parser.add_option("--domain", type="string", metavar="DOMAIN",
                  help="set domain")
parser.add_option("--host-name", type="string", metavar="HOSTNAME",
                  help="set hostname")
parser.add_option("--ldap-admin-pass", type="string", metavar="PASSWORD",
                  help="choose LDAP admin password (otherwise random)")
parser.add_option("--root", type="string", metavar="USERNAME",
                  help="choose 'root' unix username")
parser.add_option("--quiet", help="Be quiet", action="store_true")
parser.add_option("--ldap-backend-type", type="choice", metavar="LDAP-BACKEND-TYPE",
                  help="LDB mapping module to use for the LDAP backend",
                  choices=["fedora-ds", "openldap"])
parser.add_option("--ldap-backend-port", type="int", metavar="PORT",
                  help="TCP Port LDAP server should listen to (default ldapi only)")
parser.add_option("--server-role", type="choice", metavar="ROLE",
                  choices=["domain controller", "dc", "member server", "member", "standalone"],
                  help="Set server role to provision for (default standalone)")
parser.add_option("--targetdir", type="string", metavar="DIR",
                  help="Set target directory")
# OpenLDAP multi-master replication (MMR) options.  optparse derives the
# attribute name from the option name (--ol-mmr -> opts.ol_mmr), so the
# attribute names read in the provision_backend() call below are fixed
# explicitly with dest= (without it the call raises AttributeError).
parser.add_option("--ol-mmr", type="string", metavar="MMR",
                  dest="ldap_ol_mmr_yesno",
                  help="With OpenLDAP-Multi-Master Replication [=yes/no]")
parser.add_option("--ol-mmr-url1", type="string", metavar="LDAPSERVER_1",
                  dest="ldap_ol_mmr_url1",
                  help="LDAP-URL (DC1) corresponding to Server-ID for use with OpenLDAP-MMR")
parser.add_option("--ol-mmr-url2", type="string", metavar="LDAPSERVER_2",
                  dest="ldap_ol_mmr_url2",
                  help="LDAP-URL (DC2) corresponding to Server-ID for use with OpenLDAP-MMR")
opts = parser.parse_args()[0]

def message(text):
    """print a message if quiet is not set."""
    if not opts.quiet:
        print text

if opts.realm is None or opts.domain is None:
    if opts.realm is None:
        print >>sys.stderr, "No realm set"
    if opts.domain is None:
        print >>sys.stderr, "No domain set"
    parser.print_usage()
    sys.exit(1)

smbconf = sambaopts.get_loadparm().configfile()

if opts.server_role == "dc":
    server_role = "domain controller"
elif opts.server_role == "member":
    server_role = "member server"
else:
    server_role = opts.server_role

setup_dir = opts.setupdir
if setup_dir is None:
    setup_dir = "setup"

# The three ldap_ol_mmr_* keyword arguments are new and must also be added
# to provision_backend() in samba.provision (and its slapd.conf.mmr template).
provision_backend(setup_dir=setup_dir, message=message, smbconf=smbconf, targetdir=opts.targetdir,
                  realm=opts.realm, domain=opts.domain,
                  hostname=opts.host_name,
                  adminpass=opts.ldap_admin_pass,
                  root=opts.root, serverrole=server_role,
                  ldap_backend_type=opts.ldap_backend_type,
                  ldap_backend_port=opts.ldap_backend_port,
                  ldap_ol_mmr_yesno=opts.ldap_ol_mmr_yesno,
                  ldap_ol_mmr_url1=opts.ldap_ol_mmr_url1,
                  ldap_ol_mmr_url2=opts.ldap_ol_mmr_url2)
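The mail proposes generating ServerIDs and rids automatically from the number of DCs, and the attached slapd.conf shows the two-node result by hand (rid=1..6 across the three naming contexts). The following Python 3 script is an added example written for this page; it is not part of the post, of the attachments, or of Samba. It generalises the attachment's layout to N DCs with one global rid counter, and adds a checker that reads a slapd.conf-style text and reports the MMR mistakes that are easy to make when copying blocks by hand: a reused rid, a replicated database without `MirrorMode On` or `overlay syncprov`, or a ServerID URL with no syncrepl consumer in some database. The host names are the ones from the mail; the suffix list, the `REPLACE-ME` credential placeholder and all function names are constructed assumptions.

```python
import re
from itertools import count

# Constructed sample input: the two DC URLs from the mail and the three naming
# contexts the attached slapd.conf replicates, in the attachment's order.
DC_URLS = ["ldap://ldapmaster.local.site", "ldap://ldapslave.local.site"]
SUFFIXES = [
    "CN=Schema,CN=Configuration,DC=ldap,DC=local,DC=site",
    "CN=Configuration,DC=ldap,DC=local,DC=site",
    "DC=ldap,DC=local,DC=site",
]


def render_mmr_config(dc_urls, suffixes, port=9000, credentials="REPLACE-ME"):
    """Return (server_id_lines, {suffix: replication_block}) for N DCs.

    ServerIDs are numbered from 1 in the order the URLs are given.  rids come
    from one counter shared by all databases, so they are unique across the
    whole slapd.conf (the attachment's rid=1..6 is the two-node case).
    Continuation lines are indented because slapd.conf treats a line that
    starts with whitespace as part of the previous directive.
    """
    providers = [f"{url.rstrip('/')}:{port}/" for url in dc_urls]
    server_ids = "\n".join(f'ServerID {i} "{p}"' for i, p in enumerate(providers, 1))
    rid = count(1)
    blocks = {}
    for suffix in suffixes:
        lines = ["overlay syncprov", "syncprov-sessionlog 100"]
        for provider in providers:
            lines += [
                f"syncrepl rid={next(rid)}",
                f'        provider="{provider}"',
                f'        searchbase="{suffix}"',
                "        bindmethod=simple",
                f'        binddn="cn=Manager,{suffix}"',
                f'        credentials="{credentials}"',
                "        type=refreshAndPersist",
                '        retry="10 +"',
            ]
        lines.append("MirrorMode On")
        blocks[suffix] = "\n".join(lines)
    return server_ids, blocks


def build_config(dc_urls, suffixes, **kw):
    """Assemble a minimal slapd.conf body: global ServerIDs, then one hdb
    database per suffix carrying its replication block."""
    server_ids, blocks = render_mmr_config(dc_urls, suffixes, **kw)
    parts = [server_ids]
    for suffix, block in blocks.items():
        parts.append(f"database hdb\nsuffix {suffix}\n{block}")
    return "\n".join(parts) + "\n"


def check_mmr_config(text):
    """Return the list of MMR invariants that `text` (slapd.conf syntax) violates.

    Checked: rids are unique; every database with syncrepl directives also has
    'overlay syncprov' and 'MirrorMode On'; every ServerID URL is a provider in
    each replicated database.  An empty list means all checks passed.
    """
    problems = []
    server_urls = re.findall(r'^ServerID\s+\d+\s+"([^"]+)"', text, re.M)
    rids = re.findall(r"^syncrepl\s+rid=(\d+)", text, re.M)
    dupes = sorted({r for r in rids if rids.count(r) > 1}, key=int)
    if dupes:
        problems.append("duplicate rid(s): " + ", ".join(dupes))
    # Everything before the first 'database' line is the global section.
    for db in re.split(r"^database[ \t]+\S+[ \t]*$", text, flags=re.M)[1:]:
        m = re.search(r"^suffix[ \t]+(.+)$", db, re.M)
        name = m.group(1).strip() if m else "<no suffix>"
        providers = re.findall(r'provider="([^"]+)"', db)
        if not providers:
            continue  # not replicated (like the cn=Samba ldif database)
        if not re.search(r"^mirrormode[ \t]+on", db, re.M | re.I):
            problems.append(f"{name}: syncrepl without 'MirrorMode On'")
        if not re.search(r"^overlay[ \t]+syncprov", db, re.M):
            problems.append(f"{name}: syncrepl without 'overlay syncprov'")
        for url in server_urls:
            if url not in providers:
                problems.append(f"{name}: no syncrepl consumer for ServerID {url}")
    return problems


if __name__ == "__main__":
    good = build_config(DC_URLS, SUFFIXES)
    print(good)
    print("good config problems:", check_mmr_config(good))
    # Two constructed misconfigurations: a reused rid and a dropped MirrorMode.
    bad = good.replace("syncrepl rid=6", "syncrepl rid=5").replace("MirrorMode On", "", 1)
    print("bad config problems:", check_mmr_config(bad))
```

Adding a third URL to `DC_URLS` yields ServerID 3 and rids 1..9 without touching the suffix list, which is the "depending on how many dcs are involved" behaviour the mail asks for; the checker is also usable on the attached slapd.conf itself once its continuation lines are indented.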