LDAP Synchronization

Robert Colquhoun robert.colquhoun at gmail.com
Fri Jun 22 01:09:46 MDT 2012

 On Wed, Jun 20, 2012 at 6:24 AM, Adam Tauno Williams
<awilliam at whitemice.org> wrote:
> Please *do* report any issues and work-arounds you encounter.

Had some other issues with ntp (minor), bind and idmap.

Our current environment is Samba 3 & OpenLDAP, all on mainly RHEL5 systems.

Trying to migrate to RHEL6 with a Samba 4 domain controller and Samba 3
file and print servers.

Firstly, with ntp I downloaded 4.2.6p5 from ntp.org to replace the
RHEL6 default 4.2.4p5. Apart from removing the Red Hat patches, the diff
for the spec file was much simpler than the HOWTO indicated:

diff ntp.spec.orig ntp.spec
< Version: 4.2.4p8
> Version: 4.2.6p5
<       --enable-linuxcaps
>       --enable-linuxcaps --enable-ntp-signd
> %{_sbindir}/sntp
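Review bot: the hunks carry no line context (plain `diff` output rather than `diff -u`), so none of the three changes can be placed within the spec file; regenerate with `diff -u ntp.spec.orig ntp.spec` so the surroundings of the `Version:` line, the configure-flags line (`--enable-linuxcaps --enable-ntp-signd`) and the new `%{_sbindir}/sntp` file-list entry are visible. The old `Version: 4.2.4p8` line also does not match the 4.2.4p5 the text names as the RHEL6 default; state which SRPM was actually patched.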

DNS was a bit more difficult.  RHEL6 defaulted to a modified 9.7.0,
which didn't work.  I was going to rebuild 9.9 from source, but was
nervous about getting the build right.  Instead, as a temporary
measure, I found a 9.9.0 RPM in the CentALT repository, which I used
and which worked.

Previously all our systems have been installed with bind in a chrooted
configuration.  The samba-dlz module didn't really like the chroot
environment.  Basically I had to map a Samba internal directory and
the system lib directories back in:

i.e. /etc/fstab:
/usr/local/samba/lib/      /var/named/chroot/usr/local/samba/lib/      auto  bind  0 0
/usr/local/samba/private/  /var/named/chroot/usr/local/samba/private/  auto  bind  0 0
/lib64/                    /var/named/chroot/lib64/                    auto  bind  0 0
/usr/lib64/                /var/named/chroot/usr/lib64/                auto  bind  0 0

Not sure if I should abandon the chroot altogether or whether there is
a way to build the samba-dlz module so that not so much of the machine
is opened up.  Possibly the HOWTO should say something about this; I
think bind in a chroot is pretty common, even if the advice is simply
"don't do it".

Just as I write this I notice Red Hat has updated their repositories
to RHEL6.3, which appears to include bind 9.8.0; not sure if this is
suitable for use with Samba 4?

Finally, idmap... we have an environment with lots of Unix applications
which depend on a consistent uid and gid mapping for each user and
group.  To get this working I first had to write ldbmodify scripts to
fix idmap.ldb so that the entries present in there were consistent
with the currently installed OpenLDAP system.  "samba-tool user create"
did not seem to have the ability to manually specify these values when
creating/synchronizing users from the existing OpenLDAP system.

Secondly, once the above was done, I realized I had to create a
separate idmap OU in the current OpenLDAP system for Samba 3 winbind
to use on each of the file servers.  I am nervous that the different
idmap systems between Samba 3, Samba 4 and the original OpenLDAP
(where uid/gid is stored RFC 2307 style) will become inconsistent and
cause problems (i.e. users and/or applications will lose access to
their files).

 - Robert
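The idmap.ldb fix-up described in the message above, as an added example that is not part of the original post and not Samba's own code: it takes the uidNumber/gidNumber values an RFC 2307 OpenLDAP tree already uses, compares them with what idmap.ldb currently holds, and emits LDIF for ldbmodify. It assumes the idmap.ldb layout noted in the docstring (entries named CN=<SID> with objectClass sidMap, objectSid, type and xidNumber; a CN=CONFIG entry carrying lowerBound, upperBound and the allocator's next-free xidNumber) and an assumed rule about which entries may share a number; verify both against your own ldbsearch output before applying anything. The SIDs and numbers in the sample are constructed.

```python
"""Pin Samba 4 idmap.ldb xidNumber values to the uidNumber/gidNumber an existing
RFC 2307 OpenLDAP tree already uses, by generating LDIF for ldbmodify.

Added example, not code from the original post or from Samba.  It assumes the
idmap.ldb layout below; check it against your own
`ldbsearch -H /usr/local/samba/private/idmap.ldb` output before applying:
  * mapping entries: dn CN=<SID>, objectClass sidMap, objectSid, xidNumber and
    type (ID_TYPE_UID / ID_TYPE_GID / ID_TYPE_BOTH);
  * CN=CONFIG: lowerBound, upperBound and xidNumber (the next xid the
    allocator will hand out).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

UID, GID, BOTH = "ID_TYPE_UID", "ID_TYPE_GID", "ID_TYPE_BOTH"


@dataclass(frozen=True)
class Mapping:
    sid: str   # Windows SID of the user or group
    xid: int   # uidNumber/gidNumber taken from OpenLDAP
    kind: str  # UID, GID or BOTH


def conflicts(mappings: Iterable[Mapping]) -> List[Tuple[Mapping, Mapping]]:
    """Pairs of mappings that cannot coexist in one idmap.ldb.

    Assumption: a UID entry and a GID entry may share a number (the usual
    uid == gid user-private-group layout in OpenLDAP), but an ID_TYPE_BOTH
    entry answers both lookups and so collides with anything on that number.
    """
    by_xid: Dict[int, List[Mapping]] = {}
    for m in mappings:
        by_xid.setdefault(m.xid, []).append(m)
    bad: List[Tuple[Mapping, Mapping]] = []
    for group in by_xid.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if a.kind == b.kind or BOTH in (a.kind, b.kind):
                    bad.append((a, b))
    return bad


def idmap_ldif(desired: Iterable[Mapping], existing: Dict[str, int],
               lower: int, upper: int, next_free: int) -> str:
    """Return LDIF that makes idmap.ldb agree with `desired`.

    existing             : SID -> xidNumber currently stored in idmap.ldb
    lower/upper/next_free: CN=CONFIG lowerBound, upperBound, xidNumber
    Entries already present get a replace, missing ones an add, and the
    allocator counter is moved past any pinned xid inside its window so a
    later automatic allocation cannot hand the same number to someone else.
    """
    desired = list(desired)
    clash = conflicts(desired)
    if clash:
        raise ValueError("conflicting xidNumbers: %r" % clash)
    records: List[str] = []
    for m in desired:
        if m.sid in existing:
            if existing[m.sid] == m.xid:
                continue  # already consistent, nothing to write
            records.append(f"dn: CN={m.sid}\nchangetype: modify\n"
                           f"replace: xidNumber\nxidNumber: {m.xid}\n-\n")
        else:
            records.append(f"dn: CN={m.sid}\nchangetype: add\ncn: {m.sid}\n"
                           f"objectClass: sidMap\nobjectSid: {m.sid}\n"
                           f"type: {m.kind}\nxidNumber: {m.xid}\n")
    in_window = [m.xid for m in desired if lower <= m.xid <= upper]
    if in_window and max(in_window) >= next_free:
        records.append("dn: CN=CONFIG\nchangetype: modify\nreplace: xidNumber\n"
                       f"xidNumber: {max(in_window) + 1}\n-\n")
    return "\n".join(records)


if __name__ == "__main__":
    # Constructed sample: SIDs with numbers taken from OpenLDAP, plus the xids
    # Samba 4 had already allocated on its own (3000001 and so on).
    dom = "S-1-5-21-1111-2222-3333"
    wanted = [Mapping(f"{dom}-1103", 1000, UID),
              Mapping(f"{dom}-513", 1000, GID),
              Mapping(f"{dom}-1104", 3000005, UID)]
    current = {f"{dom}-1103": 3000001, f"{dom}-1104": 3000005}
    print(idmap_ldif(wanted, current, 3000000, 4000000, 3000003))
```

Run it with the real values (the `existing` map from an ldbsearch over `(objectClass=sidMap)`, the three CN=CONFIG numbers from the same database), stop on any ValueError rather than applying a partial file, and feed the output to `ldbmodify -H /usr/local/samba/private/idmap.ldb`. The CN=CONFIG bump is the part most easily forgotten by hand-written scripts: without it the allocator can later give a freshly created user a number that has already been pinned to somebody else, which is exactly the file-access inconsistency the message worries about.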

More information about the samba-technical mailing list