[Samba] Samba PDC + OpenLDAP replica
jukka.hienola at helsinki.fi
Fri Nov 4 08:23:43 GMT 2005
I would like to ask you Samba gurus if it is possible to set up Samba
PDC which uses OpenLDAP replica as backend.
I had two separate OpenLDAP master servers (2.2.13-4) for two different
Samba PDC servers (3.0.14a-2) with TLS support in different virtual
networks (VLANs), and all worked fine.
However, I decided that it would be nice (from an administrative point
of view) to have all user/client data on same departmental master
OpenLDAP server, which would work as a backend for division level Samba
PDC servers in different VLANs via LDAP replicas (our department
contains many subdepartments, or divisions, and most of them have their
own VLANs). So, I read Samba documentation and I understood that it is
possible to make such a system, where Samba server uses LDAP replica as
it's backend. First I transferred all user/client data to master LDAP
server, and created a slave server to be used by Samba PDC in different
VLAN. I tested connections with ldapsearch command and all worked well,
and changes written to master directory are propagated to slave server's
LDAP directory. Both servers are configured to use TLS transport, and
both server's have their own CA signed certificate files.
But when I tried to set up my division level Samba server to use replica
as it's backend, I got an error that Samba can't connect to replica's
directory. In log files I have messages like
slave.server.net smbd: Failed to issue the StartTLS instruction:
whenever I try to e.g. login to slave.server.net's Samba service. SSH
logins work fine (for SSH logins my slave uses also LDAP directory
replica). So my guess is that this has something to do with certificate
files. I don't understand what it could be, because I can browse LDAP
directory fine with e.g. ldapsearch command on both master and slave,
and logins with SSH work.
So to my question. What certificate files Samba is using in order to
make TLS connections to replica server? I understand they should be
certificate files for my slave server, if Samba is using replica as it's
backend. Or is it possible at all (or even reasonable) to use LDAP
replica as a backend for Samba PDC server? Should it be BDC server
instead of PDC? Should I set up one departmental level master server
with master LDAP and Samba PDC, and many LDAP slaves (replicas) with
Samba BDCs? But in this case the different VLANs are coing to be a
problem for traffic between Samba PDC and BDCs, or so I have understood,
since switches connecting different VLANs don't route NetBIOS traffic.
And I have no administrative rights to make any changes to their
configuration. So, is it possible at all to make Samba to use LDAP
replica as it's backend?
University of Helsinki
More information about the samba