[Samba] Samba PDC + OpenLDAP replica
Jukka Hienola
jukka.hienola at helsinki.fi
Fri Nov 4 08:23:43 GMT 2005
Hi!
I would like to ask you Samba gurus if it is possible to set up a Samba
PDC which uses an OpenLDAP replica as backend.
I had two separate OpenLDAP master servers (2.2.13-4) for two different
Samba PDC servers (3.0.14a-2) with TLS support in different virtual
networks (VLANs), and all worked fine.
However, I decided that it would be nice (from an administrative point
of view) to have all user/client data on the same departmental master
OpenLDAP server, which would work as a backend for division-level Samba
PDC servers in different VLANs via LDAP replicas (our department
contains many subdepartments, or divisions, and most of them have their
own VLANs). So, I read the Samba documentation and I understood that it is
possible to make such a system, where the Samba server uses an LDAP replica as
its backend. First I transferred all user/client data to the master LDAP
server, and created a slave server to be used by the Samba PDC in a different
VLAN. I tested connections with the ldapsearch command and all worked well,
and changes written to the master directory are propagated to the slave server's
LDAP directory. Both servers are configured to use TLS transport, and
both servers have their own CA-signed certificate files.
But when I tried to set up my division-level Samba server to use the replica
as its backend, I got an error that Samba can't connect to the replica's
directory. In the log files I have messages like
slave.server.net smbd: Failed to issue the StartTLS instruction:
Connect error
whenever I try to e.g. log in to slave.server.net's Samba service. SSH
logins work fine (my slave also uses the LDAP directory replica for SSH
logins). So my guess is that this has something to do with the certificate
files. I don't understand what it could be, because I can browse the LDAP
directory fine with e.g. the ldapsearch command on both master and slave,
and logins with SSH work.
So to my question. What certificate files is Samba using in order to
make TLS connections to the replica server? I understand they should be
the certificate files for my slave server, if Samba is using the replica as its
backend. Or is it possible at all (or even reasonable) to use an LDAP
replica as a backend for a Samba PDC server? Should it be a BDC server
instead of a PDC? Should I set up one departmental-level master server
with master LDAP and Samba PDC, and many LDAP slaves (replicas) with
Samba BDCs? But in this case the different VLANs are going to be a
problem for traffic between the Samba PDC and BDCs, or so I have understood,
since the switches connecting the different VLANs don't route NetBIOS traffic.
And I have no administrative rights to make any changes to their
configuration. So, is it possible at all to make Samba use an LDAP
replica as its backend?
Jukka Hienola
University of Helsinki
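An added diagnostic example, not part of the original post or of Samba itself. Samba's ldapsam backend talks to the directory through the OpenLDAP client library (libldap), so the trust anchor it uses to verify the replica's certificate during StartTLS comes from the system ldap.conf (TLS_CACERT or TLS_CACERTDIR, with TLS_REQCERT defaulting to demand), not from anything in smb.conf; smb.conf only turns StartTLS on with `ldap ssl = start tls` and names the server in `passdb backend = ldapsam:ldap://...`. Two things are easy to miss: a working SSH login through nss_ldap/pam_ldap proves nothing about libldap's config, because those modules read their own /etc/ldap.conf (with their own `tls_cacertfile` setting), and a working ldapsearch as an ordinary user may be picking up a ~/.ldaprc that root's smbd never sees. Also, with TLS_REQCERT demand the name in the ldap:// URI must match the CN or subjectAltName in the replica's certificate. The script below first checks the ldap.conf smbd will use, then runs the same mandatory-StartTLS query as smbd through ldapsearch -ZZ, and prints the names in the certificate the replica actually presents. The config path, host name and port are assumptions passed as arguments; the openssl step needs OpenSSL 1.1.1 or later for `-starttls ldap` and `-ext`.

```shell
#!/bin/sh
# ldap-tls-check.sh: check the libldap TLS trust configuration that smbd
# will use, then exercise StartTLS against a replica the same way smbd does.
# Added example; assumes /etc/openldap/ldap.conf as the default config path
# (Debian-derived systems use /etc/ldap/ldap.conf; pass it as the 2nd argument).
#
# Usage: sh ldap-tls-check.sh REPLICA_HOST [ldap.conf]

# conf_value FILE KEYWORD
# Print the value of the last uncommented KEYWORD line in an ldap.conf.
# libldap matches keywords case-insensitively, so "tls_cacert" works too.
conf_value() {
    awk -v key="$2" 'toupper($1) == key { v = $2 } END { print v }' "$1"
}

# check_ldap_tls_conf FILE
# Returns 0 when a usable trust anchor is configured, 1 otherwise.
# Warns when TLS_REQCERT disables verification (the handshake would then
# succeed, but the replica's identity is never checked).
check_ldap_tls_conf() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "ERROR: cannot read $conf" >&2
        return 1
    fi
    cacert=$(conf_value "$conf" TLS_CACERT)
    cadir=$(conf_value "$conf" TLS_CACERTDIR)
    reqcert=$(conf_value "$conf" TLS_REQCERT)
    rc=0
    if [ -z "$cacert" ] && [ -z "$cadir" ]; then
        echo "ERROR: $conf sets neither TLS_CACERT nor TLS_CACERTDIR;" \
             "libldap cannot verify the replica's certificate" >&2
        rc=1
    fi
    if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "ERROR: TLS_CACERT $cacert is not readable" >&2
        rc=1
    fi
    if [ -n "$cadir" ] && [ ! -d "$cadir" ]; then
        echo "ERROR: TLS_CACERTDIR $cadir is not a directory" >&2
        rc=1
    fi
    case "${reqcert:-demand}" in
        never|allow)
            echo "WARNING: TLS_REQCERT $reqcert turns off certificate verification" >&2 ;;
    esac
    return $rc
}

# starttls_check HOST [FILE]
# Mandatory StartTLS (-ZZ) with simple anonymous bind against the root DSE,
# using exactly the config file given via LDAPCONF. A certificate failure
# here reproduces smbd's "Failed to issue the StartTLS instruction".
# Add -d 1 to ldapsearch to see the underlying TLS error text.
starttls_check() {
    LDAPCONF="${2:-/etc/openldap/ldap.conf}" \
        ldapsearch -ZZ -x -H "ldap://$1" -b '' -s base '(objectClass=*)' namingContexts
}

# show_replica_cert HOST [PORT]
# Print subject and subjectAltName of the certificate the replica presents
# on its StartTLS port, to compare with the host name in the ldap:// URI.
show_replica_cert() {
    openssl s_client -starttls ldap -connect "$1:${2:-389}" -servername "$1" \
        </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
}

if [ $# -ge 1 ]; then
    conf="${2:-/etc/openldap/ldap.conf}"
    check_ldap_tls_conf "$conf" && starttls_check "$1" "$conf"
    echo "--- certificate presented by $1 ---"
    show_replica_cert "$1"
fi
```

The config check runs as whichever user invokes it; to see what smbd sees, run it as root with the same ldap.conf, since TLS_CACERT must be readable by the smbd process and root ignores ~/.ldaprc only if HOME points elsewhere.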