[Samba] Samba PDC + OpenLDAP replica
abartlet at samba.org
Fri Nov 4 12:15:48 GMT 2005
On Fri, 2005-11-04 at 10:23 +0200, Jukka Hienola wrote:
> I would like to ask you Samba gurus if it is possible to set up Samba
> PDC which uses OpenLDAP replica as backend.
> I had two separate OpenLDAP master servers (2.2.13-4) for two different
> Samba PDC servers (3.0.14a-2) with TLS support in different virtual
> networks (VLANs), and all worked fine.
> However, I decided that it would be nice (from an administrative point
> of view) to have all user/client data on same departmental master
> OpenLDAP server, which would work as a backend for division level Samba
> PDC servers in different VLANs via LDAP replicas (our department
> contains many subdepartments, or divisions, and most of them have their
> own VLANs). So, I read Samba documentation and I understood that it is
> possible to make such a system, where Samba server uses LDAP replica as
> it's backend. First I transferred all user/client data to master LDAP
> server, and created a slave server to be used by Samba PDC in different
> VLAN. I tested connections with ldapsearch command and all worked well,
> and changes written to master directory are propagated to slave server's
> LDAP directory. Both servers are configured to use TLS transport, and
> both server's have their own CA signed certificate files.
Self-signed, or a CA shared for your organisation?
> But when I tried to set up my division level Samba server to use replica
> as it's backend, I got an error that Samba can't connect to replica's
> directory. In log files I have messages like
> slave.server.net smbd: Failed to issue the StartTLS instruction:
> Connect error
This is an SSL layer problem. Are all the certificates correct?
> whenever I try to e.g. login to slave.server.net's Samba service. SSH
> logins work fine (for SSH logins my slave uses also LDAP directory
> replica). So my guess is that this has something to do with certificate
> files. I don't understand what it could be, because I can browse LDAP
> directory fine with e.g. ldapsearch command on both master and slave,
> and logins with SSH work.
> So to my question. What certificate files Samba is using in order to
> make TLS connections to replica server? I understand they should be
> certificate files for my slave server, if Samba is using replica as it's
It may be that a modification requested by the smbd normally attached to
the slave is requiring a rebind to the master. Check connections to the
master with ldapsearch.
> Or is it possible at all (or even reasonable) to use LDAP
> replica as a backend for Samba PDC server?
> Should it be BDC server
> instead of PDC?
There should be one PDC per isolated netbios namespace.
> Should I set up one departmental level master server
> with master LDAP and Samba PDC, and many LDAP slaves (replicas) with
> Samba BDCs? But in this case the different VLANs are coing to be a
> problem for traffic between Samba PDC and BDCs, or so I have understood,
> since switches connecting different VLANs don't route NetBIOS traffic.
Samba doesn't do netbios between it's various DCs, but clients will want
to see one PDC per netbios scope.
> And I have no administrative rights to make any changes to their
> configuration. So, is it possible at all to make Samba to use LDAP
> replica as it's backend?
Yes. This is reasonable and regularly implemented.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20051104/007a3dc4/attachment.bin
More information about the samba