[Samba] Samba PDC + OpenLDAP replica
Andrew Bartlett
abartlet at samba.org
Fri Nov 4 12:15:48 GMT 2005
On Fri, 2005-11-04 at 10:23 +0200, Jukka Hienola wrote:
> Hi!
>
> I would like to ask you Samba gurus if it is possible to set up Samba
> PDC which uses OpenLDAP replica as backend.
Yes.
> I had two separate OpenLDAP master servers (2.2.13-4) for two different
> Samba PDC servers (3.0.14a-2) with TLS support in different virtual
> networks (VLANs), and all worked fine.
>
> However, I decided that it would be nice (from an administrative point
> of view) to have all user/client data on same departmental master
> OpenLDAP server, which would work as a backend for division level Samba
> PDC servers in different VLANs via LDAP replicas (our department
> contains many subdepartments, or divisions, and most of them have their
> own VLANs). So, I read Samba documentation and I understood that it is
> possible to make such a system, where Samba server uses LDAP replica as
> its backend. First I transferred all user/client data to master LDAP
> server, and created a slave server to be used by Samba PDC in different
> VLAN. I tested connections with ldapsearch command and all worked well,
> and changes written to master directory are propagated to slave server's
> LDAP directory. Both servers are configured to use TLS transport, and
> both servers have their own CA signed certificate files.
Self-signed, or a CA shared for your organisation?
> But when I tried to set up my division level Samba server to use replica
> as its backend, I got an error that Samba can't connect to replica's
> directory. In log files I have messages like
>
> slave.server.net smbd: Failed to issue the StartTLS instruction:
> Connect error
This is an SSL layer problem. Are all the certificates correct?
> whenever I try to e.g. login to slave.server.net's Samba service. SSH
> logins work fine (for SSH logins my slave uses also LDAP directory
> replica). So my guess is that this has something to do with certificate
> files. I don't understand what it could be, because I can browse LDAP
> directory fine with e.g. ldapsearch command on both master and slave,
> and logins with SSH work.
>
> So to my question. What certificate files is Samba using in order to
> make TLS connections to replica server? I understand they should be
> certificate files for my slave server, if Samba is using replica as its
> backend.
It may be that a modification requested by the smbd normally attached to
the slave is requiring a rebind to the master. Check connections to the
master with ldapsearch.
> Or is it possible at all (or even reasonable) to use LDAP
> replica as a backend for Samba PDC server?
Yes.
> Should it be BDC server
> instead of PDC?
There should be one PDC per isolated netbios namespace.
> Should I set up one departmental level master server
> with master LDAP and Samba PDC, and many LDAP slaves (replicas) with
> Samba BDCs? But in this case the different VLANs are going to be a
> problem for traffic between Samba PDC and BDCs, or so I have understood,
> since switches connecting different VLANs don't route NetBIOS traffic.
Samba doesn't do netbios between its various DCs, but clients will want
to see one PDC per netbios scope.
> And I have no administrative rights to make any changes to their
> configuration. So, is it possible at all to make Samba use LDAP
> replica as its backend?
Yes. This is reasonable and regularly implemented.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
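The reply above points at the SSL layer and at a possible rebind to the master. The following diagnostic script is an added example for this thread, not something posted by either participant. It reads the LDAP URI and `ldap ssl` setting out of the smb.conf on the Samba host, then exercises StartTLS against each LDAP server with `ldapsearch -ZZ`, which uses the same libldap client configuration (`TLS_CACERT` and `TLS_REQCERT` in ldap.conf) that smbd does, so a failure here reproduces the "Failed to issue the StartTLS instruction" error outside Samba. It also lets you pass the master's hostname as a second argument so the master is checked from the slave host, since a slave configured with `updateref` hands writes back to the master and smbd then has to complete a TLS handshake with it as well. Host names (`slave.server.net`, `master.server.net`) and the smb.conf path are placeholders; `openssl s_client -starttls ldap` needs OpenSSL 1.1.0 or newer.

```shell
#!/bin/sh
# Added diagnostic for the StartTLS failure discussed in the thread (example
# code, not from the thread). Run on the Samba PDC host that points at the
# replica, for example:  sh ldap_tls_check.sh /etc/samba/smb.conf master.server.net

# Print the ldap:// URIs from the "passdb backend = ldapsam:..." line, one per line.
samba_ldap_uris() {
    # $1 = path to smb.conf
    sed -n 's/^[[:space:]]*passdb backend[[:space:]]*=[[:space:]]*ldapsam:\(.*\)$/\1/p' "$1" \
        | tr ' ' '\n' | sed '/^$/d'
}

# Print the "ldap ssl" value (Samba 3 expects "start tls" for StartTLS on port 389).
samba_ldap_ssl_mode() {
    sed -n 's/^[[:space:]]*ldap ssl[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Reduce "ldap://host:port/" to "host".
uri_host() {
    printf '%s\n' "$1" | sed -e 's#^ldaps\{0,1\}://##' -e 's#[:/].*$##'
}

# Exercise StartTLS the way smbd does: -ZZ makes ldapsearch fail if TLS cannot be
# established, and the anonymous base search only reads the root DSE.
check_starttls() {
    # $1 = host
    if out=$(ldapsearch -x -H "ldap://$1" -ZZ -b '' -s base '(objectClass=*)' namingContexts 2>&1); then
        echo "PASS StartTLS to $1"
    else
        echo "FAIL StartTLS to $1:"
        printf '%s\n' "$out" | sed 's/^/    /'
        return 1
    fi
}

# Show subject, issuer and validity of the certificate the server presents, so it
# can be compared with the CA listed as TLS_CACERT in ldap.conf on this host.
show_server_cert() {
    openssl s_client -connect "$1:389" -starttls ldap </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Check every LDAP server named in smb.conf plus an optional extra host (the master).
check_all() {
    conf=$1
    extra=${2:-}
    mode=$(samba_ldap_ssl_mode "$conf")
    echo "ldap ssl = ${mode:-<unset>}"
    [ "$mode" = "start tls" ] || echo "note: smbd will not use StartTLS unless 'ldap ssl = start tls'"
    rc=0
    for uri in $(samba_ldap_uris "$conf") $extra; do
        h=$(uri_host "$uri")
        check_starttls "$h" || rc=1
        show_server_cert "$h" | sed 's/^/    /'
    done
    return $rc
}

# Only run the network checks when a config path is given on the command line.
if [ -n "${1:-}" ]; then
    check_all "$1" "${2:-}"
fi
```

A PASS against the replica but a FAIL against the master matches the rebind explanation in the reply; a FAIL against the replica alone means the certificate chain on the Samba host itself is the problem.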