[Samba] Samba PDC + OpenLDAP replica

Jukka Hienola jukka.hienola at hitsyscon.com
Fri Nov 4 15:50:11 GMT 2005

Dear all,

I'm sorry if I posted this reply twice, but I had to leave my office in a 
hurry and I'm not sure if I already did reply to Andrew's reply to my
original message...

>On Fri, Nov  4 12:15:48 GMT 2005, Andrew Bartlett wrote:
>>On Fri, 2005-11-04 at 10:23 +0200, Jukka Hienola wrote:
>> I had two separate OpenLDAP master servers (2.2.13-4) for two different 
>> Samba PDC servers (3.0.14a-2) with TLS support in different virtual 
>> networks (VLANs), and all worked fine.
>> However, I decided that it would be nice (from an administrative point 
>> of view) to have all user/client data on the same departmental master 
>> OpenLDAP server, which would work as a backend for division level Samba 
>> PDC servers in different VLANs via LDAP replicas (our department 
>> contains many subdepartments, or divisions, and most of them have their 
>> own VLANs). So, I read the Samba documentation and I understood that it is 
>> possible to make such a system, where the Samba server uses an LDAP replica as 
>> its backend. First I transferred all user/client data to the master LDAP 
>> server, and created a slave server to be used by the Samba PDC in a different 
>> VLAN. I tested connections with the ldapsearch command and all worked well, 
>> and changes written to the master directory are propagated to the slave server's 
>> LDAP directory. Both servers are configured to use TLS transport, and 
>> both servers have their own CA-signed certificate files.
>Self-signed, or a CA shared for your organisation?

Certificates are signed by the local CA at our university. So they are not self-signed certificates.

>> But when I tried to set up my division level Samba server to use the replica 
>> as its backend, I got an error that Samba can't connect to the replica's 
>> directory. In the log files I have messages like
>>   slave.server.net smbd:   Failed to issue the StartTLS instruction: 
>> Connect error
>This is an SSL layer problem.  Are all the certificates correct?

I'm pretty sure, since I have used them successfully for two months so far. However, I made
changes to my master/slave TLS configuration. Now I get different errors when Samba is
trying to bind to the replica's LDAP directory. The errors look like

Nov  4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 2] lib/smbldap.c:smbldap_open_connection(692)
Nov  4 17:37:39 slave smbd[18093]:   smbldap_open_connection: connection opened
Nov  4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 0] lib/smbldap.c:fetch_ldap_pw(312)
Nov  4 17:37:39 slave smbd[18093]:   fetch_ldap_pw: neither ldap secret retrieved!
Nov  4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 0] lib/smbldap.c:smbldap_connect_system(813)
Nov  4 17:37:39 slave smbd[18093]:   ldap_connect_system: Failed to retrieve password from secrets.tdb
Nov  4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 0] lib/smbldap.c:smbldap_search_suffix(1176)
Nov  4 17:37:39 slave smbd[18093]:   smbldap_search_suffix: Problem during the LDAP search: (unknown) (Timed out)
Nov  4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 2] auth/auth.c:check_ntlm_password(312)
Nov  4 17:37:39 slave smbd[18093]:   check_ntlm_password:  Authentication for user [dummy] -> [dummy] FAILED with error NT_STATUS_NO_SUCH_USER

so I assume that Samba can now bind to the LDAP directory, but fails when trying to get the user's data. I don't know
why Samba is trying to retrieve data from secrets.tdb, because in smb.conf I have set 

passdb backend = ldapsam:"ldap://slave.ldap.server ldap://master.ldap.server"

and Samba is running on slave.ldap.server. Server slave has slapd configured as a 
replica server. With the ldapsearch command I can access the data in the directory. 

>> whenever I try to e.g. login to slave.server.net's Samba service. SSH 
>> logins work fine (for SSH logins my slave also uses the LDAP directory 
>> replica). So my guess is that this has something to do with the certificate 
>> files. I don't understand what it could be, because I can browse the LDAP 
>> directory fine with e.g. the ldapsearch command on both master and slave, 
>> and logins with SSH work.
>> So to my question. What certificate files is Samba using in order to 
>> make TLS connections to the replica server? I understand they should be 
>> the certificate files for my slave server, if Samba is using the replica as its 
>> backend. 
>It may be that a modification requested by the smbd normally attached to
>the slave is requiring a rebind to the master.  Check connections to the
>master with ldapsearch.

With ldapsearch connections work ok, so I still assume that I have something
wrong in my Samba configuration. 

>> Should it be a BDC server 
>> instead of a PDC? 
>There should be one PDC per isolated netbios namespace.


>> Should I set up one departmental level master server 
>> with the master LDAP and Samba PDC, and many LDAP slaves (replicas) with 
>> Samba BDCs? But in this case the different VLANs are going to be a 
>> problem for traffic between the Samba PDC and BDCs, or so I have understood, 
>> since switches connecting different VLANs don't route NetBIOS traffic. 
>Samba doesn't do netbios between its various DCs, but clients will want
>to see one PDC per netbios scope.


>> And I have no administrative rights to make any changes to their 
>> configuration. So, is it possible at all to make Samba use an LDAP 
>> replica as its backend?
>Yes.  This is reasonable and regularly implemented.

Well, that's good to hear. So I still have some hope :)

Jukka Hienola
University of Helsinki
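The smbd log excerpt in the message above is a common triage case: the `fetch_ldap_pw` / "Failed to retrieve password from secrets.tdb" lines mean smbd has no stored bind password for its `ldap admin dn` on that host (Samba 3 stores it in secrets.tdb via `smbpasswd -w`), and the search timeout and NT_STATUS_NO_SUCH_USER that follow are consequences of that, not evidence that the account is missing from the directory. The parser below is an added example, not code from the thread or from the Samba project: it splits the two-line smbd debug format (header `[date, level] file:function(line)` followed by an indented message), strips an optional syslog prefix, and classifies the posted lines. The sample log is the one quoted in the mail; the rule table and finding names are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the smbd lines quoted in the mail above, syslog prefix included.
SAMPLE_LOG = """\
Nov  4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 2] lib/smbldap.c:smbldap_open_connection(692)
Nov  4 17:37:39 slave smbd[18093]:   smbldap_open_connection: connection opened
Nov  4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 0] lib/smbldap.c:fetch_ldap_pw(312)
Nov  4 17:37:39 slave smbd[18093]:   fetch_ldap_pw: neither ldap secret retrieved!
Nov  4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 0] lib/smbldap.c:smbldap_connect_system(813)
Nov  4 17:37:39 slave smbd[18093]:   ldap_connect_system: Failed to retrieve password from secrets.tdb
Nov  4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 0] lib/smbldap.c:smbldap_search_suffix(1176)
Nov  4 17:37:39 slave smbd[18093]:   smbldap_search_suffix: Problem during the LDAP search: (unknown) (Timed out)
Nov  4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 2] auth/auth.c:check_ntlm_password(312)
Nov  4 17:37:39 slave smbd[18093]:   check_ntlm_password:  Authentication for user [dummy] -> [dummy] FAILED with error NT_STATUS_NO_SUCH_USER
"""

# Optional syslog prefix ("Nov  4 17:37:39 slave smbd[18093]: "); absent when reading log.smbd directly.
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ smbd\[\d+\]: ")
# smbd debug header: [YYYY/MM/DD HH:MM:SS, level] source-file:function(line)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (?P<level>\d+)\] "
    r"(?P<file>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)


@dataclass
class SmbdEntry:
    timestamp: str
    level: int
    source_file: str
    function: str
    source_line: int
    message: str = ""


def parse_smbd_log(text: str) -> List[SmbdEntry]:
    """Pair each smbd header line with the indented message line(s) that follow it."""
    entries: List[SmbdEntry] = []
    for raw in text.splitlines():
        line = SYSLOG_PREFIX.sub("", raw, count=1)
        m = HEADER.match(line)
        if m:
            entries.append(SmbdEntry(m["ts"], int(m["level"]), m["file"], m["func"], int(m["line"])))
        elif entries and line.strip():
            e = entries[-1]
            e.message = (e.message + " " + line.strip()).strip()
    return entries


# Hypothetical rule table (this example's own): header function, message substring, finding id.
RULES = [
    ("fetch_ldap_pw", "neither ldap secret retrieved", "ldap_secret_missing"),
    ("smbldap_connect_system", "Failed to retrieve password from secrets.tdb", "ldap_secret_missing"),
    ("smbldap_search_suffix", "Timed out", "ldap_search_timeout"),
    ("check_ntlm_password", "NT_STATUS_NO_SUCH_USER", "auth_no_such_user"),
]

EXPLANATIONS: Dict[str, str] = {
    "ldap_secret_missing": "no bind password for 'ldap admin dn' in this host's secrets.tdb; "
                           "store it with 'smbpasswd -w' on the host running smbd",
    "ldap_search_timeout": "the search against the passdb suffix failed, so no account data was read",
    "auth_no_such_user": "NT_STATUS_NO_SUCH_USER here follows the failed search; "
                         "it does not prove the account is absent from the directory",
}


def diagnose(entries: List[SmbdEntry]) -> List[str]:
    """Return finding ids in the order they first appear in the log."""
    findings: List[str] = []
    for e in entries:
        for func, needle, finding in RULES:
            if e.function == func and needle in e.message and finding not in findings:
                findings.append(finding)
    return findings


def root_cause(findings: List[str]) -> str:
    """Pick the earliest-in-chain finding: a missing secret explains the later failures."""
    for candidate in ("ldap_secret_missing", "ldap_search_timeout", "auth_no_such_user"):
        if candidate in findings:
            return candidate
    return "none"


def report(text: str) -> str:
    findings = diagnose(parse_smbd_log(text))
    lines = [f"{f}: {EXPLANATIONS[f]}" for f in findings]
    lines.append(f"root cause: {root_cause(findings)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a real log.smbd at `log level = 2` or higher the same way; lines without a syslog prefix parse identically because the prefix is optional.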
