Hi!

I would like to ask you Samba gurus if it is possible to set up a Samba PDC which uses an OpenLDAP replica as backend.

I had two separate OpenLDAP master servers (2.2.13-4) for two different Samba PDC servers (3.0.14a-2) with TLS support in different virtual networks (VLANs), and all worked fine.

However, I decided that it would be nice (from an administrative point of view) to have all user/client data on the same departmental master OpenLDAP server, which would work as a backend for division level Samba PDC servers in different VLANs via LDAP replicas (our department contains many subdepartments, or divisions, and most of them have their own VLANs). So, I read the Samba documentation and I understood that it is possible to make such a system, where the Samba server uses an LDAP replica as its backend. First I transferred all user/client data to the master LDAP server, and created a slave server to be used by the Samba PDC in a different VLAN. I tested connections with the ldapsearch command and all worked well, and changes written to the master directory are propagated to the slave server's LDAP directory. Both servers are configured to use TLS transport, and both servers have their own CA signed certificate files.

But when I tried to set up my division level Samba server to use the replica as its backend, I got an error that Samba can't connect to the replica's directory. In the log files I have messages like

slave.server.net smbd: Failed to issue the StartTLS instruction: Connect error

whenever I try to e.g. login to slave.server.net's Samba service. SSH logins work fine (for SSH logins my slave also uses the LDAP directory replica). So my guess is that this has something to do with certificate files. I don't understand what it could be, because I can browse the LDAP directory fine with e.g. the ldapsearch command on both master and slave, and logins with SSH work.

So to my question. What certificate files is Samba using in order to make TLS connections to the replica server? I understand they should be certificate files for my slave server, if Samba is using the replica as its backend. Or is it possible at all (or even reasonable) to use an LDAP replica as a backend for a Samba PDC server? Should it be a BDC server instead of a PDC? Should I set up one departmental level master server with master LDAP and Samba PDC, and many LDAP slaves (replicas) with Samba BDCs? But in this case the different VLANs are going to be a problem for traffic between the Samba PDC and BDCs, or so I have understood, since the switches connecting different VLANs don't route NetBIOS traffic. And I have no administrative rights to make any changes to their configuration.

So, is it possible at all to make Samba use an LDAP replica as its backend?

Jukka Hienola
University of Helsinki
On Fri, 2005-11-04 at 10:23 +0200, Jukka Hienola wrote:
> Hi!
>
> I would like to ask you Samba gurus if it is possible to set up a Samba
> PDC which uses an OpenLDAP replica as backend.

Yes.

> I had two separate OpenLDAP master servers (2.2.13-4) for two different
> Samba PDC servers (3.0.14a-2) with TLS support in different virtual
> networks (VLANs), and all worked fine.
>
> However, I decided that it would be nice (from an administrative point
> of view) to have all user/client data on the same departmental master
> OpenLDAP server, which would work as a backend for division level Samba
> PDC servers in different VLANs via LDAP replicas (our department
> contains many subdepartments, or divisions, and most of them have their
> own VLANs). So, I read the Samba documentation and I understood that it is
> possible to make such a system, where the Samba server uses an LDAP replica as
> its backend. First I transferred all user/client data to the master LDAP
> server, and created a slave server to be used by the Samba PDC in a different
> VLAN. I tested connections with the ldapsearch command and all worked well,
> and changes written to the master directory are propagated to the slave server's
> LDAP directory. Both servers are configured to use TLS transport, and
> both servers have their own CA signed certificate files.

Self-signed, or a CA shared for your organisation?

> But when I tried to set up my division level Samba server to use the replica
> as its backend, I got an error that Samba can't connect to the replica's
> directory. In the log files I have messages like
>
> slave.server.net smbd: Failed to issue the StartTLS instruction:
> Connect error

This is an SSL layer problem. Are all the certificates correct?

> whenever I try to e.g. login to slave.server.net's Samba service. SSH
> logins work fine (for SSH logins my slave also uses the LDAP directory
> replica). So my guess is that this has something to do with certificate
> files. I don't understand what it could be, because I can browse the LDAP
> directory fine with e.g. the ldapsearch command on both master and slave,
> and logins with SSH work.
>
> So to my question. What certificate files is Samba using in order to
> make TLS connections to the replica server? I understand they should be
> certificate files for my slave server, if Samba is using the replica as its
> backend.

It may be that a modification requested by the smbd normally attached to the slave is requiring a rebind to the master. Check connections to the master with ldapsearch.

> Or is it possible at all (or even reasonable) to use an LDAP
> replica as a backend for a Samba PDC server?

Yes.

> Should it be a BDC server
> instead of a PDC?

There should be one PDC per isolated netbios namespace.

> Should I set up one departmental level master server
> with master LDAP and Samba PDC, and many LDAP slaves (replicas) with
> Samba BDCs? But in this case the different VLANs are going to be a
> problem for traffic between the Samba PDC and BDCs, or so I have understood,
> since the switches connecting different VLANs don't route NetBIOS traffic.

Samba doesn't do netbios between its various DCs, but clients will want to see one PDC per netbios scope.

> And I have no administrative rights to make any changes to their
> configuration. So, is it possible at all to make Samba use an LDAP
> replica as its backend?

Yes. This is reasonable and regularly implemented.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
Dear all,

I'm sorry if I posted this reply twice, but I had to leave my office in a hurry and I'm not sure if I already did reply to Andrew's reply to my original message...

On Fri, Nov 4 12:15:48 GMT 2005, Andrew Bartlett wrote:
> On Fri, 2005-11-04 at 10:23 +0200, Jukka Hienola wrote:
>> I had two separate OpenLDAP master servers (2.2.13-4) for two different
>> Samba PDC servers (3.0.14a-2) with TLS support in different virtual
>> networks (VLANs), and all worked fine.
>>
>> However, I decided that it would be nice (from an administrative point
>> of view) to have all user/client data on the same departmental master
>> OpenLDAP server, which would work as a backend for division level Samba
>> PDC servers in different VLANs via LDAP replicas (our department
>> contains many subdepartments, or divisions, and most of them have their
>> own VLANs). So, I read the Samba documentation and I understood that it is
>> possible to make such a system, where the Samba server uses an LDAP replica as
>> its backend. First I transferred all user/client data to the master LDAP
>> server, and created a slave server to be used by the Samba PDC in a different
>> VLAN. I tested connections with the ldapsearch command and all worked well,
>> and changes written to the master directory are propagated to the slave server's
>> LDAP directory. Both servers are configured to use TLS transport, and
>> both servers have their own CA signed certificate files.
>
> Self-signed, or a CA shared for your organisation?

Certificates are signed by the local CA at our university. So they are not self-signed certificates.

>> But when I tried to set up my division level Samba server to use the replica
>> as its backend, I got an error that Samba can't connect to the replica's
>> directory. In the log files I have messages like
>>
>> slave.server.net smbd: Failed to issue the StartTLS instruction:
>> Connect error
>
> This is an SSL layer problem. Are all the certificates correct?

I'm pretty sure, since I have used them successfully for two months so far. However, I made changes to my master/slave TLS configuration. Now I get different errors when Samba is trying to bind to the replica's LDAP directory. The errors are like

Nov 4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 2] lib/smbldap.c:smbldap_open_connection(692)
Nov 4 17:37:39 slave smbd[18093]: smbldap_open_connection: connection opened
Nov 4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 0] lib/smbldap.c:fetch_ldap_pw(312)
Nov 4 17:37:39 slave smbd[18093]: fetch_ldap_pw: neither ldap secret retrieved!
Nov 4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 0] lib/smbldap.c:smbldap_connect_system(813)
Nov 4 17:37:39 slave smbd[18093]: ldap_connect_system: Failed to retrieve password from secrets.tdb
Nov 4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 0] lib/smbldap.c:smbldap_search_suffix(1176)
Nov 4 17:37:39 slave smbd[18093]: smbldap_search_suffix: Problem during the LDAP search: (unknown) (Timed out)
Nov 4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 2] auth/auth.c:check_ntlm_password(312)
Nov 4 17:37:39 slave smbd[18093]: check_ntlm_password: Authentication for user [dummy] -> [dummy] FAILED with error NT_STATUS_NO_SUCH_USER

so I assume that Samba can now bind to the LDAP directory, but fails when trying to get the user's data. I don't know why Samba is trying to retrieve data from secrets.tdb, because in smb.conf I have set

passdb backend = ldapsam:"ldap://slave.ldap.server ldap://master.ldap.server"

and Samba is running on slave.ldap.server. Server slave has slapd configured as a replica server. With the ldapsearch command I can access the data in the directory.

>> whenever I try to e.g. login to slave.server.net's Samba service. SSH
>> logins work fine (for SSH logins my slave also uses the LDAP directory
>> replica). So my guess is that this has something to do with certificate
>> files. I don't understand what it could be, because I can browse the LDAP
>> directory fine with e.g. the ldapsearch command on both master and slave,
>> and logins with SSH work.
>>
>> So to my question. What certificate files is Samba using in order to
>> make TLS connections to the replica server? I understand they should be
>> certificate files for my slave server, if Samba is using the replica as its
>> backend.
>
> It may be that a modification requested by the smbd normally attached to
> the slave is requiring a rebind to the master. Check connections to the
> master with ldapsearch.

With ldapsearch connections work ok, so I still assume that I have something wrong in my Samba configuration.

>> Should it be a BDC server
>> instead of a PDC?
>
> There should be one PDC per isolated netbios namespace.

Ok.

>> Should I set up one departmental level master server
>> with master LDAP and Samba PDC, and many LDAP slaves (replicas) with
>> Samba BDCs? But in this case the different VLANs are going to be a
>> problem for traffic between the Samba PDC and BDCs, or so I have understood,
>> since the switches connecting different VLANs don't route NetBIOS traffic.
>
> Samba doesn't do netbios between its various DCs, but clients will want
> to see one PDC per netbios scope.

Ok.

>> And I have no administrative rights to make any changes to their
>> configuration. So, is it possible at all to make Samba use an LDAP
>> replica as its backend?
>
> Yes. This is reasonable and regularly implemented.

Well, that's good to hear. So I still have some hope :)

Jukka Hienola
University of Helsinki
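A small triage script for the smbd log excerpt in the message above, added here as an example; it is not code from the thread or from the Samba project. It parses the two-line debug records smbd writes to syslog (a `[date, level] file:function(line)` header followed by the message), maps the messages quoted in this thread to the check an administrator would make (the `neither ldap secret retrieved` / `Failed to retrieve password from secrets.tdb` pair means the password for the `ldap admin dn` has not been stored in secrets.tdb with `smbpasswd -w`; a StartTLS failure happens before any bind, so the CA trust configured for the OpenLDAP client library on the smbd host is the place to look), and reads the quoted multi-URI `passdb backend` value to list the servers smbd will try in order. The sample log and smb.conf fragment are constructed from the lines in the thread; the host names are the poster's placeholders.

```python
"""Triage smbd LDAP-backend failures from syslog lines (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# syslog prefix written by smbd:  Mon  d hh:mm:ss host smbd[pid]: body
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<body>.*)$")
# Samba debug header: [YYYY/MM/DD hh:mm:ss, level] file.c:function(line)
HEADER_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (?P<level>\d+)\] "
    r"(?P<file>\S+):(?P<func>\w+)\((?P<line>\d+)\)$")


@dataclass
class Entry:
    pid: int
    level: Optional[int]   # None when the message had no debug header
    func: Optional[str]
    message: str


def parse_smbd_log(text):
    """Pair each debug header with the message line that follows it (per pid)."""
    entries, pending = [], {}
    for raw in text.splitlines():
        m = SYSLOG_RE.match(raw)
        if not m or m["prog"] != "smbd":
            continue
        pid, body = int(m["pid"]), m["body"].strip()
        h = HEADER_RE.match(body)
        if h:
            pending[pid] = (int(h["level"]), h["func"])
            continue
        level, func = pending.pop(pid, (None, None))
        entries.append(Entry(pid, level, func, body))
    return entries


# (message fragment, cause id, is a downstream symptom, what to check)
KNOWN = [
    ("Failed to issue the StartTLS instruction", "tls_handshake", False,
     "TLS failed before the bind: check that the smbd host trusts the CA that "
     "signed the LDAP server certificate (TLS_CACERT in the OpenLDAP client "
     "ldap.conf) and that the certificate name matches the URI host."),
    ("neither ldap secret retrieved", "missing_ldap_secret", False,
     "No 'ldap admin dn' password in secrets.tdb: store it with 'smbpasswd -w'."),
    ("Failed to retrieve password from secrets.tdb", "missing_ldap_secret", False,
     "No 'ldap admin dn' password in secrets.tdb: store it with 'smbpasswd -w'."),
    ("Problem during the LDAP search", "search_failed", True,
     "Search failed after the bind failed; fix the bind first."),
    ("NT_STATUS_NO_SUCH_USER", "user_lookup_failed", True,
     "Lookup failed because the backend was unusable, not because the account is missing."),
]


def diagnose(entry):
    """Return (cause, downstream, check) for a known message, else None."""
    for needle, cause, downstream, check in KNOWN:
        if needle in entry.message:
            return cause, downstream, check
    return None


def root_causes(entries):
    """Per smbd pid: first non-downstream cause, or 'downstream_only'."""
    result = {}
    for e in entries:
        d = diagnose(e)
        if d is None or result.get(e.pid, "downstream_only") != "downstream_only":
            continue
        result[e.pid] = "downstream_only" if d[1] else d[0]
    return result


def passdb_ldap_uris(smb_conf):
    """LDAP URIs from 'passdb backend = ldapsam:"uri1 uri2"', in the order smbd tries them."""
    m = re.search(r'^\s*passdb backend\s*=\s*(?P<value>.+?)\s*$', smb_conf, re.MULTILINE)
    if not m:
        return []
    m2 = re.match(r'ldapsam:"?(?P<uris>[^"]*)"?', m["value"])
    return m2["uris"].split() if m2 else []


# Constructed sample smb.conf fragment (host names are the thread's placeholders).
SAMPLE_SMB_CONF = """[global]
    workgroup = EXAMPLE
    passdb backend = ldapsam:"ldap://slave.ldap.server ldap://master.ldap.server"
    ldap ssl = start tls
"""

# Constructed sample: the lines quoted in the thread plus one StartTLS failure.
SAMPLE_LOG = """\
Nov 4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 2] lib/smbldap.c:smbldap_open_connection(692)
Nov 4 17:37:39 slave smbd[18093]: smbldap_open_connection: connection opened
Nov 4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 0] lib/smbldap.c:fetch_ldap_pw(312)
Nov 4 17:37:39 slave smbd[18093]: fetch_ldap_pw: neither ldap secret retrieved!
Nov 4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 0] lib/smbldap.c:smbldap_connect_system(813)
Nov 4 17:37:39 slave smbd[18093]: ldap_connect_system: Failed to retrieve password from secrets.tdb
Nov 4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 0] lib/smbldap.c:smbldap_search_suffix(1176)
Nov 4 17:37:39 slave smbd[18093]: smbldap_search_suffix: Problem during the LDAP search: (unknown) (Timed out)
Nov 4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 2] auth/auth.c:check_ntlm_password(312)
Nov 4 17:37:39 slave smbd[18093]: check_ntlm_password: Authentication for user [dummy] -> [dummy] FAILED with error NT_STATUS_NO_SUCH_USER
Nov 4 17:20:01 slave smbd[18002]: Failed to issue the StartTLS instruction: Connect error
"""

if __name__ == "__main__":
    print("LDAP servers tried in order:", passdb_ldap_uris(SAMPLE_SMB_CONF))
    entries = parse_smbd_log(SAMPLE_LOG)
    for e in entries:
        d = diagnose(e)
        if d:
            print(f"pid {e.pid} {e.func or '-'}: {d[0]} -> {d[2]}")
    print("root cause per smbd process:", root_causes(entries))
```

Running it on the sample prints the two URIs in the order smbd will use them, one diagnosis per matched line, and `{18093: 'missing_ldap_secret', 18002: 'tls_handshake'}`: the later search and NT_STATUS_NO_SUCH_USER lines for pid 18093 are reported as consequences, not as separate problems.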