Daniel Müller
2010-Aug-16 07:43 UTC
[Samba] WG: HOWTO samba4 centos5.5 named dnsupdate drbd simple failover
CentOS 5.5 / Samba4 / named: here is a short guide to setting it up so that it works.

First of all, do not install the bind package that comes with CentOS 5.5!!

Install what Samba needs:

    yum install libacl* gnutls* readline* python* gdb* autoconf*

Named installation. Here is a description of what to do:
http://jason.roysdon.net/2009/10/16/building-bind-9-6-on-rhel5-centos5-for-dnssec-nsec3-support/

The steps:

    yum -y install make gcc rpm-build libtool autoconf openssl-devel libcap-devel libidn-devel libxml2-devel openldap-devel postgresql-devel sqlite-devel mysql-devel krb5-devel xmlto

For named to compile correctly you need these 2 packages too:

    yum -y install curl* download.fedora.redhat.com/pub/fedora/epel/5/i386/python-dns-1.7.1-1.el5.noarch.rpm

    cd /usr/src/redhat/SRPMS
    wget -c ftp://mirrors.kernel.org/pub/fedora/updates/11/SRPMS/bind-9.6.*.src.rpm
    wget -c ftp://mirrors.kernel.org/pub/fedora/updates/11/SRPMS/dnssec-conf-*.src.rpm

    cd /usr/src/redhat/SRPMS
    wget -c ftp://mirrors.kernel.org/pub/fedora/updates/12/SRPMS/bind-9.6.*.src.rpm
    wget -c ftp://mirrors.kernel.org/pub/fedora/releases/12/Fedora/source/SRPMS/dnssec-conf-*.src.rpm

    rpm -ivh --nomd5 bind-9.6.*.src.rpm dnssec-conf-*.src.rpm
    cd /usr/src/redhat/SPECS
    rpmbuild -ba ./bind.spec

The built bind RPM is now in /usr/src/redhat/RPMS/i386/ or /usr/src/redhat/RPMS/x86_64/, depending on your arch.

    rpmbuild -ba ./dnssec-conf.spec

The built dnssec-conf RPM is now in /usr/src/redhat/RPMS/noarch/.

    cd /usr/src/redhat/RPMS/*86*
    rpm -Uvh bind-9.6.*.rpm bind-utils-9.6.*.rpm bind-libs-9.6.*.rpm ../noarch/dnssec-conf-1.21-*.noarch.rpm

Now bind is installed. The config file is /etc/named.conf. In options I disabled:

    //dnssec-enable yes;
    //dnssec-validation yes;
    //dnssec-lookaside . trust-anchor dlv.isc.org.;

To make bind work you have to add user named to the group named.

Set the rights so that named works correctly:

    chmod 770 /etc/named.conf
    chmod 770 /etc/named.rfc1912.zones
    chown root:named /etc/named.conf
    chown named:named /etc/named.rfc1912.zones
    chmod -R 770 /var/named
    chown -R named:named /var/named
    chown named:named /etc/rndc.key
    chown named:named /var/run/named/

Now download and install Samba. URL: http://wiki.samba.org/index.php/Samba4/HOWTO

    mkdir samba4
    cd samba4
    rsync -avz samba.org::ftp/unpacked/samba_4_0_test/ .
    cd source4
    ./autogen.sh
    ./configure.developer
    make
    make install

Samba4 is now installed in /usr/local/samba. Provision it:

    cd /samba4/source4
    ./setup/provision --realm=samdom.example.com --domain=SAMDOM --adminpass=SOMEPASSWORD --server-role='domain controller'

In my case:

    ./setup/provision --realm=tuebingen.tst.loc --domain=TUEBINGEN --adminpass=SOMEPASSWORD --server-role='domain controller'

Now you need to add the PATH to root's .bash_profile in /root:

    PATH=$PATH:$HOME/bin:/usr/local/samba/bin:/usr/local/samba/sbin

Run ldconfig. "which samba" must answer:

    /usr/local/samba/sbin/samba

Now you must set the lib paths:

    echo "/usr/local/samba/lib" > /etc/ld.so.conf.d/samba4.conf

The next things to do (named should have read and write):

    cd /usr/local/samba/private
    chown named:named krb5.conf
    chown -R named:named /usr/local/samba/private/dns
    chown named:named named.conf
    chown named:named named.conf.update
    chown named:named dns.keytab
    cp krb5.conf /etc    # this will overwrite the original krb5.conf

    cd /etc/sysconfig
    vi named

There add a line at the bottom:

    KEYTAB_FILE="/usr/local/samba/private/dns.keytab"
    export KEYTAB_FILE

Now you must update your /etc/named.conf. Be sure to have it listen on an IP, not only 127.0.0.1. Here is mine:

    options {
            listen-on port 53 { 127.0.0.1; 192.168.134.27; };
            listen-on-v6 port 53 { ::1; };
            directory "/var/named";
            dump-file "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query { localhost; allyoursubnetshere; };
            recursion yes;
            forwarders { 192.168.134.253; };    ## put your first dns here if you have one
    };
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    zone "." IN {
            type hint;
            file "named.ca";
    };
    include "/usr/local/samba/private/named.conf";    #### samba4 link
    include "/etc/named.rfc1912.zones";

In your /etc/resolv.conf you have one single entry:

    nameserver localhost

Now you have to put this in your globals in /usr/local/samba/etc/smb.conf:

    interfaces = eth0    # or IP address

Now:

    samba -i -M single

And you are done!!! samba_dnsupdate --verbose will give you:

    [root@node1 etc]# samba_dnsupdate --verbose
    Looking for DNS entry A tuebingen.tst.loc 192.168.134.27 as tuebingen.tst.loc.
    Looking for DNS entry A node1.tuebingen.tst.loc 192.168.134.27 as node1.tuebingen.tst.loc.
    Looking for DNS entry CNAME 365d2a9f-bfe6-462d-965e-8622bfefc190._msdcs.tuebingen.tst.loc node1.tuebingen.tst.loc as 365d2a9f-bfe6-462d-965e-8622bfefc190._msdcs.tuebingen.tst.loc.
    Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.tuebingen.tst.loc node1.tuebingen.tst.loc 88 as _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.tuebingen.tst.loc.
    Checking 0 100 88 node1.tuebingen.tst.loc. against SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.tuebingen.tst.loc node1.tuebingen.tst.loc 88
    Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.tuebingen.tst.loc node1.tuebingen.tst.loc 389 as _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.tuebingen.tst.loc.

The next step: setting up the second Samba4 on a CentOS 5.5 and doing replication. Link: http://wiki.samba.org/index.php/Samba4_joining_a_domain

First of all, do all the same as for the first CentOS Samba4, but do not provision, and no smb.conf in /usr/local/samba/etc.

Important things: both servers must know each other. So if named is installed on the second (node2), you need to tell it in its named.conf that the first server (node1) is a forwarder, to search for example "tuebingen.tst.loc". Example, my named.conf on node2 (192.168.134.27 is node1):

    options {
            listen-on port 53 { 127.0.0.1; 192.168.134.28; };
            listen-on-v6 port 53 { ::1; };
            directory "/var/named";
            dump-file "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query { localhost; 192.168.135.0/24; 192.168.134.0/24; };
            recursion yes;
            forwarders { 192.168.134.253; 192.168.134.27; };
    };
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    zone "." IN {
            type hint;
            file "named.ca";
    };
    include "/etc/named.rfc1912.zones";

On node2 your /etc/hosts has entries like this:

    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1       localhost.localdomain localhost
    ::1             localhost6.localdomain6 localhost6
    192.168.134.28  node2.local node2
    192.168.134.27  node1.tuebingen.tst.loc node1

Now try to ping tuebingen.tst.loc. If that works you are on the right way:

    ping tuebingen.tst.loc
    PING tuebingen.tst.loc (192.168.134.27) 56(84) bytes of data.
    64 bytes from node1.tuebingen.tst.loc (192.168.134.27): icmp_seq=1 ttl=64 time=0.138 ms

Now you have to copy your /etc/krb5.conf from node1 to node2:/etc/krb5.conf:

    scp krb5.conf root@node2:/etc

Edit krb5.conf. Make it look like this:

    [root@node2 ~]# cat /etc/krb5.conf
    [libdefaults]
            default_realm = TUEBINGEN.TST.LOC
            dns_lookup_realm = true
            dns_lookup_kdc = true
            ticket_lifetime = 24h
            forwardable = yes

    [realms]
            TUEBINGEN.TST.LOC = {
                    kdc = node1.tuebingen.tst.loc:88
                    admin_server = node1.tuebingen.tst.loc:749
                    default_domain = tuebingen.tst.loc
            }

    [domain_realm]
            .tuebingen.tst.loc = TUEBINGEN.TST.LOC
            tuebingen.tst.loc = TUEBINGEN.TST.LOC

Important is setting dns_lookup_realm = true and dns_lookup_kdc = true.

Now a very important thing: on both servers the time must be equal. So do on both servers: date -s hhmm, e.g. date -s 1952. Then try:

    kinit administrator
    Password for administrator@TUEBINGEN.TST.LOC:

It must give you this:

    Warning: Your password will expire in 34 days on Fri Sep 3 11:11:06 2010

Now change directory to join the domain. The place to join as DC to your domain is /samba4/source4. There type:

    bin/net vampire tuebingen.tst.loc -Uadministrator --realm=tuebingen.tst.loc

If this is successful, start samba. Now return to node1, the first server. Change to /samba4/source4 and type:

    bin/ldbsearch -H /usr/local/samba/private/sam.ldb objectclass=ntdsdsa objectguid --cross-ncs

The result must be two DCs:

    [root@node1 source4]# bin/ldbsearch -H /usr/local/samba/private/sam.ldb objectclass=ntdsdsa objectguid --cross-ncs
    # record 1
    dn: CN=NTDS Settings,CN=NODE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tuebingen,DC=tst,DC=loc
    objectGUID: 365d2a9f-bfe6-462d-965e-8622bfefc190

    # record 2
    dn: CN=NTDS Settings,CN=NODE2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tuebingen,DC=tst,DC=loc
    objectGUID: d6160c39-0810-4026-aa24-91c91797d892

    # returned 2 records
    # 2 entries
    # 0 referrals

So record 2 is the new DC in the forest.
Now you must update your /usr/local/samba/private/dns/yourzone.list. Mine after the change:

    ; -*- zone -*-
    ; generated by provision.pl
    $ORIGIN tuebingen.tst.loc.
    $TTL 1W
    @               IN SOA  @ hostmaster (
                            2010072311 ; serial
                            2D         ; refresh
                            4H         ; retry
                            6W         ; expiry
                            1W )       ; minimum
                    IN NS   node1
                    IN A    192.168.134.27
    ;
    node1           IN A    192.168.134.27
    node2           IN A    192.168.134.28    ; <---- new dc entry
    gc._msdcs       IN A    192.168.134.27
    365d2a9f-bfe6-462d-965e-8622bfefc190._msdcs IN CNAME node1
    d6160c39-0810-4026-aa24-91c91797d892._msdcs IN CNAME node2    ; <--- new dc entry
    ;
    ; global catalog servers
    _gc._tcp        IN SRV 0 100 3268 node1
    _gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268 node1
    _ldap._tcp.gc._msdcs IN SRV 0 100 3268 node1
    _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs IN SRV 0 100 3268 node1
    ;
    ; ldap servers
    _ldap._tcp      IN SRV 0 100 389 node1
    _ldap._tcp.dc._msdcs IN SRV 0 100 389 node1
    _ldap._tcp.pdc._msdcs IN SRV 0 100 389 node1
    _ldap._tcp.e67cd6da-dbd0-492d-96e2-2dc778abaebe.domains._msdcs IN SRV 0 100 389 node1
    _ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 node1
    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389 node1
    ;
    ; krb5 servers
    _kerberos._tcp  IN SRV 0 100 88 node1
    _kerberos._tcp.dc._msdcs IN SRV 0 100 88 node1
    _kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 node1
    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 node1
    _kerberos._udp  IN SRV 0 100 88 node1
    ; MIT kpasswd likes to lookup this name on password change
    _kerberos-master._tcp IN SRV 0 100 88 node1
    _kerberos-master._udp IN SRV 0 100 88 node1
    ;
    ; kpasswd
    _kpasswd._tcp   IN SRV 0 100 464 node1
    _kpasswd._udp   IN SRV 0 100 464 node1
    ;
    ; heimdal 'find realm for host' hack
    _kerberos       IN TXT  TUEBINGEN.TST.LOC

Now you have to put two new entries into the global section of node1's /usr/local/samba/etc/smb.conf: dreplsrv:periodic_interval = 10 and dreplsrv:periodic_startup_interval = 5. Then ssh into node2 and go to /usr/local/samba/etc; net vampire has placed an smb.conf there. In its global section set the same two entries.

My globals on node1:

    [globals]
            netbios name = NODE1
            workgroup = TUEBINGEN
            realm = TUEBINGEN.TST.LOC
            server role = domain controller
            interfaces = 192.168.134.27
            dreplsrv:periodic_interval = 10
            dreplsrv:periodic_startup_interval = 5

My globals on node2:

    [globals]
            netbios name = NODE2
            workgroup = TUEBINGEN
            realm = TUEBINGEN.TST.LOC
            server role = domain controller
            dreplsrv:periodic_interval = 10
            dreplsrv:periodic_startup_interval = 5

Then on both servers: restart samba, service named restart, rndc flush.

A little bit of testing: I put a user Sammler into my domain using the Win7 domain tools. On the second server, node2, cd /samba4/source4, then:

    bin/ldbsearch -H ldap://node2 -Uadministrator%tornado_11 name='sam*' dn
    # record 1
    dn: CN=Sammler sm. Sammler,OU=Keine Systemsteuerung,DC=tuebingen,DC=tst,DC=loc

    # Referral
    ref: ldap://tuebingen.tst.loc/CN=Configuration,DC=tuebingen,DC=tst,DC=loc

    # returned 2 records
    # 1 entries
    # 1 referrals

Step 3: Configure the home shares of the users. This was the greatest trial and error. Since Samba3 this has changed, and it is not the same in Samba4!!! A simple:

    [homes]
            path = /home
            read only = no

This is all. All other ACLs are set from the tool Active Directory Users and Computers within Windows. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers. In the Details pane, right-click the applicable user account, and then click Properties. In the Properties dialog box, click the Profile tab. Under Home folder, type the directory information, in my case \\tuebingen.tst.loc\homes, and the tool will create the user's directory and set the correct rights.

Shares: the same goes for shares. In your smb.conf:

    [test]
            path = /windows/test
            read only = no

Then log in as administrator on your Windows client, head to \\server\test and give the rights you want to groups or users.
This is all.

Password Policy Settings!! With Samba4 the password policy can only be set from the console, with the 'net pwsettings' command. net pwsettings --help:

    usage: (show | set <options>)

    options:
      -h, --help            show this help message and exit
      -H H                  LDB URL for database or target server
      --quiet               Be quiet
      --complexity=COMPLEXITY
                            The password complexity (on | off | default). Default is 'on'
      --history-length=HISTORY_LENGTH
                            The password history length (<integer> | default). Default is 24.
      --min-pwd-length=MIN_PWD_LENGTH
                            The minimum password length (<integer> | default). Default is 7.
      --min-pwd-age=MIN_PWD_AGE
                            The minimum password age (<integer in days> | default). Default is 1.
      --max-pwd-age=MAX_PWD_AGE
                            The maximum password age (<integer in days> | default). Default is 43.

      Samba Common Options:
        -s FILE, --configfile=FILE
                            Configuration file
        -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
                            debug level
        --option=OPTION     set smb.conf option from command line
        --realm=REALM       set the realm name

      Credentials Options:
        --simple-bind-dn=DN DN to use for a simple bind
        --password=PASSWORD Password
        -U USERNAME, --username=USERNAME
                            Username
        -W WORKGROUP, --workgroup=WORKGROUP
                            Workgroup
        -N, --no-pass       Don't ask for a password
        -k KERBEROS, --kerberos=KERBEROS
                            Use Kerberos

      Version Options:
        --version           Display version number

So I set my password policy:

    net pwsettings set --complexity=off
    net pwsettings set --max-pwd-age=60      # <--- 60 days
    net pwsettings set --min-pwd-length=5

net pwsettings show:

    [root@node1 ~]# net pwsettings show
    Password informations for domain 'DC=tuebingen,DC=tst,DC=loc'
    Password complexity: off
    Password history length: 24
    Minimum password length: 5
    Minimum password age (days): 1
    Maximum password age (days): 60

Step 4. Want some more: make the DATA accessible from both Samba PDCs, in case one is down. This will be real failover while DNS is running.

We need a second NIC for the cluster device and DRBD. On node1 this will be 192.168.130.6, on node2 this will be 192.168.130.5. You need a second hard disk; in my case it will be /dev/hdc. On both node1 and node2:

    mkdir /windows
    fdisk /dev/hdc

Choose n, then p, then 1, then always Enter. Leave with w.

You need to install drbd83-8.3.8-1.el5.centos and kmod-drbd83-8.3.8-1.el5.centos:

    yum install *drbd83*

and

    yum install cman lvm2-cluster gfs-utils gfs2-utils kmod-gfs

Set up your /etc/drbd.conf:

    # drbd.conf dm
    global { usage-count yes; }
    common { syncer { rate 20M; al-extents 257; } }
    resource r0 {
            protocol C;
            startup {
                    become-primary-on both;
                    degr-wfc-timeout 120;    # 2 minutes.
                    #wfc-timeout 30;
            }
            disk { on-io-error detach; }
            net {
                    allow-two-primaries;
                    cram-hmac-alg "sha1";
                    shared-secret "yourpasswd";
                    after-sb-0pri discard-least-changes;
                    #after-sb-0pri discard-zero-changes;
                    after-sb-1pri violently-as0p;
                    after-sb-2pri violently-as0p;
                    #rr-conflict violently;
            }
            on node2.local {
                    device /dev/drbd0;
                    disk /dev/hdc1;
                    address 192.168.130.5:7788;
                    flexible-meta-disk internal;
            }
            on node1.local {
                    device /dev/drbd0;
                    disk /dev/hdc1;
                    address 192.168.130.6:7788;
                    flexible-meta-disk internal;
            }
    }

The drbd.conf needs to be the same on both hosts!! Important! With "on" in your drbd.conf you name your hosts, e.g. on node1.local. After "on" you must put the name that 'uname -n' gives you on your machine. "r0" is the resource we are using.

According to /etc/drbd.conf you need to initialize your resource before you can use it, with drbdadm create-md r0. Example:

    [root@node2 etc]# drbdadm create-md r0
    md_offset 500105211904
    al_offset 500105179136
    bm_offset 500089913344

    Found some data
     ==> This might destroy existing data! <==

    Do you want to proceed?
    [need to type 'yes' to confirm] yes

    You want me to create a v08 style flexible-size internal meta data block.
    There appears to be a v08 flexible-size internal meta data block
    already in place on /dev/hdc1 at byte offset 500105211904
    Do you really want to overwrite the existing v08 meta-data?
    [need to type 'yes' to confirm] yes

    Writing meta data...
    initializing activity log
    NOT initialized bitmap
    New drbd meta data block successfully created.

On both nodes: service drbd start. Then cat /proc/drbd:

    [root@node1 ~]# cat /proc/drbd
    version: 8.3.8 (api:88/proto:86-94)
    GIT-hash: d78846e52224fd00562f7c225bcc25b2d422321d build by mockbuild@builder10.centos.org, 2010-06-04 08:04:31
     0: cs:Connected ro:Secondary/Secondary ds:Inconsistent/Inconsistent C r----
        ns:0 nr:0 dw:0 dr:0 al:0 bm:0 lo:0 pe:0 ua:0 ap:0 ep:1 wo:b oos:488369056

Then on node1:

    drbdadm -- --overwrite-data-of-peer primary all

cat /proc/drbd will show you:

    [root@node1 ~]# cat /proc/drbd
    version: 8.3.8 (api:88/proto:86-94)
    GIT-hash: d78846e52224fd00562f7c225bcc25b2d422321d build by mockbuild@builder10.centos.org, 2010-06-04 08:04:31
     0: cs:SyncSource ro:Primary/Secondary ds:UpToDate/Inconsistent C r----
        ns:121460 nr:0 dw:0 dr:129632 al:0 bm:7 lo:1 pe:62 ua:256 ap:0 ep:1 wo:b oos:488249568
            [>....................] sync'ed:  0.1% (476804/476920)M delay_probe: 8
            finish: 22:36:14 speed: 5,632 (11,948) K/sec

Now you must wait until both devices have synced for the first time. You can 'watch cat /proc/drbd' to see the progress. After the first sync has finished you will see:

    cat /proc/drbd
    version: 8.3.8 (api:88/proto:86-94)
    GIT-hash: d78846e52224fd00562f7c225bcc25b2d422321d build by mockbuild@builder10.centos.org, 2010-06-04 08:04:31
     0: cs:Connected ro:Primary/Secondary ds:UpToDate/UpToDate C r----
        ns:488369056 nr:0 dw:0 dr:488369056 al:0 bm:29808 lo:0 pe:0 ua:0 ap:0 ep:1 wo:b oos:0

Now we can configure the cluster. This is needed to run both DRBD nodes in primary mode.
First of all we have to write our /etc/cluster/cluster.conf:

    <?xml version="1.0" ?>
    <cluster config_version="3" name="samba-cluster">
            <fence_daemon post_fail_delay="0" post_join_delay="3"/>
            <clusternodes>
                    <clusternode name="node2" nodeid="1" votes="1">
                            <fence>
                                    <method name="single">
                                            <device name="human" ipaddr="192.168.130.4"/>
                                    </method>
                            </fence>
                    </clusternode>
                    <clusternode name="node1" nodeid="2" votes="1">
                            <fence>
                                    <method name="single">
                                            <device name="human" ipaddr="192.168.130.6"/>
                                    </method>
                            </fence>
                    </clusternode>
            </clusternodes>
            <cman expected_votes="1" two_node="1"/>
            <fencedevices>
                    <fencedevice name="human" agent="fence_manual"/>
            </fencedevices>
            <rm>
                    <failoverdomains/>
                    <resources/>
            </rm>
    </cluster>

This cluster.conf must be the same on both node1 and node2. So copy it over, e.g.:

    scp /etc/cluster/cluster.conf root@node1:/etc/cluster

Now start cman on both nodes: service cman start. Expect this:

    [root@node1 cluster]# service cman start
    Starting cluster:
       Enabling workaround for Xend bridged networking... done
       Loading modules... done
       Mounting configfs... done
       Starting ccsd... done
       Starting cman... done
       Starting daemons... done
       Starting fencing... done
                                                               [  OK  ]

Now check that all is running well. Check the nodes like this: cman_tool nodes

    [root@node1 cluster]# cman_tool nodes
    Node  Sts   Inc   Joined               Name
       1   M     12   2010-08-05 08:37:22  node2
       2   M      4   2010-08-05 08:37:22  node1

Now we make our clustered filesystem. Do it exactly like this, first on node1. For this we need the name of our cluster from cluster.conf, "samba-cluster", and /dev/drbd0:

    mkfs.gfs2 -t samba-cluster:gfs2 -p lock_dlm -j 2 /dev/drbd0

    [root@node1 cluster]# mkfs.gfs2 -t samba-cluster:gfs2 -p lock_dlm -j 2 /dev/drbd0
    This will destroy any data on /dev/drbd0.
    Are you sure you want to proceed? [y/n]
    Device:                    /dev/drbd0
    Blocksize:                 4096
    Device Size                465.75 GB (122092264 blocks)
    Filesystem Size:           465.75 GB (122092262 blocks)
    Journals:                  2
    Resource Groups:           1863
    Locking Protocol:          "lock_dlm"
    Lock Table:                "samba-cluster:gfs2"
    UUID:                      BBAF2EC1-B0B8-0F82-DB5C-CA9273859610

Then service gfs start.

Then change to node2. Remember this node runs in DRBD "secondary", so we have to put it into primary. On node2: drbdadm primary r0. A cat /proc/drbd must show us:

    cat /proc/drbd
    version: 8.3.8 (api:88/proto:86-94)
    GIT-hash: d78846e52224fd00562f7c225bcc25b2d422321d build by mockbuild@builder10.centos.org, 2010-06-04 08:04:31
     0: cs:Connected ro:Primary/Primary ds:UpToDate/UpToDate C r----
        ns:0 nr:488671336 dw:488671336 dr:0 al:0 bm:29808 lo:0 pe:0 ua:0 ap:0 ep:1 wo:b oos:0

Now we can make our clustered filesystem on node2:

    [root@node2 ~]# mkfs.gfs2 -t samba-cluster:gfs2 -p lock_dlm -j 2 /dev/drbd0
    This will destroy any data on /dev/drbd0.
    It appears to contain a gfs2 filesystem.
    Are you sure you want to proceed? [y/n]
    Device:                    /dev/drbd0
    Blocksize:                 4096
    Device Size                465.75 GB (122092264 blocks)
    Filesystem Size:           465.75 GB (122092262 blocks)
    Journals:                  2
    Resource Groups:           1863
    Locking Protocol:          "lock_dlm"
    Lock Table:                "samba-cluster:gfs2"
    UUID:                      885E2E87-90CE-B916-8A73-D66336CD98C0

Now start gfs on node2: service gfs start. Now create on both nodes in / the directory windows: mkdir windows. Then mount on both nodes the gfs filesystem on /windows:

    mount -t gfs2 /dev/drbd0 /windows

Now let's do some testing. On node1: cd /windows, touch test.txt

    [root@node1 windows]# ls
    test.txt

On node2 you must see in /windows:

    [root@node2 windows]# ls
    test.txt

On node2: vim test.txt, i, "this is a test from node2", Esc, :wq. On node1: cat /windows/test.txt

    [root@node1 windows]# cat /windows/test.txt
    this is a test from node2

So you did it. Everything is synchronized.
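As an added example, not part of the original post: a small Python check that reads the /proc/drbd status shown in this section and says which step of the DRBD procedure is next (initial overwrite-data-of-peer, wait for the sync, promote the Secondary, or mount GFS2 on both nodes), and stops when the peer is not connected. The SAMPLES are constructed to match the DRBD 8.3 output above; the "isolated" case is a constructed failure mode the post does not show.

```python
"""Decide the next DRBD step from /proc/drbd (DRBD 8.3 format, as in this HOWTO).

Added example, not part of the original post. SAMPLES are constructed to match
the shape of the /proc/drbd output shown above.
"""
import re

HEADER = ("version: 8.3.8 (api:88/proto:86-94)\n"
          "GIT-hash: d78846e52224fd00562f7c225bcc25b2d422321d build by "
          "mockbuild@builder10.centos.org, 2010-06-04 08:04:31\n")

SAMPLES = {
    # after 'service drbd start' on both nodes, before any sync has happened
    "fresh": HEADER +
        " 0: cs:Connected ro:Secondary/Secondary ds:Inconsistent/Inconsistent C r----\n"
        "    ns:0 nr:0 dw:0 dr:0 al:0 bm:0 lo:0 pe:0 ua:0 ap:0 ep:1 wo:b oos:488369056\n",
    # during the initial sync started with 'drbdadm -- --overwrite-data-of-peer primary all'
    "syncing": HEADER +
        " 0: cs:SyncSource ro:Primary/Secondary ds:UpToDate/Inconsistent C r----\n"
        "    ns:121460 nr:0 dw:0 dr:129632 al:0 bm:7 lo:1 pe:62 ua:256 ap:0 ep:1 wo:b oos:488249568\n"
        "\t[>....................] sync'ed:  0.1% (476804/476920)M delay_probe: 8\n",
    # first sync finished, node2 still Secondary
    "synced": HEADER +
        " 0: cs:Connected ro:Primary/Secondary ds:UpToDate/UpToDate C r----\n"
        "    ns:488369056 nr:0 dw:0 dr:488369056 al:0 bm:29808 lo:0 pe:0 ua:0 ap:0 ep:1 wo:b oos:0\n",
    # after 'drbdadm primary r0' on node2: the state GFS2 needs on both nodes
    "dual": HEADER +
        " 0: cs:Connected ro:Primary/Primary ds:UpToDate/UpToDate C r----\n"
        "    ns:0 nr:488671336 dw:488671336 dr:0 al:0 bm:29808 lo:0 pe:0 ua:0 ap:0 ep:1 wo:b oos:0\n",
    # constructed failure mode (not in the HOWTO): replication link down, peer unknown
    "isolated": HEADER +
        " 0: cs:WFConnection ro:Primary/Unknown ds:UpToDate/DUnknown C r----\n"
        "    ns:0 nr:0 dw:4096 dr:0 al:1 bm:0 lo:0 pe:0 ua:0 ap:0 ep:1 wo:b oos:4096\n",
}

STATUS_RE = re.compile(
    r"^\s*(?P<minor>\d+):\s+cs:(?P<cs>\S+)\s+"
    r"ro:(?P<ro_local>[^/\s]+)/(?P<ro_peer>\S+)\s+"
    r"ds:(?P<ds_local>[^/\s]+)/(?P<ds_peer>\S+)")
OOS_RE = re.compile(r"\boos:(\d+)")

SYNC_STATES = {"StartingSyncS", "StartingSyncT", "SyncSource", "SyncTarget",
               "PausedSyncS", "PausedSyncT"}


def parse_proc_drbd(text):
    """Return {minor: state}; the stats line after each status line supplies 'oos'
    (kB still out of sync, 0 once both replicas are identical)."""
    devices, current = {}, None
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            current = m.groupdict()
            current["oos"] = None
            devices[int(current.pop("minor"))] = current
            continue
        o = OOS_RE.search(line)
        if o and current is not None and current["oos"] is None:
            current["oos"] = int(o.group(1))
    return devices


def next_step(dev):
    """Map one device state to the next action in this HOWTO's dual-primary setup."""
    cs = dev["cs"]
    roles = (dev["ro_local"], dev["ro_peer"])
    disks = (dev["ds_local"], dev["ds_peer"])
    if cs not in SYNC_STATES and cs != "Connected":
        # Peer not reachable: promoting or mounting now invites a split-brain.
        return "STOP", "peer not connected (cs:%s); fix the replication link first" % cs
    if disks == ("Inconsistent", "Inconsistent"):
        return "INIT", "no UpToDate copy yet; on the node whose data wins run: drbdadm -- --overwrite-data-of-peer primary all"
    if cs in SYNC_STATES or disks != ("UpToDate", "UpToDate") or (dev["oos"] or 0) > 0:
        return "WAIT", "sync not finished (ds:%s/%s, oos:%s); watch cat /proc/drbd" % (disks + (dev["oos"],))
    if roles == ("Primary", "Primary"):
        return "MOUNT", "both UpToDate and Primary; mount -t gfs2 /dev/drbd0 /windows on both nodes"
    if "Secondary" in roles:
        return "PROMOTE", "run 'drbdadm primary r0' on the Secondary node before mounting"
    return "WAIT", "unexpected roles %s/%s" % roles


def check(text):
    """{minor: (code, advice)} for a whole /proc/drbd dump."""
    return {minor: next_step(dev) for minor, dev in parse_proc_drbd(text).items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        code, advice = check(text)[0]
        print("%-9s -> %-7s %s" % (name, code, advice))
```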
So you point your home directories and your shares in /usr/local/samba/etc/smb.conf to a directory in /windows and you have failover data for both your Samba4 controllers.

The next thing to do is to add entries to fstab on both nodes: vim /etc/fstab and enter at the end:

    /dev/drbd0               /windows                gfs2    _netdev         0 0

This is my fstab:

    /dev/VolGroup00/LogVol00 /                       ext3    defaults        1 1
    LABEL=/boot              /boot                   ext3    defaults        1 2
    tmpfs                    /dev/shm                tmpfs   defaults        0 0
    devpts                   /dev/pts                devpts  gid=5,mode=620  0 0
    sysfs                    /sys                    sysfs   defaults        0 0
    proc                     /proc                   proc    defaults        0 0
    /dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0
    /dev/drbd0               /windows                gfs2    _netdev         0 0

The next step is to make sure DRBD is started on boot before GFS2. In my case I tried for several hours before I succeeded. You must do this on both nodes. You find the startup scripts in /etc/rc.d/init.d. First drbd: vim drbd. You find the start and stop priorities in the line "# chkconfig: - <start> <stop>". The original line here: # chkconfig: - 70 08. I changed it to: # chkconfig: - 55 08

    #!/bin/bash
    #
    # chkconfig: - 55 08
    # description: Loads and unloads the drbd module
    #
    # Copyright 2001-2010 LINBIT
    #
    # Philipp Reisner, Lars Ellenberg
    #
    ### BEGIN INIT INFO
    # Provides: drbd
    # Required-Start: $local_fs $network $syslog
    # Required-Stop:  $local_fs $network $syslog
    # Should-Start:   sshd multipathd
    # Should-Stop:    sshd multipathd
    # Default-Start:  2 3 4 5
    # Default-Stop:   0 1 6
    # X-Start-Before: heartbeat corosync
    # X-Stop-After:   heartbeat corosync
    # Short-Description:    Control drbd resources.
    ### END INIT INFO

Now vim gfs2. The original line here: # chkconfig: - 26 74. I changed it to: # chkconfig: - 70 07

    #!/bin/bash
    #
    #
    #
    # chkconfig: - 70 07
    # description: mount/unmount gfs2 filesystems configured in /etc/fstab
    #
    #
    ### BEGIN INIT INFO
    # Provides:
    ### END INIT INFO

Now cd /etc/rc.d/rc5.d:

    mv S26gfs2 S70gfs2
    mv S70drbd S55drbd

In all other rc0.d-rc4.d and rc6.d:

    mv K74gfs2 K07gfs2

Now restart both nodes.

mkdir /windows/homes on both nodes. Point your [homes] in /usr/local/samba/etc/smb.conf to path = /windows/homes:

    [homes]
            path = /windows/homes
            read only = no

Do as described in Step 3: add home directories and rights. You will find your files synchronized on both node1 and node2.

Now, important for making your simple failover work, you have to tune your named server on node1. These are the entries for your /usr/local/samba/private/dns/yourdomain.zone, e.g. mine: /usr/local/samba/private/dns/tuebingen.tst.loc.zone. Change it according to your settings:

    ; -*- zone -*-
    ; generated by provision.pl
    $ORIGIN tuebingen.tst.loc.
    $TTL 1W
    @               IN SOA  @ hostmaster (
                            2010080911 ; serial
                            2D         ; refresh
                            4H         ; retry
                            6W         ; expiry
                            1W )       ; minimum
                    IN NS   node1
                    IN A    192.168.134.27
                    IN A    192.168.134.28    ; 192.168.134.28 added
    ;
    node1           IN A    192.168.134.27
    node2           IN A    192.168.134.28
    gc._msdcs       IN A    192.168.134.27
    13ff0be8-50f6-45b8-858e-9a38872906e0._msdcs IN CNAME node1
    aaf6380d-162e-4263-86b2-c4119457342c._msdcs IN CNAME node2
    ;
    ; global catalog servers
    _gc._tcp        IN SRV 0 100 3268 node1
    _gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268 node1
    _ldap._tcp.gc._msdcs IN SRV 0 100 3268 node1
    _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs IN SRV 0 100 3268 node1
    ;
    ; ldap servers
    _ldap._tcp      IN SRV 0 100 389 node1
    _ldap._tcp      IN SRV 0 100 389 node2
    _ldap._tcp.dc._msdcs IN SRV 0 100 389 node1
    _ldap._tcp.dc._msdcs IN SRV 0 100 389 node2
    _ldap._tcp.pdc._msdcs IN SRV 0 100 389 node1
    ; added by me
    _ldap._tcp.pdc._msdcs IN SRV 0 100 389 node2
    ; end
    _ldap._tcp.fac1d707-a9a9-44a2-8b02-4ab6dda8cec7.domains._msdcs IN SRV 0 100 389 node1
    _ldap._tcp.fac1d707-a9a9-44a2-8b02-4ab6dda8cec7.domains._msdcs IN SRV 0 100 389 node2
    _ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 node1
    _ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 node2
    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389 node1
    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389 node2
    ;
    ; krb5 servers
    _kerberos._tcp  IN SRV 0 100 88 node1
    _kerberos._tcp  IN SRV 0 100 88 node2
    _kerberos._tcp.dc._msdcs IN SRV 0 100 88 node1
    _kerberos._tcp.dc._msdcs IN SRV 0 100 88 node2
    _kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 node1
    _kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 node2
    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 node1
    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 node2
    _kerberos._udp  IN SRV 0 100 88 node1
    _kerberos._udp  IN SRV 0 100 88 node2
    ; MIT kpasswd likes to lookup this name on password change
    _kerberos-master._tcp IN SRV 0 100 88 node1
    _kerberos-master._tcp IN SRV 0 100 88 node2
    _kerberos-master._udp IN SRV 0 100 88 node1
    _kerberos-master._udp IN SRV 0 100 88 node2
    ;
    ; kpasswd
    _kpasswd._tcp   IN SRV 0 100 464 node1
    _kpasswd._tcp   IN SRV 0 100 464 node2
    _kpasswd._udp   IN SRV 0 100 464 node1
    _kpasswd._udp   IN SRV 0 100 464 node2
    ;
    ; heimdal 'find realm for host' hack
    _kerberos       IN TXT  TUEBINGEN.TST.LOC

Now make your netlogon failover. On node1: this will sync the scripts to node2 on the fly. Put your login scripts there, e.g. login.cmd. My netlogon resides here. Attention: be sure to set the right rights on the sysvol directory. On both nodes this has to be root:wheel!!!!!!!!!!!!!!

    cd /usr/local/samba/var/locks/sysvol/tuebingen.tst.loc
    cp -r scripts /windows
    chown -R root:wheel /windows/scripts
    mv scripts scripts.org
    ln -s /windows/scripts scripts
    chown -R root:wheel scripts

On node2: important, on node2 I had to do a chown -R root:wheel on /usr/local/samba/var/locks/sysvol. In /usr/local/samba/var/locks/sysvol/tuebingen.tst.loc:

    mv scripts scripts.org
    ln -s /windows/scripts scripts
    chown root:wheel scripts

Next step, about Policies. node1: /usr/local/samba/var/locks/sysvol/tuebingen.tst.loc/Policies.
On node1:

    cd /usr/local/samba/var/locks/sysvol/tuebingen.tst.loc/
    cp -r Policies /windows
    chown -R root:wheel /windows/Policies
    mv Policies Policies.org
    ln -s /windows/Policies Policies
    chown -R root:wheel Policies

node2: if you have not done it before: chown -R root:wheel /usr/local/samba/var/locks/sysvol. Then cd /usr/local/samba/var/locks/sysvol/tuebingen.tst.loc. On node2, as the 2nd DC, no Policies directory had been created. Now:

    ln -s /windows/Policies Policies
    chown -R root:wheel Policies

    [root@node2 tuebingen.tst.loc]# ls -la
    insgesamt 12
    drwxr-xr-x 3 root wheel 4096 12. Aug 11:22 .
    drwxr-xr-x 3 root wheel 4096 11. Aug 15:37 ..
    lrwxrwxrwx 1 root wheel   17 12. Aug 11:22 Policies -> /windows/Policies
    lrwxrwxrwx 1 root wheel   16 11. Aug 15:46 scripts -> /windows/scripts
    drwxr-xr-x 2 root wheel 4096 11. Aug 15:37 scripts.old

Step 5: Making DNS available as master/slave server. The next step will be making the DNS server on node1 the master and the one on node2 the secondary (slave) server. And we create a reverse zone. So when you give your Windows clients node1 as first DNS and node2 as second, your domain will always be found as long as one of the servers is running.

Now on node1: remember, in our /etc/named.conf we point to our Samba DNS file /usr/local/samba/private/named.conf. We have to change a little in this /usr/local/samba/private/named.conf:

    # This file should be included in your main BIND configuration file
    #
    # For example with
    # include "/usr/local/samba/private/named.conf";

    zone "tuebingen.tst.loc." IN {
            type master;
            file "/usr/local/samba/private/dns/tuebingen.tst.loc.zone";
            /*
             * the list of principals and what they can change is created
             * dynamically by Samba, based on the membership of the domain controllers
             * group. The provision just creates this file as an empty file.
             */
            include "/usr/local/samba/private/named.conf.update";
            /* we need to use check-names ignore so _msdcs A records can be created */
            check-names ignore;
            allow-transfer { 192.168.134.28; };    #<----------------
    };

    # The reverse zone configuration    #<-------------- reverse starts here
    zone "134.168.192.in-addr.arpa" in {
            type master;
            file "/usr/local/samba/private/dns/134.168.192.in-addr.arpa.zone";
            allow-transfer { 192.168.134.28; };
            update-policy {
                    grant *.TST.LOC wildcard *.134.168.192.in-addr.arpa. PTR;
            };
    };

Look at my file: allow-transfer { 192.168.134.28; };. The allow-transfer here you must fit to your node2. This IP is allowed to pull a copy of the zone files. The reverse zone configuration, take it as an example. I chose a 192.168.134 subnet here, and I put the file exactly where the Samba DNS file was created:

    [root@node1 dns]# ls -la
    insgesamt 28
    drwxrwxr-x 2 named named 4096 14. Aug 10:48 .
    drwxr-xr-x 7 root  root  4096 16. Aug 09:15 ..
    -rwxrwxrwx 1 named named  626 13. Aug 09:34 134.168.192.in-addr.arpa.zone
    -rwxrwxrwx 1 named named 2977 13. Aug 12:25 tuebingen.tst.loc.zone

All the clients in this subnet go in there. You have to do it manually. E.g. my 134.168.192.in-addr.arpa.zone:

    $ORIGIN 134.168.192.in-addr.arpa.
    $TTL 1W
    @       IN SOA  tuebingen.tst.loc. root.tuebingen.tst.loc. (
                    01 ; serial
                    2D ; refresh
                    4H ; retry
                    6W ; expiry
                    1W ) ; minimum
            IN NS   node1.tuebingen.tst.loc.
            IN NS   node2.tuebingen.tst.loc.
    27      IN PTR  node1.tuebingen.tst.loc.
    28      IN PTR  node2.tuebingen.tst.loc.

Now my Samba DNS file. We have two DNS!!!

    [root@node1 dns]# cat tuebingen.tst.loc.zone
    ; -*- zone -*-
    ; generated by provision.pl
    $ORIGIN tuebingen.tst.loc.
    $TTL 1W
    @               IN SOA  @ hostmaster (
                            2010081113 ; serial
                            2D         ; refresh
                            4H         ; retry
                            6W         ; expiry
                            1W )       ; minimum
                    IN NS   node1
                    ; secondary entry
                    IN NS   node2    ; <--- secondary dns
                    IN A    192.168.134.27
                    IN A    192.168.134.28
    ;
    node1           IN A    192.168.134.27
    node2           IN A    192.168.134.28
    gc._msdcs       IN A    192.168.134.27
    02284f45-de16-4125-a795-3b614f540ef7._msdcs IN CNAME node1
    a441f8f9-629d-43c4-bce6-a5dfba1e4ad9._msdcs IN CNAME node2
    ;
    ; global catalog servers
    _gc._tcp        IN SRV 0 100 3268 node1
    _gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268 node1
    _ldap._tcp.gc._msdcs IN SRV 0 100 3268 node1
    _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs IN SRV 0 100 3268 node1
    ;
    ; ldap servers
    _ldap._tcp      IN SRV 0 100 389 node1
    _ldap._tcp      IN SRV 0 100 389 node2
    _ldap._tcp.dc._msdcs IN SRV 0 100 389 node1
    _ldap._tcp.dc._msdcs IN SRV 0 100 389 node2
    _ldap._tcp.pdc._msdcs IN SRV 0 100 389 node1
    _ldap._tcp.pdc._msdcs IN SRV 0 100 389 node2    ; entry for pdc
    _ldap._tcp.3d718df6-359c-4eb4-a0de-5a7aaf5b0d26.domains._msdcs IN SRV 0 100 389 node1
    _ldap._tcp.3d718df6-359c-4eb4-a0de-5a7aaf5b0d26.domains._msdcs IN SRV 0 100 389 node2
    _ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 node1
    _ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 node2
    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389 node1
    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389 node2
    ;
    ; krb5 servers
    _kerberos._tcp  IN SRV 0 100 88 node1
    _kerberos._tcp  IN SRV 0 100 88 node2
    _kerberos._tcp.dc._msdcs IN SRV 0 100 88 node1
    _kerberos._tcp.dc._msdcs IN SRV 0 100 88 node2
    _kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 node1
    _kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 node2
    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 node1
    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 node2
    _kerberos._udp  IN SRV 0 100 88 node1
    _kerberos._udp  IN SRV 0 100 88 node2
    ; MIT kpasswd likes to lookup this name on password change
    _kerberos-master._tcp IN SRV 0 100 88 node1
    _kerberos-master._tcp IN SRV 0 100 88 node2
    _kerberos-master._udp IN SRV 0 100 88 node1
    _kerberos-master._udp IN SRV 0 100 88 node2
    ;
    ; kpasswd
    _kpasswd._tcp   IN SRV 0 100 464 node1
    _kpasswd._tcp   IN SRV 0 100 464 node2
    _kpasswd._udp   IN SRV 0 100 464 node1
    _kpasswd._udp   IN SRV 0 100 464 node2
    ;
    ; heimdal 'find realm for host' hack
    _kerberos       IN TXT  TUEBINGEN.TST.LOC

Now we switch over to node2. We have to create the dns directory in /usr/local/samba/private:

    mkdir /usr/local/samba/private/dns
    chown -R named:named /usr/local/samba/private/dns
    chmod -R 770 /usr/local/samba/private/dns

Copy over /usr/local/samba/private/named.conf to your node2:

    scp /usr/local/samba/private/named.conf root@node2:/usr/local/samba/private

Then we have to edit this file. It should look like this:

    zone "tuebingen.tst.loc." IN {
            type slave;    #<---------- we mark it as slave
            file "/usr/local/samba/private/dns/tuebingen.tst.loc.zone";
            masters { 192.168.134.27; };    #<--- we tell it where to pull the zone from
            /*
             * the list of principals and what they can change is created
             * dynamically by Samba, based on the membership of the domain controllers
             * group. The provision just creates this file as an empty file.
             */
            // and we had to remove the update section because a slave cannot.
            //include "/usr/local/samba/private/named.conf.update";
            /* we need to use check-names ignore so _msdcs A records can be created */
            check-names ignore;
    };

    # The reverse zone configuration is optional. The following example assumes a
    # subnet of 192.168.134.0/24:
    zone "134.168.192.in-addr.arpa" in {
            type slave;
            file "/usr/local/samba/private/dns/134.168.192.in-addr.arpa.zone";
            masters { 192.168.134.27; };
    };

Now make sure /usr/local/samba/private/named.conf has the rights named:named:

    chown named:named /usr/local/samba/private/named.conf
And also your /etc/named.conf points to that file: // named.conf options { listen-on port 53 { 127.0.0.1;192.168.134.28; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { localhost; 192.168.135.0/24; 192.168.134.0/24; }; recursion yes; forwarders { 192.168.134.253; }; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; #versuch raus genommen include "/usr/local/samba/private/named.conf"; #<---make it point the right way include "/etc/named.rfc1912.zones"; Now restart both dns-servers. On node2 you will find now in /usr/local/samba/private/dns: -rw-r--r-- 1 named 500 406 15. Aug 00:51 134.168.192.in-addr.arpa.zone -rw-r--r-- 1 named 500 2680 15. Aug 08:46 tuebingen.tst.loc.zone ----------------------------------------------- EDV Daniel M?ller Leitung EDV Tropenklinik Paul-Lechler-Krankenhaus Paul-Lechler-Str. 24 72076 T?bingen Tel.: 07071/206-463, Fax: 07071/206-499 eMail: mueller at tropenklinik.de Internet: www.tropenklinik.de -----------------------------------------------
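Added here by the editor, not part of Daniel's post: a small Python consistency check for the master/slave DNS setup described above (it serves the same section in both versions of the HOWTO). It parses the Samba-provisioned forward zone and the hand-maintained reverse zone and reports the drift the post warns about: addresses without a PTR, NS/CNAME/SRV targets that have no A record, DC GUID aliases that are not under _msdcs (a `_mscds` typo, for instance) and an apex with fewer than two NS records. The zone texts are constructed from the records in the post, and the parser is a deliberate minimum that only covers the zone-file subset those files use.

```python
from collections import defaultdict

NAME_FIELD = {"NS": 0, "CNAME": 0, "PTR": 0, "SRV": 3}   # rdata index of the target name


def fqdn(name, origin):
    """Qualify a relative owner or target name against the current $ORIGIN."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"


def ptr_to_ip(owner):
    """'28.134.168.192.in-addr.arpa.' -> '192.168.134.28'"""
    return ".".join(reversed(owner.rstrip(".").split(".")[:-2]))


def parse_zone(text, origin):
    """Return [(owner_fqdn, rtype, rdata_tokens)] for a BIND zone file. Handles $ORIGIN/$TTL,
    ';' comments, '( ... )' continuations and owner inheritance (leading whitespace)."""
    records, last_owner, buf, depth = [], origin, [], 0
    for raw in text.splitlines():
        code = raw.split(";", 1)[0]                      # ';' starts a comment
        if not code.strip():
            continue
        buf.append(code)
        depth += code.count("(") - code.count(")")
        if depth > 0:
            continue                                     # still inside ( ... )
        first, joined = buf[0], " ".join(buf).replace("(", " ").replace(")", " ")
        buf, depth, tokens = [], 0, joined.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        owner = last_owner if first[0].isspace() else fqdn(tokens.pop(0), origin)
        last_owner = owner
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)                                # optional class
        rtype, rdata = tokens[0].upper(), tokens[1:]
        idx = NAME_FIELD.get(rtype)
        if idx is not None and idx < len(rdata):
            rdata[idx] = fqdn(rdata[idx], origin)        # qualify the target name
        records.append((owner, rtype, rdata))
    return records


def check_zones(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return human-readable problems; an empty list means the zones agree."""
    fwd, rev = parse_zone(fwd_text, fwd_origin), parse_zone(rev_text, rev_origin)
    names_by_ip = defaultdict(set)
    for owner, rtype, rdata in fwd:
        if rtype == "A":
            names_by_ip[rdata[0]].add(owner)
    ptr_by_ip = {ptr_to_ip(o): r[0] for o, t, r in rev if t == "PTR"}
    problems = []
    # 1. every address in the forward zone needs a PTR back to one of its names
    for ip, names in sorted(names_by_ip.items()):
        target = ptr_by_ip.get(ip)
        if target is None:
            problems.append(f"no PTR for {ip} ({', '.join(sorted(names))})")
        elif target not in names:
            problems.append(f"PTR for {ip} points to {target}, which has no A record for it")
    # 2. NS/CNAME/SRV/PTR targets must have an address in the forward zone
    known = set().union(*names_by_ip.values())
    for owner, rtype, rdata in fwd + rev:
        idx = NAME_FIELD.get(rtype)
        if idx is not None and idx < len(rdata) and rdata[idx] not in known:
            problems.append(f"{rtype} {owner} -> {rdata[idx]}: target has no A record")
    # 3. the DC GUID aliases of an AD zone are CNAMEs under _msdcs; anywhere else is a typo
    for owner, rtype, _ in fwd:
        if rtype == "CNAME" and not owner.endswith("._msdcs." + fwd_origin):
            problems.append(f"CNAME {owner} is not under _msdcs.{fwd_origin}")
    # 4. failover only works if resolvers can find both DCs at the zone apex
    if sum(1 for o, t, _ in fwd if t == "NS" and o == fwd_origin) < 2:
        problems.append("apex has fewer than two NS records; the slave is never asked")
    return problems


# Constructed sample trimmed from the post's zones: node2 has no PTR, one SRV
# still points at a DC without an A record and one GUID alias is misspelt.
FORWARD_ZONE = """
$ORIGIN tuebingen.tst.loc.
$TTL 1W
@       IN SOA @ hostmaster ( 2010081113 ; serial
                2D 4H 6W 1W ) ; refresh retry expiry minimum
        IN NS node1
        IN NS node2
node1     IN A 192.168.134.27
node2     IN A 192.168.134.28
gc._msdcs IN A 192.168.134.27
02284f45-de16-4125-a795-3b614f540ef7._msdcs IN CNAME node1
a441f8f9-629d-43c4-bce6-a5dfba1e4ad9._mscds IN CNAME node2
_ldap._tcp     IN SRV 0 100 389 node2
_kerberos._tcp IN SRV 0 100 88 node3
"""
REVERSE_ZONE = """
$ORIGIN 134.168.192.in-addr.arpa.
$TTL 1W
@  IN SOA tuebingen.tst.loc. root.tuebingen.tst.loc. 1 2D 4H 6W 1W
   IN NS node1.tuebingen.tst.loc.
   IN NS node2.tuebingen.tst.loc.
27 IN PTR node1.tuebingen.tst.loc.
"""
```

Run `check_zones(FORWARD_ZONE, "tuebingen.tst.loc.", REVERSE_ZONE, "134.168.192.in-addr.arpa.")` against the real files after every manual edit of the reverse zone and before bumping the SOA serial, so the slave never pulls a zone that is already inconsistent.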
Daniel Müller
2010-Sep-16 07:36 UTC
[Samba] WG: HOWTO samba4 centos5.5 named dnsupdate drbd simple failover
New Version 16-09-2010: centOs5.5/samba4/named, here is a short guide setting it up to work. I added TSIG for bind-master and bind-slave.

First of all do not install the bind package coming with centos 5.5!!

Install needs for samba:
yum install libacl* gnutls* readline* python* gdb* autoconf*

Named installation: here is a description on what to do:
http://jason.roysdon.net/2009/10/16/building-bind-9-6-on-rhel5-centos5-for-dnssec-nsec3-support/

The steps:
yum -y install make gcc rpm-build libtool autoconf openssl-devel libcap-devel libidn-devel libxml2-devel openldap-devel postgresql-devel sqlite-devel mysql-devel krb5-devel xmlto

For named to compile correctly you need these 2 packages too:
yum -y install curl* download.fedora.redhat.com/pub/fedora/epel/5/i386/python-dns-1.7.1-1.el5.noarch.rpm

cd /usr/src/redhat/SRPMS
wget -c ftp://mirrors.kernel.org/pub/fedora/updates/11/SRPMS/bind-9.6.*.src.rpm
wget -c ftp://mirrors.kernel.org/pub/fedora/updates/11/SRPMS/dnssec-conf-*.src.rpm
cd /usr/src/redhat/SRPMS
wget -c ftp://mirrors.kernel.org/pub/fedora/updates/12/SRPMS/bind-9.6.*.src.rpm
wget -c ftp://mirrors.kernel.org/pub/fedora/releases/12/Fedora/source/SRPMS/dnssec-conf-*.src.rpm
rpm -ivh --nomd5 bind-9.6.*.src.rpm dnssec-conf-*.src.rpm
cd /usr/src/redhat/SPECS
rpmbuild -ba ./bind.spec

The built bind RPM is now in /usr/src/redhat/RPMS/i386/ or /usr/src/redhat/RPMS/x86_64/ depending on your arch.

rpmbuild -ba ./dnssec-conf.spec

The built dnssec-conf RPM is now in /usr/src/redhat/RPMS/noarch/

cd /usr/src/redhat/RPMS/*86*
rpm -Uvh bind-9.6.*.rpm bind-utils-9.6.*.rpm bind-libs-9.6.*.rpm ../noarch/dnssec-conf-1.21-*.noarch.rpm

Now bind is installed. Config-file in /etc/named.conf. I disabled in options:
//dnssec-enable yes;
//dnssec-validation yes;
//dnssec-lookaside . trust-anchor dlv.isc.org.;

To make bind work you have to add user named to the group named.

Set the rights to make named work correctly:
chmod 770 /etc/named.conf
chmod 770 /etc/named.rfc1912.zones
chown root:named /etc/named.conf
chown named:named /etc/named.rfc1912.zones
chmod -R 770 /var/named
chown -R named:named /var/named
chown named:named /etc/rndc.key
chown named:named /var/run/named/

Now download and install samba, url: http://wiki.samba.org/index.php/Samba4/HOWTO
mkdir samba4
cd samba4
rsync -avz samba.org::ftp/unpacked/samba_4_0_test/ .
cd source4
./autogen.sh
./configure.developer
make
make install

Samba4 is now installed in /usr/local/samba. Provision it:
cd /samba4/source4
./setup/provision --realm=samdom.example.com --domain=SAMDOM --adminpass=SOMEPASSWORD --server-role='domain controller'

In my case:
./setup/provision --realm=tuebingen.tst.loc --domain=TUEBINGEN --adminpass=SOMEPASSWORD --server-role='domain controller'

Now you need to add the PATH to root's .bash_profile in /root -->
PATH=$PATH:$HOME/bin:/usr/local/samba/bin:/usr/local/samba/sbin

ldconfig
which samba must answer: /usr/local/samba/sbin/samba

Now you must set the lib paths:
echo "/usr/local/samba/lib" > /etc/ld.so.conf.d/samba4.conf

The next things to do (named should have read and write):
cd /usr/local/samba/private
chown named:named krb5.conf
chown -R named:named /usr/local/samba/private/dns
chown named:named named.conf
chown named:named named.conf.update
chown named:named dns.keytab
cp krb5.conf /etc   # this will overwrite the original krb5.conf

cd /etc/sysconfig
vi named
There add a line at the bottom:
KEYTAB_FILE="/usr/local/samba/private/dns.keytab"
export KEYTAB_FILE

Now you must update your /etc/named.conf. Be sure to have it listen on an IP, not only 127.0.0.1. Here is mine:

options {
 listen-on port 53 { 127.0.0.1; 192.168.134.27; };
 listen-on-v6 port 53 { ::1; };
 directory "/var/named";
 dump-file "/var/named/data/cache_dump.db";
 statistics-file "/var/named/data/named_stats.txt";
 memstatistics-file "/var/named/data/named_mem_stats.txt";
 allow-query { localhost; allyoursubnetshere; };
 recursion yes;
 forwarders { 192.168.134.253; };   ## put here your first dns if you have one
};

logging {
 channel default_debug {
  file "data/named.run";
  severity dynamic;
 };
};

zone "." IN {
 type hint;
 file "named.ca";
};

include "/usr/local/samba/private/named.conf";   #### samba4 link
include "/etc/named.rfc1912.zones";

In your /etc/resolv.conf you have one single entry:
nameserver 127.0.0.1

Now you have to put in your globals in /usr/local/samba/etc/smb.conf:
interfaces = eth0   # or IP address

Now:
samba -i -M single

And you are done!!! samba_dnsupdate --verbose will give you:

[root@node1 etc]# samba_dnsupdate --verbose
Looking for DNS entry A tuebingen.tst.loc 192.168.134.27 as tuebingen.tst.loc.
Looking for DNS entry A node1.tuebingen.tst.loc 192.168.134.27 as node1.tuebingen.tst.loc.
Looking for DNS entry CNAME 365d2a9f-bfe6-462d-965e-8622bfefc190._msdcs.tuebingen.tst.loc node1.tuebingen.tst.loc as 365d2a9f-bfe6-462d-965e-8622bfefc190._msdcs.tuebingen.tst.loc.
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.tuebingen.tst.loc node1.tuebingen.tst.loc 88 as _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.tuebingen.tst.loc.
Checking 0 100 88 node1.tuebingen.tst.loc. against SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.tuebingen.tst.loc node1.tuebingen.tst.loc 88
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.tuebingen.tst.loc node1.tuebingen.tst.loc 389 as _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.tuebingen.tst.loc.

The next step: setting up the second samba4 on a centOs 5.5 and do replication.
Links: http://wiki.samba.org/index.php/Samba4_joining_a_domain

First of all do all the same as for the first centOS samba4 but do not provision, no smb.conf in /usr/local/samba/etc.

Important things: both servers must know each other. So if named is installed on the second (node2) you need to tell it in its named.conf that the first server (node1) is a forwarder to search for example "tuebingen.tst.loc". Example, my named.conf on node2 - 192.168.135.27 is node1:

options {
 listen-on port 53 { 127.0.0.1; 192.168.134.28; };
 listen-on-v6 port 53 { ::1; };
 directory "/var/named";
 dump-file "/var/named/data/cache_dump.db";
 statistics-file "/var/named/data/named_stats.txt";
 memstatistics-file "/var/named/data/named_mem_stats.txt";
 allow-query { localhost; 192.168.135.0/24; 192.168.134.0/24; };
 recursion yes;
 forwarders { 192.168.134.253; 192.168.134.27; };
};

logging {
 channel default_debug {
  file "data/named.run";
  severity dynamic;
 };
};

zone "." IN {
 type hint;
 file "named.ca";
};

include "/etc/named.rfc1912.zones";

On node2 your /etc/hosts has entries like this:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
192.168.134.28  node2.local node2
192.168.134.27  node1.tuebingen.tst.loc node1

Now you try ping tuebingen.tst.loc. If it is possible you are on the right way:

ping tuebingen.tst.loc
PING tuebingen.tst.loc (192.168.134.27) 56(84) bytes of data.
64 bytes from node1.tuebingen.tst.loc (192.168.134.27): icmp_seq=1 ttl=64 time=0.138 ms

Now you have to copy your /etc/krb5.conf from node1 to node2 /etc/krb5.conf:
scp krb5.conf root@node2:/etc

Edit krb5.conf. Make it look like that:

[root@node2 ~]# cat /etc/krb5.conf
[libdefaults]
 default_realm = TUEBINGEN.TST.LOC
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 TUEBINGEN.TST.LOC = {
  kdc = node1.tuebingen.tst.loc:88
  admin_server = node1.tuebingen.tst.loc:749
  default_domain = tuebingen.tst.loc
 }

[domain_realm]
 .tuebingen.tst.loc = TUEBINGEN.TST.LOC
 tuebingen.tst.loc = TUEBINGEN.TST.LOC

Important is setting dns_lookup_realm = true; dns_lookup_kdc = true.

Now a very important thing. On both servers the time must be equal. So do on both servers: date -s hhmm, ex: date -s 1952.

Then try:
kinit administrator
Password for administrator@TUEBINGEN.TST.LOC:

Must give you this:
Warning: Your password will expire in 34 days on Fri Sep 3 11:11:06 2010

Now change to join the domain: the place to join as dc to your domain is /samba4/source4. There type:
bin/net vampire tuebingen.tst.loc -Uadministrator --realm=tuebingen.tst.loc

If this is successful start samba.

Now return to node1, the first server. Change to /samba4/source4. Now type:
bin/ldbsearch -H /usr/local/samba/private/sam.ldb objectclass=ntdsdsa objectguid --cross-ncs

This must be the result of two dcs:

[root@node1 source4]# bin/ldbsearch -H /usr/local/samba/private/sam.ldb objectclass=ntdsdsa objectguid --cross-ncs
# record 1
dn: CN=NTDS Settings,CN=NODE1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tuebingen,DC=tst,DC=loc
objectGUID: 365d2a9f-bfe6-462d-965e-8622bfefc190

# record 2
dn: CN=NTDS Settings,CN=NODE2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tuebingen,DC=tst,DC=loc
objectGUID: d6160c39-0810-4026-aa24-91c91797d892

# returned 2 records
# 2 entries
# 0 referrals

So record 2 is the new dc in the forest.
Now you must update your /usr/local/samba/private/dns/yourzone.list. Mine after the change:

; -*- zone -*-
; generated by provision.pl
$ORIGIN tuebingen.tst.loc.
$TTL 1W
@       IN SOA @ hostmaster (
                2010072311 ; serial
                2D         ; refresh
                4H         ; retry
                6W         ; expiry
                1W )       ; minimum
        IN NS node1
        IN A 192.168.134.27
;
node1       IN A 192.168.134.27
node2       IN A 192.168.134.28   ; <---- new dc entry
gc._msdcs   IN A 192.168.134.27
365d2a9f-bfe6-462d-965e-8622bfefc190._msdcs IN CNAME node1
d6160c39-0810-4026-aa24-91c91797d892._msdcs IN CNAME node2   ; <--- new dc entry
;
; global catalog servers
_gc._tcp IN SRV 0 100 3268 node1
_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268 node1
_ldap._tcp.gc._msdcs IN SRV 0 100 3268 node1
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs IN SRV 0 100 3268 node1
;
; ldap servers
_ldap._tcp IN SRV 0 100 389 node1
_ldap._tcp.dc._msdcs IN SRV 0 100 389 node1
_ldap._tcp.pdc._msdcs IN SRV 0 100 389 node1
_ldap._tcp.e67cd6da-dbd0-492d-96e2-2dc778abaebe.domains._msdcs IN SRV 0 100 389 node1
_ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 node1
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389 node1
;
; krb5 servers
_kerberos._tcp IN SRV 0 100 88 node1
_kerberos._tcp.dc._msdcs IN SRV 0 100 88 node1
_kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 node1
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 node1
_kerberos._udp IN SRV 0 100 88 node1
; MIT kpasswd likes to lookup this name on password change
_kerberos-master._tcp IN SRV 0 100 88 node1
_kerberos-master._udp IN SRV 0 100 88 node1
;
; kpasswd
_kpasswd._tcp IN SRV 0 100 464 node1
_kpasswd._udp IN SRV 0 100 464 node1
;
; heimdal 'find realm for host' hack
_kerberos IN TXT TUEBINGEN.TST.LOC

Now you have to put two new entries on node1 in /usr/local/samba/etc/smb.conf in the global section:
dreplsrv:periodic_interval = 10
dreplsrv:periodic_startup_interval = 5

Then ssh into node2 to /usr/local/samba/etc. net vampire has placed a smb.conf there. There in the global section set the above entries too:
dreplsrv:periodic_interval = 10
dreplsrv:periodic_startup_interval = 5

My globals on node1:

[globals]
 netbios name = NODE1
 workgroup = TUEBINGEN
 realm = TUEBINGEN.TST.LOC
 server role = domain controller
 interfaces = 192.168.134.27
 dreplsrv:periodic_interval = 10
 dreplsrv:periodic_startup_interval = 5

My globals on node2:

[globals]
 netbios name = NODE2
 workgroup = TUEBINGEN
 realm = TUEBINGEN.TST.LOC
 server role = domain controller
 dreplsrv:periodic_interval = 10
 dreplsrv:periodic_startup_interval = 5

Then on both servers:
Restart samba
service named restart
rndc flush

A little bit of testing: I put a user Sammler into my domain using the win7 Domain-Tools. On the second server node2, cd /samba4/source4, then:

bin/ldbsearch -H ldap://node2 -Uadministrator%tornado_11 name='sam*' dn
# record 1
dn: CN=Sammler sm. Sammler,OU=Keine Systemsteuerung,DC=tuebingen,DC=tst,DC=loc

# Referral
ref: ldap://tuebingen.tst.loc/CN=Configuration,DC=tuebingen,DC=tst,DC=loc

# returned 2 records
# 1 entries
# 1 referrals

Step 3: Configure home shares of the users.

This was the greatest trial and error. Since samba3 this changed. And it is not the same in samba4!!! A simple:

[homes]
 path = /home
 read only = no

This is all. All other ACLs are set from the tool Active Directory Users and Groups within windows. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers. In the Details pane, right-click the applicable user account, and then click Properties. In the Properties dialog box, click the Profile tab. Under Home folder, type the directory information, in my case: \\tuebingen.tst.loc\homes, and the tool will make the user's directory, setting the correct rights.

Shares: the same for shares you do in your smb.conf:

[test]
 path = /windows/test
 read only = no

Then login as administrator on your win-client. Head to your \\server\test and give the rights you want for groups or users. This is all.

Password Policy Settings!!

Along with Samba4 the Password Policy you can only set from the console, with the 'net pwsettings' command. net pwsettings --help:

usage: (show | set <options>)

options:
  -h, --help            show this help message and exit
  -H H                  LDB URL for database or target server
  --quiet               Be quiet
  --complexity=COMPLEXITY
                        The password complexity (on | off | default). Default is 'on'
  --history-length=HISTORY_LENGTH
                        The password history length (<integer> | default). Default is 24.
  --min-pwd-length=MIN_PWD_LENGTH
                        The minimum password length (<integer> | default). Default is 7.
  --min-pwd-age=MIN_PWD_AGE
                        The minimum password age (<integer in days> | default). Default is 1.
  --max-pwd-age=MAX_PWD_AGE
                        The maximum password age (<integer in days> | default). Default is 43.

  Samba Common Options:
    -s FILE, --configfile=FILE
                        Configuration file
    -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
                        debug level
    --option=OPTION     set smb.conf option from command line
    --realm=REALM       set the realm name

  Credentials Options:
    --simple-bind-dn=DN
                        DN to use for a simple bind
    --password=PASSWORD
                        Password
    -U USERNAME, --username=USERNAME
                        Username
    -W WORKGROUP, --workgroup=WORKGROUP
                        Workgroup
    -N, --no-pass       Don't ask for a password
    -k KERBEROS, --kerberos=KERBEROS
                        Use Kerberos

  Version Options:
    --version           Display version number

So I set my Password Policy:
net pwsettings set --complexity=off
net pwsettings set --max-pwd-age=60   #<--- 60 days
net pwsettings set --min-pwd-length=5

net pwsettings show:

[root@node1 ~]# net pwsettings show
Password informations for domain 'DC=tuebingen,DC=tst,DC=loc'
Password complexity: off
Password history length: 24
Minimum password length: 5
Minimum password age (days): 1
Maximum password age (days): 60

Make profiles ready. In your smb.conf:

[profiles]
 path = /windows/users/profiles
 read only = no

mkdir /windows/users/profiles

On your windows client start Active Directory Users and Computers.
Right click, properties, then profile tab: Profile path: your path to the profiles along with %USERNAME%, ex: \\tuebingen.tst.loc\profiles\%USERNAME%

Step 4. Want some more: make the DATA accessible from both samba PDCs, in case one is down. This will be real failover while dns is running.

#########

We need a second nic for cluster device and drbd.
On node1 this will be: 192.168.130.6
On node2 this will be: 192.168.130.5

You need a second harddisk, in my case it will be /dev/hdc. Set on both node1 and node2:
mkdir /windows
fdisk /dev/hdc
Choose n, then p, then 1, then always enter. Leave with w.

You need to install drbd83-8.3.8-1.el5.centos and kmod-drbd83-8.3.8-1.el5.centos:
yum install *drbd83*
And:
yum install cman lvm2-cluster gfs-utils gfs2-utils kmod-gfs

Set up your /etc/drbd.conf:

#drbd.conf dm
global {
 usage-count yes;
}
common {
 syncer {
  rate 20M;
  al-extents 257;
 }
}
resource r0 {
 protocol C;
 startup {
  become-primary-on both;
  degr-wfc-timeout 120;   # 1 minute.
  #wfc-timeout 30;
 }
 disk {
  on-io-error detach;
 }
 net {
  allow-two-primaries;
  cram-hmac-alg "sha1";
  shared-secret "yourpasswd";
  after-sb-0pri discard-least-changes;
  #after-sb-0pri discard-zero-changes;
  after-sb-1pri violently-as0p;
  after-sb-2pri violently-as0p;
  #rr-conflict violently;
 }
 on node2.local {
  device /dev/drbd0;
  disk /dev/hdc1;
  address 192.168.130.5:7788;
  flexible-meta-disk internal;
 }
 on node1.local {
  device /dev/drbd0;
  disk /dev/hdc1;
  address 192.168.130.6:7788;
  flexible-meta-disk internal;
 }
}

The drbd.conf needs to be the same on both hosts!! Important! With "on" in your drbd.conf you name your hosts, ex: on node1.local. After "on" you must set the name that "uname -n" gives you on your machine. "r0" is the resource we are using.

According to the /etc/drbd.conf you need to initiate your resource first before you can use it, like: drbdadm create-md r0. Example:

[root@node2 etc]# drbdadm create-md r0
md_offset 500105211904
al_offset 500105179136
bm_offset 500089913344

Found some data
 ==> This might destroy existing data! <==

Do you want to proceed?
[need to type 'yes' to confirm] yes

You want me to create a v08 style flexible-size internal meta data block.
There appears to be a v08 flexible-size internal meta data block
already in place on /dev/hdc1 at byte offset 500105211904
Do you really want to overwrite the existing v08 meta-data?
[need to type 'yes' to confirm] yes

Writing meta data...
initializing activity log
NOT initialized bitmap
New drbd meta data block successfully created.

On both nodes:
service drbd start

Then:
cat /proc/drbd

[root@node1 ~]# cat /proc/drbd
version: 8.3.8 (api:88/proto:86-94)
GIT-hash: d78846e52224fd00562f7c225bcc25b2d422321d build by mockbuild@builder10.centos.org, 2010-06-04 08:04:31
 0: cs:Connected ro:Secondary/Secondary ds:Inconsistent/Inconsistent C r----
    ns:0 nr:0 dw:0 dr:0 al:0 bm:0 lo:0 pe:0 ua:0 ap:0 ep:1 wo:b oos:488369056

Then on node1:
drbdadm -- --overwrite-data-of-peer primary all

cat /proc/drbd will show you:

[root@node1 ~]# cat /proc/drbd
version: 8.3.8 (api:88/proto:86-94)
GIT-hash: d78846e52224fd00562f7c225bcc25b2d422321d build by mockbuild@builder10.centos.org, 2010-06-04 08:04:31
 0: cs:SyncSource ro:Primary/Secondary ds:UpToDate/Inconsistent C r----
    ns:121460 nr:0 dw:0 dr:129632 al:0 bm:7 lo:1 pe:62 ua:256 ap:0 ep:1 wo:b oos:488249568
        [>....................] sync'ed:  0.1% (476804/476920)M delay_probe: 8
        finish: 22:36:14 speed: 5,632 (11,948) K/sec

Now you must wait until both devices have synced the first time. You can "watch cat /proc/drbd" to see it progress. After the first sync has finished you will see:

cat /proc/drbd
version: 8.3.8 (api:88/proto:86-94)
GIT-hash: d78846e52224fd00562f7c225bcc25b2d422321d build by mockbuild@builder10.centos.org, 2010-06-04 08:04:31
 0: cs:Connected ro:Primary/Secondary ds:UpToDate/UpToDate C r----
    ns:488369056 nr:0 dw:0 dr:488369056 al:0 bm:29808 lo:0 pe:0 ua:0 ap:0 ep:1 wo:b oos:0

Now we can configure the cluster. This is needed to run both drbd-nodes in primary mode. First of all we have to write our /etc/cluster/cluster.conf:

<?xml version="1.0" ?>
<cluster config_version="3" name="samba-cluster">
 <fence_daemon post_fail_delay="0" post_join_delay="3"/>
 <clusternodes>
  <clusternode name="node2" nodeid="1" votes="1">
   <fence>
    <method name="single">
     <device name="human" ipaddr="192.168.130.4"/>
    </method>
   </fence>
  </clusternode>
  <clusternode name="node1" nodeid="2" votes="1">
   <fence>
    <method name="single">
     <device name="human" ipaddr="192.168.130.6"/>
    </method>
   </fence>
  </clusternode>
 </clusternodes>
 <cman expected_votes="1" two_node="1"/>
 <fencedevices>
  <fencedevice name="human" agent="fence_manual"/>
 </fencedevices>
 <rm>
  <failoverdomains/>
  <resources/>
 </rm>
</cluster>

This cluster.conf must be the same on both node1 and node2. So copy it over, ex:
scp /etc/cluster/cluster.conf root@node1:/etc/cluster

Now start cman on both nodes: service cman start. Now expect this:

[root@node1 cluster]# service cman start
Starting cluster:
   Enabling workaround for Xend bridged networking... done
   Loading modules... done
   Mounting configfs... done
   Starting ccsd... done
   Starting cman... done
   Starting daemons... done
   Starting fencing... done
                                                           [  OK  ]

Now check if all is running well. Check nodes like this: cman_tool nodes

[root@node1 cluster]# cman_tool nodes
Node  Sts   Inc   Joined               Name
   1   M     12   2010-08-05 08:37:22  node2
   2   M      4   2010-08-05 08:37:22  node1

Now we make our clustered filesystem. Do it exactly like that. Now first on node1: for this we need the name of our cluster in cluster.conf, "samba-cluster", and "/dev/drbd0":
mkfs.gfs2 -t samba-cluster:gfs2 -p lock_dlm -j 2 /dev/drbd0

[root@node1 cluster]# mkfs.gfs2 -t samba-cluster:gfs2 -p lock_dlm -j 2 /dev/drbd0
This will destroy any data on /dev/drbd0.

Are you sure you want to proceed? [y/n]

Device:                    /dev/drbd0
Blocksize:                 4096
Device Size                465.75 GB (122092264 blocks)
Filesystem Size:           465.75 GB (122092262 blocks)
Journals:                  2
Resource Groups:           1863
Locking Protocol:          "lock_dlm"
Lock Table:                "samba-cluster:gfs2"
UUID:                      BBAF2EC1-B0B8-0F82-DB5C-CA9273859610

Then: service gfs start.

Then change to node2. Remember this node runs in drbd "secondary". So we have to put it on primary. On node2: drbdadm primary r0. A cat /proc/drbd must show us:

cat /proc/drbd
version: 8.3.8 (api:88/proto:86-94)
GIT-hash: d78846e52224fd00562f7c225bcc25b2d422321d build by mockbuild@builder10.centos.org, 2010-06-04 08:04:31
 0: cs:Connected ro:Primary/Primary ds:UpToDate/UpToDate C r----
    ns:0 nr:488671336 dw:488671336 dr:0 al:0 bm:29808 lo:0 pe:0 ua:0 ap:0 ep:1 wo:b oos:0

Now we can make our clustered filesystem on node2:

[root@node2 ~]# mkfs.gfs2 -t samba-cluster:gfs2 -p lock_dlm -j 2 /dev/drbd0
This will destroy any data on /dev/drbd0.
It appears to contain a gfs2 filesystem.

Are you sure you want to proceed? [y/n]

Device:                    /dev/drbd0
Blocksize:                 4096
Device Size                465.75 GB (122092264 blocks)
Filesystem Size:           465.75 GB (122092262 blocks)
Journals:                  2
Resource Groups:           1863
Locking Protocol:          "lock_dlm"
Lock Table:                "samba-cluster:gfs2"
UUID:                      885E2E87-90CE-B916-8A73-D66336CD98C0

Now start gfs on node2: service gfs start.

Now make on both nodes in / the directory windows: mkdir windows. Then mount on both nodes the gfs filesystem to windows:
mount -t gfs2 /dev/drbd0 /windows

Now let's do some testing, on node1: cd /windows.
touch test.txt
[root@node1 windows]# ls
test.txt

On node2 you must see in /windows:
[root@node2 windows]# ls
test.txt

On node2: vim test.txt, i, this is a test from node2, :wq.
On node1: cat /windows/test.txt
[root@node1 windows]# cat /windows/test.txt
this is a test from node2

So you did it. Everything is synchronized. So you point your home-directories and your shares in /usr/local/samba/etc/smb.conf to a directory in /windows and you have failover data for both your samba4 controllers.

The next thing to do is to add entries into fstab on both nodes: vim /etc/fstab. Enter at the end:
/dev/drbd0              /windows                gfs2    _netdev         0 0

This is my fstab:

/dev/VolGroup00/LogVol00 /                       ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/dev/VolGroup00/LogVol01 swap                   swap    defaults        0 0
/dev/drbd0              /windows                gfs2    _netdev         0 0

The next step is to make sure DRBD is started on boot before GFS2. In my case I tried several hours before I succeeded. You must do this on both nodes. You find the startup scripts in /etc/rc.d/init.d.

First drbd: vim drbd. You find the start and stop option at #chkconfig: - start stop. The original line here: #chkconfig: - 70 08. I changed it to: # chkconfig: - 55 08

#!/bin/bash
#
# chkconfig: - 55 08
# description: Loads and unloads the drbd module
#
# Copyright 2001-2010 LINBIT
#
# Philipp Reisner, Lars Ellenberg
#
### BEGIN INIT INFO
# Provides: drbd
# Required-Start: $local_fs $network $syslog
# Required-Stop:  $local_fs $network $syslog
# Should-Start:   sshd multipathd
# Should-Stop:    sshd multipathd
# Default-Start:  2 3 4 5
# Default-Stop:   0 1 6
# X-Start-Before: heartbeat corosync
# X-Stop-After:   heartbeat corosync
# Short-Description:    Control drbd resources.
### END INIT INFO

Now vim gfs2: the original line here: #chkconfig: - 26 74. I changed it to: # chkconfig: - 70 07

#!/bin/bash
#
#
#
# chkconfig: - 70 07
# description: mount/unmount gfs2 filesystems configured in /etc/fstab
#
#
### BEGIN INIT INFO
# Provides:
### END INIT INFO

Now cd /etc/rc.d/rc5.d:
mv S26gfs2 S70gfs2
mv S70drbd S55drbd

In all other rc0.d-rc4.d and rc6.d:
mv K74gfs2 K07gfs2

Now restart both nodes.

mkdir /windows/homes on both nodes. Point your [homes] in /usr/local/samba/etc/smb.conf to path = /windows/homes:

[homes]
 path = /windows/homes
 read only = no

Make as described in Step 3: add home directories and rights. You will find your files synchronized on both node1 and node2.

Now, important to make your simple failover work, you have to tune your named server on node1. These are the entries for your /usr/local/samba/private/dns/yourdomainzone, ex. mine: /usr/local/samba/private/dns/tuebingen.tst.loc.zone. Change it according to your settings:

; -*- zone -*-
; generated by provision.pl
$ORIGIN tuebingen.tst.loc.
$TTL 1W
@       IN SOA @ hostmaster (
                2010080911 ; serial
                2D         ; refresh
                4H         ; retry
                6W         ; expiry
                1W )       ; minimum
        IN NS node1
        IN A 192.168.134.27
        IN A 192.168.134.28   ; 192.168.134.28 added
;
node1       IN A 192.168.134.27
node2       IN A 192.168.134.28
gc._msdcs   IN A 192.168.134.27
13ff0be8-50f6-45b8-858e-9a38872906e0._msdcs IN CNAME node1
aaf6380d-162e-4263-86b2-c4119457342c._msdcs IN CNAME node2
;
; global catalog servers
_gc._tcp IN SRV 0 100 3268 node1
_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268 node1
_ldap._tcp.gc._msdcs IN SRV 0 100 3268 node1
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs IN SRV 0 100 3268 node1
;
; ldap servers
_ldap._tcp IN SRV 0 100 389 node1
_ldap._tcp IN SRV 0 100 389 node2
_ldap._tcp.dc._msdcs IN SRV 0 100 389 node1
_ldap._tcp.dc._msdcs IN SRV 0 100 389 node2
_ldap._tcp.pdc._msdcs IN SRV 0 100 389 node1
; added by me
_ldap._tcp.pdc._msdcs IN SRV 0 100 389 node2
; end
_ldap._tcp.fac1d707-a9a9-44a2-8b02-4ab6dda8cec7.domains._msdcs IN SRV 0 100 389 node1
_ldap._tcp.fac1d707-a9a9-44a2-8b02-4ab6dda8cec7.domains._msdcs IN SRV 0 100 389 node2
_ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 node1
_ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 node2
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389 node1
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389 node2
;
; krb5 servers
_kerberos._tcp IN SRV 0 100 88 node1
_kerberos._tcp IN SRV 0 100 88 node2
_kerberos._tcp.dc._msdcs IN SRV 0 100 88 node1
_kerberos._tcp.dc._msdcs IN SRV 0 100 88 node2
_kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 node1
_kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 node2
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 node1
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 node2
_kerberos._udp IN SRV 0 100 88 node1
_kerberos._udp IN SRV 0 100 88 node2
; MIT kpasswd likes to lookup this name on password change
_kerberos-master._tcp IN SRV 0 100 88 node1
_kerberos-master._tcp IN SRV 0 100 88 node2
_kerberos-master._udp IN SRV 0 100 88 node1
_kerberos-master._udp IN SRV 0 100 88 node2
;
; kpasswd
_kpasswd._tcp IN SRV 0 100 464 node1
_kpasswd._tcp IN SRV 0 100 464 node2
_kpasswd._udp IN SRV 0 100 464 node1
_kpasswd._udp IN SRV 0 100 464 node2
;
; heimdal 'find realm for host' hack
_kerberos IN TXT TUEBINGEN.TST.LOC

Now make your Netlogon failover. On node1: this will sync scripts to node2 on the fly. Put your login scripts there, ex: login.cmd. My netlogon resides here. Attention: be sure to put the right rights here on the sysvol directory. On both nodes this has to be root:wheel!!!!!!!!!!!!!!

cd /usr/local/samba/var/locks/sysvol/tuebingen.tst.loc
cp -r scripts /windows
chown -R root:wheel /windows/scripts
mv scripts scripts.org
ln -s /windows/scripts scripts
chown -R root:wheel scripts
On node2: Important on node2, I had to do a chown ?R root:wheel to /usr/local/samba/var/locks/sysvol In /usr/local/samba/var/locks/sysvol/tuebingen.tst.loc Mv scripts scripts.org Ln ?s /windows/scripts scripts Chown root:wheel scripts Next step about Policies: node1: /usr/local/samba/var/locks/sysvol/tuebingen.tst.loc/Policies. On node1: cd /usr/local/samba/var/locks/sysvol/tuebingen.tst.loc/ cp ?r Policies /windows chown ?R root:wheel /windows/Policies mv Policies Policies.org ln ?s /windows/Policies Policies chown ?R root:wheel Policies node2: If you have not done it before: chown ?R root:wheel /usr/local/samba/var/locks/sysvol cd /usr/local/samba/var/locks/sysvol/tuebingen.tst.loc: On node2 as the 2nd dc there was done no Policies-directory. Now: ln ?s /windows/Policies Policies Chown ?R root:wheel Policies [root at node2 tuebingen.tst.loc]# ls -la insgesamt 12 drwxr-xr-x 3 root wheel 4096 12. Aug 11:22 . drwxr-xr-x 3 root wheel 4096 11. Aug 15:37 .. lrwxrwxrwx 1 root wheel 17 12. Aug 11:22 Policies -> /windows/Policies lrwxrwxrwx 1 root wheel 16 11. Aug 15:46 scripts -> /windows/scripts drwxr-xr-x 2 root wheel 4096 11. Aug 15:37 scripts.old Step 5 Making dns available Master/Slave- Server: The next step will be making the DNS-Server on node1 the master and the one on node2 the secondary (slave) server. And we create a reverse Zone. So when you put to your windows clients: node1 as your first dns and node 2 as your second your domain will always be found as long one of the server are running. Now on node1: Remember we point in our /etc/named.conf to our dns-samba-file in /usr/local/samba/private/named.conf. We have to change a little in this /usr/local/samba/private/named.conf: # This file should be included in your main BIND configuration file # # For example with # include "/usr/local/samba/private/named.conf"; zone "tuebingen.tst.loc." 
IN {
    type master;
    file "/usr/local/samba/private/dns/tuebingen.tst.loc.zone";
    /*
     * the list of principals and what they can change is created
     * dynamically by Samba, based on the membership of the domain controllers
     * group. The provision just creates this file as an empty file.
     */
    include "/usr/local/samba/private/named.conf.update";
    /* we need to use check-names ignore so _msdcs A records can be created */
    check-names ignore;
    allow-transfer { 192.168.134.28; };   #<---------------- only node2 may pull the zone
};

# The reverse zone configuration   #<-------------- reverse starts here
zone "134.168.192.in-addr.arpa" in {
    type master;
    file "/usr/local/samba/private/dns/134.168.192.in-addr.arpa.zone";
    allow-transfer { 192.168.134.28; };
    update-policy {
        grant *.TST.LOC wildcard *.134.168.192.in-addr.arpa. PTR;
    };
};

Look at my file: allow-transfer { 192.168.134.28; };. The allow-transfer here you must adapt to your node2. This IP is allowed to pull a copy of the zone files. Do not leave it out: BIND 9.6's default allow-transfer is any, and the AD zone lists every DC and service in the domain. Matching on the source address only is a weak check; the TSIG-signed transfers further down replace it.

The reverse zone configuration, take it as an example. I chose a 192.168.134 subnet here, and I put the file exactly where the Samba DNS file was created.

[root@node1 dns]# ls -la
total 28
drwxrwxr-x 2 named named 4096 14. Aug 10:48 .
drwxr-xr-x 7 root  root  4096 16. Aug 09:15 ..
-rwxrwxrwx 1 named named  626 13. Aug 09:34 134.168.192.in-addr.arpa.zone
-rwxrwxrwx 1 named named 2977 13. Aug 12:25 tuebingen.tst.loc.zone

(Mode 777 on the zone files is more than named needs: named:named with 660 on the files and 770 on the directory is enough for named to rewrite the zone and create its journal files, and it keeps the zone from being editable by every local user.)

All the clients in this subnet go in there. You have to do it manually. Example, my 134.168.192.in-addr.arpa.zone:

$ORIGIN 134.168.192.in-addr.arpa.
$TTL 1W
@ IN SOA tuebingen.tst.loc. root.tuebingen.tst.loc. (
        01 ; serial
        2D ; refresh
        4H ; retry
        6W ; expiry
        1W ) ; minimum
  IN NS node1.tuebingen.tst.loc.
  IN NS node2.tuebingen.tst.loc.
27 IN PTR node1.tuebingen.tst.loc.
28 IN PTR node2.tuebingen.tst.loc.

(Clients that register their own PTR records through the update-policy above send the update to the server named in the SOA MNAME field. Here that is tuebingen.tst.loc., which resolves to both DCs; a client that picks node2 hits the slave, which does not accept updates. Putting node1.tuebingen.tst.loc. in the MNAME field avoids that.)

Now my Samba DNS file. We have two DNS servers!

[root@node1 dns]# cat tuebingen.tst.loc.zone
; -*- zone -*-
; generated by provision.pl
$ORIGIN tuebingen.tst.loc.
$TTL 1W
@ IN SOA @ hostmaster (
        2010081113 ; serial
        2D ; refresh
        4H ; retry
        6W ; expiry
        1W ) ; minimum
  IN NS node1
  IN NS node2   ; <--- secondary dns entry
  IN A 192.168.134.27
  IN A 192.168.134.28
;
node1 IN A 192.168.134.27
node2 IN A 192.168.134.28
gc._msdcs IN A 192.168.134.27
02284f45-de16-4125-a795-3b614f540ef7._msdcs IN CNAME node1
a441f8f9-629d-43c4-bce6-a5dfba1e4ad9._msdcs IN CNAME node2
;
; global catalog servers
_gc._tcp IN SRV 0 100 3268 node1
_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268 node1
_ldap._tcp.gc._msdcs IN SRV 0 100 3268 node1
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs IN SRV 0 100 3268 node1
;
; ldap servers
_ldap._tcp IN SRV 0 100 389 node1
_ldap._tcp IN SRV 0 100 389 node2
_ldap._tcp.dc._msdcs IN SRV 0 100 389 node1
_ldap._tcp.dc._msdcs IN SRV 0 100 389 node2
_ldap._tcp.pdc._msdcs IN SRV 0 100 389 node1
_ldap._tcp.pdc._msdcs IN SRV 0 100 389 node2   ; entry for pdc
_ldap._tcp.3d718df6-359c-4eb4-a0de-5a7aaf5b0d26.domains._msdcs IN SRV 0 100 389 node1
_ldap._tcp.3d718df6-359c-4eb4-a0de-5a7aaf5b0d26.domains._msdcs IN SRV 0 100 389 node2
_ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 node1
_ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 node2
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389 node1
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389 node2
;
; krb5 servers
_kerberos._tcp IN SRV 0 100 88 node1
_kerberos._tcp IN SRV 0 100 88 node2
_kerberos._tcp.dc._msdcs IN SRV 0 100 88 node1
_kerberos._tcp.dc._msdcs IN SRV 0 100 88 node2
_kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 node1
_kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 node2
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 node1
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 node2
_kerberos._udp IN SRV 0 100 88 node1
_kerberos._udp IN SRV 0 100 88 node2
; MIT kpasswd likes to lookup this name on password change
_kerberos-master._tcp IN SRV 0 100 88 node1
_kerberos-master._tcp IN SRV 0 100 88 node2
_kerberos-master._udp IN SRV 0 100 88 node1
_kerberos-master._udp IN SRV 0 100 88 node2
;
; kpasswd
_kpasswd._tcp IN SRV 0 100 464 node1
_kpasswd._tcp IN SRV 0 100 464 node2
_kpasswd._udp IN SRV 0 100 464 node1
_kpasswd._udp IN SRV 0 100 464 node2
;
; heimdal 'find realm for host' hack
_kerberos IN TXT TUEBINGEN.TST.LOC

(Note that _ldap._tcp.pdc._msdcs normally names only the DC holding the PDC emulator role. Listing both DCs works for lookups, but a client may then talk to a DC that does not hold the role.)

Now we switch over to node2. We have to create the dns directory in /usr/local/samba/private:

mkdir /usr/local/samba/private/dns
chown -R named:named /usr/local/samba/private/dns
chmod -R 770 /usr/local/samba/private/dns

Copy over /usr/local/samba/private/named.conf to your node2:
scp /usr/local/samba/private/named.conf root@node2:/usr/local/samba/private

Then we have to edit this file. It should look like this:

zone "tuebingen.tst.loc." IN {
    type slave;                      #<---------- we mark it as slave
    file "/usr/local/samba/private/dns/tuebingen.tst.loc.zone";
    masters { 192.168.134.27; };     #<--- we tell it where to pull the zone from
    /*
     * the list of principals and what they can change is created
     * dynamically by Samba, based on the membership of the domain controllers
     * group. The provision just creates this file as an empty file.
     */
    // and we had to remove the update section, because a slave cannot take updates.
    //include "/usr/local/samba/private/named.conf.update";
    /* we need to use check-names ignore so _msdcs A records can be created */
    check-names ignore;
};

# The reverse zone configuration is optional. The following example assumes a
# subnet of 192.168.134.0/24:
zone "134.168.192.in-addr.arpa" in {
    type slave;
    file "/usr/local/samba/private/dns/134.168.192.in-addr.arpa.zone";
    masters { 192.168.134.27; };
};

Now make sure /usr/local/samba/private/named.conf has the right ownership, named:named:
chown named:named /usr/local/samba/private/named.conf
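The reverse zone is maintained by hand, so it drifts from the forward zone easily. The following shell script is an added example, not part of the HOWTO, that builds a /24 reverse zone from a host list (with the SOA MNAME pointing at the master, so PTR self-registration reaches a server that accepts updates) and cross-checks a forward zone against a reverse zone: every address in an A record must have a PTR, and every PTR must point at a name that has an A record for that address. Domain, subnet and host names follow the post; the host list and the trimmed sample forward zone embedded in it are constructed input.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: build a /24 reverse zone from a host list
# and cross-check a forward zone against a reverse zone. Domain, subnet and host
# names follow the post; the host list and sample zone below are constructed.

# gen_reverse_zone DOMAIN PREFIX SERIAL NS1 NS2  (reads "host ip" lines on stdin)
# PREFIX is the first three octets of the /24. MNAME is set to NS1 so that
# dynamic-update clients send their PTR updates to the master, not the slave.
gen_reverse_zone() {
    domain=$1 net=$2 serial=$3 ns1=$4 ns2=$5
    o1=${net%%.*} rest=${net#*.}
    o2=${rest%%.*} o3=${rest#*.}
    printf '$ORIGIN %s.%s.%s.in-addr.arpa.\n$TTL 1W\n' "$o3" "$o2" "$o1"
    printf '@ IN SOA %s. hostmaster.%s. (\n' "$ns1" "$domain"
    printf '        %s ; serial\n        2D ; refresh\n        4H ; retry\n' "$serial"
    printf '        6W ; expiry\n        1W ) ; minimum\n'
    printf '  IN NS %s.\n  IN NS %s.\n' "$ns1" "$ns2"
    while read -r host ip; do
        case "$ip" in
            "$net".*) printf '%s IN PTR %s.%s.\n' "${ip##*.}" "$host" "$domain" ;;
            *) printf 'skipping %s: %s is not in %s.0/24\n' "$host" "$ip" "$net" >&2 ;;
        esac
    done
}

# check_zones FORWARD_ZONE REVERSE_ZONE DOMAIN
# Reports every A address without a PTR and every PTR whose target has no A record
# for that address. Exit status 1 if anything is inconsistent, 0 otherwise.
check_zones() {
    awk -v dom="$3" '
        FNR == NR {                               # first file: forward zone
            sub(/;.*/, "")
            if ($0 ~ /^[$]/ || NF == 0) next
            owner = ($0 ~ /^[ \t]/) ? last : $1   # blank owner = previous owner
            last = owner
            for (i = 1; i < NF; i++)
                if ($i == "A" && $(i+1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    name = (owner == "@") ? dom : owner "." dom
                    a_ip[$(i+1)] = a_ip[$(i+1)] " " name
                    a_rec[name, $(i+1)] = 1
                }
            next
        }
        /^[$]ORIGIN/ { origin = $2; next }        # second file: reverse zone
        {
            sub(/;.*/, "")
            for (i = 1; i < NF; i++)
                if ($i == "PTR") {
                    split(origin, o, ".")          # 134.168.192.in-addr.arpa. -> 192.168.134
                    ip = o[3] "." o[2] "." o[1] "." $1
                    target = $(i+1); sub(/\.$/, "", target)
                    seen[ip] = 1
                    if (!((target, ip) in a_rec)) {
                        print "PTR " ip " -> " target " has no matching A record"
                        bad++
                    }
                }
        }
        END {
            for (ip in a_ip)
                if (!(ip in seen)) { print "no PTR for " ip " (" a_ip[ip] " )"; bad++ }
            exit (bad > 0)
        }' "$1" "$2"
}

# Constructed sample: the forward zone from the post, trimmed to its A records.
sample_forward_zone() {
    cat <<'EOF'
$ORIGIN tuebingen.tst.loc.
$TTL 1W
@ IN SOA @ hostmaster ( 2010081113 2D 4H 6W 1W )
  IN NS node1
  IN NS node2   ; secondary dns entry
  IN A 192.168.134.27
  IN A 192.168.134.28
node1 IN A 192.168.134.27
node2 IN A 192.168.134.28
gc._msdcs IN A 192.168.134.27
EOF
}

tmp=$(mktemp -d)
sample_forward_zone > "$tmp/tuebingen.tst.loc.zone"
printf 'node1 192.168.134.27\nnode2 192.168.134.28\n' |
    gen_reverse_zone tuebingen.tst.loc 192.168.134 01 \
        node1.tuebingen.tst.loc node2.tuebingen.tst.loc > "$tmp/134.168.192.in-addr.arpa.zone"
if check_zones "$tmp/tuebingen.tst.loc.zone" "$tmp/134.168.192.in-addr.arpa.zone" tuebingen.tst.loc; then
    echo "forward and reverse zones are consistent"
fi
rm -rf "$tmp"
```

Run the check on the master against the files in /usr/local/samba/private/dns after every manual edit of the reverse zone; a PTR that points at a name without a matching A record is the usual leftover after a host is renamed.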
And make sure your /etc/named.conf points to that file:

// named.conf
options {
    listen-on port 53 { 127.0.0.1; 192.168.134.28; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; 192.168.135.0/24; 192.168.134.0/24; };
    recursion yes;
    forwarders { 192.168.134.253; };
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/usr/local/samba/private/named.conf";   #<--- make it point the right way
include "/etc/named.rfc1912.zones";

Now restart both DNS servers. On node2 you will now find in /usr/local/samba/private/dns:

-rw-r--r-- 1 named 500  406 15. Aug 00:51 134.168.192.in-addr.arpa.zone
-rw-r--r-- 1 named 500 2680 15. Aug 08:46 tuebingen.tst.loc.zone

Making BIND (secure) transaction signatures (TSIG):

In /etc on node1:
[root@node1 etc]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST rndc-key
This will give you: Krndc-key.+157+42092

(HMAC-MD5 is the classic TSIG algorithm. BIND 9.6 also accepts hmac-sha256, generated with dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST rndc-key, which is the better choice for a new key; the algorithm in the key statement below must then read hmac-sha256 on both nodes.)

The new keys are stored in /etc:
[root@node1 etc]# ls K*
Krndc-key.+157+42092.key  Krndc-key.+157+42092.private

Krndc-key.+157+42092.key = the "public" key. The .key file contains a DNS KEY record that can be inserted into a zone file.
Krndc-key.+157+42092.private = the private key. This file contains the algorithm fields.
For an HMAC key both files hold the same shared secret, so the .key file must be protected just like the .private file.

Now you need the key. So do: cat /etc/Krndc-key.+157+42092.private

[root@node1 etc]# cat Krndc-key.+157+42092.key
rndc-key.
IN KEY 512 3 157 XVPzLYeEgmaG57IXg7eHrA==
[root@node1 etc]# cat Krndc-key.+157+42092.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: XVPzLYeEgmaG57IXg7eHrA==
Bits: AAA=

You need the part after Key:, in my case: XVPzLYeEgmaG57IXg7eHrA==

Now I made a file in /var/named called tsig.key (vim /var/named/tsig.key). In my case:

key "TRANSFER" {
    algorithm hmac-md5;
    secret "XVPzLYeEgmaG57IXg7eHrA==";
};
# Your slave server IP
server 192.168.134.28 {
    keys { TRANSFER; };
};

chown named:named /var/named/tsig.key
Also chmod 640 /var/named/tsig.key: the file holds the shared secret, and anyone who can read it can sign a transfer request and pull the whole zone.

Now you must include the tsig.key file in your /etc/named.conf:
include "/var/named/tsig.key";

On the SLAVE (node2):
Now copy your /var/named/tsig.key to the BIND slave server. In my case:

[root@node1 named]# scp tsig.key root@node2:/var/named
root@node2's password:
tsig.key                    100%  153     0.2KB/s   00:00

Do not forget to chown named:named the tsig.key on the slave.
You have to edit the tsig.key on the BIND slave server. In my case:

key "TRANSFER" {
    algorithm hmac-md5;
    secret "XVPzLYeEgmaG57IXg7eHrA==";
};
# Your master server IP
server 192.168.134.27 {
    keys { TRANSFER; };
};

The only difference between the key files is the IP. On the slave, fill in the IP of your master server.
Fill in your /etc/named.conf:
include "/var/named/tsig.key";

Now you need to edit your /usr/local/samba/private/named.conf. You must restrict zone transfers to those signed with the TRANSFER key, as follows:

zone "tuebingen.tst.loc." IN {
    type master;
    file "/usr/local/samba/private/dns/tuebingen.tst.loc.zone";
    /*
     * the list of principals and what they can change is created
     * dynamically by Samba, based on the membership of the domain controllers
     * group. The provision just creates this file as an empty file.
     */
    include "/usr/local/samba/private/named.conf.update";
    /* we need to use check-names ignore so _msdcs A records can be created */
    check-names ignore;
    #allow-transfer { 192.168.134.28; };   ##<-- old
    allow-transfer { key TRANSFER; };      ##<-- new
};
zone "134.168.192.in-addr.arpa" in {
    type master;
    file "/usr/local/samba/private/dns/134.168.192.in-addr.arpa.zone";
    allow-transfer { key TRANSFER; };      ##<-- new
    # allow-transfer { 192.168.134.28; };  ##<-- old
    update-policy {
        grant *.TST.LOC wildcard *.134.168.192.in-addr.arpa. PTR;
    };
};

Then restart both master and slave. Look inside your log to see whether it is working. In my case the log file resides in /var/named/data/, file named.run:

ON NODE1:
zone tuebingen.tst.loc/IN: sending notifies (serial 2010081113)
zone 134.168.192.in-addr.arpa/IN: sending notifies (serial 1)
client 192.168.134.28#20295: received notify for zone 'tuebingen.tst.loc': TSIG 'transfer'
client 192.168.134.28#25099: received notify for zone '134.168.192.in-addr.arpa': TSIG 'transfer'

ON NODE2:
reloading zones succeeded
client 192.168.134.27#18877: received notify for zone 'tuebingen.tst.loc': TSIG 'transfer'
zone tuebingen.tst.loc/IN: notify from 192.168.134.27#18877: zone is up to date
client 192.168.134.27#37510: received notify for zone '134.168.192.in-addr.arpa': TSIG 'transfer'
zone 134.168.192.in-addr.arpa/IN: notify from 192.168.134.27#37510: zone is up to date

A quick check that the restriction really bites, from a third host: dig @192.168.134.27 tuebingen.tst.loc AXFR must now end in "; Transfer failed.", while the same query with -y hmac-md5:TRANSFER:<secret> must return the zone.

-----------------------------------------------
EDV Daniel Müller
Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
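The key handling above is manual, and the cat output shows how easily a trailing "=" gets lost between the key file and tsig.key. The following shell script is an added example, not part of the HOWTO, that generates a secret of the right shape, rejects a malformed or too-short secret before it reaches named.conf, and writes the master and slave key files with only their server address differing. Key name, algorithm names and node addresses are taken from the post; the secret is freshly generated on each run and the output paths are temporary.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: generate a TSIG secret, sanity-check a
# secret before it goes into a key statement, and emit matching key/server
# clauses for master and slave. Key name, algorithms and addresses follow the
# post; the secret in the demo is generated fresh each run.

# tsig_secret [BYTES]: random base64 secret, 16 bytes (128 bit) by default,
# the same shape as what dnssec-keygen -a HMAC-MD5 -b 128 writes into Key:.
tsig_secret() {
    dd if=/dev/urandom bs="${1:-16}" count=1 2>/dev/null | base64
}

# tsig_secret_bytes SECRET: print the decoded length, or fail if SECRET is not
# well-formed base64. A secret that lost a trailing "=" in copy/paste (as the
# cat output above did) fails here instead of failing silently on the slave.
tsig_secret_bytes() {
    s=$1
    printf '%s' "$s" |
        grep -Eq '^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$' || return 1
    pad=0
    case "$s" in *==) pad=2 ;; *=) pad=1 ;; esac
    echo $(( ${#s} / 4 * 3 - pad ))
}

# tsig_conf KEYNAME ALGORITHM SECRET PEER_IP: key + server clauses for one side.
# Master and slave share the key statement; each names the other's address.
tsig_conf() {
    name=$1 algo=$2 secret=$3 peer=$4
    n=$(tsig_secret_bytes "$secret") || { echo "malformed secret" >&2; return 1; }
    [ "$n" -ge 16 ] || { echo "secret too short: $n bytes" >&2; return 1; }
    printf 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' "$name" "$algo" "$secret"
    printf 'server %s {\n    keys { %s; };\n};\n' "$peer" "$name"
}

# Demo: one fresh secret, one file per node, readable only by owner and group.
secret=$(tsig_secret 32)        # 32 bytes for hmac-sha256; 16 is enough for hmac-md5
tmp=$(mktemp -d)
tsig_conf TRANSFER hmac-sha256 "$secret" 192.168.134.28 > "$tmp/tsig.key.node1"
tsig_conf TRANSFER hmac-sha256 "$secret" 192.168.134.27 > "$tmp/tsig.key.node2"
chmod 640 "$tmp"/tsig.key.node*
cat "$tmp/tsig.key.node1"
rm -rf "$tmp"
```

Install the two files as /var/named/tsig.key on node1 and node2, owned root:named with mode 640, and include them from /etc/named.conf as the post does; named only needs to read the file. The same secret also sits in both files dnssec-keygen wrote under /etc, so those need the same protection or should be deleted once tsig.key is in place.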