Hi guys

I'm looking to config a BDC server for the high traffic supported inside the primary server. I never configured a BDC server inside Ubuntu 9.04 and OpenLDAP and I'm very lost. Looking on the internet I found howtos for PDC servers but not for BDC. Can anyone help me more? I'm making a clean install and I don't know how to create the same users as the PDC for samba and how to make a slave ldap inside.

Any help will be appreciated

Thanks :-)

I've never attempted, but here it is:

http://wiki.samba.org/index.php/Replicated_Failover_Domain_Controller_and_file_server_using_LDAP

On 02/17/2011 3:19 PM, marcos gonzalez wrote:
> Hi guys
>
> I'm looking to config a BDC server for the high traffic supported inside the
> primary server. I never configured a BDC server inside Ubuntu 9.04 and
> OpenLDAP and I'm very lost. Looking on the internet I found howtos for PDC
> servers but not for BDC. Can anyone help me more? I'm making a clean install
> and I don't know how to create the same users as the PDC for samba and how to
> make a slave ldap inside.
>
> Any help will be appreciated
>
> Thanks :-)

> I've never attempted, but here it is:
>
> http://wiki.samba.org/index.php/Replicated_Failover_Domain_Controller_and_file_server_using_LDAP

Follow the LDAP stuff in the above article as a template. The smbldap_tools is a good idea too. The rest of the samba stuff is right out of the samba manual. Nothing real tricky in BDC v. PDC in smb.conf.

> In my hint I think your samba PDC/Ldap is currently working well!
> First of all install a second machine with the samba and ldap.
> Do not start samba, do not start ldap.
> The ldap database should be nearly empty ex: /var/lib/ldap
>
> Now copy your smb.conf to your new machine ex: scp root@2machine:/etc/samba
> Edit the smb.conf to your needs and adjust it to be a bdc:
> domain master=NO
> domain logons=YES
> Make a testparm it should succeed like this:
> testparm
> Load smb config files from /etc/samba/smb.conf
> Processing section "[netlogon]"
> WARNING: The "share modes" option is deprecated
> Processing section "[sysvol]"
> WARNING: The "share modes" option is deprecated
> Processing section "[homes]"
> Processing section "[profiles]"
> Processing section "[alles]"
> Processing section "[printers]"
> Processing section "[print$]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_BDC <----------------------------you are a BDC
> Press enter to see a dump of your service definitions

Yes very nice!

> Now you are on to copy your slapd.conf and ldap.conf to your new machine:
> Ex: scp slapd.conf root@2machine:/etc/openldap
>
> Now important I do the trick with slurpd.

Sorry, but Slurpd is deprecated and no longer available in OpenLDAP since 2.3
http://www.openldap.org/doc/admin24/replication.html#Replacing%20Slurpd

Here is a nice overview of the way LDAP currently works:

http://blog.suretecsystems.com/archives/129-Replacing-Slurpd-using-OpenLDAP-2.4.html

Once you have sync-repl set up on the current master, and a proper slapd.conf and ldap.conf file on the new machine, start ldap, then

    smbpasswd -w <ldap-master-passwd>
    net rpc join -U<administrator> <domain name>

Done.

> Now you are on to copy your slapd.conf and ldap.conf to your new machine:
> Ex: scp slapd.conf root@2machine:/etc/openldap
>
> ---------------------------How can I make this if slurpd is deprecated? The guide
>
> http://blog.suretecsystems.com/archives/129-Replacing-Slurpd-using-OpenLDAP-2.4.html
>
> is not easy to understand. Doesn't another, simpler howto exist?

Here is another guide. The first link is quite comprehensive.
http://www.zytrax.com/books/ldap/ch7/

The entire online manual is a good read. I highly recommend it.

> > Now important I do the trick with slurpd. There are many other ways but this
> > is easy.
> > Slurpd should be installed on your Master and only there.
> > So go in to the slapd.conf on your master and put a few lines in it at the
> > end.
> > Be careful all tabs must fit exact as this example:
>
> replica uri=ldap://IPOFYOUR2MACHINE:389
>         binddn="cn=youradmin,dc=your,dc=ldap"
>         suffix="dc=yourc,dc=ldap"
>         bindmethod=simple
>         credentials=securepassword
>
> I understand the part of backup slapd only works with the service stopped?
>
> Well I'm grateful for all your time :-)
>
> Thanks and Best Regards

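
An added example, not part of any post in this thread: a small shell audit that flags the slurpd-era `replica` stanza quoted above and checks that a syncrepl consumer stanza in the BDC's slapd.conf does not send its simple-bind password over unencrypted `ldap://`. The function names, the host `pdc.example.lan`, the `cn=replicator` DN and the CA path are assumptions, and both sample configs are constructed.

```sh
# Added example, not from the thread; sample configs are constructed, names are placeholders.
# Print each slapd.conf directive on one line (leading whitespace = continuation).
join_directives() {
    awk '/^#/ || /^[ \t]*$/ { next }
         /^[ \t]/ { sub(/^[ \t]+/, " "); buf = buf $0; next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' "$@"
}

# Flag slurpd-era directives and clear-text syncrepl binds; non-zero if flagged.
audit_replication() {
    join_directives "$@" | awk '
        $1 == "replica" || $1 == "replogfile" { print "DEPRECATED " $1; bad = 1; next }
        $1 == "syncrepl" {
            tls = ($0 ~ /provider=ldaps:/ || $0 ~ /starttls=critical/)
            if ($0 ~ /bindmethod=simple/ && !tls) { print "CLEARTEXT syncrepl"; bad = 1; next }
            print "OK syncrepl"
        }
        END { exit bad + 0 }'
}

# The slurpd stanza quoted in the thread.
old_conf() {
    cat <<'EOF'
replica uri=ldap://IPOFYOUR2MACHINE:389
        binddn="cn=youradmin,dc=your,dc=ldap"
        suffix="dc=yourc,dc=ldap"
        bindmethod=simple
        credentials=securepassword
EOF
}

# A syncrepl consumer stanza for the BDC's slapd.conf, StartTLS required.
new_conf() {
    cat <<'EOF'
syncrepl rid=001
        provider=ldap://pdc.example.lan:389
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=your,dc=ldap"
        bindmethod=simple
        binddn="cn=replicator,dc=your,dc=ldap"
        credentials=CHANGE_ME
        starttls=critical
        tls_cacert=/etc/ssl/certs/ca.pem
EOF
}

old_conf | audit_replication || true; new_conf | audit_replication
```

To check a real file, pass its path: `audit_replication /etc/openldap/slapd.conf`.
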
> Hi
>
> Thanks, this howto for me it's better. I have another doubt, syncrepl
> needs to be installed or comes integrated with slapd daemon?

It is all part of the openldap suite.

> And to transfer all shared samba folders and profile content, when
> it's the better moment? I understand when samba is down or when is up?

Depends on the permissions. However, so long as ALL the files to be transferred belong to users in LDAP then, with nss_ldap properly configured, any copy that preserves permissions should be fine.

> Thanks and Best Regards

> Hi
>
> Ok, and how I config nss_ldap? When I copy all database is included?

Well, the easiest way, for Samba use, is to simply cp your ldap.conf file for the ldap client application to nss_ldap.conf:

    cp ldap.conf nss_ldap.conf

(this can be a bit confusing, as openldap uses a file called ldap.conf for configuring the ldap client as well as a file called ldap.conf for configuring basic ldap server process. The server file is generally contained in the directory where configuration files are kept in a subdirectory called openldap along with files like slapd.conf and is generally a small file which looks something like this:

    #
    # LDAP Defaults
    #

    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.

    BASE dc=mydomain,dc=com
    URI ldapi://%2fvar%2frun%2fopenldap%2fldapi ldap://192.168.64.2:389
    # TLS_CACERT /usr/local/etc/openldap/cacert.pem

    #SIZELIMIT 12
    #TIMELIMIT 15
    #DEREF never

whereas the ldap.conf for the client is rather lengthy and contains quite a bit of information for contacting the ldap server, how the dit should be searched, etc.)

And, no, nss_ldap.conf has nothing to do with the ldap server. nss_ldap.conf can be used to contact an external ldap server, just as the ldap.conf for the ldap client application can.

> Sorry for the newbie questions, if any time comes to Barcelona contact
> me, you have a beer paid (Daniel too) :-)

Well, now that's quite a generous offer. Much appreciated.

> Thanks and Best Regards