Hi Andrew,
We decided to install LDAP on Samba Classic's existing DC (only one in the
first stage). To do so we did the following:
- Installed slapd, ldap-tools, smbldap-tools
- dpkg-reconfigure slapd
- ldapwhoami -H ldap:// -x, gave us anonymous
- Stopped the samba service
- Added the following to smb.conf
passdb backend = ldapsam:ldap://sam3dc.mydomain/
idmap backend = ldap://sam3dc.mydomain/
ldap admin dn = cn=root,dc=mydomain
ldap delete dn = no
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Hosts
ldap passwd sync = yes
ldap suffix = dc=mydomain
ldap user suffix = ou=Users
ldapsam:trusted = yes
ldapsam:editposix = yes
ldap ssl = start tls
ldap passwd sync = yes
- Removed the bit about tdbsam being the backend
- Started samba
We're getting the following errors:
root@sam3dc:/etc/smbldap-tools# pdbedit -Lv
Ignoring unknown parameter "dns forwarder"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
Failed to issue the StartTLS instruction: Protocol error
Connection to LDAP server failed for the 1 try!
Failed to issue the StartTLS instruction: Protocol error
Connection to LDAP server failed for the 1 try!
Failed to issue the StartTLS instruction: Protocol error
Connection to LDAP server failed for the 1 try!
add_new_domain_info: failed to add domain dnsambaDomainName=MYDOMAIN,dc=mydomain with: Invalid DN syntax
invalid DN
smbldap_search_domain_info: Adding domain info for MYDOMAIN failed with NT_STATUS_UNSUCCESSFUL
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistent SIDs
Failed to issue the StartTLS instruction: Protocol error
Connection to LDAP server failed for the 1 try!
root@sam3dc# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
root@sam3dc:/etc/smbldap-tools# cd /etc/smbldap-tools/
root@sam3dc:/etc/smbldap-tools# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
The /etc/ldap/ldap.conf has the following:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=jellinbah
#URI ldap://sam3dc.mydomain ldap://sam3dc.mydomain:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
root@sam3dc# smbldap-populate
Use of qw(...) as parentheses is deprecated at /usr/share/perl5/smbldap_tools.pm line 1423, <DATA> line 522.
Unable to open /etc/smbldap-tools/smbldap.conf for reading !
Compilation failed in require at /usr/sbin/smbldap-populate line 30.
BEGIN failed--compilation aborted at /usr/sbin/smbldap-populate line 30.
The file in question doesn't even exist. Any ideas?
Also, in one of the samba list articles, I read that we'll need to run
pdbedit -i tdbsam -e ldapsam to import the info from tdb to ldap. When do
we do this one?
Thank you
On Wed, Feb 21, 2018 at 7:11 PM, Rob Thoman <emailthomasrob at gmail.com>
wrote:
> Hi Andrew,
>
> I was able to domain join the server to the domain, had to add in
> client ipc signing = auto
> security = domain
> Then it comes up with Joined "sam4Dc" to the domain. What does that step
> actually do?
>
> Coming back to your comments.
>
> At a point in time both servers will be DCs. The plan is that after that
> point Samba3 box will cease to become a DC and act as a file server only.
> So can we do the following?
> - Stop the smbd/nmbd/winbind services in both servers, this causes the
> shares to drop. Copy the .tdb/etc (passwd) and smb.conf file from 3 to 4
> - Change smb.conf file in the 3 server and remove the bits about it being
> the Domain Master,
> - Not a lot to change smb.conf in 4
> - Start the services in both the servers
> - Hope as hell that we got it right :)
> - Having Bind9 running on both servers won't be an issue?
>
> Have I got it correct?
>
> RT
>
> On Wed, Feb 21, 2018 at 5:04 PM, Andrew Bartlett <abartlet at samba.org>
> wrote:
>
>> On Wed, 2018-02-21 at 16:27 +1000, Rob Thoman wrote:
>> > Hi Andrew,
>> > I can't shut down the old samba box as it will still be hosting the shares.
>>
>> I think you need to split that off sooner rather than later. Your
>> first step needs to be to make it a domain member server.
>>
>> > Can I do any of the following?
>> > Would it make sense for me to migrate the backend to LDAP ?
>>
>> Probably, particularly if you can't split the server from being a DC in
>> the short term.
>>
>> > Or following your first comment, can I set up rsync every 5 minutes to
>> > replicate data.
>>
>> You can't do that with TDB files, that would be very unsafe.
>>
>> > You're right it is a migration path but I can't migrate until this
>> > works in the test environment
>>
>> OK. Either work on a copy (taken when Samba is stopped on the
>> server) or use LDAP if you need it 'live'.
>>
>> Andrew Bartlett
>> --
>> Andrew Bartlett http://samba.org/~abartlet/
>> Authentication Developer, Samba Team http://samba.org
>> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
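The pdbedit -Lv output earlier in this message shows two separate failures: slapd refusing the StartTLS extended operation ("Protocol error"), and the add of sambaDomainName=MYDOMAIN,dc=mydomain being rejected as an invalid DN. The script below is an added example for this page, not part of the thread and not a Samba or OpenLDAP tool. It turns the pre-flight checks a practitioner would run before pointing ldapsam at slapd into shell functions over ldapsearch output: is a server certificate and key configured in cn=config, is samba.schema loaded, does the "ldap suffix" entry exist, and is the idmap backend value in the <backend>:<url> form Samba 3 documents. The hostname sam3dc.mydomain, the suffix dc=mydomain and the idmap value are taken from the posted smb.conf; the LDIF captures are constructed to mirror the symptoms, and the "live" wiring (root on the DC, slapd on ldapi:///, testparm available) is an assumption about the box.

```shell
#!/bin/sh
# Added example for this thread, not a Samba or OpenLDAP tool: readiness
# checks for pointing a Samba 3 ldapsam backend at a local slapd.  Each
# check is a function over captured ldapsearch output, so it runs here on
# the constructed LDIF below and, with "./ldapsam-check.sh live", against
# the real directory.  Host, suffix and idmap value come from the posted
# smb.conf; the sample LDIF and the live wiring are assumptions.

LDAP_HOST="sam3dc.mydomain"
LDAP_SUFFIX="dc=mydomain"

# "ldap ssl = start tls" makes Samba issue StartTLS before binding; slapd
# can only honour it when cn=config names a server certificate and key.
tls_configured() {  # $1: ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config -s base
    printf '%s\n' "$1" | grep -q '^olcTLSCertificateFile: ' &&
        printf '%s\n' "$1" | grep -q '^olcTLSCertificateKeyFile: '
}

# OpenLDAP reports an RDN whose attribute type is not in its loaded schema
# as "invalid DN", so sambaDomainName=... needs samba.schema present.
samba_schema_loaded() {  # $1: ldapsearch -x -o ldif-wrap=no -s base -b cn=Subschema objectClasses
    printf '%s\n' "$1" | grep -q "NAME 'sambaDomain'"
}

# The "ldap suffix" entry itself must exist before Samba can add below it.
suffix_exists() {  # $1: ldapsearch -x -s base -b "$LDAP_SUFFIX" dn  (no -LLL: keep the result line)
    printf '%s\n' "$1" | grep -q '^result: 0 Success'
}

# Samba 3 documents the ldap idmap value as <backend>:<url>, i.e.
# ldap:ldap://host/; a bare URL has no backend name in front of it.
idmap_backend_ok() {  # $1: value of "idmap backend"
    case "$1" in
        ldap:ldap://*|ldap:ldaps://*) return 0 ;;
        *) return 1 ;;
    esac
}

FAILS=0
check() {  # check <label> <function> <argument>
    if "$2" "$3"; then printf 'ok    %s\n' "$1"
    else printf 'FAIL  %s\n' "$1"; FAILS=$((FAILS + 1)); fi
}

# Run all four checks over one set of captures; return the number failed.
run_checks() {  # <cn=config LDIF> <cn=Subschema LDIF> <suffix LDIF> <idmap value>
    FAILS=0
    check "slapd has olcTLSCertificateFile/KeyFile" tls_configured      "$1"
    check "samba.schema loaded (sambaDomain known)"  samba_schema_loaded "$2"
    check "suffix entry $LDAP_SUFFIX exists"         suffix_exists       "$3"
    check "idmap backend is <backend>:<url>"         idmap_backend_ok    "$4"
    return "$FAILS"
}

run_live() {  # assumed: run as root on the DC, slapd listening on ldapi:///
    cfg=$(ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config -s base 2>/dev/null) || cfg=""
    sub=$(ldapsearch -x -o ldif-wrap=no -H "ldap://$LDAP_HOST/" -s base -b cn=Subschema objectClasses 2>/dev/null) || sub=""
    suf=$(ldapsearch -x -H "ldap://$LDAP_HOST/" -s base -b "$LDAP_SUFFIX" dn 2>/dev/null) || suf=""
    idm=$(testparm -s --parameter-name='idmap backend' 2>/dev/null) || idm=""
    run_checks "$cfg" "$sub" "$suf" "$idm"
}

# --- constructed captures (not real output) mirroring the posted symptoms ---
CONFIG_NO_TLS='dn: cn=config
objectClass: olcGlobal
cn: config'
CONFIG_TLS="$CONFIG_NO_TLS
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
olcTLSCertificateFile: /etc/ssl/certs/sam3dc.pem
olcTLSCertificateKeyFile: /etc/ssl/private/sam3dc.key"
SUBSCHEMA_PLAIN="dn: cn=Subschema
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )"
SUBSCHEMA_SAMBA="$SUBSCHEMA_PLAIN
objectClasses: ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL )"
SUFFIX_MISSING='# search result
search: 2
result: 32 No such object'
SUFFIX_PRESENT="dn: $LDAP_SUFFIX

# search result
search: 2
result: 0 Success"

case "${1:-demo}" in
    live) run_live ;;
    *)  echo "== captures resembling the posted box (expect 4 FAIL) =="
        run_checks "$CONFIG_NO_TLS" "$SUBSCHEMA_PLAIN" "$SUFFIX_MISSING" "ldap://$LDAP_HOST/" || true
        echo "== captures from a prepared slapd (expect 4 ok) =="
        run_checks "$CONFIG_TLS" "$SUBSCHEMA_SAMBA" "$SUFFIX_PRESENT" "ldap:ldap://$LDAP_HOST/" || true ;;
esac
```

Run with no arguments to see the two constructed scenarios side by side; "live" runs the same checks against the DC's own slapd and smb.conf. The first two checks correspond to the two errors in the pdbedit output; the other two are cheap sanity checks on the same configuration that are worth confirming before any import into ldapsam is attempted.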