Hi Guys,

We're trying to add a BDC in a Samba 4 classic domain setup. The Samba 3 How-To and Samba 3 by Example cover this but use the old slapd.conf option; we are using the slapd.d config. I couldn't find a similar document for Samba 4.

Can you please advise whether the following steps will work? LDAP in the existing PDC is working using the smbldap tools.

- Set up the LDAP in BDC exactly like the PDC, including the ldifs.
- Copy the /etc/passwd and /etc/groups from PDC to BDC
- Remove the contents of the /var/lib/samba in BDC
- Run the smbpasswd -a in BDC
- net rpc getsid in BDC
- Do we need to join the BDC to the domain? If so, will the smb.conf in BDC only have the following before the join? The confusion on my part is: if the machine is already a BDC with smb.conf stuff, does it have to be added to the domain?

  workgroup = LIN
  netbios name = LIN-BDC
  password server = LIN-PDC
  security = domain
  client ipc signing = auto

- If not, then do we set up smb.conf with the whole ldap settings?

  passdb backend = ldapsam:ldap://LIN-PDC.LIN

- How do we sync the ldap settings? Consumer-Provider model? Setting up ldifs.
- This is more a general question about BDC. The PDC has folders that have been shared. If we changed BDC to PDC, how will the folders be shared? If we define the shares in the BDC do we then have to go //unc path of the share?

Regards,
Praveen Ghimire
Hi Praveen,

> - Do we need to join the BDC to the domain? If so, will the smb.conf in BDC only have the following before the join? The confusion on my part is: if the machine is already a BDC with smb.conf stuff, does it have to be added to the domain?

If the two servers are not on the same network subnet, then you can configure your BDC the same way as your PDC with a multi-master LDAP configuration. It works great (at least it worked great when it was still in production, now it is upgraded to Samba-AD :-)

And you shouldn't need to add your users to /etc/passwd and /etc/group if your /etc/nsswitch.conf is properly configured (provided that you have uidnumber and gidnumber in your LDAP).

Cheers,

Denis

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
Hi Denis,

Thank you. They are in the same subnet. The plan is to have DCs running LDAP: promoting BDC to PDC (the existing PDC is running on old equipment) and demoting the existing PDC. Then do the AD migration. The catch is the PDC also has shares. I'm not sure if we can demote the existing PDC to become a file server only. My concept is based on Windows servers, not sure it'll work here though.

Regards,
Praveen Ghimire

-------- Original message --------
From: Denis Cardon <dcardon at tranquil.it>
Date: 8/03/2018 6:00 PM (GMT+10:00)
To: Praveen Ghimire <PGhimire at sundata.com.au>, samba at lists.samba.org
Subject: Re: [Samba] LDAP BDC- Classic Domain
I've set up the ldap servers in PDC and BDC with the same config and ldifs. How do we set up the replication? Using the following ldif in PDC:

# Index the primary db for syncrepl.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq

# Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
-
add: olcModuleLoad
olcModuleLoad: accesslog

# Accesslog database definitions.
# This must be a separate database ({2}hdb): {1}hdb is the primary db modified above,
# and an hdb database uses objectClass olcHdbConfig, not olcMdbConfig.
# /var/lib/ldap/accesslog must already exist and be writable by the slapd user.
dn: olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=lin
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

# Accesslog db syncprov (attached to the accesslog database {2}hdb, not to {0}config).
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE

# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00

The following in BDC:

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

# Consumer: pull changes from the PDC's accesslog (delta-syncrepl).
# credentials is the bind password; with bindmethod=simple it crosses the wire in clear
# unless the provider URL is ldaps:// or starttls=yes is added.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://lin-pdc.lin bindmethod=simple binddn="cn=admin,dc=lin" credentials=secret searchbase="dc=lin" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
-
add: olcUpdateRef
olcUpdateRef: ldap://lin-pdc.lin

The following only shows the name:

ldapsearch -z1 -LLLQY EXTERNAL -H ldapi:/// -s base -b dc=lin contextCSN
dn: dc=lin

And I don't see any replication in the BDC and nothing in /var/log/syslog.

Any thoughts?

Regards,
Praveen Ghimire

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Praveen Ghimire via samba
Sent: Thursday, 8 March 2018 1:02 PM
To: samba at lists.samba.org
Subject: [Samba] LDAP BDC- Classic Domain
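An added check for the contextCSN symptom in the message above (my own script, not code from the thread or from OpenLDAP): it parses the saved output of the ldapsearch command run on the PDC and on the BDC and reports whether the consumer has caught up, or whether the provider is not publishing a contextCSN at all. The sample outputs are constructed.

```python
"""Compare contextCSN values from a syncrepl provider (PDC) and consumer (BDC).
Feed it the saved output of
  ldapsearch -LLLQY EXTERNAL -H ldapi:/// -s base -b dc=lin contextCSN
from each server; the sample outputs below are constructed."""
import re
import sys

# contextCSN layout: <timestamp>#<change count>#<serverID>#<modifier>
CSN_RE = re.compile(
    r"^contextCSN:\s*(\d{14}\.\d{6}Z)#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$",
    re.MULTILINE,
)

# Constructed sample outputs (not captured from the servers in the thread).
PROVIDER_OK = "dn: dc=lin\ncontextCSN: 20180308054321.123456Z#000000#000#000000\n"
CONSUMER_LAGGING = "dn: dc=lin\ncontextCSN: 20180307120000.000000Z#000000#000#000000\n"
NO_CSN = "dn: dc=lin\n"  # the symptom reported in the thread: only the dn line


def parse_csns(ldif):
    """Return {serverID: (timestamp, change_count)} from ldapsearch output."""
    return {sid: (ts, int(cnt, 16)) for ts, cnt, sid, _ in CSN_RE.findall(ldif)}


def compare(provider_ldif, consumer_ldif):
    """Return a list of findings; an empty list means the consumer is in sync."""
    prov, cons = parse_csns(provider_ldif), parse_csns(consumer_ldif)
    if not prov:
        return ["provider returns no contextCSN: the syncprov overlay is not "
                "active on this database, or it has never been written to"]
    findings = []
    for sid, (ts, cnt) in prov.items():
        if sid not in cons:
            findings.append(f"consumer has no contextCSN for serverID {sid}: "
                            "replication has not started")
        elif cons[sid] < (ts, cnt):  # fixed-width timestamp, so tuple compare is safe
            findings.append(f"consumer lags provider for serverID {sid}: "
                            f"{cons[sid][0]} < {ts}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: check_csn.py provider.ldif consumer.ldif
        prov_text, cons_text = (open(p).read() for p in sys.argv[1:3])
    else:
        prov_text, cons_text = PROVIDER_OK, CONSUMER_LAGGING
    for line in compare(prov_text, cons_text) or ["consumer is in sync with provider"]:
        print(line)
```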