Re: [Samba] Samba PDC + OpenLDAP replica
Hi again! Finally got it working... For some reason my RHEL4 servers change certificate file permissions by default when restarting/reloading services.

Andrew Bartlett wrote:
> On Fri, 2005-11-04 at 10:23 +0200, Jukka Hienola wrote:
>> Should it be BDC server instead of PDC?
>
> There should be one PDC per isolated netbios namespace.

Ok.

>> Should I set up one departmental level master server with master LDAP and Samba PDC, and many LDAP slaves (replicas) with Samba BDCs? But in this case the different VLANs are going to be a problem for traffic between Samba PDC and BDCs, or so I have understood, since switches connecting different VLANs don't route NetBIOS traffic.
>
> Samba doesn't do netbios between its various DCs, but clients will want to see one PDC per netbios scope.

So, Samba PDC and BDCs could communicate with each other, but Samba clients can't communicate with PDC, if they are in a different VLAN? In my case it would be much easier (again from an administrative point of view) if I could set up only BDCs in different VLANs, since I'm planning to use a single organization level LDAP directory to store user/client data in it (which of course will be replicated to slave/BDC servers). At the moment I'm having a PDC per every sub-organizational VLAN, but different sambaSIDs on different PDCs give me a headache. If I could have a single LDAP based user/client pool on PDC, with BDCs and LDAP replicas on every VLAN, I could control user/client accesses to different services or subtrees simply by ACLs on my master LDAP server.

Jukka Hienola
University of Helsinki

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba PDC + OpenLDAP replica
Dear all,

I'm sorry if I posted this reply twice, but I had to leave my office in a hurry and I'm not sure if I already did reply to Andrew's reply to my original message...

On Fri, Nov 4 12:15:48 GMT 2005, Andrew Bartlett wrote:
> On Fri, 2005-11-04 at 10:23 +0200, Jukka Hienola wrote:
>> I had two separate OpenLDAP master servers (2.2.13-4) for two different Samba PDC servers (3.0.14a-2) with TLS support in different virtual networks (VLANs), and all worked fine.
>>
>> However, I decided that it would be nice (from an administrative point of view) to have all user/client data on the same departmental master OpenLDAP server, which would work as a backend for division level Samba PDC servers in different VLANs via LDAP replicas (our department contains many subdepartments, or divisions, and most of them have their own VLANs). So, I read Samba documentation and I understood that it is possible to make such a system, where Samba server uses LDAP replica as its backend. First I transferred all user/client data to master LDAP server, and created a slave server to be used by Samba PDC in different VLAN. I tested connections with ldapsearch command and all worked well, and changes written to master directory are propagated to slave server's LDAP directory. Both servers are configured to use TLS transport, and both servers have their own CA signed certificate files.
>
> Self-signed, or a CA shared for your organisation?

Certificates are signed by the local CA at our university. So they are not self-signed certificates.

>> But when I tried to set up my division level Samba server to use replica as its backend, I got an error that Samba can't connect to replica's directory. In log files I have messages like
>>
>>   slave.server.net smbd: Failed to issue the StartTLS instruction: Connect error
>
> This is an SSL layer problem. Are all the certificates correct?

I'm pretty sure, since I have used them successfully two months so far. However, I made changes to my master/slave TLS configuration. Now I get different errors when Samba is trying to bind to replica's LDAP directory. Errors are like

  Nov 4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 2] lib/smbldap.c:smbldap_open_connection(692)
  Nov 4 17:37:39 slave smbd[18093]: smbldap_open_connection: connection opened
  Nov 4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 0] lib/smbldap.c:fetch_ldap_pw(312)
  Nov 4 17:37:39 slave smbd[18093]: fetch_ldap_pw: neither ldap secret retrieved!
  Nov 4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 0] lib/smbldap.c:smbldap_connect_system(813)
  Nov 4 17:37:39 slave smbd[18093]: ldap_connect_system: Failed to retrieve password from secrets.tdb
  Nov 4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 0] lib/smbldap.c:smbldap_search_suffix(1176)
  Nov 4 17:37:39 slave smbd[18093]: smbldap_search_suffix: Problem during the LDAP search: (unknown) (Timed out)
  Nov 4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 2] auth/auth.c:check_ntlm_password(312)
  Nov 4 17:37:39 slave smbd[18093]: check_ntlm_password: Authentication for user [dummy] -> [dummy] FAILED with error NT_STATUS_NO_SUCH_USER

so I assume that Samba can now bind to LDAP directory, but fails when trying to get user's data. I don't know why Samba is trying to retrieve data from secrets.tdb, because in smb.conf I have set

  passdb backend = ldapsam:"ldap://slave.ldap.server ldap://master.ldap.server"

and Samba is running on slave.ldap.server. Server slave has slapd configured as replica server. With ldapsearch command I can access the data in directory.

>> whenever I try to e.g. login to slave.server.net's Samba service. SSH logins work fine (for SSH logins my slave uses also LDAP directory replica). So my guess is that this has something to do with certificate files. I don't understand what it could be, because I can browse LDAP directory fine with e.g. ldapsearch command on both master and slave, and logins with SSH work.
>>
>> So to my question. What certificate files is Samba using in order to make TLS connections to replica server? I understand they should be certificate files for my slave server, if Samba is using replica as its backend.
>
> It may be that a modification requested by the smbd normally attached to the slave is requiring a rebind to the master. Check connections to the master with ldapsearch.

With ldapsearch connections work ok, so I still assume that I have something wrong in my Samba configuration.

>> Should it be BDC serve
[Samba] Samba PDC + OpenLDAP replica
Hi!

I would like to ask you Samba gurus if it is possible to set up Samba PDC which uses OpenLDAP replica as backend.

I had two separate OpenLDAP master servers (2.2.13-4) for two different Samba PDC servers (3.0.14a-2) with TLS support in different virtual networks (VLANs), and all worked fine.

However, I decided that it would be nice (from an administrative point of view) to have all user/client data on the same departmental master OpenLDAP server, which would work as a backend for division level Samba PDC servers in different VLANs via LDAP replicas (our department contains many subdepartments, or divisions, and most of them have their own VLANs). So, I read Samba documentation and I understood that it is possible to make such a system, where Samba server uses LDAP replica as its backend. First I transferred all user/client data to master LDAP server, and created a slave server to be used by Samba PDC in different VLAN. I tested connections with ldapsearch command and all worked well, and changes written to master directory are propagated to slave server's LDAP directory. Both servers are configured to use TLS transport, and both servers have their own CA signed certificate files.

But when I tried to set up my division level Samba server to use replica as its backend, I got an error that Samba can't connect to replica's directory. In log files I have messages like

  slave.server.net smbd: Failed to issue the StartTLS instruction: Connect error

whenever I try to e.g. login to slave.server.net's Samba service. SSH logins work fine (for SSH logins my slave uses also LDAP directory replica). So my guess is that this has something to do with certificate files. I don't understand what it could be, because I can browse LDAP directory fine with e.g. ldapsearch command on both master and slave, and logins with SSH work.

So to my question. What certificate files is Samba using in order to make TLS connections to replica server? I understand they should be certificate files for my slave server, if Samba is using replica as its backend. Or is it possible at all (or even reasonable) to use LDAP replica as a backend for Samba PDC server? Should it be BDC server instead of PDC? Should I set up one departmental level master server with master LDAP and Samba PDC, and many LDAP slaves (replicas) with Samba BDCs? But in this case the different VLANs are going to be a problem for traffic between Samba PDC and BDCs, or so I have understood, since switches connecting different VLANs don't route NetBIOS traffic. And I have no administrative rights to make any changes to their configuration.

So, is it possible at all to make Samba use LDAP replica as its backend?

Jukka Hienola
University of Helsinki
Re: [Samba] Samba + LDAP + TLS
Gerald (Jerry) Carter wrote:
> Jukka Hienola wrote:
>> So, our name server was unavailable this morning due to OS update. Division's Samba and LDAP services are running on same server, and Samba is using TLS in connecting to LDAP service. Because some of the network names were not resolvable, I changed "passdb backend = ldapsam:ldap://ldap.server.name/" to "passdb backend = ldapsam:ldap://127.0.0.1/" in smb.conf, although I have ldap.server.name also in /etc/hosts, just in case. In file /etc/nsswitch.conf I have line "hosts: files dns". After I restarted Samba, I just couldn't login to domain anymore either with any machine or domain user accounts. Samba gave me errors like
>>
>>   smbd[1956]: [2005/10/24 11:03:17, 0] lib/smbldap.c:smbldap_open_connection(677)
>>   smbd[1956]: Failed to issue the StartTLS instruction: Connect error
>
> My immediate guess would be that the connect failed due to a mismatch in the server name's cert. Make sure you can run 'ldapsearch -ZZ -h 127.0.0.1 ...'

Yes I can. Any other way to connect to LDAP service via TLS works fine except Samba.

Jukka
[Samba] Samba + LDAP + TLS
Hi!

I'm a bit new to Samba+LDAP integration, and most likely because of that I experienced this morning something I can't fully understand. I would appreciate if someone could explain to me what was really wrong.

So, our name server was unavailable this morning due to OS update. Division's Samba and LDAP services are running on same server, and Samba is using TLS in connecting to LDAP service. Because some of the network names were not resolvable, I changed "passdb backend = ldapsam:ldap://ldap.server.name/" to "passdb backend = ldapsam:ldap://127.0.0.1/" in smb.conf, although I have ldap.server.name also in /etc/hosts, just in case. In file /etc/nsswitch.conf I have line "hosts: files dns". After I restarted Samba, I just couldn't login to domain anymore either with any machine or domain user accounts. Samba gave me errors like

  smbd[1956]: [2005/10/24 11:03:17, 0] lib/smbldap.c:smbldap_open_connection(677)
  smbd[1956]: Failed to issue the StartTLS instruction: Connect error
  smbd[1956]: [2005/10/24 11:03:17, 1] lib/smbldap.c:another_ldap_try(1011)
  smbd[1956]: Connection to LDAP server failed for the 1 try!
  smbd[1956]: [2005/10/24 11:03:18, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  smbd[1956]: init_sam_from_ldap: Entry found for user: myusr
  smbd[1956]: [2005/10/24 11:03:18, 1] passdb/pdb_ldap.c:init_sam_from_ldap(553)
  smbd[1956]: init_sam_from_ldap: no sambaSID or sambaSID attribute found for this user myusr
  smbd[1956]: [2005/10/24 11:03:18, 1] passdb/pdb_ldap.c:ldapsam_getsampwnam(1346)
  smbd[1956]: ldapsam_getsampwnam: init_sam_from_ldap failed for user 'myusr'!
  smbd[1956]: [2005/10/24 11:03:18, 2] auth/auth.c:check_ntlm_password(312)
  smbd[1956]: check_ntlm_password: Authentication for user [myusr] -> [myusr] FAILED with error NT_STATUS_NO_SUCH_USER

so I assume that this issue was somehow related to changes I made in smb.conf file.

At the same time I could login to server using ssh, and also e.g. command "smbclient -L ldap.server.name -U myusr" gave me list of all available services. Also I could authenticate myself through Apache, which also uses TLS to connect to LDAP server.

My question is, how can changing "passdb backend" from ldap.server.name to 127.0.0.1 have this effect, since the server name should have been resolvable with /etc/hosts file? Does it have something to do with my certificate files, which are generated using ldap.server.name? However, I was able to login with TLS and Apache, so I don't think that's the case.

Thanks in advance,
Jukka Hienola
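An added example, not code from the thread or from Samba: a small Python preflight check for the two failure modes these messages turn on, the certificate name mismatch Jerry Carter suspects when "passdb backend" is pointed at 127.0.0.1 while the LDAP server's certificate is issued for ldap.server.name (so StartTLS hostname verification fails although ssh, Apache and plain ldapsearch still work), and the key/certificate file whose permissions a service restart widened in the replica thread. The smb.conf fragment, the certificate names and the key file are constructed here; the wildcard rule follows the usual TLS client behaviour of matching one left-most label only.

```python
"""Preflight checks for Samba's ldapsam-over-TLS backend (constructed example)."""
import os
import re
import stat
import tempfile
from urllib.parse import urlparse

# Constructed smb.conf fragment with the 127.0.0.1 change from the second thread.
SAMPLE_SMBCONF = """[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://ldap.server.name/"
"""
# Constructed subject names from the LDAP server's certificate (CN and SANs).
SAMPLE_CERT_NAMES = ["ldap.server.name", "*.ldap.server"]

def backend_uris(smbconf_text):
    """Return the LDAP URIs on the 'passdb backend = ldapsam:...' line."""
    for line in smbconf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "passdb backend" and "ldapsam" in value:
            return re.findall(r'ldaps?://[^\s"]+', value)
    return []

def name_matches(host, cert_name):
    """TLS-style check: exact match, or a wildcard for one left-most label."""
    host, cert_name = host.lower(), cert_name.lower()
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return host == cert_name  # an IP literal never equals a DNS name

def uri_problems(smbconf_text, cert_names):
    """URIs whose host the certificate does not cover: StartTLS will fail."""
    return [uri for uri in backend_uris(smbconf_text)
            if not any(name_matches(urlparse(uri).hostname or "", n)
                       for n in cert_names)]

def key_file_too_open(path, max_mode=0o640):
    """True when a key file's mode is wider than allowed, e.g. after a
    service restart rewrote it (the cause found in the first thread)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & ~max_mode)

def demo_key_file(mode):
    """Create a throw-away file with the given mode to exercise the check."""
    fd, path = tempfile.mkstemp(suffix=".key")
    os.write(fd, b"constructed placeholder, not a real key\n")
    os.close(fd)
    os.chmod(path, mode)
    return path
```

Run uri_problems(SAMPLE_SMBCONF, SAMPLE_CERT_NAMES) against the constructed fragment and only the 127.0.0.1 URI comes back, which is the mismatch 'ldapsearch -ZZ -h 127.0.0.1' would surface when verification is enforced.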