|
Replicated Failover Domain Controller and file server using LDAP 3.0. Initialization LDAP Database 5.0. Heartbeat HA Configuration
1.0. Configuring SambaSamba is an ambitious project to provide solutions for file & print sharing between NIX* Linux ? and Microsoft Windows. If you are familiar with Samba this document may give you some ideas of how you can bundle different software packages together to produce a very reliable configuration.
Samba Configuration
- Backup Domain Controller A master domain controller, that provides authentication through the use of LDAP A slave domain controller that can load balance client login requests which also provide redundancy through the use of a replica LDAP database.
Get the latest version of samba http://us4./samba/ftp/samba-latest.tar.gz It is essential that both the PDC and BDC are running the same version of samba. [root@node1 samba]# wget http://us4./samba/ftp/samba-latest.tar.gz --19:28:04-- http://us4./samba/ftp/samba-latest.tar.gz => `samba-latest.tar.gz' Resolving us4.... 192.48.170.15 Connecting to us4.|192.48.170.15|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 17,704,221 (17M) [application/x-tar] 100%[====================================>] 17,704,221 53.01K/s ETA 00:00 19:33:40 (51.62 KB/s) - `samba-latest.tar.gz' saved [17704221/17704221]
[root@node1 samba]# tar zxvf samba-latest.tar.gz [root@node1 samba]# cd samba-3.0.23d/ Choose the appropriate distribution. [root@node1 samba-3.0.23d]# cd packaging/ bin/ Example/ Mandrake/ RedHat-9/ SGI/ SuSE/ Debian/ LSB/ README RHEL/ Solaris/ sysv/
This will take some time. [root@node1 samba-3.0.23d]# cd packaging/RHEL/ [root@node1 RHEL]# ls makerpms.sh makerpms.sh.tmpl samba.spec samba.spec.tmpl setup [root@node1 RHEL]# chmod 777 makerpms.sh [root@node1 RHEL]# ./makerpms.sh Wrote: /usr/src/redhat/SRPMS/samba-3.0.23d-1.src.rpm Wrote: /usr/src/redhat/RPMS/i386/samba-3.0.23d-1.i386.rpm Wrote: /usr/src/redhat/RPMS/i386/samba-client-3.0.23d-1.i386.rpm Wrote: /usr/src/redhat/RPMS/i386/samba-common-3.0.23d-1.i386.rpm Wrote: /usr/src/redhat/RPMS/i386/samba-swat-3.0.23d-1.i386.rpm Wrote: /usr/src/redhat/RPMS/i386/samba-doc-3.0.23d-1.i386.rpm Wrote: /usr/src/redhat/RPMS/i386/samba-debuginfo-3.0.23d-1.i386.rpm makerpms.sh: Done. [root@node1 RHEL]#
[root@node2]# cd /usr/src/redhat/RPMS/i386/ [root@node1 i386]# rpm -Uvh samba-3.0.23d-1.i386.rpm samba-client-3.0.23d-1.i386.rpm samba-common-3.0.23d-1.i386.rpm samba-debuginfo-3.0.23d-1.i386.rpm samba-doc-3.0.23d-1.i386.rpm samba- swat-3.0.23d-1.i386.rpm Preparing... ########################################### [100%] 1:samba-common ########################################### [ 17%] 2:samba ########################################### [ 33%] 3:samba-client ########################################### [ 50%] 4:samba-debuginfo ########################################### [ 67%] 5:samba-doc ########################################### [ 83%] 6:samba-swat ########################################### [100%] [root@node1 i386]#
Login to node2 – the backup domain controller and repeat the above steps. 1.1. smb.conf PDCYou will need to replace the high lightened parameters with your domain name. Take note of the use of failover ldap backbends; this is very useful. [root@node1 ~]# mkdir /data [root@node1 ~]# vi /etc/samba/smb.conf # # Primary Domain Controller smb.conf # # Global parameters [global] unix charset = LOCALE workgroup = DDESIGN netbios name = node1 #passdb backend = ldapsam:ldap://127.0.0.1 #passdb backend = ldapsam:"ldap://192.168.0.2 ldap://192.168.0.3" passdb backend =ldapsam:"ldap://node1.differentialdesign.org ldap://node2.differentialdesign.org" username map = /etc/samba/smbusers log level = 1 syslog = 0 log file = /var/log/samba/%m max log size = 0 name resolve order = wins bcast hosts time server = Yes printcap name = CUPS add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u' delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u' add group script = /opt/IDEALX/sbin/smbldap-groupadd -p '%g' delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g' add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%g' '%u' delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%g' '%u' set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u' add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u' shutdown script = /var/lib/samba/scripts/shutdown.sh abort shutdown script = /sbin/shutdown -c logon script = %u.bat #logon path = \\192.168.0.4\profiles\%u logon path = \\nodes.differentialdesign.org\profiles\%u logon drive = H: domain logons = Yes domain master = Yes wins support = Yes # peformance optimization all users stored in ldap ldapsam:trusted = yes ldap suffix = dc=differentialdesign,dc=org ldap machine suffix = ou=Computers,ou=Users ldap user suffix = ou=People,ou=Users ldap group suffix = ou=Groups ldap idmap suffix = ou=Idmap ldap admin dn = cn=sambaadmin,dc=differentialdesign,dc=org idmap backend = ldap://127.0.0.1 idmap uid = 10000-20000 idmap gid = 10000-20000 printer admin = root printing = cups #========================Share Definitions========================= [homes] comment = Home Directories valid users = %S browseable = yes writable = yes create mask = 0600 directory mask = 0700 [netlogon] comment = Network Logon Service path = /data/samba/netlogon writeable = yes browseable = yes read only = no [profiles] path = /data/samba/profiles writeable = yes browseable = no read only = no create mode = 0777 directory mode = 0777 [Documents] comment = share to test samba path = /data/documents writeable = yes browseable = yes read only = no valid users = "@Domain Users" 1.2. smb.conf BDC[root@node2 ~]# mkdir /data [root@node2 ~]# vi /etc/samba/smb.conf # # Backup Domain Controller # # Global parameters [global] unix charset = LOCALE workgroup = DDESIGN netbios name = node2 #passdb backend = ldapsam:ldap://127.0.0.1 #passdb backend = ldapsam:"ldap://192.168.0.2 ldap://192.168.0.3" passdb backend = ldapsam:"ldap://node2.differentialdesign.org ldap://node1.differentialdesign.org" username map = /etc/samba/smbusers log level = 1 syslog = 0 log file = /var/log/samba/%m max log size = 50 name resolve order = wins bcast hosts printcap name = CUPS show add printer wizard = No logon script = %u.bat #logon path = \\192.168.0.4\profiles\%u logon path = \\nodes.differentialdesign.org\profiles\%u logon drive = H: domain logons = Yes os level = 63 domain master = No wins server = node1.differentialdesign.org ldap suffix = dc=differentialdesign,dc=org ldap machine suffix = ou=Computers,ou=Users ldap user suffix = ou=People,ou=Users ldap group suffix = ou=Groups ldap idmap suffix = ou=Idmap ldap admin dn = cn=sambaadmin,dc=differentialdesign,dc=org utmp = Yes idmap backend = ldap://node1.differentialdesign.org idmap uid = 10000-20000 idmap gid = 10000-20000 printing = cups #========================Share Definitions========================= [homes] comment = Home Directories valid users = %S browseable = yes writable = yes create mask = 0600 directory mask = 0700 [netlogon] comment = Network Logon Service path = /data/samba/netlogon writeable = yes browseable = yes read only = no [profiles] path = /data/samba/profiles writeable = yes browseable = no read only = no create mode = 0777 directory mode = 0777 [Documents] comment = share to test samba path = /data/documents writeable = yes browseable = yes read only = no valid users = "@Domain Users" 1.3. /etc/hostsIn order to correctly resolve name to IP address we need some sort of name resolution. We already have a DNS name server which is capable of doing this as per section 7.0. BIND DNS; however it is desirable to have a backup feature such as entries in the /etc/hosts file.
On node1 we will edit the hosts file to reflect our configuration. [root@node1 ~]# vi /etc/hosts # Do not remove the following line, or various programs # that require network functionality will fail. 127.0.0.1 node1 localhost.localdomain localhost 192.168.0.2 node1.differentialdesign.org 192.168.0.3 node2.differentialdesign.org 192.168.0.4 nodes.differentialdesign.org Step2. Login to node2 and edit the /etc/hosts file. [root@node2 ~]# vi /etc/hosts # Do not remove the following line, or various programs # that require network functionality will fail. 127.0.0.1 node2 localhost.localdomain localhost 192.168.0.2 node1.differentialdesign.org 192.168.0.3 node2.differentialdesign.org 192.168.0.4 nodes.differentialdesign.org 1.4. Samba SecurityThere are many additional features we can add to Samba to make it more secure. We can add some additional comments to our smb.conf to achieve this. One of the great features of Samba is the “host allow =” option. This can be applied on a global scale to all the shares in the smb.conf by placing the global section of the smb.conf or to specific shares, but not both. The example limits access to Samba shares to clients on the 192.168.0.0/24 network as it is defined it in the glocal section of the smb.conf. ## /etc/samba/smb.conf ## Global parameters [global] workgroup = DDESIGN security = user hosts allow = 192.168.0.0/24 For additional network share security, we can use this option on a per share basis, giving us greater flexability. This limits access to this share to the client with the 192.168.0.100/24 IP address; you of course can use multiple addresses and subnets. ## /etc/samba/smb.conf ## ==== Share Definitions ===== [Documents] comment = share to test samba path = /data/documents writeable = yes browseable = yes read only = no valid users = "@Domain Users" hosts allow = 192.168.0.100/24 1.5. Filesystem ACLsIn many cases Linux users and group permissions are sufficient for small workgroups, using ACL's we can extend permissions on directories and files without adding users to additional groups. |
|
|
