ClearFoundation

TOPIC: PDC Server and shares on another File Server
#5897
PDC Server and shares on another File Server 3 Years, 2 Months ago  
Hello everyone,

I have the following setup: two ClearOS systems, where "A" is our PDC and "B" is an Application Server; system "B" is joined to the same domain as a file server (we also run LDAP).

The point is we want to create shares on the FileServer and give permissions to groups/users defined on the PDC, to gain access to those resources or not.

I could create an administrative share via Samba (not FlexShare) that can be accessed by the group "domains_admin" (the winadmin Samba user has the same password on both systems), but when we try to do the same for another user or group, it cannot be accessed on the network.

I tried replicating LDAP on system B but had no success.

The option of promoting a system to a BDC is not yet available (this is what we have planned for this case).

Thanks for the help,
Fabian Blanco
Fresh Boarder
Posts: 8
 
#5905
Re: PDC Server and shares on another File Server 3 Years, 2 Months ago  
Hi, at present this isn't available through the webconfig - however I believe it is possible for server B to authenticate against the PDC (Server A) by joining the domain, effectively becoming a member server. I trialled this a long time ago to get ClearOS in standalone mode to authenticate against Win2K3, so the steps are a little hazy, but the samba docs should give you some clues as to the edits required for /etc/samba/smb.conf and there are some modifications to winbind.

www.samba.org/samba/docs/man/Samba-HOWTO...domain-member-server
Hope that helps; in the meantime I'll see if I can find my notes...
Tim Burgess
Moderator
Posts: 5800
 
#5912
Re: PDC Server and shares on another File Server 3 Years, 2 Months ago  
There is also an LDAP replication setup being developed that you may be interested in reading about:
www.clearfoundation.com/docs/developer/f...er_and_replica/start
Tim Burgess
Moderator
Posts: 5800
 
#5914
Re:PDC Server and shares on another File Server 3 Years, 2 Months ago  
Hi Tim,

Thanks for responding, this is beyond the scope of Webconfig, so no problem.

We will read these links; it would be a good idea to have the second system set up as a BDC, especially to manage permissions centrally.
Fabian Blanco
Fresh Boarder
Posts: 8
 
#6244
Re:PDC Server and shares on another File Server 3 Years, 2 Months ago  
Hi Tim,

I implemented the two configurations:
1. Integrated LDAP for User and Group Management
and
2. Windows Networking with PDC and BDC Support

1. Integrated LDAP for User and Group Management
I made the following changes to the configuration file (/etc/openldap/slapd.conf).
Technically (www.openldap.org), "syncrepl" is the configuration directive, and everything else is that directive's parameters. So you could write:

"syncrepl rid=123 provider=ldap://..."; you add the "\" character to continue the directive on the next line.

This is my configuration, which works:

syncrepl rid=123 \
provider=ldaps://mypdc.example.net:636 \
bindmethod=simple \
searchbase="dc=example,dc=net" \
binddn="cn=manager,cn=internal,dc=example,dc=net" \
credentials=123 \
filter="(objectclass=*)" \
schemachecking=on \
type=refreshAndPersist \
syncdata=accesslog \
retry="15 +" \
logbase="cn=accesslog"
# Refer updates to the master
updateref ldaps://mypdc.example.net

Finally I achieved automatic replication of both users and groups.

When I go to FlexShare, Webconfig shows an "Invalid" label with an exclamation point (see the attached file).
I can create a share, for example Backup, with a group owner (created on the PDC) and users assigned, and it is active, but when I access it via the browser from the workstation of a user who belongs to the group (logged in to the domain, of course) it gives the error that you do not have permission to access the resources on this computer.

Any idea what is wrong?
Fabian Blanco
Fresh Boarder
Posts: 8
Last Edit: 2010/02/26 11:34 By morganforever.Reason: Attach file example
 
#6246
Re:PDC Server and shares on another File Server 3 Years, 2 Months ago  
Hi Fabian, unfortunately I have no experience of LDAP replication - the ClearOS dev team will have to chip in here, as they are working on it.
Tim Burgess
Moderator
Posts: 5800
 
#7301
Re:PDC Server and shares on another File Server 3 Years, 2 Months ago  
Now that you have a replicated LDAP directory, the simplest approach is to make the second machine a BDC. You need to mirror your smb.conf information from the PDC and set "domain master = No" on the BDC. Edit the conf files so that "passdb backend = ldapsam:ldap://pdc_name:389".

Next, remove the /var/lib/samba/*tdb files, including the secrets.tdb file. Now recreate secrets.tdb as follows:
a) On the PDC:
net getdomainsid

b) On the BDC:
net setdomainsid S-1-5-21-xxxxxxxxx-xxxxxxx-xxxxxxx
net setlocalsid S-1-5-21-xxxxxxxxx-xxxxxxx-xxxxxxx

c) On the PDC:
net rpc join -Uwinadmin%"winadmin_password"

d) On the BDC:
smbpasswd -w "the_secret_LDAP_password"
net rpc join -Uwinadmin%"winadmin_password"

Check that the following work:
getent passwd
getent group
- both should give the same output on both machines.

wbinfo -t
- both machines should have a valid domain trust account

wbinfo -u
wbinfo -g
- both systems should provide identical output

pdbedit -Lw
- both systems should provide identical output

e) Now restart Samba (nmbd, winbind, smbd).

f) Validate that group mappings are identical across both systems:
net groupmap list
- if not, make them the same (hint: you could copy the group_mapping.tdb file from the PDC to the BDC)

g) Validate that user rights and privileges are identical on both systems:
net rpc rights list accounts -Uwinadmin%"winadmin_password"
- if not, make them the same (search the Samba HOWTO if necessary)

At this point the UIDs and GIDs will be identical across both systems and normal filesystem permissions will apply in a consistent manner.

- John T.
John Terpstra
ClearFoundation
Posts: 79
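The checks in John's steps (same SID, identical getent/wbinfo/groupmap listings, identical pdbedit -Lw accounts) are easy to get wrong by eye, so here is an added script, not from this thread or from ClearOS, that runs them over ssh and reports differences. The hostnames are placeholders; the comparison functions take command output as arguments so they can also be fed from saved files.

```shell
#!/bin/sh
# Added example, not code from this thread or from ClearOS: consistency checks for
# a Samba PDC/BDC pair sharing one LDAP directory, following the checklist above.
# Hostnames are placeholders; check functions take command output as arguments.

PDC="${PDC:-mypdc.example.net}"   # placeholder hostname
BDC="${BDC:-mybdc.example.net}"   # placeholder hostname

# Extract the SID from "net getdomainsid" / "net getlocalsid" output, e.g.
#   "SID for domain EXAMPLE is: S-1-5-21-1111-2222-3333"
sid_from_output() {
  printf '%s\n' "$1" | sed -n 's/.*\(S-1-5-21-[0-9-]*\).*/\1/p' | head -n 1
}

# Compare two listings (getent, wbinfo, net groupmap ...) ignoring line order.
# Prints the number of lines present on only one side; returns non-zero if any.
listing_diff_count() {
  n=$( { printf '%s\n' "$1" | sort -u; printf '%s\n' "$2" | sort -u; } \
       | sort | uniq -u | wc -l | tr -d ' ')
  printf '%s\n' "$n"
  [ "$n" -eq 0 ]
}

# Reduce "pdbedit -Lw" lines (user:uid:LMhash:NThash:[flags]:LCT-...) to the fields
# that must agree on both machines: name, uid, NT hash and flags. LM hashes are
# dropped because they are placeholders when LM authentication is disabled.
pdbedit_key_fields() {
  printf '%s\n' "$1" | awk -F: 'NF >= 5 { print $1 ":" $2 ":" $4 ":" $5 }' | sort
}

# Run the whole checklist over ssh. Needs ssh access to both hosts as a user
# permitted to run the Samba tools; prints only counts, never hashes.
audit_pair() {
  rc=0
  pdc_sid=$(sid_from_output "$(ssh "$PDC" net getdomainsid)")
  bdc_sid=$(sid_from_output "$(ssh "$BDC" net getlocalsid)")
  [ "$pdc_sid" = "$bdc_sid" ] || { echo "SID mismatch: $pdc_sid vs $bdc_sid"; rc=1; }
  for cmd in "getent passwd" "getent group" "wbinfo -u" "wbinfo -g" "net groupmap list"; do
    n=$(listing_diff_count "$(ssh "$PDC" "$cmd")" "$(ssh "$BDC" "$cmd")") || rc=1
    echo "$cmd: $n line(s) differ"
  done
  n=$(listing_diff_count "$(pdbedit_key_fields "$(ssh "$PDC" pdbedit -Lw)")" \
                         "$(pdbedit_key_fields "$(ssh "$BDC" pdbedit -Lw)")") || rc=1
  echo "pdbedit -Lw: $n account(s) differ"
  return $rc
}

if [ "${1:-}" = "--run" ]; then audit_pair; fi
```

Run it with `--run` after step g); a non-zero exit means at least one listing or the SID still differs between the two hosts.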
 