Samba 4 Provision Command Attribute

The Samba provisioning tool currently only supports configuring Samba to use an internal LDAP server that it creates. The document proposes changes to the tool to allow it to configure Samba to use an existing external LDAP server. It suggests splitting the tool into separate actions for creating an empty LDAP server configuration and setting up Samba on an existing LDAP server. Additional parameters would be added to specify the LDAP directory and URI.

Uploaded by Aftab Yousif
License: Attribution Non-Commercial (BY-NC)

Overview

Samba can be configured to use an LDAP server (389 DS or OpenLDAP) as its backend
database. Currently the provisioning tool always creates a new (internal) LDAP server; it cannot
use an existing (external) LDAP server.

An internal LDAP server has the following advantages:

- Simplicity. The provisioning tool creates and configures the LDAP server; no manual configuration is needed.
- Automation. Samba tests can create and destroy LDAP servers automatically.
- Security. All LDAP server files can be stored in a private directory.
- Exclusivity. The LDAP server will not be shared, so there will be no interference or conflicts with other applications.
- Efficiency. The communication will be done via a Unix domain socket (LDAPI).

On the other hand, an external LDAP server has the following advantages:

- Configurability. The LDAP administrator has full control of the configuration and management.
- Troubleshooting. It is easier to isolate a problem by running the LDAP server separately from the Samba tests.
- Distribution. Samba and the LDAP server can run on different machines. The communication will not be as efficient as LDAPI, but it can still be as secure as any other LDAP client-server communication done over the network.
- Integration. Some applications may want to use the same LDAP server. The current IPA design does not require this, but in the future the design could change.

There are some changes that need to be made in order to support an external LDAP server.

Current Code

The provisioning tool is located in these files:

- source4/setup/provision
- source4/scripting/python/samba/provision.py
- source4/scripting/python/samba/provisionbackend.py
- source4/scripting/python/samba/provisionexceptions.py

To provision Samba with DS:

% setup/provision --realm=EXAMPLE.COM --domain=EXAMPLE \
    --host-name=samba --host-ip=127.0.0.1 \
    --adminpass=Secret123 --root=root --server-role="domain controller" \
    --ldapadminpass=Secret123 --ldap-backend-type=fedora-ds \
    --slapd-path=/usr/sbin/ns-slapd --setup-ds-path=/usr/sbin/setup-ds.pl

The tool will perform the following operations:

- Create the internal LDAP server:
  - Create a new LDAP server in the private directory.
  - Configure the Samba schema.
  - Configure the domain, configuration, schema, and Samba partitions.
  - Configure SASL mappings.
  - Load the Samba admin user for SASL authentication.
  - Configure referential integrity.
  - Configure attribute indexing.
  - DS only:
    - Configure DNA for SID allocation.
  - OpenLDAP only:
    - Configure the ACL in slapd.conf.
- Start the LDAP server.
- Set up Samba:
  - Set up the share database.
  - Set up the secrets database.
  - Set up the registry database.
  - Set up the privileges database.
  - Set up the idmap database.
  - Set up the SAM database.
  - DS only:
    - Configure the ACL in the base entry of each partition.
- Stop the LDAP server.

Proposed Solution

The provisioning tool should be split into 2 different actions:

- Creating an empty LDAP server with the Samba configuration.
- Setting up Samba on an LDAP server that has been configured for Samba.

A new optional parameter (--ldap-action) will be added to the provisioning tool to determine
which action will be executed. By default the tool will create an internal LDAP server and set up
Samba to use this LDAP server. This is the same as the original behavior.

If you need to use an external LDAP server, you can either configure the LDAP server manually,
or use the provisioning tool to create an initial LDAP server which you can customize later on.
Then you need to run the provisioning tool again to set up Samba using the LDAP server that you
created earlier.
Creating the LDAP Server

Creating the LDAP server will execute the following operations:

- Create a new LDAP server in the specified directory.
- Configure the Samba schema.
- Configure the domain, configuration, schema, and Samba partitions.
- Configure SASL mappings.
- Load the Samba admin user for SASL authentication.
- Configure referential integrity.
- Configure attribute indexing.
- DS only:
  - Configure DNA for SID allocation.
- OpenLDAP only:
  - Configure the ACL in slapd.conf.
  - Configure the root password in each partition. See the note below.

On OpenLDAP each partition has its own root user. Only the root user can remove the base entry
of each partition, which is necessary for setting up Samba on an existing LDAP server. To enable
the root user, the root password must be specified in slapd.conf.

A new optional parameter (--ldap-dir) will be added to the provisioning tool to specify the LDAP
server directory. The default value is SAMBA_HOME/private/ldap.

Setting up Samba

Setting up Samba will execute the following operations:

- Remove the existing entries in the domain, configuration, and schema partitions.
- Set up the share database.
- Set up the secrets database.
- Set up the registry database.
- Set up the privileges database.
- Set up the idmap database.
- Set up the SAM database.
- DS only:
  - Set the new domain SID in the DNA configuration.
  - Configure the ACL in the base entry of each partition.

A new optional parameter (--ldap-uri) will be added to the provisioning tool to specify the URI
of the external LDAP server. By default the value is ldapi://<path to socket>, and the default path
to the socket is <SAMBA_HOME>/private/ldap/ldapi. Note that the file separator "/" in the socket
path must be encoded as %2F.

The LDAP admin password (--ldapadminpass) must be specified explicitly, so that the tool can
access the LDAP server. Otherwise the tool will generate a random password.
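The %2F encoding rule above is easy to get wrong by hand. The following helpers, an added example and not part of the provisioning tool, build the default ldapi:// URI from a socket path and decode one back, rejecting URIs with the wrong scheme or a non-absolute socket path; the function names and the SAMBA_HOME value are assumptions for illustration.

```python
"""LDAPI URI helpers for the proposed --ldap-uri parameter (added example)."""
import os
from urllib.parse import quote, unquote, urlsplit


def default_ldapi_socket(samba_home):
    """Default socket path from the design: <SAMBA_HOME>/private/ldap/ldapi."""
    return os.path.join(samba_home, "private", "ldap", "ldapi")


def ldapi_uri(socket_path):
    """Build an ldapi:// URI; every '/' in the socket path becomes %2F."""
    if not os.path.isabs(socket_path):
        raise ValueError("socket path must be absolute: %r" % socket_path)
    # safe='' makes quote() percent-encode '/' as well, which the URI form needs.
    return "ldapi://" + quote(socket_path, safe="")


def socket_path_from_uri(uri):
    """Inverse of ldapi_uri(); validates scheme, encoding and path."""
    parts = urlsplit(uri)
    if parts.scheme != "ldapi":
        raise ValueError("not an ldapi URI: %r" % uri)
    if parts.path:
        # An unencoded '/' ends the authority part, so the path would be split
        # across netloc and path; this means the caller forgot the %2F encoding.
        raise ValueError("socket path must be %%2F-encoded: %r" % uri)
    path = unquote(parts.netloc)
    if not os.path.isabs(path):
        raise ValueError("decoded socket path is not absolute: %r" % path)
    return path


if __name__ == "__main__":
    # Constructed sample: the external-server example from this document.
    uri = ldapi_uri("/root/Samba/fedora-ds/ldapi")
    print(uri)                          # ldapi://%2Froot%2FSamba%2Ffedora-ds%2Fldapi
    print(socket_path_from_uri(uri))    # /root/Samba/fedora-ds/ldapi
    # Assumed SAMBA_HOME, to show the default socket location.
    print(ldapi_uri(default_ldapi_socket("/usr/local/samba")))
```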

Examples

Configuring Samba with an Internal LDAP Server

% setup/provision --realm=EXAMPLE.COM --domain=EXAMPLE \
    --host-name=samba --host-ip=127.0.0.1 \
    --adminpass=Secret123 --root=root --server-role="domain controller" \
    --ldapadminpass=Secret123 --ldap-backend-type=fedora-ds \
    --slapd-path=/usr/sbin/ns-slapd --setup-ds-path=/usr/sbin/setup-ds.pl

Configuring Samba with an External LDAP Server

Create a new LDAP server in /root/Samba/fedora-ds using the following command:

% setup/provision --realm=EXAMPLE.COM --domain=EXAMPLE \
    --host-name=samba --host-ip=127.0.0.1 \
    --adminpass=Secret123 --root=root --server-role="domain controller" \
    --ldapadminpass=Secret123 --ldap-backend-type=fedora-ds \
    --ldap-action=create --ldap-dir=/root/Samba/fedora-ds

Make sure the LDAP server is running. Then set up Samba using the new LDAP server by
specifying the LDAP URI:

% setup/provision --realm=EXAMPLE.COM --domain=EXAMPLE \
    --host-name=samba --host-ip=127.0.0.1 \
    --adminpass=Secret123 --root=root --server-role="domain controller" \
    --ldapadminpass=Secret123 --ldap-backend-type=fedora-ds \
    --ldap-action=setup --ldap-uri=ldapi://%2Froot%2FSamba%2Ffedora-ds%2Fldapi
