casfre@gmail.com
2008-Feb-22 20:47 UTC
[Samba] IDMAP: migrating from a single PDC to a PDC and some Member Servers
Hi,

I am migrating a Samba 3.0.28 ( Slackware 12.0 ) that is a single PDC, to a PDC with domain members and/or BDC.

This single PDC is plugged into a central switch and I have a lot of computer rooms, in different ethernet segments, all of them using switches and routers to reach this PDC. ( Something like this: PDC -> central switch -> router -> switch -> workstations )

Motivations: (phase 1) distribute the load of authentications; (phase 2) distribute the load of roaming profiles; (phase 3) distribute the load of home directories.

I am using (now) OpenLDAP, smbldap-tools, padl nss_ldap and nscd. ( There are some issues with WXP workstations, but they are for another email )

Everybody is authenticating from Windows (WXP) and all my users are in LDAP. Every user has its own roaming profile and its own home dir. Everything is in the PDC, which runs smbd and nmbd and nfs for some Linux workstations.

Well, rereading the manuals ( official docs ) I have some doubts about idmap ( for a while ).

In my situation now ( a single PDC ), I don't need idmap translation, because Samba will get UID/GID from LDAP and because there is just one server. Is that right?

( This PDC is using the values idmap uid = 10000-20000 and idmap gid = 10000-20000. )

I have (now) more than 16000 uids in the LDAP database ( some were excluded ). So, if I need IDMAP, the 10000-20000 range would not be enough, right?

What consequences will result if I change (now) idmap uid from the default value to, let's say, 10000000-20000000? Will existing users have problems with their file permissions? Do I have to change it (now)?

I am stuck. :-|

To migrate to PDC/BDC/Domain members or to PDC/Domain members, will it be enough just to set all PDC/BDC/Domain members to use the same LDAP database, all using nss_ldap/nscd, __without__ winbind? I mean, all servers will use the same LDAP ( I know I can have slave LDAP servers ). I know I will have to change smb.conf to give each server the correct role in the structure. I have already seen references in the docs about this issue.

In this context, will I need idmap to translate SID/UID/GID, or will using the same LDAP with nss_ldap be enough?

I am stuck on it. Could somebody give me some directions to help me take the next step?

Thank you.

Best regards,

Freitas
Sadique Puthen
2008-Feb-23 19:51 UTC
[Samba] IDMAP: migrating from a single PDC to a PDC and some Member Servers
casfre@gmail.com wrote:
> Hi,
>
> I am migrating a Samba 3.0.28 ( Slackware 12.0 ) that is a single
> PDC, to a PDC with domain members and/or BDC.
>
> This single PDC is plugged into a central switch and I have a lot of
> computer rooms, in different ethernet segments, all of them using
> switches and routers to reach this PDC. ( Something like this: PDC ->
> central switch -> router -> switch -> workstations )
>
> Motivations: (phase 1) distribute the load of authentications; (phase
> 2) distribute the load of roaming profiles; (phase 3) distribute
> the load of home directories.
>
> I am using (now) OpenLDAP, smbldap-tools, padl nss_ldap and nscd.
> ( There are some issues with WXP workstations, but they are for another
> email )
>
> Everybody is authenticating from Windows (WXP) and all my users
> are in LDAP. Every user has its own roaming profile and its own home
> dir. Everything is in the PDC, which runs smbd and nmbd and nfs for
> some Linux workstations.
>
> Well, rereading the manuals ( official docs ) I have some doubts
> about idmap ( for a while ).
>
> In my situation now ( a single PDC ), I don't need idmap
> translation, because Samba will get UID/GID from LDAP and because
> there is just one server. Is that right?

Yes. Even if you have a BDC you can configure it as a client of the same LDAP server and use nss_ldap for name resolution.

> ( This PDC is using the values idmap uid = 10000-20000 and idmap
> gid = 10000-20000. )

IMHO, idmap uid/gid mapping is only relevant if you are going to run the Samba server as a member of a PDC/BDC and want to be authenticated by it - ie "security = domain" - or as a member of AD - ie "security = ads". I don't know whether a PDC can be configured as a member authenticating to itself, but I always prefer to use nss_ldap for name service and authentication for a PDC.

> I have (now) more than 16000 uids in the LDAP database ( some were
> excluded ). So, if I need IDMAP, the 10000-20000 range would not be
> enough, right?

Yes.

> What consequences will result if I change (now) idmap uid from the
> default value to, let's say, 10000000-20000000? Will existing
> users have problems with their file permissions? Do I have to change it
> (now)?

Yes, it would alter the uids/gids assigned to current users, hence it would affect file permissions. Eg, if you have a user named user1 who was assigned a uid of 10000 earlier, after changing the range he would get a new uid assigned from the new range. The end result is that he wouldn't have permission to access files which were created while his uid was 10000. So the recommended method is to keep the low number of the defined range intact and increase the range, ie 10000-50000.

> I am stuck. :-|
>
> To migrate to PDC/BDC/Domain members or to PDC/Domain members,
> will it be enough just to set all PDC/BDC/Domain members to use the same
> LDAP database, all using nss_ldap/nscd, __without__ winbind?

It's possible. But in this case note that member servers never need to be members of the PDC domain. They just use nss_ldap and the LDAP server for authentication. If this is the case, your intention in setting up a PDC/BDC would only be to authenticate Windows clients, for which it was designed.

> I mean, all servers will use the same LDAP ( I know I can have
> slave LDAP servers ). I know I will have to change smb.conf to give
> each server the correct role in the structure. I have already seen
> references in the docs about this issue.
>
> In this context, will I need idmap to translate SID/UID/GID, or
> will using the same LDAP with nss_ldap be enough?
>
> I am stuck on it. Could somebody give me some directions to help
> me take the next step?
>
> Thank you.
>
> Best regards,
>
> Freitas
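As an added example (not code from either poster), a small Python audit that parses the `idmap uid`/`idmap gid` ranges out of an smb.conf fragment, lists which existing uidNumber values fall outside them, and applies the rule from the reply above: keep the low bound and only raise the high bound. The smb.conf text and the uidNumber list are constructed samples; on a real server you would feed it your own smb.conf and the uids reported by `getent passwd` or an LDAP query.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment using the ranges discussed in the thread.
SMB_CONF = """
[global]
    workgroup = EXAMPLE
    security = user
    idmap uid = 10000-20000
    idmap gid = 10000-20000
"""

# Constructed uidNumber sample standing in for what nss_ldap would serve.
SAMPLE_UIDS = [10000, 10001, 15999, 20000, 20001, 26413]


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {'uid': (low, high), 'gid': (low, high)} from smb.conf text."""
    pat = re.compile(r"^\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)", re.M | re.I)
    return {m.group(1).lower(): (int(m.group(2)), int(m.group(3)))
            for m in pat.finditer(conf)}


def ids_outside_range(ids: List[int], rng: Tuple[int, int]) -> List[int]:
    """Existing ids that the configured range does not cover, sorted."""
    low, high = rng
    return sorted(i for i in ids if i < low or i > high)


def check_range_change(old: Tuple[int, int], new: Tuple[int, int]) -> str:
    """Apply the reply's rule: keep the low bound and only raise the high one."""
    if new[0] != old[0]:
        return "unsafe: low bound moved, existing ids would be re-assigned"
    if new[1] < old[1]:
        return "unsafe: high bound lowered, ids above it fall out of range"
    return "ok: range widened without moving existing ids"


def audit(conf: str, uids: List[int], proposed: Tuple[int, int]) -> Dict[str, object]:
    """Report the current uid range, uncovered ids and a verdict on `proposed`."""
    current = parse_idmap_ranges(conf)["uid"]
    return {"current": current,
            "uncovered": ids_outside_range(uids, current),
            "verdict": check_range_change(current, proposed)}


if __name__ == "__main__":
    # The poster's idea (10 000 000-20 000 000) next to the reply's (10000-50000).
    for rng in [(10_000_000, 20_000_000), (10_000, 50_000)]:
        print(rng, audit(SMB_CONF, SAMPLE_UIDS, rng))
```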