"Freeman, Peter (ERHS)" wrote:
> Hi List(s)
>
> I'm in the process of configuring a new PDC using Samba 2.2.5.
> At the present time we have 9 other Samba PDCs in nonconnected
> sites. In the next few months, these sites will become part of
> a WAN and we're looking to migrate authentication for these
> servers to a single box, for obvious administration benefits.
> The client base is primarily Win2k, SP2 & SP3.
>
> Now I'm making the presumption that Samba + LDAP is the right path
> to go down in this type of situation, correct me if I'm wrong, I've
> only been looking into this for the past week or so, and yes I've
> been reading the Samba docs and the OpenLDAP docs, so don't tell me
> to RTFM :), I'm just after real world experiences here....
>
> Can anyone with experience in this type of setup comment on any
> issues they struck while migrating from smbpasswd based systems
> to central LDAP authentication.
>
> What version of OpenLDAP would you recommend? 2.0.x or 2.1.x?
> Pros/cons for either version? I notice the schema file packaged with
> Samba has support for 2.1.x.
I had to move to 2.1 because of database corruption issues with 2.0
(Net::LDAP scripts seem to trigger some bug on the ldap server side).
If running 2.1, I think you will need Samba 2.2.6pre2 if you are not
keeping your unix accounts in ldap too. (But given the setup, I presume
you are).
> Were there any issues in migrating existing users, ie: file permissions,
> profiles, etc?
If you are migrating between domains, then this will be an issue,
because you will have one global UID and RID space, rather than
one-per-site. You will probably have to solve this manually. You will
therefore need to rejoin machines to the domain etc.
> What is the speed like over a WAN environment for a local Samba box
> to authenticate against a remote LDAP server, over say a 64k link?
>
> Any other comments?
Samba can hit your LDAP server *hard*. I would suggest keeping LDAP on
localhost if at all possible - and use LDAP replication from there. So
make the on-site machines BDCs, and have one PDC centrally. This type
of solution has been implemented.
Watch out your version of nss_ldap - some are buggy and cause a lot of
'connection reset by peer' stuff.
Andrew Bartlett
--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
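The "LDAP on localhost, replicate from the central master, on-site BDCs" layout recommended in the reply above, written out as a Samba 2.2.x smb.conf fragment for one site's BDC. This is an added, constructed example and is not configuration from either poster or from the Samba project; the workgroup, NetBIOS name, LDAP suffix and admin DN are placeholders, and Samba is assumed to have been built with ldapsam support (which 2.2.x needs for these `ldap *` parameters to do anything).

```ini
; smb.conf fragment for an on-site Samba 2.2.x BDC (constructed example).
; Placeholder values: EXAMPLEDOM, SITE1-BDC, dc=example,dc=com, cn=Manager.
[global]
   workgroup = EXAMPLEDOM
   netbios name = SITE1-BDC
   security = user
   encrypt passwords = yes

   ; BDC role: answer logons for local clients, but leave the domain
   ; master role to the single central PDC.
   domain logons = yes
   domain master = no
   local master = yes
   preferred master = yes
   os level = 33

   ; Point ldapsam at the slapd replica on this box, not the central master.
   ; Each logon turns into several LDAP binds and searches, so putting a
   ; 64k WAN link in this path is exactly the case the reply warns about:
   ;   ldap server = ldap-master.central.example.com   ; avoid over the WAN
   ldap server = localhost
   ldap port = 389
   ldap ssl = off
   ldap suffix = "dc=example,dc=com"
   ldap admin dn = "cn=Manager,dc=example,dc=com"
   ; the admin dn password is not kept here; it is stored in secrets.tdb
   ; with:  smbpasswd -w <password>
```

Two things to check once this is in place. First, the local slapd should be a read-only replica of the central master, which means writes (password changes, machine account creation) are rejected locally and have to reach the master; decide up front whether those operations go through the PDC or whether the replica is configured to refer them onward. Second, if nss_ldap is used for the Unix side of the accounts, point it at the same local replica (`host 127.0.0.1` in its ldap.conf) so that name-service lookups, which are far more frequent than logons, also never cross the WAN, and pin the nss_ldap version after testing, given the "connection reset by peer" problems mentioned above.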