Barry Smoke
2004-Feb-02 22:45 UTC
[Samba] 4 samba domains/one ldap backend/2 methods/which to use?
In both methods tried, we can't successfully add XP machines to the domain at the remote locations.

Main samba is on our main campus, behind a 10.10 internal LAN.
Remote sambas are on remote campuses, behind a 10.xx network:
10.11
10.12

All connected with our internal LAN via VPN.

######################################################################
Method 1) ALL PDCs, using the same LDAP database (thus inherent problems: all users have SIDs generated with the primary domain's SID)

a) We set up our master LDAP server and samba server on the same machine.
b) Replicated LDAP to remote samba servers, and set up referrals, so that transactions to modify LDAP go back to the master.
c) Installed idealx smbldap-tools on all samba servers, using different SIDs on each server.
d) Attempted to join an XP machine to the domain.

Results:
samba authenticates users correctly, and users are added correctly.
Adding samba machine accounts at remote servers errors out, while it works on the main server. The errors are sporadic, such as "can't find domain", "can't find user".

Questions:
Why would users in the LDAP database generated with the master samba/LDAP domain/server be able to log in at the remote site/domain... wouldn't the SIDs conflict?
Why would we not be able to join an XP machine to the domain, with the remote server's SID configured in smbldap-tools (remember the remote server has a different SID in smbldap-tools, thus adds users locally, which is referred to the master)?
When run manually, the machine entry gets put into LDAP, and it gets put into LDAP from the XP wizard also, but it does not get the sambaSamAccount objectclass, along with the SIDs samba generates, thus causing an error (user not found).

Speculations:
Our remote domain needs a "domain admins" group with its SID, so that a root user can be added to LDAP (remoteroot), so machines can be added with that user's info...
The problem is we get these errors with smbldap-tools:

[root@proxy samba]# smbldap-usershow desroot
/usr/local/sbin/smbldap-usershow: user desroot doesn't exist
[root@proxy samba]# smbldap-groupshow desdomadm
dn: cn=desdomadm,ou=Groups,dc=bryantschools,dc=org
objectClass: posixGroup,sambaGroupMapping
cn: desdomadm
gidNumber: 1040
sambaSID: S-1-5-21-3567609034-2183773975-620293219-3081
sambaGroupType: 2
[root@proxy samba]# smbldap-useradd -a -g desdomadm desroot
Use of uninitialized value in pattern match (m//) at /usr/local/sbin//smbldap_tools.pm line 733.
/usr/local/sbin/smbldap-useradd: unknown group desdomadm

Thus, I can't test the theory...

#######################################################################
Method 2) Believing method 1 had something to do with a SID problem, we proceeded to set up the remote locations as BDCs.

a) Set up master LDAP server and samba server on the same machine.
b) Set up replicas and referrals back to the master.
c) Set up remote servers as BDCs using the same SID.
d) Set up the SID in smbldap-tools to be the same.

Results:
samba added the XP machines to the domain, but we could not log in upon reboot.

Questions:
On method 1 above, we have some users that get special shares based upon the %m, meaning the domain they put in the log in box. This works on the PDC, but we can't get it to work on a BDC. (Why don't domain aliases work on a BDC?)

This e-mail mentions the correct way to do multiple domains in the same LDAP database... is different branches... Where is any documentation on the correct way / designed way to do this?
http://lists.samba.org/archive/samba-technical/2003-December/033422.html

Thanks in advance,
Barry Smoke
District Network Admin
Bryant Public Schools
Andrew Bartlett
2004-Feb-03 09:15 UTC
[Samba] 4 samba domains/one ldap backend/2 methods/which to use?
On Tue, 2004-02-03 at 09:44, Barry Smoke wrote:
> in both methods tried, we can't successfully add xp machines to the
> domain at the remote locations
> main samba is on our main campus, behind a 10.10 internal lan
> remote samba's are on remote campuses, behind a 10.xx network
> 10.11
> 10.12
>
> all connected with our internal lan via VPN
> ######################################################################
> Method 1) ALL PDC's, using same ldap database (thus inherent problems,
> all users have SID's generated with primary domain's SID)

You cannot share users between domains. If the user is in one domain, it *must not* be visible to the other domains; you must use a separate LDAP suffix.

> #######################################################################
> Method 2) believing method 1 had something to do with an SID problem,
> we proceeded to set up the remote locations as BDC's
>
> a) set up master ldap server, and samba server on same machine,
> b) set up replicas and referrals back to master
> c) set up remote servers as BDC's using same SID
> d) set up SID in smbldaptools to be the same
>
> results:
> samba added the xp machines to the domain, but we could not log in upon
> reboot.

Check your replication, and use Samba 3.0.1, with the 'ldap replication sleep' parameter. This allows you to make the system wait until the slave LDAP server has caught up.

> questions:
> on method1 above, we have some users that get special shares based upon
> the %m, meaning the domain they put to log in box.

%m is the machine name they login from.

> This works on the pdc, but we can't get it to work on a BDC. (Why don't
> domain aliases work on a BDC?)

I'm not sure what you mean here.
Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
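Both messages above turn on the same two directory defects: machine entries that reach LDAP without the sambaSamAccount objectClass (Barry's "user not found" at join time), and accounts whose sambaSID was minted under another domain's SID (the thing Andrew says must never be visible across domains, hence one LDAP suffix per domain). The following script is an added example, not code from either poster, from Samba or from smbldap-tools. It audits an LDIF export for exactly those two conditions against an assumed layout of one branch per domain. The suffixes, domain SIDs, account names and the sample LDIF are all constructed for the example; on a real directory you would feed it the output of `slapcat` or `ldapsearch -x -LLL` (plain LDIF, not the `smbldap-groupshow` display format).

```python
"""Audit an LDIF export of a Samba/LDAP directory for two problems:
accounts whose sambaSID was minted under a different domain's SID, and
POSIX accounts (typically machine accounts ending in '$') that lack the
sambaSamAccount objectClass and therefore cannot be found by Samba.

Added example, not code from the thread, Samba or smbldap-tools. The
suffix-to-SID map is an assumption: one LDAP branch per domain.
"""
import re

# A Samba/NT domain SID is S-1-5-21-A-B-C; account and group SIDs append a RID.
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def parse_ldif(text):
    """Minimal LDIF parser: unfolds continuation lines and returns a list of
    {"dn": ..., "attrs": {lowercase-name: [values]}} records. Base64 ('::')
    and URL (':<') values are not decoded; they do not matter for this check."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # RFC 2849 line folding
        else:
            unfolded.append(line)

    entries, current = [], None
    for line in unfolded:
        if not line.strip():                  # blank line ends a record
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def audit(entries, domain_sids):
    """domain_sids maps an LDAP suffix (one per domain) to that domain's SID.
    Returns a list of (dn, problem) tuples; an empty list means clean."""
    suffixes = sorted(domain_sids, key=len, reverse=True)  # most specific first
    problems = []
    for entry in entries:
        dn, attrs = entry["dn"], entry["attrs"]
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        uid = attrs.get("uid", [""])[0]

        suffix = next((s for s in suffixes if dn.lower().endswith(s.lower())), None)
        if suffix is None:
            problems.append((dn, "entry is outside every configured domain suffix"))
            continue
        expected = domain_sids[suffix]

        # Symptom 1: a POSIX account Samba will not accept because the
        # sambaSamAccount objectClass (and with it the sambaSID) never got added.
        if "posixaccount" in classes and "sambasamaccount" not in classes:
            kind = "machine account" if uid.endswith("$") else "user"
            problems.append((dn, f"{kind} lacks sambaSamAccount"))
            continue

        # Symptom 2: a SID that belongs to a different domain's SID space.
        for sid in attrs.get("sambasid", []):
            m = DOMAIN_SID_RE.match(sid)
            if m is None:
                problems.append((dn, f"malformed sambaSID {sid}"))
            elif m.group(1) != expected:
                problems.append((dn, f"sambaSID is from domain {m.group(1)}, expected {expected}"))
    return problems


# Constructed sample: two domains, one branch each (hypothetical names and SIDs).
DOMAIN_SIDS = {
    "ou=main,dc=example,dc=org": "S-1-5-21-1111-2222-3333",
    "ou=remote,dc=example,dc=org": "S-1-5-21-4444-5555-6666",
}

SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,ou=main,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1111-2222-3333-1000

dn: uid=ws01$,ou=Computers,ou=remote,dc=example,dc=org
objectClass: posixAccount
uid: ws01$

dn: uid=bob,ou=Users,ou=remote,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-1111-2222-3333-1002

dn: cn=remoteadmins,ou=Groups,ou=remote,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: remoteadmins
sambaSID: S-1-5-21-4444-5555-6666-512
"""


def audit_sample():
    """Run the audit over the constructed sample above."""
    return audit(parse_ldif(SAMPLE_LDIF), DOMAIN_SIDS)


if __name__ == "__main__":
    for dn, problem in audit_sample():
        print(f"{dn}: {problem}")
```

On the sample the audit flags ws01$ (no sambaSamAccount, the join-time failure) and bob (a SID from the main domain sitting in the remote branch); alice and the remoteadmins group pass. Anything the script reports outside every configured suffix is an entry that has not been moved into a per-domain branch yet.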