The situation I've got is that I want to make one domain, and then use it on several different subnets. I have 3 subnets, 10.1.x.x, 10.2 and 10.3, all physically remote, but connected by a frees/wan tunnel that is working just fine. We also have working LDAP logins and all that is fine. I have gotten as far as getting my domain going on LDAP within one subnet, but now I'm trying to add the second one. I've got a second box on the remote subnet that can get connected to ldap, and authenticate users just fine, i.e. I can browse to it from wherever I need to come from, off of a machine that is connected to the server on subnet 1. The problem arises when I try to join the domain from the second subnet. I am entirely unclear on what configuration I need on the second box to make the domain join work. I tried once with the same smb.conf from the first machine, at which point I could get joined just fine, but could not log in. Now I have machine 2 in more of a non-master setup, basically just a domain master = no, and I can't get joined at all. The smb.conf of the 'master' is attached to the end of this post. I've seen in the archives several people claiming that this is possible, but never giving any direction as to what to try. I also remember seeing something about using seperate domains, but then sharing the LDAP data storage. Would this be done by just changing the SID of all the domains to match? Which of the two is a more reliable solution? I'd lean toward the former, but I'm open to suggestions. [global] workgroup = AE3 server string passdb backend = ldapsam:ldap://ldap1.fargo.ae-solutions.com pam password change = Yes log level = 2 log file = /var/log/samba/log.%m max log size = 50 add group script = /usr/local/sbin/smbldap-groupadd -p add user to group script = /usr/local/sbin/smbldap-groupmod -m delete user from group script = /usr/local/sbin/smbldap-groupmod -x set primary group script = /usr/local/sbin/smbldap-usermod -g add machine script = /usr/local/sbin/smbldap-useradd -w logon script = logon.cmd logon path = \\fgoserv\profiles\%U logon drive = H: logon home = \\fgoserv\%U domain logons = Yes dns proxy = No wins support = Yes ldap suffix = dc=ae-solutions,dc=com ldap machine suffix = ou=Computers ldap user suffix = ou=People ldap group suffix = ou=Group ldap admin dn = cn=Manager,dc=ae-solutions,dc=com ldap ssl = no ldap passwd sync = Yes -- Paul Gienger Office: 701-281-1884 Applied Engineering Inc. Cell: 701-306-6254 Information Systems Consultant Fax: 701-281-1322 URL: www.ae-solutions.com mailto:pgienger@ae-solutions.com
On Fri, 2004-03-12 at 16:16, Paul Gienger wrote:> The situation I've got is that I want to make one domain, and then use > it on several different subnets. I have 3 subnets, 10.1.x.x, 10.2 and > 10.3, all physically remote, but connected by a frees/wan tunnel that is > working just fine. We also have working LDAP logins and all that is > fine. I have gotten as far as getting my domain going on LDAP within > one subnet, but now I'm trying to add the second one. > > I've got a second box on the remote subnet that can get connected to > ldap, and authenticate users just fine, i.e. I can browse to it from > wherever I need to come from, off of a machine that is connected to the > server on subnet 1. The problem arises when I try to join the domain > from the second subnet. I am entirely unclear on what configuration I > need on the second box to make the domain join work. I tried once with > the same smb.conf from the first machine, at which point I could get > joined just fine, but could not log in. Now I have machine 2 in more of > a non-master setup, basically just a domain master = no, and I can't get > joined at all. The smb.conf of the 'master' is attached to the end of > this post. > > I've seen in the archives several people claiming that this is possible, > but never giving any direction as to what to try. I also remember > seeing something about using seperate domains, but then sharing the LDAP > data storage. Would this be done by just changing the SID of all the > domains to match? Which of the two is a more reliable solution? I'd > lean toward the former, but I'm open to suggestions. > > [global] > workgroup = AE3 > server string > passdb backend = ldapsam:ldap://ldap1.fargo.ae-solutions.com > pam password change = Yes > log level = 2 > log file = /var/log/samba/log.%m > max log size = 50 > add group script = /usr/local/sbin/smbldap-groupadd -p > add user to group script = /usr/local/sbin/smbldap-groupmod -m > delete user from group script = /usr/local/sbin/smbldap-groupmod -x > set primary group script = /usr/local/sbin/smbldap-usermod -g > add machine script = /usr/local/sbin/smbldap-useradd -w > logon script = logon.cmd > logon path = \\fgoserv\profiles\%U > logon drive = H: > logon home = \\fgoserv\%U > domain logons = Yes > dns proxy = No > wins support = Yes > ldap suffix = dc=ae-solutions,dc=com > ldap machine suffix = ou=Computers > ldap user suffix = ou=People > ldap group suffix = ou=Group > ldap admin dn = cn=Manager,dc=ae-solutions,dc=com > ldap ssl = no > ldap passwd sync = Yes---- Myself, I would want all computers on the same domain and therefore in the same ldap tree. The way this works depends upon your estimation of the reliability of the vpn connections. If they are highly reliable, set wins to point to the IP address of the PDC in subnet 1 for all computers in all subnets. This should provide the best quality of network browsing and truly allow all computers to see each other. If you suspect that there will be a break in network connectivity higher than say 2% of the time, then you probably have to think in terms of having a 'BDC' and slave LDAP server with wins support = yes in each subnet and set each Windows client (hopefully, you are using DHCP) to use the local BDC/slave LDAP for WINS and secondarily, point to the WINS server on subnet 1. Then you probably need to set remote announce on the machine in subnet 1 to the broadcast address 10.x.x.255 for each subnet. One of the curious things that I didn't realize right away when I set up Samba and LDAP...I had wanted a BDC to provide a backup of the SAM database just in case. But if you slapcat the LDAP database regularly, all of the users/groups are thoroughly backed up and even if the system were to die a bad death, you could still set up a new machine and achieve backup portability quite simply. Craig Craig
Paul Gienger schrieb:> The situation I've got is that I want to make one domain, and then use > it on several different subnets. I have 3 subnets, 10.1.x.x, 10.2 and > 10.3, all physically remote, but connected by a frees/wan tunnel that is > working just fine. We also have working LDAP logins and all that is > fine. I have gotten as far as getting my domain going on LDAP within > one subnet, but now I'm trying to add the second one. > I've got a second box on the remote subnet that can get connected to > ldap, and authenticate users just fine, i.e. I can browse to it from > wherever I need to come from, off of a machine that is connected to the > server on subnet 1. The problem arises when I try to join the domain > >> from the second subnet. I am entirely unclear on what configuration I > > need on the second box to make the domain join work. I tried once with > the same smb.conf from the first machine, at which point I could get > joined just fine, but could not log in. Now I have machine 2 in more of > a non-master setup, basically just a domain master = no, and I can't get > joined at all. The smb.conf of the 'master' is attached to the end of > this post. > > I've seen in the archives several people claiming that this is possible, > but never giving any direction as to what to try. I also remember > seeing something about using seperate domains, but then sharing the LDAP > data storage. Would this be done by just changing the SID of all the > domains to match? Which of the two is a more reliable solution? I'd > lean toward the former, but I'm open to suggestions. > > [global] > workgroup = AE3 > server string > passdb backend = ldapsam:ldap://ldap1.fargo.ae-solutions.com > pam password change = Yes > log level = 2 > log file = /var/log/samba/log.%m > max log size = 50 > add group script = /usr/local/sbin/smbldap-groupadd -p > add user to group script = /usr/local/sbin/smbldap-groupmod -m > delete user from group script = /usr/local/sbin/smbldap-groupmod -x > set primary group script = /usr/local/sbin/smbldap-usermod -g > add machine script = /usr/local/sbin/smbldap-useradd -w > logon script = logon.cmd > logon path = \\fgoserv\profiles\%U > logon drive = H: > logon home = \\fgoserv\%U > domain logons = Yes > dns proxy = No > wins support = Yes > ldap suffix = dc=ae-solutions,dc=com > ldap machine suffix = ou=Computers > ldap user suffix = ou=People > ldap group suffix = ou=Group > ldap admin dn = cn=Manager,dc=ae-solutions,dc=com > ldap ssl = no > ldap passwd sync = Yes > >Hi, this is a matter of subnet browsing. Ich have solved the problem with having samba proxies on the firewalls, which are routers too. if you get wins and dns work in the right way, joining a smb domain in an other subnet works. Allthough you should simply setup a smb bdc with slave ldap in the other subnet. ( this would also help if you loose con to the master ldap ) You can also setup a new domain and trust each other ( but there for wins and dns must work too ) watch out and read the doku to this parameters remote browse sync remote announce and wins server = x.x.x.x Regards