The situation I've got is that I want to make one domain, and then use
it on several different subnets. I have 3 subnets, 10.1.x.x, 10.2 and
10.3, all physically remote, but connected by a FreeS/WAN tunnel that is
working just fine. We also have working LDAP logins and all that is
fine. I have gotten as far as getting my domain going on LDAP within
one subnet, but now I'm trying to add the second one.
I've got a second box on the remote subnet that can get connected to
ldap, and authenticate users just fine, i.e. I can browse to it from
wherever I need to come from, off of a machine that is connected to the
server on subnet 1. The problem arises when I try to join the domain
from the second subnet. I am entirely unclear on what configuration I
need on the second box to make the domain join work. I tried once with
the same smb.conf from the first machine, at which point I could get
joined just fine, but could not log in. Now I have machine 2 in more of
a non-master setup, basically just a domain master = no, and I can't get
joined at all. The smb.conf of the 'master' is attached to the end of
this post.
I've seen in the archives several people claiming that this is possible,
but never giving any direction as to what to try. I also remember
seeing something about using separate domains, but then sharing the LDAP
data storage. Would this be done by just changing the SID of all the
domains to match? Which of the two is a more reliable solution? I'd
lean toward the former, but I'm open to suggestions.
[global]
workgroup = AE3
server string
passdb backend = ldapsam:ldap://ldap1.fargo.ae-solutions.com
pam password change = Yes
log level = 2
log file = /var/log/samba/log.%m
max log size = 50
add group script = /usr/local/sbin/smbldap-groupadd -p
add user to group script = /usr/local/sbin/smbldap-groupmod -m
delete user from group script = /usr/local/sbin/smbldap-groupmod -x
set primary group script = /usr/local/sbin/smbldap-usermod -g
add machine script = /usr/local/sbin/smbldap-useradd -w
logon script = logon.cmd
logon path = \\fgoserv\profiles\%U
logon drive = H:
logon home = \\fgoserv\%U
domain logons = Yes
dns proxy = No
wins support = Yes
ldap suffix = dc=ae-solutions,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap admin dn = cn=Manager,dc=ae-solutions,dc=com
ldap ssl = no
ldap passwd sync = Yes
--
Paul Gienger Office: 701-281-1884
Applied Engineering Inc. Cell: 701-306-6254
Information Systems Consultant Fax: 701-281-1322
URL: www.ae-solutions.com mailto:pgienger@ae-solutions.com
On Fri, 2004-03-12 at 16:16, Paul Gienger wrote:

Myself, I would want all computers on the same domain and therefore in the same LDAP tree. The way this works depends upon your estimation of the reliability of the VPN connections. If they are highly reliable, set WINS to point to the IP address of the PDC in subnet 1 for all computers in all subnets. This should provide the best quality of network browsing and truly allow all computers to see each other. If you suspect that there will be a break in network connectivity higher than, say, 2% of the time, then you probably have to think in terms of having a 'BDC' and slave LDAP server with wins support = yes in each subnet, and set each Windows client (hopefully you are using DHCP) to use the local BDC/slave LDAP for WINS and secondarily point to the WINS server on subnet 1. Then you probably need to set remote announce on the machine in subnet 1 to the broadcast address 10.x.x.255 for each subnet.

One of the curious things that I didn't realize right away when I set up Samba and LDAP: I had wanted a BDC to provide a backup of the SAM database just in case. But if you slapcat the LDAP database regularly, all of the users/groups are thoroughly backed up, and even if the system were to die a bad death, you could still set up a new machine and achieve backup portability quite simply.

Craig
Paul Gienger wrote:

Hi, this is a matter of subnet browsing. I have solved the problem by having Samba proxies on the firewalls, which are routers too. If you get WINS and DNS working in the right way, joining an SMB domain in another subnet works. Though, you should simply set up an SMB BDC with a slave LDAP in the other subnet (this would also help if you lose the connection to the master LDAP). You can also set up a new domain and trust each other (but for that WINS and DNS must work too). Watch out and read the documentation for these parameters:

remote browse sync
remote announce
wins server = x.x.x.x

Regards