Duncan Brannen
2005-Jan-27 10:09 UTC
[Samba] 2 Domains on one server (browse.dat location) (3.0.9)
Apologies for double posting this. I managed to add it to the end of an old thread instead of starting a new one, anyone recommend a mail client that shows threads? :)

Hi,

I'm trying to run 2 domains from the one server. I've got my 2 config files and both servers run, bound to the correct interface if started normally.

The problem I have occurs when I try to start both at once. nmbd seems to be hardwired to write to $SAMBA_ROOT/var/locks/browse.dat so each instance of nmbd overwrites the data of the other.

Have I missed an option to configure it to write elsewhere? (log, lock & pid dirs don't do it) or, do I have to recompile samba with a new root?

Feature Request:: Is it possible to have an option to reset this location if it doesn't exist?

Is there a good howto anywhere on 2 domains / one machine or a good reason not to do it? (Pref for Solaris)

We've got the same users in each domain, with the same ldap backend. The problem being solved is that of giving some users escalated permissions when logged into their own domain (Set group of machines) but allowing them to log into the "World usable" domain (open access machines) with normal permissions. Joe Blogs shouldn't be able to login to the 2nd domain, & I've controlled access using the ldap filter in smb.conf. (Good / Bad idea?)

Any comments from those who've done this appreciated.

Cheers,
Duncan
Duncan Brannen wrote:

> Apologies for double posting this. I managed to add it to the end of an old thread instead of starting a new one, anyone recommend a mail client that shows threads? :)
>
> Hi,
> I'm trying to run 2 domains from the one server. I've got my 2 config files and both servers run, bound to the correct interface if started normally.
>
> The problem I have occurs when I try to start both at once. nmbd seems to be hardwired to write to $SAMBA_ROOT/var/locks/browse.dat so each instance of nmbd overwrites the data of the other.
>
> Have I missed an option to configure it to write elsewhere? (log, lock & pid dirs don't do it) or, do I have to recompile samba with a new root?
>
> Feature Request:: Is it possible to have an option to reset this location if it doesn't exist?
>
> Is there a good howto anywhere on 2 domains / one machine or a good reason not to do it? (Pref for Solaris)
>
> We've got the same users in each domain, with the same ldap backend. The problem being solved is that of giving some users escalated permissions when logged into their own domain (Set group of machines) but allowing them to log into the "World usable" domain (open access machines) with normal permissions. Joe Blogs shouldn't be able to login to the 2nd domain, & I've controlled access using the ldap filter in smb.conf. (Good / Bad idea?)
>
> Any comments from those who've done this appreciated.
>
> Cheers,
> Duncan

Yes, you missed the parameter "lock directory" in smb.conf. browse.dat lies under the lock directory path. I have a successful installation of a Samba server with two domains, but it works only if the locking directories are separated. And yes, you will need separate ldap records for same users in different domains (because of different SIDs).

--
Ing. Yevheniy Demchenko
UVT s.r.o.
dbb@st-andrews.ac.uk
2005-Jan-28 00:21 UTC
[Samba] 2 Domains on one server (browse.dat location) (3.0.9)
Hi,

Thanks again. Config was simply

./configure --with-acl-support --disable-static --with-pam --with-msdfs --with-krb5=/usr/local --with-ads=no

I'm using smbd/nmbd -D -s /path/to/config1/2

Config was being picked up as I could see the 2nd domain and it worked if it was the only one running.

Having just fired this up at the command line, both daemons seem to be writing to separate browse.dat files as you said. Possibly I was blinded by the obvious earlier and just didn't see the 2nd browse.dat, since the .tdb files were there. Both browse.dat files look sane now whereas before the one file didn't.

Can't currently query the domain, I should be able to have a look at this again Friday PM when I'm back at work. One step forward, two back :) Good to know someone's done it though.

Cheers,
Duncan

[global]
log level = 3
log file = /samba/domain2/var/log.%M[%m][%I]
lock dir = /samba/domain2/var/locks
pid directory = /samba/domain2/var/locks
private dir = /samba/domain2/var/locks

;Basic Server Settings
netbios name = SAMBA2
workgroup = DOMAIN2
bind interfaces only = True
interfaces = X.Y.Z.4/24
#The first domain listens on 127.0.0.1 also
socket address = X.Y.Z.4

Quoting Demchenko Yevheniy <zheka@uvt.cz>:

> On Thursday 27 January 2005 17:53, you wrote:
> > zheka wrote:
> > > Duncan Brannen wrote:
> > >> Apologies for double posting this. I managed to add it to the end of an old thread instead of starting a new one, anyone recommend a mail client that shows threads? :)
> > >>
> > >> Hi,
> > >> I'm trying to run 2 domains from the one server. I've got my 2 config files and both servers run, bound to the correct interface if started normally.
> > >>
> > >> The problem I have occurs when I try to start both at once. nmbd seems to be hardwired to write to $SAMBA_ROOT/var/locks/browse.dat so each instance of nmbd overwrites the data of the other.
> > >>
> > >> Have I missed an option to configure it to write elsewhere? (log, lock & pid dirs don't do it) or, do I have to recompile samba with a new root?
> > >>
> > >> Feature Request:: Is it possible to have an option to reset this location if it doesn't exist?
> > >>
> > >> Is there a good howto anywhere on 2 domains / one machine or a good reason not to do it? (Pref for Solaris)
> > >>
> > >> We've got the same users in each domain, with the same ldap backend. The problem being solved is that of giving some users escalated permissions when logged into their own domain (Set group of machines) but allowing them to log into the "World usable" domain (open access machines) with normal permissions. Joe Blogs shouldn't be able to login to the 2nd domain, & I've controlled access using the ldap filter in smb.conf. (Good / Bad idea?)
> > >>
> > >> Any comments from those who've done this appreciated.
> > >>
> > >> Cheers,
> > >> Duncan
> > >
> > > Yes, you missed the parameter "lock directory" in smb.conf. browse.dat lies under the lock directory path.
> > > I have a successful installation of a Samba server with two domains, but it works only if the locking directories are separated. And yes, you will need separate ldap records for same users in different domains (because of different SIDs).
> >
> > I've set the lock directory (see above, tried lock, log and pid) but this doesn't change the browse.dat location, just the pid / filename.tdb location. Possibly the overwriting of browse.dat by the two nmbd processes is a red herring and it should work.
> >
> > I've set the SIDs of the two domains to be the same so I only need one set of user records. Which version are you using? I'm going to try again with 3.0.11, and compile them into distinct directories if it still fails.
> >
> > Cheers,
> > Duncan
>
> Didn't you forget to point the second instance of nmbd (for second) domain to the right smb.conf? How do you start samba?
> try this:
> smbd -s /path/to/smb.conf1
> nmbd -s /path/to/smb.conf1
> smbd -s /path/to/smb.conf2
> nmbd -s /path/to/smb.conf2
>
> In my case (samba 3.0.4) browse.dat _do_ lies under locks directory, will try it on samba 3.0.11pre2 tomorrow.
> did you use some prepackaged binary or compiled it?
> if so, how did configure string look like?
>
> --
> Ing. Yevheniy Demchenko,
> UVT s.r.o.

-----------------------------------------------------------------
University of St Andrews Webmail: http://webmail.st-andrews.ac.uk
klbspam
2005-Jan-31 18:08 UTC
[Samba] Re: 2 Domains on one server (browse.dat location) (3.0.9)
On a related issue - has anyone gotten the Samba server to run in 2 different domains using the SAME "lock dir" parameter? My purpose is to have a share in 2 different domains. It seems to work in limited testing without nmbd or winbind which I can live without if needed. Config is similar to the one below except both smb.conf's have the same "lock dir" parameter. Samba 2.2.7a on RH9, planning to try 3.0.10 on Solaris 9.

Thanks!
- Ken Bourque

-----Forwarded Message-----
dbb at st-andrews.ac.uk dbb at st-andrews.ac.uk
Fri Jan 28 00:31:20 GMT 2005

Hi,

Thanks again. Config was simply

./configure --with-acl-support --disable-static --with-pam --with-msdfs --with-krb5=/usr/local --with-ads=no

I'm using smbd/nmbd -D -s /path/to/config1/2

Config was being picked up as I could see the 2nd domain and it worked if it was the only one running.

Having just fired this up at the command line, both daemons seem to be writing to separate browse.dat files as you said. Possibly I was blinded by the obvious earlier and just didn't see the 2nd browse.dat, since the .tdb files were there. Both browse.dat files look sane now whereas before the one file didn't.

Can't currently query the domain, I should be able to have a look at this again Friday PM when I'm back at work. One step forward, two back :) Good to know someone's done it though.

Cheers,
Duncan

[global]
log level = 3
log file = /samba/domain2/var/log.%M[%m][%I]
lock dir = /samba/domain2/var/locks
pid directory = /samba/domain2/var/locks
private dir = /samba/domain2/var/locks

;Basic Server Settings
netbios name = SAMBA2
workgroup = DOMAIN2
bind interfaces only = True
interfaces = X.Y.Z.4/24
#The first domain listens on 127.0.0.1 also
socket address = X.Y.Z.4
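
The replies above settle on each instance needing its own "lock directory" (where browse.dat and the .tdb files live), and a parameter left unset in both configs falls back to the same compiled-in path. As an added example, not part of the thread or of Samba itself, this Python check compares the [global] state directories of two smb.conf files before both instances are started; the function names and the domain1 paths are assumptions made up for the illustration.

```python
import re

# smb.conf parameter names ignore case and spaces; fold synonyms to one key.
CANONICAL = {
    "lockdir": "lock directory", "lockdirectory": "lock directory",
    "piddirectory": "pid directory",
    "privatedir": "private dir", "privatedirectory": "private dir",
}
DEFAULT = "<compiled-in default>"  # unset: both instances use the build path

def global_state_dirs(conf_text):
    """Return {canonical parameter: path} read from the [global] section."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        key = CANONICAL.get(re.sub(r"\s+", "", name).lower())
        if key:
            found[key] = value.strip().rstrip("/") or "/"
    return found

def shared_dirs(conf_a, conf_b):
    """List (parameter, path) pairs that resolve to the same place in both."""
    a, b = global_state_dirs(conf_a), global_state_dirs(conf_b)
    keys = sorted(set(CANONICAL.values()))
    return [(k, a.get(k, DEFAULT)) for k in keys
            if a.get(k, DEFAULT) == b.get(k, DEFAULT)]

# Constructed samples; DOMAIN2 follows the paths in the config posted above.
DOMAIN1 = """[global]
lock dir = /samba/domain1/var/locks
pid directory = /samba/domain1/var/locks
private dir = /samba/domain1/var/locks
"""
DOMAIN2 = """[global]
;Basic Server Settings
Lock Directory = /samba/domain2/var/locks/
pid directory = /samba/domain2/var/locks
private dir = /samba/domain2/var/locks
"""

if __name__ == "__main__":
    print(shared_dirs(DOMAIN1, DOMAIN2))
```

An empty list means the two instances keep browse.dat, pid files and the private dir apart; any entry names a directory both daemons would write to.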