samba - Jan 2005 - 2 Domains on one server (browse.dat location) (3.0.9)

Appologies for double posting this.  I managed to add it to the end of an 
old thread instead of starting a new one,
anyone recommend a mail client that shows threads? :)


Hi,
	I'm trying to run 2 domains from the one server.  I've got my 2 config
files
and both servers run, bound to the correct interface if started normally.

The problem I have occurs when I try to start both at once.  nmdb seems to 
be hardwired
to write to $SAMBA_ROOT/var/locks/browse.dat  so each instance of nmbd 
overwrites
the data of the other.

Have I missed an option to configure it to write elsewhere? ( log, lock & 
pid dirs don't do it)
or, do I have to recompile samba with a new root?

Feature Request::  Is it possible to have an option to reset this location 
if it doesn't exist?

Is there a good howto anywhere on 2 domains / one machine or a good reason 
not to do it?
(Pref for Solaris)

We've got the same users in each domain, with the same ldap backend, The 
problem
being solved is that of giving some users escalated permissions when logged 
into their
own domain (Set group of machines ) but allowing them to log into the 
"World usable"
domain (open access machines) with normal permissions. Joe Blogs shouldn't 
be able to
login to the 2nd domain, & I've controlled access using the ldap filter
in
smb.conf. (Good / Bad idea?)

Any comments from those who done this appreciated.

Cheers,
	Duncan

Duncan Brannen wrote:
>
>
> Appologies for double posting this.  I managed to add it to the end of 
> an old thread instead of starting a new one,
> anyone recommend a mail client that shows threads? :)
>
>
> Hi,
>     I'm trying to run 2 domains from the one server.  I've got my 2
> config files
> and both servers run, bound to the correct interface if started normally.
>
> The problem I have occurs when I try to start both at once.  nmdb 
> seems to be hardwired
> to write to $SAMBA_ROOT/var/locks/browse.dat  so each instance of nmbd 
> overwrites
> the data of the other.
>
> Have I missed an option to configure it to write elsewhere? ( log, 
> lock & pid dirs don't do it)
> or, do I have to recompile samba with a new root?
>
> Feature Request::  Is it possible to have an option to reset this 
> location if it doesn't exist?
>
> Is there a good howto anywhere on 2 domains / one machine or a good 
> reason not to do it?
> (Pref for Solaris)
>
> We've got the same users in each domain, with the same ldap backend, 
> The problem
> being solved is that of giving some users escalated permissions when 
> logged into their
> own domain (Set group of machines ) but allowing them to log into the 
> "World usable"
> domain (open access machines) with normal permissions. Joe Blogs 
> shouldn't be able to
> login to the 2nd domain, & I've controlled access using the ldap 
> filter in smb.conf. (Good / Bad idea?)
>
> Any comments from those who done this appreciated.
>
> Cheers,
>     Duncan
>
Yes, you missed the parameter "lock directory" in smb.conf. browse.dat
lays under the lock directory path.
I have successfull installation of samba server with two domains, but it 
works only if locking directories are separated. And yes, you will need 
separate ldap records for same users in different domains (because of 
different SIDs).

-- 
Ing. Yevheniy Demchenko
UVT s.r.o.

Hi,
   Thanks again.

Config was simply

./configure --with-acl-support --disable-static --with-pam --with-msdfs --wi
th-krb5=/usr/local --with-ads=no

I'm using smbd/nmbd -D -s /path/to/config1/2

Config was being picked up as I could see the 2nd domain and it worked 
if it was the only one running.

Having just fired this up at the command line, both daemons seem to
be writing to seperate browse.dat files as you said. Possibly I was blinded
by the obvious earlier and just didn't see the 2nd browse.dat, since the
.tdb
files were there.  Both browse.dat files look sane now where as before the one
file didn't.

Can't currently query the domain, I should be able to have a look at this
again
Friday PM when I'm back at work. One step forward, two back :)

Good to know someone's done it though.

Cheers,
      Duncan

[global]
        log level = 3
        log file = /samba/domain2/var/log.%M[%m][%I]
        lock dir = /samba/domain2/var/locks
        pid directory = /samba/domain2/var/locks
        private dir =  /samba/domain2/var/locks


        ;Basic Server Settings
        netbios name = SAMBA2
        workgroup = DOMAIN2
        bind interfaces only = True
        interfaces = X.Y.Z.4/24   #The first domain listens on 127.0.0.1 also
        socket address = X.Y.Z.4


Quoting Demchenko Yevheniy <zheka@uvt.cz>:
> On Thursday 27 January 2005 17:53, you wrote:
> > zheka wrote:
> > > Duncan Brannen wrote:
> > >> Appologies for double posting this.  I managed to add it to
the end
> > >> of an old thread instead of starting a new one,
> > >> anyone recommend a mail client that shows threads? :)
> > >>
> > >>
> > >> Hi,
> > >>     I'm trying to run 2 domains from the one server. 
I've got my 2
> > >> config files
> > >> and both servers run, bound to the correct interface if
started
> > >> normally.
> > >>
> > >> The problem I have occurs when I try to start both at once. 
nmdb
> > >> seems to be hardwired
> > >> to write to $SAMBA_ROOT/var/locks/browse.dat  so each
instance of
> > >> nmbd overwrites
> > >> the data of the other.
>
 > >>
> > >> Have I missed an option to configure it to write elsewhere? (
log,
> > >> lock & pid dirs don't do it)
> > >> or, do I have to recompile samba with a new root?
> > >>
> > >> Feature Request::  Is it possible to have an option to reset
this
> > >> location if it doesn't exist?
> > >>
> > >> Is there a good howto anywhere on 2 domains / one machine or
a good
> > >> reason not to do it?
> > >> (Pref for Solaris)
> > >>
> > >> We've got the same users in each domain, with the same
ldap backend,
> > >> The problem
> > >> being solved is that of giving some users escalated
permissions when
> > >> logged into their
> > >> own domain (Set group of machines ) but allowing them to log
into the
> > >> "World usable"
> > >> domain (open access machines) with normal permissions. Joe
Blogs
> > >> shouldn't be able to
> > >> login to the 2nd domain, & I've controlled access
using the ldap
> > >> filter in smb.conf. (Good / Bad idea?)
> > >>
> > >> Any comments from those who done this appreciated.
> > >>
> > >> Cheers,
> > >>     Duncan
> > >
> > > Yes, you missed the parameter "lock directory" in
smb.conf. browse.dat
> > > lays under the lock directory path.
> > > I have successfull installation of samba server with two domains,
but
> > > it works only if locking directories are separated. And yes, you
will
> > > need separate ldap records for same users in different domains
> > > (because of different SIDs).
> >
> > I've set the lock directory (see above, tried lock, log and pid)
but
> > this doesn't change the browse.dat location, just the pid /
> > filename.tdb  location.  Possibly the overwriting of browse.dat by the
> > two nmbd processes is a red herring and it should work.
> >
> > I've set the SIDs' of the two domains to be the same so I only
need one
> > set of user records.  Which version are you using?  I'm going to
try
> > again with 3.0.11,
> > and compile them into distinct directories if it still fails.
> >
> > Cheers,
> >          Duncan
> 
> Didn't you forget to point the second instance of nmbd (for second)
domain to
> 
> the right smb.conf? How do you start samba?
> try this:
> smbd -s /path/to/smb.conf1
> nmbd -s /path/to/smb.conf1
> smbd -s /path/to/smb.conf2
> nmbd -s /path/to/smb.conf2
> 
> In my case (samba 3.0.4) browse.dat _do_ lies under locks directory,
> will try it on samba 3.0.11pre2 tomorrow.
> did you use some prepackaged binary or compiled it?
> if so, how did configure string look like? 
> 
> -- 
> Ing. Yevheniy Demchenko,
> UVT s.r.o.
> 
> 



-----------------------------------------------------------------
University of St Andrews Webmail: http://webmail.st-andrews.ac.uk

On a related issue - has anyone gotten the Samba server to run in 2 different
domains using the SAME "lock dir" parameter?  My purpose is to have a
share in 2 different domains.  It seems to work in limited testing without nmbd
or winbind which I can live without if needed.  Config is similar to the one
below except both smb.conf's have the same "lock dir" parameter. 
Samba 2.2.7a on RH9, planning to try 3.0.10 on Solaris 9.

Thanks!
- Ken Bourque

-----Forwarded Message-----
dbb at st-andrews.ac.uk dbb at st-andrews.ac.uk
Fri Jan 28 00:31:20 GMT 2005

Hi,
   Thanks again.

Config was simply

./configure --with-acl-support --disable-static --with-pam --with-msdfs --wi
th-krb5=/usr/local --with-ads=no

I'm using smbd/nmbd -D -s /path/to/config1/2

Config was being picked up as I could see the 2nd domain and it worked 
if it was the only one running.

Having just fired this up at the command line, both daemons seem to
be writing to seperate browse.dat files as you said. Possibly I was blinded
by the obvious earlier and just didn't see the 2nd browse.dat, since the
.tdb
files were there.  Both browse.dat files look sane now where as before the one
file didn't.

Can't currently query the domain, I should be able to have a look at this
again
Friday PM when I'm back at work. One step forward, two back :)

Good to know someone's done it though.

Cheers,
      Duncan

[global]
        log level = 3
        log file = /samba/domain2/var/log.%M[%m][%I]
        lock dir = /samba/domain2/var/locks
        pid directory = /samba/domain2/var/locks
        private dir =  /samba/domain2/var/locks


        ;Basic Server Settings
        netbios name = SAMBA2
        workgroup = DOMAIN2
        bind interfaces only = True
        interfaces = X.Y.Z.4/24   #The first domain listens on 127.0.0.1 also
        socket address = X.Y.Z.4