Brian Palmer
2005-Oct-18 23:40 UTC
[Samba] PDC for Multiple Domains from a Single Samba Box
I've struggled with this for a couple of weeks, and have looked at countless posts and at the Samba documentation collection with no real solution. I'm setting up a lab that needs to have multiple domains (for machine / user segregation politics) for around 40 Windows XP Professional machines. I have a single Linux server running SuSE 9.2. I would like for this server to be able to act as the PDC for N domains. I am using LDAP as the password / account back end running on the same box. I'm also running dhcpd and DNS on this box.

I followed the Samba HOWTO to set up 'MEGANET2' and have several of the Windows boxes participating in that domain with what appears to be success (thanks to the writer). I then, based on what I could find doing Google searches, created an additional IP address (alias) and an additional smb.conf file specifying to bind to the aliased IP address. I modified the samba3.schema file to remove the single-value flag from the sambaSID attribute and added additional sambaSIDs for the new domain for all of the accounts housed in the LDAP tree. I also added an additional sambaDomain entry for the new domain. I started another smbd and nmbd process using the new smb.conf file. My server now has two each smbd and nmbd processes (each using the different smb.conf files).

I can join the new domain from an XP box (using the same Administrator account as with the other domain); however, when I reboot (as required when a domain is joined), none of my user names or passwords work at the logon window (even though I pick the new domain from the drop-down box). I get various messages ranging from "domain not found" to "user name or password is incorrect". I've seen a couple of posts that say this topic was discussed in detail on the list during 2001, but I cannot find the posts.

1. Am I trying something that just won't work?
2. Does a PDC have to belong to the domain? (I cannot get net -w 'newdomain' rpc join -U Administrator%passwd to work for the new domain.)
3. Has anyone got a configuration like this working?
4. Do I need to be running two nmbds?
5. What about winbindd?

Any help would be greatly appreciated.

Thanks,
Brian Palmer
e-mail: palmer@westar.com
Palmer, Brian G Contractor/Westar
2005-Oct-24 21:10 UTC
[Samba] PDC for Multiple Domains from a Single Samba Box
I finally got this to work! -Brian Palmer
Tomasz Chmielewski
2005-Oct-24 21:25 UTC
[Samba] PDC for Multiple Domains from a Single Samba Box
Palmer, Brian G Contractor/Westar wrote:
> I finally got this to work!

Tell us how then?
palmer7440@bellsouth.net
2005-Oct-25 00:44 UTC
[Samba] PDC for Multiple Domains from a Single Samba Box
The nitty gritty is pretty nitty and gritty. The basic things I missed were adding an additional database to the LDAP server (i.e. dc=domain2,dc=quena,dc=org), and getting the system to authenticate through both databases. The steps below should shed additional light. I can post configuration files if anyone is still interested after following the steps below.

1. Follow the "Making User's Happy" section in the "Samba-3 by Example" documentation to set up the first domain (MEGANET2). Include the steps of authenticating Linux users (POSIX users) using LDAP (via NSS and PAM).
2. Create an additional IP address (alias), say 192.168.1.225.
3. Copy the /etc/samba directory to /etc/samba/DOMAIN2.
4. Modify both of the smb.conf files to bind only to specific interfaces using the interfaces and the bind interfaces only smb.conf parameters. The first domain gets eth0 and lo (for access to the LDAP server) while the second domain gets the alias interface only (i.e. interfaces = 192.168.1.225). Add the private dir parameters to each of the files and separate the lock and log file parameters accordingly (i.e. /var/log/samba/DOMAIN2 and /var/run/samba/DOMAIN2).
5. Change the workgroup and netbios name for the new domain to DOMAIN2 and DOMAIN2_PDC in the new smb.conf file.
6. Add another database to the LDAP server for DOMAIN2 (i.e. dc=domain2,dc=quena,dc=org). To do this, duplicate the first database section (i.e. dc=quena,dc=org). The new database section (dc=domain2,dc=quena,dc=org) needs to appear before the old one in the /etc/openldap/slapd.conf file. Restart LDAP (i.e. rcldap restart).
7. Get a SID for the new domain using net getsid DOMAIN2.
8. Execute smbpasswd -c /etc/samba/DOMAIN2/smb.conf -w secret to set the password for DOMAIN2.
9. Copy the /var/lib/samba/sbin scripts (IDEALX) to /var/lib/samba/sbin/DOMAIN2 and modify the base DN, suffix, and SID parameters in the Perl configuration module file of the copy.
10. Run the smbldap-populate script for the new domain to add initial entries to the new LDAP database. You will have to change the Administrator name for the new domain to something like DOMAIN2_Administrator since you can't have duplicate uids. You should be able to verify they got added using slapcat or ldapsearch (you may have to restart the LDAP server).
11. Modify your /etc/ldap.conf file to get the system to authenticate using both databases (since Samba requires all users and machines to have POSIX accounts). To do this, duplicate the first section of the file within the file and change the LDAP info in the new section. You can verify that you've done this correctly by running getent passwd. You should see all of the old entries, plus the new entries.
12. Start your new smbd and nmbd processes specifying the new smb.conf file (i.e. smbd -l /var/log/samba/DOMAIN2 -D -s /etc/samba/DOMAIN2/smb.conf).
13. You should be able to verify the operation of the new domain by running smbclient -U % -L DOMAIN2_PDC.
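The configuration the steps above describe, written out as an added example (this is not the poster's actual configuration, which was never posted to the thread). It shows the second domain's smb.conf bound only to the alias address with its own private, lock, PID and log locations, and the slapd.conf database ordering from step 6. The host names, paths, addresses and the admin DN are assumptions; the SID is a placeholder to be replaced by the value net getsid returns, and the LDAP admin password is set with smbpasswd -w rather than stored here.

```ini
# --- file: /etc/samba/DOMAIN2/smb.conf (second PDC instance) ---
[global]
   workgroup = DOMAIN2
   netbios name = DOMAIN2_PDC
   security = user
   domain logons = yes
   domain master = yes
   # Listen on the alias address only, so this instance never answers
   # for the first domain's address; "bind interfaces only" is what makes
   # the "interfaces" list a restriction rather than a hint.
   interfaces = 192.168.1.225
   bind interfaces only = yes
   # Separate state for this instance: secrets.tdb (domain SID, LDAP
   # password), lock/tdb files, pid files and logs must not be shared
   # with the MEGANET2 instance or the two smbds will overwrite each other.
   private dir = /var/lib/samba/DOMAIN2/private
   lock directory = /var/run/samba/DOMAIN2
   pid directory = /var/run/samba/DOMAIN2
   log file = /var/log/samba/DOMAIN2/log.%m
   # Accounts for this domain live in their own LDAP database (step 6).
   # The loopback LDAP connection is outbound and is not affected by
   # the "interfaces" restriction above.
   passdb backend = ldapsam:ldap://127.0.0.1
   ldap suffix = dc=domain2,dc=quena,dc=org
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap admin dn = cn=Manager,dc=domain2,dc=quena,dc=org
   ldap ssl = no

# --- file: /etc/openldap/slapd.conf (database ordering, step 6) ---
# slapd matches a request against database suffixes in the order they
# appear. dc=domain2,dc=quena,dc=org is a subtree of dc=quena,dc=org,
# so the more specific database must be listed first; otherwise every
# DOMAIN2 entry is routed into the MEGANET2 database.
database        bdb
suffix          "dc=domain2,dc=quena,dc=org"
rootdn          "cn=Manager,dc=domain2,dc=quena,dc=org"
rootpw          {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT
directory       /var/lib/ldap/domain2

database        bdb
suffix          "dc=quena,dc=org"
rootdn          "cn=Manager,dc=quena,dc=org"
rootpw          {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT
directory       /var/lib/ldap
```

Check the Samba side with testparm -s /etc/samba/DOMAIN2/smb.conf before starting the second daemons, and confirm with slapcat that an entry under dc=domain2 ends up in /var/lib/ldap/domain2 rather than in the first database. Because the two instances share one LDAP server, the admin DN for each domain should only have write access to its own subtree, so a compromised account in one lab domain cannot be used to edit the other's sambaSAMAccount entries.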