samba - Oct 2005 - PDC for Multiple Domains from a Single Samba Box

I've struggled with this for a couple of weeks, and have looked at countless
posts and at the Samba documentation collection with no real solution.

I'm setting up a lab that needs to have multiple domains (for machine / user
segregation politics) for around 40 windows XP professional machines.  I have 
a single Linux server running Suse 9.2.  I would like for this server to be 
able to act as the PDC for N domains.  I am using ldap as the password/ 
account back end running on the same box.  I'm also running dhcpd and DNS on
this box.

I followed the Samba-How-To to setup 'MEGANET2' and have several of the 
windows boxes participating in that domain with what appears to be success 
(thanks to the writer).  I then, based on what I could find doing google 
searches, created an additional ip address (alias) and an additional smb.conf 
file specifying to bind to the aliased ip address.  I modified the 
samba3.schema file to remove the single-value flag from the sambaSID 
attribute and added additional sambaSIDs for the new domain for all of the 
accounts housed in the ldap tree.  I also added an additional sambaDomain 
entry for the new domain.

I started another smbd and nmbd process using the new smb.conf file.  My 
server now has two each smbd and nmbd processes (each using the different 
smb.conf files).

I can join the new domain from an XP box (using the same administrator account 
as with the other domain), however, when I reboot (as required when a domain 
is joined), none of my user names or passwords work at the logon window (even 
though I pick the new domain from the drop down box).  I get various messages 
ranging from domain not found to user name or password is incorrect.

I've see a couple of posts that say this topic was discussed in detail on
the
list during 2001, but I cannot find the posts.  

1.  Am I trying something that just won't work?
2.  Does a PDC have to belong to the domain? ( I cannot get net -w
'newdomain'
rpc join -U Administrator%passwd to work for the new domain)
3.  Has anyone got a configuration like this working?
4.  Do I need to be running two nmbds?
5  What about winbindd?

Any help would be greatly appreciated.
 
Thanks,

Brian Palmer
e-mail: palmer@westar.com

I finally got this to work!

-Brian Palmer

Palmer, Brian G Contractor/Westar schrieb:
> I finally got this to work!
tell us how then?

The nitty gritty is pretty nitty and gritty.  The basic things I missed was
adding an additional database to the LDAP server (i.e.
dc=domain2,dc=quena,dc=org), and getting the system to authenticate through both
databases.  The steps below should shed additional light.  I can post
configuration files if anyone is still interested after following the steps
below.

1. Follow the "Making User's Happy" section in the "Samba-3
by Example" documentation to set up the first domain (MEGANET2).  Include
the steps of authenticating Linux users (Posix users) using ldap (via NSS and
PAM).
2. Create an additional IP address (alias) say 192.168.1.225.
3. Copy the /etc/samba directory to /etc/samba/DOMAIN2.
4. Modify both of the smb.conf files to bind only to specific interfaces using
the interfaces and the bind interfaces only smb.conf parameters.  The first
domain gets eth0 and lo (for access to the ldap server ) while the second domain
gets the alias interface only (i.e interfaces = 192.168.1.225).  Add the private
dir parameters to each of the files and separate the lock and log file
parameters accordingly (i.e. /var/log/samba/DOMAIN2 and /var/run/samba/DOMAIN2).
5. Change the workgroup and netbios name for the new domain to DOMAIN2 and
DOMAIN2_PDC in the new smb.conf file.
6. Add another database to the LDAP server for the DOMAIN2 (i.e. dc=domain2,
dc=quena, dc=org).  To do this, duplicate the first database section (i.e.
dc=quena, dc=org).  The new database section (dc=domain2, dc=quena, dc=org)
needs to appear before the old in the /etc/openldap/slapd.conf file.  Restart
ldap (i.e. rcldap restart).
7. Get a SID for the new domain using the net getsid DOMAIN2.
8. Execute smbpasswd ?c /etc/samba/DOMAIN2/smb.conf ?w secret to set the
password for DOMAIN2.
9. Copy the /var/lib/samba/sbin scripts (Idealx) to /var/lib/samba/sbin/DOMAIN2
and modify the base DN, suffix, and SID parameters in the perl configuration
module file of the copy.
10. Run the smbldap-populate script for the new DOMAIN to add initial entries to
the new LDAP database.  You will have to change the Administrator name for the
new domain to something like DOMAIN2_Administrator since you can?t have
duplicate uids.  You should be able to verify they got added using slapcat or
ldapsearch (you may have to restart the LDAP server).
11. Modify your /etc/ldap.conf file to get the system to authenticate using both
databases (since Samba requires all users and machines to have Posix accounts). 
To do this, duplicate the first section of the file within the file and change
the LDAP info in the new section.  You can verify that you?ve done this
correctly by running getent passwd.  You should see all of the old entries, plus
the new entries.
12. Start your new smbd and nmbd processes specifying the new smb.conf file
(i.e. smbd ?l /var/log/samba/DOMAIN2 ?D ?s /etc/samba/DOMAIN2/smb.conf)
13. You should be able to verify the operation of the new domain by running
smbclient ?U % -L DOMAIN2_PDC.