Hi All,

I have a domain setup soon to go into production. We have 3 buildings, each containing a fileserver for that building's users (home drives/share drives). I've been using the smbldap-tools on the PDC, which is all working fine. Is it possible to join another server to the domain, also using the smbldap-tools, with a different config, that will set up a user's home drive, etc. on that server, or will a setup like this need to be done manually? I have a test BDC that I've been playing with trying to do this, but if I do smbldap-useradd from the BDC the user can't get logged on with an error message "A device attached to the system is not functioning" on the windows client (the account does get set up in ldap). In the smbldap-tools config I used the SID of the BDC, which I'm guessing might be my problem... should I change that to the SID of the PDC?

Also, with a samba/ldap domains setup - how can I allow a user to have shell access on one server on the domain, but not on the other servers on the domain? Can this be done through the domain/ldap, or in this scenario will shell logons have to be managed locally on the individual servers?

Thanks,
Matt.

--
Matt Ingram
Intermediate Unix Administrator, IS
Canadian Bank Note Company, Limited

\m/

On Tue, 2006-03-21 at 09:26 -0500, Matt Ingram wrote:
> Hi All,
>
> I have a domain setup soon to go into production. We have 3 buildings,
> each containing a fileserver for that building's users (home drives/share
> drives). I've been using the smbldap-tools on the PDC, which is all
> working fine. Is it possible to join another server to the domain, also
> using the smbldap-tools, with a different config, that will set up a
> user's home drive, etc. on that server, or will a setup like this need to
> be done manually? I have a test BDC that I've been playing with trying
> to do this, but if I do smbldap-useradd from the BDC the user can't get
> logged on with an error message "A device attached to the system is not
> functioning" on the windows client (the account does get set up in
> ldap). In the smbldap-tools config I used the SID of the BDC, which I'm
> guessing might be my problem... should I change that to the SID of the PDC?
----
why fly by the seat of your pants on this when the documentation tells you what you need to know?

see http://www.samba.org/samba/docs - the "By Example" where it discusses PDC's and BDC's and how to manage them
----
>
> Also, with a samba/ldap domains setup - how can I allow a user to have
> shell access on one server on the domain, but not on the other servers
> on the domain? Can this be done through the domain/ldap, or in this
> scenario will shell logons have to be managed locally on the individual
> servers?
----
I'm quite certain that is possible but I haven't done it. It is not a samba question at all but working through your LDAP implementation as it relates to the posix structures on each UNIX/Linux system that you offer shell accounts and thus, well out of the scope of this list.

Craig

On Wed, 2006-03-22 at 08:43 -0500, Matt Ingram wrote:
>
> Craig White wrote:
> > --
> > why fly by the seat of your pants on this when the documentation tells
> > you what you need to know?
> >
> > see http://www.samba.org/samba/docs - the "By Example" where it
> > discusses PDC's and BDC's and how to manage them
> >
> hmm are you referring to the chapter on Making Happy Users? That
> chapter does not address the scenario I am going for. The sample
> given is still using home drives that reside on the PDC and mounted on
> the BDC via NFS; which is not what I'm looking for. What I'm looking
> for is, Site one's users' home drives exclusively running off of BDC1;
> site 2's users' home drives exclusively running off of BDC2, and so on.
>
> Here's what I've tried:
> on the BDC's smbldap-tools I've set the smbldap-tools.conf SID to that
> of the PDC instead of the BDC's SID, while things like the home drive
> are pointing to the BDC, instead of the PDC. This seems to work, the
> way I was hoping.. are you aware of any problems having the setup like this?
----
let's keep this on list please.

doesn't sound remotely like the samba documentation describes it and if it works for you - great.

The intent of samba software is that PDC and any/all BDC's have the exact same LDAP data - at least as far as all Samba user/group/computer attributes are concerned and a BDC would have its own SID, not the same SID as the PDC. That would track the methodology of a Windows NT 4 type DOMAIN.

Since a passdb of LDAP or tdb types actually permit you to have user home drives and profiles set individually, it really isn't much effort to assign these paths individually for users to whichever server you want them to use.

Am I aware of any problems having the setup like you have described yours to be? No - but I tend towards setting things up as they were intended to be done.

Craig
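
The per-user path assignment described in the last reply, as an added example that is not part of the thread or of the Samba or smbldap-tools code: it generates LDIF modify records that set the Samba 3 schema attributes sambaHomePath, sambaHomeDrive and sambaProfilePath per user according to site. The site map, user names, base DN, share layout and drive letter are constructed assumptions.

```python
import base64

# Constructed sample data; every name below is a hypothetical placeholder.
SITE_SERVER = {"site1": "BDC1", "site2": "BDC2"}   # site -> file server
USERS = {"alice": "site1", "bob": "site2", "renée": "site2"}
BASE_DN = "ou=Users,dc=example,dc=com"
HOME_DRIVE = "H:"                                   # assumed drive letter


def escape_rdn(value):
    """Escape a DN attribute value as RFC 4514 requires."""
    out = []
    for i, ch in enumerate(value):
        edge = (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " ")
        out.append("\\" + ch if ch in ',+"\\<>;' or edge else ch)
    return "".join(out)


def ldif_line(attr, value):
    """Emit 'attr: value', or base64 'attr:: ...' when RFC 2849 demands it."""
    safe = (value.isascii() and not any(c in value for c in "\r\n\0")
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def home_path_ldif(user, site):
    """One LDIF modify record pointing the user's paths at the site's server."""
    unc = "\\\\" + SITE_SERVER[site] + "\\"  # KeyError on an unmapped site
    attrs = [("sambaHomePath", unc + user),              # assumed [homes] share
             ("sambaHomeDrive", HOME_DRIVE),
             ("sambaProfilePath", unc + "profiles\\" + user)]  # assumed share
    lines = [ldif_line("dn", f"uid={escape_rdn(user)},{BASE_DN}"),
             "changetype: modify"]
    for attr, value in attrs:
        lines += [f"replace: {attr}", ldif_line(attr, value), "-"]
    return "\n".join(lines) + "\n"


def build_ldif(users):
    """Records for all users, separated by the blank line LDIF requires."""
    return "\n".join(home_path_ldif(u, s) for u, s in sorted(users.items()))


if __name__ == "__main__":
    print(build_ldif(USERS))
```

The printed records can be reviewed and then passed to ldapmodify; an unmapped site raises KeyError instead of silently falling back to a default server.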