Hi,

I have already searched for three days now but I can't find any tips. I am running a Samba PDC based on smb 3.0.23. Now I want to integrate a second Samba server which should serve several clients, just to decrease the load on the PDC. This should not be a BDC, just a domain member. For user management I use OpenLDAP. Well, what do I need for this scenario? Do I need winbind or can I just configure the 2nd server to use the same LDAP information as the PDC?

I would be thankful if somebody could give me a hint.
Hello Sascha, you (tdy_shadow) wrote on 10.06.08:

> I have already searched for three days now but I can't find any tips. I
> am running a Samba PDC based on smb 3.0.23.

First of all you should update to Samba 3.0.30.

Best regards!
Helmut
Take this as a hint:

[global]
interfaces = lo eth0
bind interfaces only = Yes
name resolve order = wins bcast lmhosts host
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
load printers = Yes
unix charset = UTF-8
display charset = UTF-8
workgroup = DOMAIN
netbios name = NETBIOSNAME
admin users = @"Domain Admins"
guest account = gast
server string = FileServer %v
security = user
encrypt passwords = Yes
log level = 1 vfs:1
log file = /var/log/samba/log.%m
syslog = 0
max log size = 100000
domain logons = No
os level = 32
preferred master = No
domain master = No
local master = No
wins server = 192.168.10.1
dns proxy = Yes
time server = Yes
#ldap##
passdb backend = ldapsam:"ldap://192.168.10.1"
ldap admin dn = cn=admin,dc=domain,dc=name
ldap suffix = dc=domain,dc=name
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
ldap ssl = no
ldap delete dn = Yes
ldap passwd sync = Yes
utmp = Yes
idmap uid = 1000-20000
idmap gid = 1000-20000
idmap backend = ldap:"ldap://192.168.10.1"
shutdown script = /sbin/shutdown
abort shutdown script = /sbin/shutdown -c
nt acl support = yes
kernel oplocks = yes
enable privileges = Yes
template shell = /bin/false
logon script =
logon path =
logon home =

############################
/etc/samba/smbldap.conf
############################
slaveLDAP="192.168.10.1"
slavePort="389"

masterLDAP="192.168.10.1"
masterPort="389"

Also set your ldap.conf and nsswitch.conf to the appropriate values.
----- Original Message ----
From: Helmut Hullen <Hullen@t-online.de>
To: samba@lists.samba.org
Sent: Tuesday, June 10, 2008 11:52:00 AM
Subject: Re: [Samba] 2nd smb server

> Hello Sascha, you (tdy_shadow) wrote on 10.06.08:
>
> > I have already searched for three days now but I can't find any tips. I
> > am running a Samba PDC based on smb 3.0.23.
>
> First of all you should update to Samba 3.0.30.

okay, and now ???

Best regards
Hi,

thanks for the help. I just got stuck in one problem: I joined the Samba domain. Everything runs well except that I can't see/use the domain groups. If I add a share on the 2nd Samba and define valid users = user1, the user can connect to that share. But if I add a group, e.g. @admins, that won't work. I don't understand why. I can even see that my PDC accepts and authenticates the user. Do I have to use idmap? Please help. I'm desperate.

Thanks and best regards

----- Original Message ----
From: Sascha Bieler <sascha.bieler@radiogong.de>
To: Sven Buchstaller <ask@quickline.de>; samba@lists.samba.org
Sent: Tuesday, June 10, 2008 12:45:54 PM
Subject: RE: [Samba] 2nd smb server

Ah ok, but it should work as you described.

> -----Original Message-----
> From: samba-bounces+sascha.bieler=radiogong.de@lists.samba.org
> [mailto:samba-bounces+sascha.bieler=radiogong.de@lists.samba.org] On
> Behalf Of Sven Buchstaller
> Sent: Tuesday, June 10, 2008 12:39 PM
> To: samba@lists.samba.org
> Subject: AW: [Samba] 2nd smb server
>
> Hi Sascha
>
> I think Sascha aka tdy_shadow means something else. I have set up this
> scenario for some weeks but I have some trouble, when you look
> at my question in this list like "second samba pdc".
> First he must set up the second PDC on a separate physical machine, with
> the newest Samba version for "trusted domains" ...
> Then you must do on the LDAP the groupmaps for the second PDC for
> Windows and Unix, you can't use the same from the 1st PDC.
> After that you can add user host groups.
> Don't forget the SIDs must be the same for the hosts, users and groups
> of a domain, only the RIDs must not be the same.
> Then add the infos in your smb.conf, I use WINS for NetBIOS.
> Winbind you only need when you authenticate on a Windows Server.
> That was a crash info; when you need more help send me an email, today
> I have not much time, sorry.
>
> P.S.
> The Second Domain works here
>
> Kind regards
>
> Sven
>
> Sorry for bad English
>
> > -----Original Message-----
> > From: samba-bounces+ask=quickline.de@lists.samba.org
> > [mailto:samba-bounces+ask=quickline.de@lists.samba.org] On
> > Behalf Of Sascha Bieler
> > Sent: Tuesday, 10 June 2008 12:15
> > To: 'Sascha'; samba@lists.samba.org
> > Subject: RE: [Samba] 2nd smb server
> >
> > Take this as a hint:
> >
> > [...]
> >
> > Also set your ldap.conf and nsswitch.conf to the appropriate values.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
Read chapter 7 of Samba3 By Example.pdf. It explains how to add domain member servers using NSS_LDAP and LDAP backend. No, you won't need winbind.

Sascha wrote:
> Hi,
>
> [...]
Hi,

yes, thanks for the tip but that's what I have already done. The problem is that I can't see my domain groups:

srv001:/ # net rpc info -S SRV001 -U admin
Password:
Domain Name: INTERN
Domain SID: S-1-5-21-3195058373-2734789582-569256879
Sequence number: 1213134789
Num users: 125
Num domain groups: 0
Num local groups: 0

Where could the problem be? "net groupmap list" shows me all my group mappings. I really don't know where to start. Please help...

----- Original Message ----
From: Adam Williams <awilliam@mdah.state.ms.us>
To: Sascha <tdy_shadow@yahoo.com>
Cc: samba@lists.samba.org
Sent: Tuesday, June 10, 2008 4:54:46 PM
Subject: Re: [Samba] 2nd smb server

> [...]
> ----- Original Message ----
> From: Adam Williams <awilliam@mdah.state.ms.us>
> To: Sascha <tdy_shadow@yahoo.com>
> Cc: samba@lists.samba.org
> Sent: Wednesday, June 11, 2008 9:46:18 PM
> Subject: Re: [Samba] 2nd smb server
>
> the groups are domain groups, not local groups, so instead of -S SRV001 try -D INTERN

same here

srv001:/ # net rpc info -S NORDENHAM -U admin
Password:
Domain Name: INTERN
Domain SID: S-1-5-21-3195058373-2734789582-569256879
Sequence number: 1213134789
Num users: 125
Num domain groups: 0
Num local groups: 0

Don't know where to look. Everything seems to work fine on the PDC, except that I can't see the domain groups. getent and groupmap list work quite fine. But the net rpc command won't work. wbinfo -g on the domain member server also won't work. Instead wbinfo -u returns all domain members. First I thought it's a problem with my LDAP attrs, but I have a variable called sambaGroupType with a value of 2. I really don't know where to look. I think it's a problem with my config.
[global]
workgroup = INTERN
netbios name = SRV001
name resolve order = wins hosts bcast
wins proxy = yes
wins support = yes
time server = yes
unix charset = ISO8859-1
display charset = ISO8859-1
dos charset = CP850
load printers = no
show add printer wizard = no
case sensitive = no
getwd cache = yes
use sendfile = no
deadtime = 15
max open files = 100000
hide files = desktop.ini
guest ok = yes
os level = 99
preferred master = yes
local master = no
domain master = no
domain logons = no
admin users = root, "@Domain Admins"
ldap admin dn = cn=Manager,dc=test01,dc=intern
ldap ssl = start_tls
ldap delete dn = no
ldap suffix = ou=SAM,dc=test01,dc=intern
ldap user suffix = ou=Workers,ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Machines
ldap passwd sync = yes
pam password change = yes
security = users
passdb backend = ldapsam:ldap://ldap001.domain.intern
encrypt passwords = yes
log file = /var/log/samba/log.%m
log level = 1 vfs:2
debug pid = yes
max log size = 20480
interfaces = eth0 lo
bind interfaces only = yes
hosts allow = 127.0.0.1 192.168.1.0/255.255.255.0
hosts deny = 0.0.0.0/0
map acl inherit = yes
logon drive = I:
logon path = \\%N\%U\.profile
logon script = %U.bat
oh, pasted the wrong command. actually it was

srv001:/ # net rpc info -D INTERN -U admin
Password:
Domain Name: INTERN
Domain SID: S-1-5-21-3195058373-2734789582-569256879
Sequence number: 1213134789
Num users: 125
Num domain groups: 0
Num local groups: 0

----- Original Message ----
From: Sascha <tdy_shadow@yahoo.com>
To: samba@lists.samba.org
Sent: Thursday, June 12, 2008 7:31:21 AM
Subject: Re: [Samba] 2nd smb server

> [...]
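The thread never settles why `net rpc info` reports zero domain groups while `net groupmap list` shows mappings. As an added illustration (my own code, not from the thread), the script below cross-checks the three outputs the poster mentions: each mapped group's SID has to be the domain SID plus its own RID, as Sven notes, and each Unix group has to resolve through NSS (`getent group`). The sample outputs are constructed inline; only the domain SID and the `net rpc info` layout are taken from the thread, and Python 3.8 or later is assumed.

```python
import re

# Constructed sample, modelled on the `net rpc info` run in the thread.
NET_RPC_INFO = """\
Domain Name: INTERN
Domain SID: S-1-5-21-3195058373-2734789582-569256879
Num domain groups: 0
"""

# Constructed `net groupmap list` output ("NT name (SID) -> unix group");
# the "admins" entry carries a SID whose prefix is not this domain's SID.
NET_GROUPMAP_LIST = """\
Domain Admins (S-1-5-21-3195058373-2734789582-569256879-512) -> domadmins
Domain Users (S-1-5-21-3195058373-2734789582-569256879-513) -> domusers
admins (S-1-5-21-1111111111-2222222222-3333333333-1001) -> admins
staff (S-1-5-21-3195058373-2734789582-569256879-1003) -> staff
"""

# Constructed `getent group` output; "staff" is not resolvable via NSS.
GETENT_GROUP = """\
domadmins:x:512:admin
domusers:x:513:
admins:x:1001:admin,user1
"""

def domain_sid(rpc_info):
    # The domain SID is the S-1-5-21-x-y-z part; a domain group's SID is
    # that prefix plus its own RID.
    m = re.search(r"^Domain SID:\s*(S-1-5-21-\d+-\d+-\d+)\s*$", rpc_info, re.M)
    if not m:
        raise ValueError("no Domain SID line in net rpc info output")
    return m.group(1)

def parse_groupmap(text):
    # Returns (nt_name, sid, unix_group) triples from net groupmap list lines.
    pat = re.compile(r"^(.+?) \((S-1-5-[\d-]+)\) -> (\S+)\s*$")
    return [m.groups() for l in text.splitlines() if (m := pat.match(l))]

def check_groupmaps(rpc_info, groupmap, getent):
    # Returns (nt_name, problem) pairs for mappings that cannot be domain
    # groups of this domain or whose Unix group NSS cannot resolve.
    dom = domain_sid(rpc_info)
    unix_groups = {l.split(":")[0] for l in getent.splitlines() if ":" in l}
    problems = []
    for nt_name, sid, unix in parse_groupmap(groupmap):
        if not sid.startswith(dom + "-"):
            problems.append((nt_name, "SID not in domain " + dom))
        if unix not in unix_groups:
            problems.append((nt_name, "Unix group not resolvable via NSS: " + unix))
    return problems
```

On a real member server, feed it the captured output of the three commands instead of the constructed strings; an empty result means every mapping is a domain group with a resolvable Unix group.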