casfre@gmail.com
2009-Feb-04 02:19 UTC
[Samba] Idmap + LDAP + winbind: our first BDC - doubts about idmap ranges and winbindd + Idmap dn
Hi,

My doubt is about Idmap + LDAP + winbind, related to BDC + PDC. We are using Samba 3.0.33 (Slackware 12.0.0).

Our layout is almost like this one http://us1.samba.org/samba/docs/man/Samba-Guide/images/chap6-net.png, but we have more BLDGn than this example.

Actually, we are taking ideas from http://us1.samba.org/samba/docs/man/Samba-Guide/happy.html and from http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html.

We are reading the docs again, but I would like to clarify some points, if possible, to understand "the picture".

We have never had a BDC before. Winbindd is not running in our PDC. We want a BDC to divide the authentication load with our PDC.

Initially, we will install just one BDC. We have been using Samba + LDAP (with SSL) + smbldaptools since the beginning so, our users (people and machines) are all in the LDAP base. In the future, if the results are good, we will install more BDCs, using the same logic.

We have idmap uid and idmap gid with 10000 - 20000 default values (smb.conf in PDC). We already have more than 20000 users in our base (actually, more than 20000 uids; some of them were deleted). We use nss_ldap + nscd in our PDC (nsswitch).

We need to have UID/GID/SID constant in all servers (PDC + BDCs).

We used roaming profiles in the past, but we are not using them now.

User's home directories are available using [homes] service (drive Y:).

At this moment we will use the strategy of one LDAP master for the two servers. We are planning to have slave LDAPs, but not now.

Our conclusions until now:

Modify smb.conf, in PDC to use:

- idmap backend = ldaps://ourldap
- idmap uid = 2147483648 - 4294967295
- idmap gid = 2147483648 - 4294967295

Modify smb.conf, in BDC, according to PDC's smb.conf and using the same lines above.

Sure, we will configure/adjust BDC with nss_ldap and do the tests in those guides I already told.

What we are worried about follows:

- Winbindd must run in PDC?
- Our intended idmap (uid and gid) ranges are acceptable (32-bit OS)?
- Winbindd is "the man" that will use idmap values and maintain LDAP Idmap dn?
- Just Winbindd running in BDCs will modify LDAP Idmap dn?
- If we run winbindd (with LDAP) and "mess the whole thing", can we just start again without "destroying" our PDC UID/GID/SID? We have LDAP's base backup. We do not want to, but we can restore the base in the case of a "disaster".
- Home directories will be kept just in PDC. Is it enough to adjust the maps (logon path, logon drive etc) in BDC to use PDC reference? I mean, instead of \\%L\... we will use \\OURPDCNAME\...

I know that is a lot of questions, but we are trying to avoid problems and to understand as much as we can before setting up our first BDC.

Thanks for your attention.

Best regards,
Cássio
John H Terpstra
2009-Feb-04 03:21 UTC
[Samba] Idmap + LDAP + winbind: our first BDC - doubts about idmap ranges and winbindd + Idmap dn
On Tuesday 03 February 2009 19:53:35 casfre@gmail.com wrote:
> Hi,
>
> My doubt is about Idmap + LDAP + winbind, related to BDC + PDC. We
> are using Samba 3.0.33 (Slackware 12.0.0).
>
> Our layout is almost like this one
> http://us1.samba.org/samba/docs/man/Samba-Guide/images/chap6-net.png,
> but we have more BLDGn than this example.

OK. When I wrote that chapter I reduced the number of sites. I have installed Samba 3.0.x in one company that had 11 sites - when you get a two site installation working correctly the others are just copies of the second one.

> Actually, we are taking ideas from
> http://us1.samba.org/samba/docs/man/Samba-Guide/happy.html
> and from
> http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html.

OK.

> We are reading the docs again, but I would like to clarify some
> points, if possible, to understand "the picture".

I'll try to answer.

> We have never had a BDC before. Winbindd is not running in our
> PDC. We want a BDC to divide the authentication load with our PDC.

With Samba 3.0.x the use of winbind is not imperative. You can run without it.

> Initially, we will install just one BDC. We have been using Samba +
> LDAP (with SSL) + smbldaptools since the beginning so, our users (people
> and machines) are all in the LDAP base. In the future, if the results
> are good, we will install more BDCs, using the same logic.

That's OK. Take it slowly, add one BDC at a time, that way you will be better able to see what is going on.

> We have idmap uid and idmap gid with 10000 - 20000 default values
> (smb.conf in PDC).

If you are not running winbind you do not need the idmap entries.

> We already have more than 20000 users in our base
> (actually, more than 20000 uids; some of them were deleted). We use
> nss_ldap + nscd in our PDC (nsswitch).

Be careful with nscd, there can be side-effects to using it. It does work though.

> We need to have UID/GID/SID constant in all servers (PDC + BDCs).
> We used roaming profiles in the past, but we are not using them now.

That is achieved via LDAP using nss_ldap - nothing to do with Samba in your case.

> User's home directories are available using [homes] service (drive Y:).

Again, this is done through LDAP. You have control over this via LDAP. You can use the pdbedit tool to change home directory locations.

> At this moment we will use the strategy of one LDAP master for the
> two servers. We are planning to have slave LDAPs, but not now.

That's fine.

> Our conclusions until now:
>
> Modify smb.conf, in PDC to use:
>
> - idmap backend = ldaps://ourldap
> - idmap uid = 2147483648 - 4294967295
> - idmap gid = 2147483648 - 4294967295

As I said, only needed if running winbind. If you specify this make sure it is written in smb.conf like this:

    idmap uid = 2147483648-4294967295

Note: No space between the numbers and the '-'

> Modify smb.conf, in BDC, according to PDC's smb.conf and using
> the same lines above.

Again, not needed if you do not run winbind.

> Sure, we will configure/adjust BDC with nss_ldap and do the tests
> in those guides I already told.

Good.

> What we are worried about follows:
>
> - Winbindd must run in PDC?

Not essential. I always do, but it is not essential.

> - Our intended idmap (uid and gid) ranges are acceptable (32-bit OS)?

Depends on what your Linux platform supports.

> - Winbindd is "the man" that will use idmap values and maintain LDAP
> Idmap dn?
> - Just Winbindd running in BDCs will modify LDAP Idmap dn?

No, you both will depending on how you configure LDAP and Samba. Both CAN update LDAP if you wish - it does no harm.

> - If we run winbindd (with LDAP) and "mess the whole thing", can we
> just start again without "destroying" our PDC UID/GID/SID? We have
> LDAP's base backup. We do not want to, but we can restore the base in
> the case of a "disaster".

In the worst case, just delete the ou=idmap tree from your LDAP directory and start again. What is your concern?

> - Home directories will be kept just in PDC. Is it enough to adjust
> the maps (logon path, logon drive etc) in BDC to use PDC reference? I
> mean, instead of \\%L\... we will use \\OURPDCNAME\...

Home directories can be stored on any server on which it is convenient to store them. It does not HAVE to be the PDC.

> I know that is a lot of questions, but we are trying to avoid
> problems and to understand as much as we can before setting up our
> first BDC.

I hope this helps. Please, please do your learning and testing on a test network. It is a bad idea to experiment on a live network.

Enjoy Samba!

Cheers,
John T.
--
John H Terpstra
"If at first you don't succeed, don't go sky-diving!"
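As an added example, not from this thread or from the Samba project: a small Python checker for the idmap lines discussed above, for running before a PDC/BDC pair goes live. It parses the [global] section of constructed smb.conf excerpts, flags the spaced range form the reply warns against, checks the bounds against a 32-bit uid_t (the "acceptable on a 32-bit OS" question), flags overlap with ids the directory already allocates, and confirms that PDC and BDCs carry identical ranges, since the question's requirement is that UID/GID/SID stay constant across servers. The sample files, hostnames and the existing_max value are constructed; the (uid_t)-1 and signed-32-bit caveats are general Linux facts added here, not claims made by either poster.

```python
import re
from typing import Dict, List

# Constructed smb.conf excerpts for the checker's demonstration (not the poster's real files).
# PDC_AS_POSTED uses the spaced range form from the question; PDC_FIXED uses the form
# the reply recommends (no spaces around the '-').
PDC_AS_POSTED = """
[global]
   workgroup = EXAMPLEDOM
   idmap backend = ldaps://ourldap
   idmap uid = 2147483648 - 4294967295
   idmap gid = 2147483648 - 4294967295
"""
PDC_FIXED = PDC_AS_POSTED.replace(" - ", "-")

# A BDC whose range drifted from the PDC's (constructed to trigger the mismatch check).
BDC_DRIFTED = """
[global]
   workgroup = EXAMPLEDOM
   idmap backend = ldaps://ourldap
   idmap uid = 2147483648-4294967294
   idmap gid = 2147483648-4294967294
"""

UID_T_MAX = 2**32 - 1   # largest value an unsigned 32-bit uid_t can hold
INT32_MAX = 2**31 - 1   # above this, tools that keep ids in a signed int misbehave

LOOSE_RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")   # accepts spaces, for diagnosis only
STRICT_RANGE = re.compile(r"^(\d+)-(\d+)$")        # the form the reply asks for


def parse_global(conf: str) -> Dict[str, str]:
    """Return the [global] parameters of an smb.conf text as {name: raw value}.

    Names are lowercased with whitespace collapsed, so 'IdMap  UID' and 'idmap uid'
    land on the same key; other sections ([homes], shares) are ignored.
    """
    params: Dict[str, str] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[" ".join(name.split()).lower()] = value.strip()
    return params


def check_range(name: str, value: str, existing_max: int = 0,
                platform_max: int = UID_T_MAX) -> List[str]:
    """Findings for one 'idmap uid' / 'idmap gid' value; an empty list means it passed."""
    findings: List[str] = []
    m = LOOSE_RANGE.match(value)
    if not m:
        return [f"{name}: '{value}' is not a LOW-HIGH range"]
    low, high = int(m.group(1)), int(m.group(2))
    if not STRICT_RANGE.match(value):
        findings.append(f"{name}: write it as '{low}-{high}' (no spaces around '-')")
    if low >= high:
        findings.append(f"{name}: low bound {low} is not below high bound {high}")
    if high > platform_max:
        findings.append(f"{name}: high bound {high} exceeds platform maximum {platform_max}")
    if high == UID_T_MAX:
        findings.append(f"{name}: {high} is (uid_t)-1, the 'invalid / no change' id on Linux")
    if high > INT32_MAX:
        findings.append(f"{name}: ids above {INT32_MAX} are mishandled by tools using signed 32-bit ids")
    if low <= existing_max:
        findings.append(f"{name}: range starts at {low} but the directory already uses ids up to {existing_max}")
    return findings


def check_servers(confs: Dict[str, str], existing_max: int = 0) -> Dict[str, List[str]]:
    """Run check_range for every server and flag any server whose range differs from the rest.

    PDC and BDCs share one idmap tree in LDAP, so their idmap uid/gid lines must be
    identical or a SID could map to different ids depending on which DC answered.
    """
    report: Dict[str, List[str]] = {}
    normalized: Dict[str, Dict[str, str]] = {}
    for host, conf in confs.items():
        params = parse_global(conf)
        report[host] = []
        for name in ("idmap uid", "idmap gid"):
            if name not in params:
                report[host].append(f"{name}: not set (only needed when winbindd runs)")
                continue
            report[host].extend(check_range(name, params[name], existing_max))
            m = LOOSE_RANGE.match(params[name])
            if m:
                normalized.setdefault(name, {})[host] = f"{int(m.group(1))}-{int(m.group(2))}"
    for name, per_host in normalized.items():
        if len(set(per_host.values())) > 1:
            for host, rng in per_host.items():
                report[host].append(f"{name}: {rng} differs from the other servers")
    return report


if __name__ == "__main__":
    # existing_max=35000 is a constructed stand-in for the highest uid already in the directory.
    for host, findings in check_servers({"pdc": PDC_AS_POSTED, "bdc": BDC_DRIFTED},
                                        existing_max=35000).items():
        print(host)
        for finding in findings:
            print("  ", finding)
```

Running it on the PDC excerpt as posted reports the spacing problem plus two range caveats; on the drifted BDC it reports that both idmap lines differ from the PDC. A range such as 100000-199999 that sits above the ids already in the directory passes cleanly, which is the property worth checking before a second DC starts writing to ou=idmap.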