Hi,

I'm not a seasoned samba user, but I do have a little experience with it (mostly small setups with a plain smbpasswd file and a few workstations). I also have some experience with OpenLDAP, and I've even written some objectclasses and attributes when the standard ones weren't enough. However, I'm trying to set up a midsized network using LDAP for SSO and I can't make samba work as I'd like... I'm probably doing something stupid or haven't read (or understood) the right part of the docs... any pointer will be greatly appreciated.

I have 5 offices and a central (hosted) server. This hosted server has a few virtual machines, each providing mostly only one service. I have an LDAP server for authentication and eventually corporate white pages with OpenLDAP, a mail server with postfix and dovecot, a web server and an intranet web application. I already created the users for the mail server and the web application in OpenLDAP and that's working just fine.

I have one linux server in each of the 5 offices that currently only works as a VPN endpoint (the hosted server acts as an OpenVPN server). There are independent Windows 2000 or 2003 servers in 3 of the 5 offices, each with its own domain (all with the same name, although they are disjoint).

I want to replace the Windows servers with the linux servers for file and print sharing... I don't need to migrate the accounts; there are not a lot of users and I can actually ask every user to enter their password again once to initialize the samba accounts. I don't want to use roaming profiles.

What I tried to do (and failed) was to install one samba server as a PDC in a virtual machine which wouldn't actually authenticate users, and make each of the linux servers in the offices a BDC for the same domain... For the time being, I'm using only the master LDAP server in the hosted server, but I will eventually make a slave LDAP server in each office server (I didn't want to fight samba and LDAP replication at the same time).
I created the PDC and filled it up with "net sam provision"... I then created one of the BDCs and I convinced it to add a user that was already in the LDAP tree using "smbpasswd -a user"... However, when I then tried to add a Windows XP host to the domain, I can't do it... apparently, it can't find any DC even though I tried manually configuring the WINS server in the Windows machine.

Here's the configuration for the PDC:

[global]
workgroup = MYCOMPANY
netbios aliases = samba0, samba-pdc
server string = %h server (Samba, Ubuntu)
map to guest = Bad User
passdb backend = ldapsam:ldap://ldap0.i.mycompany.org
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
logon path =
logon home =
domain logons = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=admin,cn=config
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=hosts
ldap passwd sync = yes
ldap suffix = o=mycompany
ldap ssl = no
ldap user suffix = ou=people
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap alloc backend = ldap
idmap uid = 90000-99999
idmap gid = 90000-99999
winbind enum users = Yes
winbind enum groups = Yes
idmap alloc config:range = 100000-500000
idmap alloc config:ldap_user_dn = cn=admin,cn=config
idmap alloc config:ldap_base_dn = ou=idmap,o=mycompany
idmap alloc config:ldap_url = ldap://ldap0.i.mycompany.org
idmap config MYCOMPANY:range = 100000-500000
idmap config MYCOMPANY:default = yes
idmap config MYCOMPANY:readonly = no
idmap config MYCOMPANY:ldap_base_dn = ou=idmap,o=mycompany
idmap config MYCOMPANY:ldap_user_dn = cn=admin,cn=config
idmap config MYCOMPANY:ldap_url = ldap://ldap0.i.mycompany.org
idmap config MYCOMPANY:backend = ldap
ldapsam:editposix = yes
ldapsam:trusted = yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers

And here's the configuration for the BDC:

[global]
workgroup = MYCOMPANY
netbios aliases = ar, mycompany-ar
server string = %h server (Samba, Ubuntu)
map to guest = Bad User
passdb backend = ldapsam:ldap://ldap0.i.mycompany.org
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
logon path =
logon home =
domain logons = Yes
domain master = No
dns proxy = No
wins proxy = Yes
wins server = 10.3.14.25
ldap admin dn = cn=admin,cn=config
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=hosts
ldap passwd sync = yes
ldap suffix = o=mycompany
ldap ssl = no
ldap user suffix = ou=people
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap alloc backend = ldap
idmap uid = 90000-99999
idmap gid = 90000-99999
winbind enum users = Yes
winbind enum groups = Yes
idmap alloc config:range = 100000-500000
idmap alloc config:ldap_user_dn = cn=admin,cn=config
idmap alloc config:ldap_base_dn = ou=idmap,o=mycompany
idmap alloc config:ldap_url = ldap://ldap0.i.mycompany.org
idmap config MYCOMPANY:range = 100000-500000
idmap config MYCOMPANY:default = yes
idmap config MYCOMPANY:readonly = no
idmap config MYCOMPANY:ldap_base_dn = ou=idmap,o=mycompany
idmap config MYCOMPANY:ldap_user_dn = cn=admin,cn=config
idmap config MYCOMPANY:ldap_url = ldap://ldap0.i.mycompany.org
idmap config MYCOMPANY:backend = ldap
ldapsam:editposix = yes
ldapsam:trusted = yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers

One thing that makes me a little suspicious is that running "smbclient -L localhost -N" on the BDC doesn't show me the master:

Domain=[MYCOMPANY] OS=[Unix] Server=[Samba 3.3.2]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      Network Logon Service
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (storni server (Samba, Ubuntu))
Domain=[MYCOMPANY] OS=[Unix] Server=[Samba 3.3.2]

        Server               Comment
        ---------            -------
        AR                   storni server (Samba, Ubuntu)
        MYCOMPANY-AR         storni server (Samba, Ubuntu)
        STORNI               storni server (Samba, Ubuntu)

        Workgroup            Master
        ---------            -------
        MYCOMPANY

When I do the same in the PDC, I see:

Domain=[CEJIL] OS=[Unix] Server=[Samba 3.3.2]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      Network Logon Service
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (auth0 server (Samba, Ubuntu))
Domain=[CEJIL] OS=[Unix] Server=[Samba 3.3.2]

        Server               Comment
        ---------            -------
        AUTH0                auth0 server (Samba, Ubuntu)
        SAMBA-PDC            auth0 server (Samba, Ubuntu)
        SAMBA0               auth0 server (Samba, Ubuntu)

        Workgroup            Master
        ---------            -------
        CEJIL                AUTH0

What can I be doing wrong?

TIA

--
Mariano Absatz - "El Baby"
el.baby at gmail.com
www.clueless.com.ar
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
If knowledge can create problems, it is not through ignorance that we can solve them.
-- Isaac Asimov
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
* TagZilla 0.066 * http://tagzilla.mozdev.org
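The smb.conf files quoted in the post above carry a few settings a reviewer would want to check before putting an ldapsam PDC/BDC pair into production, independently of the domain-join problem being asked about: "ldap ssl = no" on an ldap:// backend, an "ldap admin dn" under cn=config, guest access on shares, and idmap ranges that must not collide. The following linter is an added example, not code from the post or from the Samba project. It parses smb.conf the way Samba reads parameter names (case-insensitive, internal whitespace ignored), classifies the host as PDC, BDC or member, and reports those points as findings. The embedded sample configuration is constructed to mirror the PDC smb.conf from the post; the host names, DNs and paths in it are placeholders copied from that post, not real systems. The finding codes and the "start tls" default for "ldap ssl" are assumptions of this example (the latter matches the Samba 3 documentation).

```python
"""smb.conf linter for an ldapsam PDC/BDC setup.

Added example (not code from the original post or from Samba). The sample
configuration below is constructed to mirror the PDC smb.conf quoted in the
post; host names, DNs and paths are placeholders, not real systems.
"""
import re

SAMPLE_PDC_CONF = """\
[global]
workgroup = MYCOMPANY
passdb backend = ldapsam:ldap://ldap0.i.mycompany.org
domain logons = Yes
wins support = Yes
ldap admin dn = cn=admin,cn=config
ldap suffix = o=mycompany
ldap ssl = no
usershare allow guests = Yes
idmap uid = 90000-99999
idmap gid = 90000-99999
idmap config MYCOMPANY:range = 100000-500000
idmap config MYCOMPANY:backend = ldap

[netlogon]
path = /var/lib/samba/netlogon
guest ok = Yes
"""

YES = ("yes", "true", "1")


def normalize(key):
    """Samba matches parameter names case-insensitively and ignores internal
    whitespace, so 'Ldap SSL' and 'ldapssl' name the same parameter."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalized key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][normalize(key)] = value.strip()
    return sections


def parse_range(value):
    """'90000-99999' -> (90000, 99999)."""
    lo, hi = value.replace(" ", "").split("-")
    return int(lo), int(hi)


def ranges_overlap(a, b):
    """True when two inclusive (lo, hi) ranges share at least one id."""
    return a[0] <= b[1] and b[0] <= a[1]


def domain_role(conf):
    """'domain logons = yes' makes the host a DC; 'domain master = no' makes
    that DC a BDC, otherwise (yes or the default 'auto') it is the PDC."""
    g = conf.get("global", {})
    if g.get("domainlogons", "no").lower() not in YES:
        return "member"
    if g.get("domainmaster", "auto").lower() in ("no", "false", "0"):
        return "BDC"
    return "PDC"


def lint(conf):
    """Return a list of (code, message) findings for the parsed config."""
    findings = []
    g = conf.get("global", {})
    # ldapsam binds as 'ldap admin dn' and reads sambaNTPassword over this
    # connection; Samba 3 defaults 'ldap ssl' to 'start tls', 'no' disables it.
    if g.get("passdbbackend", "").startswith("ldapsam:ldap://") \
            and g.get("ldapssl", "start tls").lower() == "no":
        findings.append(("LDAP_PLAINTEXT",
                         "ldapsam over ldap:// with 'ldap ssl = no': the admin "
                         "bind password and NT hashes cross the wire in clear"))
    if g.get("ldapadmindn", "").lower().endswith("cn=config"):
        findings.append(("LDAP_ADMIN_DN_CONFIG_DB",
                         "ldap admin dn is under cn=config (the OpenLDAP config "
                         "database); verify it can write under 'ldap suffix'"))
    guest = sorted(s for s, p in conf.items() if p.get("guestok", "no").lower() in YES)
    if guest or g.get("usershareallowguests", "no").lower() in YES:
        findings.append(("GUEST_ACCESS", "guest access enabled: shares %s, "
                         "usershare allow guests = %s"
                         % (guest, g.get("usershareallowguests", "no"))))
    # Overlapping idmap ranges let two backends map different SIDs to one id.
    fixed = [parse_range(g[k]) for k in ("idmapuid", "idmapgid") if k in g]
    dom = [parse_range(v) for k, v in g.items()
           if k.startswith("idmapconfig") and k.endswith(":range")]
    for a in fixed:
        for b in dom:
            if ranges_overlap(a, b):
                findings.append(("IDMAP_OVERLAP", "idmap range %s overlaps %s" % (a, b)))
    return findings


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_PDC_CONF)
    print("role:", domain_role(conf))
    for code, msg in lint(conf):
        print(code, "-", msg)
```

Run against the sample, it classifies the host as a PDC and reports the plaintext LDAP channel, the cn=config admin DN and the guest-enabled netlogon share, while the 90000-99999 and 100000-500000 ranges are correctly left alone. Feeding it the BDC configuration from the post (with "domain master = No") classifies that host as a BDC; the same three findings apply there, since the BDC talks to the same ldap:// URL with the same settings.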