4 samba domains/one ldap backend/2 methods/which to use?

Barry Smoke bsmoke at bryantschools.org
Mon Feb 2 22:44:59 GMT 2004


In both methods tried, we can't successfully add XP machines to the
domain at the remote locations.
The main Samba is on our main campus, behind a 10.10 internal LAN.
The remote Sambas are on remote campuses, behind 10.xx networks:
10.11
10.12

All connected with our internal LAN via VPN.
######################################################################
Method 1) All PDCs, using the same LDAP database (thus inherent problems:
all users have SIDs generated with the primary domain's SID)
a) We set up our master LDAP server and Samba server on the same machine.
b) Replicated LDAP to the remote Samba servers, and set up referrals, so that
transactions to modify LDAP go back to the master.
c) Install IDEALX smbldap-tools on all Samba servers, using different
SIDs on each server.
d) Attempt to join an XP machine to the domain using
results:
Samba authenticates users correctly, and users are added correctly.
Adding Samba machine accounts at the remote servers errors out, while it
works on the main server.
The errors are sporadic, such as can't find domain, can't find user,

questions:
Why would users in the LDAP database generated with the master
Samba/LDAP domain/server be able to log in at the remote
site/domain... wouldn't the SIDs conflict?
Why would we not be able to join an XP machine to the domain, with the remote
server's SID configured in smbldap-tools (remember the remote server has a
different SID in smbldap-tools, thus adds users locally, which is
referred to the master)?
When run manually, the machine entry gets put into LDAP, and it gets
put into LDAP from the XP wizard also,
but it does not get the sambaSamAccount objectClass, along with the
SIDs Samba generates, thus causing an error (user not found).

speculations:
Our remote domain needs a "domain admins" group with its SID, so that a
root user can be added to LDAP (remoteroot), so machines can be added
with that user's info...
The problem is we get these errors with smbldap-tools:
[root at proxy samba]# smbldap-usershow desroot
/usr/local/sbin/smbldap-usershow: user desroot doesn't exist
[root at proxy samba]# smbldap-groupshow desdomadm
dn: cn=desdomadm,ou=Groups,dc=bryantschools,dc=org
objectClass: posixGroup,sambaGroupMapping
cn: desdomadm
gidNumber: 1040
sambaSID: S-1-5-21-3567609034-2183773975-620293219-3081
sambaGroupType: 2
[root at proxy samba]# smbldap-useradd -a -g desdomadm desroot
Use of uninitialized value in pattern match (m//) at 
/usr/local/sbin//smbldap_tools.pm line 733.
/usr/local/sbin/smbldap-useradd: unknown group desdomadm

Thus, I can't test the theory...

#######################################################################
Method 2) Believing method 1 had something to do with a SID problem,
we proceeded to set up the remote locations as BDCs.

a) Set up the master LDAP server and Samba server on the same machine.
b) Set up replicas and referrals back to the master.
c) Set up the remote servers as BDCs using the same SID.
d) Set up the SID in smbldap-tools to be the same.

results:
Samba added the XP machines to the domain, but we could not log in upon
reboot.

questions:
In method 1 above, we have some users that get special shares based upon
the %m, meaning the domain they put in the login box.
This works on the PDC, but we can't get it to work on a BDC. (Why don't
domain aliases work on a BDC?)


This e-mail mentions that the correct way to do multiple domains in the same
LDAP database... is different branches...
Where is any documentation on the correct way / designed way to do this?
http://lists.samba.org/archive/samba-technical/2003-December/033422.html




Thanks in advance,
Barry Smoke
District Network Admin
Bryant Public Schools
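
Added example (not part of the original message, and not code from Samba or smbldap-tools): a small Python check that reads LDIF exported from the shared directory and flags the two things the message runs into in method 1, a machine entry that never received the sambaSamAccount objectClass (and so has no sambaSID), and entries whose sambaSID does not carry the domain SID of the server expected to service the join. It also counts how many distinct domain SID prefixes the directory holds, which is the "all PDCs sharing one database" situation the message asks about. The suffix dc=example,dc=org, the entry names and every SID in SAMPLE_LDIF are invented for the example, and DOMAIN_SID stands in for whatever `net getlocalsid` reports on the server being checked.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample LDIF (assumption: suffix, names and SIDs are invented for
# this example; they are not the entries from the message).
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=Users,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: jdoe
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002
sambaAcctFlags: [U          ]

dn: uid=ws01$,ou=Computers,dc=example,dc=org
objectClass: posixAccount
uid: ws01$

dn: uid=ws02$,ou=Computers,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws02$
sambaSID: S-1-5-21-9999999999-8888888888-7777777777-3102
sambaAcctFlags: [W          ]

dn: cn=remoteadm,ou=Groups,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: remoteadm
gidNumber: 1040
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3081
sambaGroupType: 2
"""

# Assumption: the SID of the server that will service the join (invented).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated entries, one 'attr: value'
    per line, multi-valued attributes kept in order. Base64 values ('::')
    and folded continuation lines are not handled."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            if not line and current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def sid_domain(sid: str) -> str:
    """Domain part of a SID: everything before the trailing RID."""
    return sid.rsplit("-", 1)[0]


def check_entry(entry: Dict[str, List[str]], domain_sid: str) -> List[str]:
    """Return the problems found in one entry (empty list if it is sane)."""
    problems = []
    classes = set(entry.get("objectClass", []))
    is_machine = entry.get("uid", [""])[0].endswith("$")
    samba_entry = is_machine or classes & {"sambaSamAccount", "sambaGroupMapping"}

    # The symptom from the message: the machine entry is in LDAP but never
    # got the sambaSamAccount objectClass, so Samba finds no such user.
    if is_machine and "sambaSamAccount" not in classes:
        problems.append("machine account lacks objectClass sambaSamAccount")
    sids = entry.get("sambaSID", [])
    if samba_entry and not sids:
        problems.append("no sambaSID")
    for sid in sids:
        if not SID_RE.match(sid):
            problems.append(f"malformed sambaSID {sid}")
        elif sid_domain(sid) != domain_sid:
            problems.append(f"sambaSID {sid} belongs to {sid_domain(sid)}, not {domain_sid}")
    # smbldap-tools marks machine accounts as workstation trust accounts (W).
    if is_machine and "sambaSamAccount" in classes:
        if "W" not in entry.get("sambaAcctFlags", [""])[0]:
            problems.append("machine account is not flagged W in sambaAcctFlags")
    return problems


def audit(ldif_text: str, domain_sid: str) -> Dict[str, List[str]]:
    """Map each problematic DN to its list of problems."""
    report = {}
    for entry in parse_ldif(ldif_text):
        problems = check_entry(entry, domain_sid)
        if problems:
            report[entry["dn"][0]] = problems
    return report


def sid_domains(ldif_text: str) -> Counter:
    """Count Samba entries per domain SID prefix; more than one prefix means
    the directory holds objects belonging to several domains."""
    return Counter(sid_domain(s) for e in parse_ldif(ldif_text)
                   for s in e.get("sambaSID", []) if SID_RE.match(s))


if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_LDIF, DOMAIN_SID).items():
        print(dn)
        for p in problems:
            print("   ", p)
    print(dict(sid_domains(SAMPLE_LDIF)))
```

Feed it the output of an `ldapsearch -LLL` over the users, computers and groups branches of one replica, after unfolding any wrapped lines, and run it once per Samba server with that server's own SID as DOMAIN_SID; an entry that is clean on the master but shows a domain mismatch on a remote server is exactly an account the remote server's SID cannot own.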



More information about the samba-technical mailing list