[Samba] Samba as PDC w/LDAP backend

Dennis Pinckard dpinckard at aegislg.com
Fri Mar 22 08:04:04 GMT 2002


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am looking for someone to help me with setting up a new network
using Samba & OpenLDAP to operate as PDC.  I know there are many
people out there that have this working successfully, and would like
to pick your brains to get it working quickly.  It's a simple network
of about 30-40 users with one office.  At this point, I'm ready for
copies of config files, ldif's, etc to get a working, stable
environment.

If anyone is willing to help with this, I'd really appreciate it. 
I've attached a long-winded description below, so if you make it to
the end and feel you can help, but need more info, please get in
touch.

Thanks in advance.

Dennis Pinckard
Network Administrator
Aegis Learning Group



Here's the background:

I am currently in the process of combining the networks of two merged
companies, one with Windows 2000 AD and one that is peer-to-peer
(Windows 2000, WinNT, Linux).  The goal is to establish a Linux only
server room.  I've installed RedHat 7.2 and configured Samba 2.2.1a
as a PDC in a new domain.  I've successfully created an OpenLDAP
repository for users and groups and Samba can authenticate from it
via PAM.  File shares, printer shares, and printer drivers have also
been configured.  I use Directory Administrator to create and edit
the users/groups in LDAP.

I've compiled a custom kernel to include LVM and XFS support (system
started as Mandrake, but we've decided to standardize on RedHat). 
The box is a Dell 4100 single 1GHz processor with 512MB of ram and
220 GB of storage using LVM.  A single 4GB hard drive holds the OS. 
I'm using XFS for most logical volumes so that users can manage
permissions using Windows 2000's security tab in Explorer.

I was just about ready to turn it on when I saw that 2.2.3a has the
ability to store the smbpasswd info in LDAP directly.  RedHat doesn't
yet have a 2.2.3a for download, but I downloaded their RawHide
version.  Rebuilt it using the IdealX.com Samba2.2.2/LDAP PDC howto
to include LDAP support.  I also used the CVS version of IDEALX.com's
scripts to create/manage users and groups in LDAP.  I modified them
somewhat to add an additional LDAP object class (inetOrgPerson, I
think, don't have it in front of me, but it's the schema that
includes mail, jpeg photo, etc.  Directory Administrator uses these
attributes)

At that point things started getting weird.  Groups were no longer
showing up on the Windows 2000 Pro workstation that I'd joined to the
domain.  Instead of group names, I'd get something like
'unix_group.nnnnnnnn' where nnnnnnnn is some number.  I'd created
about 7 or 8 unix groups that would control access to the various
file systems (Finance, IT, Devel).  Under 2.2.1a, I could see those
groups in Windows and manage users and files easily.

After about 2 days of fighting with 2.2.3, including downloading the
source from a samba mirror and compiling that, I gave up and
attempted to back down to 2.2.1a.  Of course, there's
no system backup, why would I backup a test system?!  I do have the
config files I used to set up the Mandrake and RedHat systems though.
I uninstalled the samba rpms, deleted all samba config files, and
deleted the LDAP databases.  Then I reinstalled Samba from the RedHat
RPMS, restored the smb.conf, and rebuilt the LDAP database.

But for some reason, I can only get "Domain Admins" to appear on the
Windows 2000 Pro workstation.  Password sync is also broken.  I can
change the SMB password just fine, but no luck with sync turned on. 
I've tried passwd and smbldap-passwd.sh but they both keep failing. 
Remember my user accounts are in LDAP.  The server is configured via
auth-config to use LDAP.

Some extra bullet points that may or may not be relevant (my fingers
are tired!)

* We will use RedHat as the server OS (I know there are other
excellent distros, but the decision is made).
* All desktops will be Windows 2000 Pro, joined to the domain.
* System (root, etc) and service accounts (oracle, ArcServ, etc) will
live in the /etc/passwd files for the various linux servers.  User
accounts will exist in LDAP.  (Again, LDAP is a decision that's been
made.)
* Home directories are shared via Samba and NFS so that users have
one home directory no matter what machine they login on.
* To ease management and updates, I would like to stay with stock
RPMS as much as possible.  Reconfigured and recompiled SRPMS are OK
as well.  As a last resort, I'll work with pure source.


References I've used:
	http://IDEALX.com - Samba-2.2.2/LDAP PDC HOWTO and accompanying
scripts
	Samba 2.2.x - Samba-LDAP-HOWTO
	Various LDAP Howto's and tutorials.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPJtVpXBWGat9hZ87EQKpOACfWNN1o5hmaC+gVpd9hWOJNPiiEl4AmgIX
CybdXaHBwWA656TeR9gWA+J0
=NHTW
-----END PGP SIGNATURE-----
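The two symptoms described in the post (groups rendered as
'unix_group.NNNN' on the workstation and smbpasswd data not living in
LDAP) usually trace back to directory entries that are inconsistent with
what Samba 2.2 expects. The script below is an added example, not part
of the original mail or of the IDEALX scripts: it parses an LDIF export
and flags users whose primary gidNumber has no posixGroup, users missing
the sambaAccount objectClass, and rid/primaryGroupID values that do not
match Samba 2.2's default algorithmic mapping. The mapping constants
(user RID = uid*2+1000, group RID = gid*2+1001) are an assumption taken
from Samba 2.2's default behaviour; the LDIF sample is constructed.

```python
"""Sanity-check a Samba 2.2 / OpenLDAP PDC directory export (LDIF).

Flags the inconsistencies that typically make groups appear as
'unix_group.NNNN' on a Windows workstation or keep smbpasswd data
out of LDAP.  Added example; not from the original post or IDEALX.
"""
import re

# Constructed sample LDIF (not taken from the original post).
SAMPLE_LDIF = """\
dn: cn=finance,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: finance
gidNumber: 1001
memberUid: alice

dn: cn=devel,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: devel
gidNumber: 1002

dn: uid=alice,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaAccount
uid: alice
uidNumber: 1000
gidNumber: 1001
rid: 3000
primaryGroupID: 3003

dn: uid=bob,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaAccount
uid: bob
uidNumber: 1001
gidNumber: 1005
rid: 3002
primaryGroupID: 3011

dn: uid=carol,ou=Users,dc=example,dc=com
objectClass: posixAccount
uid: carol
uidNumber: 1002
gidNumber: 1002
"""


def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, attr (lowercased) -> [values].
    Handles folded lines (continuation lines start with a space)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # unfold continuation line
            else:
                lines.append(line)
        entry = {}
        for line in lines:
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


# Assumption: Samba 2.2 default algorithmic RID mapping.
def user_rid(uid):
    return uid * 2 + 1000


def group_rid(gid):
    return gid * 2 + 1001


def check_directory(text):
    """Return a list of human-readable problems found in the LDIF export."""
    entries = parse_ldif(text)
    groups = {}  # gidNumber -> cn, from every posixGroup entry
    for e in entries:
        if "posixgroup" in [c.lower() for c in e.get("objectclass", [])]:
            groups[int(e["gidnumber"][0])] = e["cn"][0]

    problems = []
    for e in entries:
        classes = [c.lower() for c in e.get("objectclass", [])]
        if "posixaccount" not in classes:
            continue
        name = e["uid"][0]
        uid, gid = int(e["uidnumber"][0]), int(e["gidnumber"][0])
        if gid not in groups:
            # No group to resolve the name from: Samba falls back to unix_group.<rid>
            problems.append(f"{name}: gidNumber {gid} has no posixGroup entry "
                            f"(would display as unix_group.{group_rid(gid)})")
        if "sambaaccount" not in classes:
            problems.append(f"{name}: missing sambaAccount objectClass, "
                            "smbpasswd data cannot be stored in LDAP")
            continue
        rid = int(e["rid"][0]) if "rid" in e else None
        if rid != user_rid(uid):
            problems.append(f"{name}: rid {rid} != expected {user_rid(uid)}")
        pgid = int(e["primarygroupid"][0]) if "primarygroupid" in e else None
        if pgid != group_rid(gid):
            problems.append(f"{name}: primaryGroupID {pgid} != expected {group_rid(gid)}")
    return problems


if __name__ == "__main__":
    for p in check_directory(SAMPLE_LDIF):
        print(p)
```

Run it against the output of `ldapsearch -x -LLL -b "dc=example,dc=com"`
(base DN adjusted to your directory) instead of the constructed sample;
on the sample it reports bob's dangling gidNumber and carol's missing
sambaAccount class, which is exactly the pair of conditions behind the
two symptoms in the post.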




More information about the samba mailing list