[Samba] samba file/service server authentication vs. a remote samba PDC

[Grzegorz Kusnierz]

Hi.

We've got a following network topology:


                   INTERNET
		      |
		      | ppp0
		    __|__
		   [__A__] linux samba PDC ("A")
		    |   |
	       eth0 |   | eth1                     __ __
	 [HUB]______|   |_______[HUB]_____________[__B__]
	 | | |                  | | |                    
      some win2k            some more win2k
     workstations             workstations   +  linux samba ("B")
     (192.168.1.*)           (192.168.2.*) 
		   
The problem:

A is (beside being a firewall,router,www/ftp/dhcp/ssh server,etc.) a samba 2.2.2 linux PDC. It holds a large number of accounts and due to a high load, we've decided to move most samba-corelated stuff to another linux server - B. The only thing which is still handled by samba at A is the user database and authentication. The B is thought to serve files - home dirs, profiles and common shares. We would also like to give the users an access to a shell via ssh, to files via ftpd and so on. The main problem is that we would like to have it all authenticated versus the PDC (A).

Up to today's morning we had been doing the thing with winbind - daemon, nsswitch and pam module, but we had to reinstall the system due to a hardware failure. We aren't quite happy with winbind which is still not very stable, reliable or efficient. What's more it is meant for some other purposes and does too much unneeded (in our case) things, such as translating UIDs to SIDs and then back to UIDs. Due to this inconvieniences we're searching for some other solution.

A solution we've taken into consideration is eg. pam_smbpass module + password server option in smb.conf. Would this do? And what about 'creating' local accounts or something which would pretend them (as nsswitch + winbind)?

Thanks in advance for any help.

Grzegorz 'Konik' Kusnierz
 <konik at v-lo.krakow.pl>