[Samba] Samba 2.2.5 + OpenLDAP 2.x - Caveats?

Andrew Bartlett abartlet at samba.org
Mon Sep 30 01:35:01 GMT 2002

"Freeman, Peter (ERHS)" wrote:
> Hi List(s)
> I'm in the process of configuring a new PDC using Samba 2.2.5.
> At the present time we have 9 other Samba PDCs in nonconnected
> sites.  In the next few months, these sites will become part of
> a WAN and we're looking to migrate authentication for these
> servers to a single box, for obvious administration benefits.
> The client base is primarily Win2k, SP2 & SP3.
> Now I'm making the presumption that Samba + LDAP is the right path
> to go down in this type of situation, correct me if I'm wrong, I've
> only been looking into this for the past week or so, and yes I've
> been reading the Samba docs and the OpenLDAP docs, so don't tell me
> to RTFM :), I'm just after real world experiences here....
> Can anyone with experience in this type of setup comment on any
> issues they struck while migrating from smbpasswd based systems
> to central LDAP authentication.
> What version of OpenLDAP would you recommend?  2.0.x or 2.1.x?
> Pros/cons for either version?  I notice the schema file packaged with
> Samba has support for 2.1.x.

I had to move to 2.1 because of database corruption issues with 2.0
(Net::LDAP scripts seem to trigger some bug on the ldap server side).

If running 2.1, I think you will need Samba 2.2.6pre2 if you are not
keeping your unix accounts in ldap too.  (But given the setup, I presume
you are).
> Were there any issues in migrating existing users, ie: file permissions,
> profiles, etc?

If you are migrating between domains, then this will be an issue,
because you will have one global UID and RID space, rather than
one-per-site.  You will probably have to solve this manually.  You will
therefore need to rejoin machines to the domain etc.

> What is the speed like over a WAN environment for a local Samba box
> to authenticate against a remote LDAP server, over say a 64k link?
> Any other comments?

Samba can hit your LDAP server *hard*.  I would suggest keeping LDAP on
localhost if at all possible - and use LDAP replication from there.  So
make the on-site machines BDCs, and have one PDC centrally.   This type
of solution has been implemented.

Watch out for your version of nss_ldap - some are buggy and cause a lot of
'connection reset by peer' stuff.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
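The layout Andrew describes (one central PDC holding the LDAP master, each site running a BDC against a local slurpd replica) as an added configuration example; this is not from the original post or from the Samba project, and the domain name, DNs, hostnames, paths and credentials are constructed placeholders for a Samba 2.2 build with ldapsam and OpenLDAP 2.1.

```conf
# --- smb.conf on a site BDC (Samba 2.2, built --with-ldapsam) ---
[global]
   workgroup = EXAMPLEDOM          ; constructed domain name
   security = user
   encrypt passwords = yes
   domain logons = yes
   domain master = no              ; the central PDC is the domain master
   ldap server = localhost         ; query the on-site replica, never the 64k WAN
   ldap port = 389
   ldap suffix = dc=example,dc=org
   ldap admin dn = cn=samba,dc=example,dc=org
   ; the admin dn password is set with: smbpasswd -w <password>

# --- slapd.conf on the central master (co-located with the PDC) ---
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/samba.schema
database        bdb
suffix          "dc=example,dc=org"
rootdn          "cn=Manager,dc=example,dc=org"
rootpw          {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT
directory       /var/lib/ldap
# Samba hits the directory hard: index the attributes it searches on.
# uid is used for user lookups, rid is the sambaAccount RID attribute
# in the Samba 2.2 schema.
index           objectClass,uid,rid   eq
# slurpd replication: one line per site BDC
replogfile      /var/lib/ldap/replog
replica         uri=ldap://bdc-site1.example.org:389
                binddn="cn=replicator,dc=example,dc=org"
                bindmethod=simple credentials=REPLACE-WITH-SECRET

# --- slapd.conf on each site BDC (read-only replica) ---
database        bdb
suffix          "dc=example,dc=org"
rootdn          "cn=Manager,dc=example,dc=org"
directory       /var/lib/ldap
index           objectClass,uid,rid   eq
# Only the replicator may write here; every other write is answered
# with a referral to the master, so password changes still land centrally.
updatedn        "cn=replicator,dc=example,dc=org"
updateref       ldap://pdc.example.org:389
```

Bind the site slapd to the loopback address and let only slurpd on the master reach it, so the replication credential is the only thing crossing the WAN.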