[Samba] Samba 2.2.5 + OpenLDAP 2.x - Caveats?
abartlet at samba.org
Mon Sep 30 01:35:01 GMT 2002
"Freeman, Peter (ERHS)" wrote:
> Hi List(s)
> I'm in the process of configuring a new PDC using Samba 2.2.5.
> At the present time we have 9 other Samba PDCs in nonconnected
> sites. In the next few months, these sites will become part of
> a WAN and we're looking to migrate authentication for these
> servers to a single box, for obvious administration benefits.
> The client base is primarily Win2k, SP2 & SP3.
> Now I'm making the presumption that Samba + LDAP is the right path
> to go down in this type of situation, correct me if I'm wrong, I've
> only been looking into this for the past week or so, and yes I've
> been reading the Samba docs and the OpenLDAP docs, so don't tell me
> to RTFM :), I'm just after real world experiences here....
> Can anyone with experience in this type of setup comment on any
> issues they struck while migrating from smbpasswd based systems
> to central LDAP authentication.
> What version of OpenLDAP would you recommend? 2.0.x or 2.1.x?
> Pros/cons for either version? I notice the schema file packaged with
> Samba has support for 2.1.x.
I had to move to 2.1 becouse of database corruption issues with 2.0,
(Net::LDAP scripts seem to triger some bug in the ldap server side).
If running 2.1, I think you will need Samba 2.2.6pre2 if you are not
keeping your unix accounts in ldap too. (But given the setup, I presume
> Were there any issues in migrating existing users, ie: file permissions,
> profiles, etc?
If you are migrating between domains, then this will be an issue,
becouse you will have one global UID and RID space, rather than
one-per-site. You will probably have to solve this manually. You will
therefore need to rejoin machines to the domain etc.
> What is the speed like over a WAN environment for a local Samba box
> to authenticate against a remote LDAP server, over say a 64k link?
> Any other comments?
Samba can hit your LDAP server *hard*. I would suggest keeping LDAP on
localhost if at all possible - and use LDAP replication from there. So
make the on-site machines BDCs, and have one PDC centrally. This type
of solution has been implemented.
Watch out your version of nss_ldap - some are buggy and cause a lot of
'connection reset by peer' stuff.
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
More information about the samba