[Samba] Samba 3 Operational Question
jojowil at hvcc.edu
Thu May 6 15:16:58 GMT 2004
We have three Samba 2.2.8a DC's. They share the smbpasswd database over
NFS. This is not a problem whatsoever. It works wonderfully!
We are becoming a complete LDAP authenticating site for everything and
want to migrate the smbpasswd file to LDAP. We have the scripts to process
all of this so I don't see a problem with merging the sambaSamAccount info
with our posixAccount stuff which I saw was very simple to do.
All the framework is ready, but where I get confused is can we continue
with three DC's and use the single database to auth everyone, or should we
be considering a consolidation to one large DC.
The reasons for three DC's originally were:
1) Load balancing
2) Distribution of different types of data and services
3) Physical separation of Academic, Administrative and EverythingElse
This all made sense then, but perhaps not so much now.
My questions are these:
1) How would the three Samba DC's share the SID attributes for a given DN
between domains so we can keep one password and one id across all domains?
It doesn't appear to me that they would. I could really use some insight.
2) When do I know that I need to use winbindd? The docs seem to refer to
merging credential info between Samba and Windows servers, but we don't
plan on that.
3) The group information for Samba as laid out in 6.3.5 of the Samba By
Example book is quite exciting from the perspective of support for true
windows groups in Samba which would be awesome for adding a user as an
administrator or Debug Users and such. Will this be complicated by the
use of three DC's accessing this info?
4) Assuming I do need winbindd, AIX has LDAP method already, but Andrew's
WINBIND method looks equally exciting especially if we can implement the
extensions that allow WINBIND to have options for "authonly,db=LDAP" or
"auth=KRB5,db=LDAP". The former allows winbindd to do the AIX auth and
gather user info from LDAP. The latter one would allow for AIX to auth
against KRB, lookup user info from LDAP (which allows the use of
secldapclntd and the AIX, RFC2307 or RFC2307AIX mappings allowed by AIX so
you can use any LDAP server backend with optional schemas) keeping the
ability to still change all passwords and gather RID information from
winbindd. This mechanism is easily implemented with getauthdb and
setauthdb for AIX loadable authentication modules. Or am I just making
this too complicated and missing a rudimentary point?
5) If no SID attribute is listed in the user's DN, and no winbindd is
configured, does Samba revert back to the computed RID of (uidNumber * 2 +
1000)? I can easily calculate the full SID for the user and store it in
the attribute, but I'm curious. (I'm looking through the code, but
some things are just not obvious to me.)
I thank you all in advance for your responses and continued documentation
of all these features.
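The computed-RID question above (uidNumber * 2 + 1000) is the kind of mapping that is worth checking mechanically when migrating an smbpasswd file into LDAP, since a sambaSID that disagrees with the uidNumber it sits beside will silently give a user someone else's RID. The following is an added example, not code from the original poster or from the Samba project. It assumes the mapping stated in the post, with the base 1000 made a parameter (Samba calls this setting "algorithmic rid base"), an NT-style domain SID of the form S-1-5-21-x-y-z, and a constructed domain SID and constructed LDAP entries for demonstration. It also implements the inverse mapping so a stored SID can be checked against the uidNumber.

```python
import re

# Assumptions for this example: the user RID is uidNumber * 2 + base,
# as stated in the post, and base defaults to 1000.
RID_MULTIPLIER = 2
DEFAULT_RID_BASE = 1000

# Shape of an NT domain SID (three sub-authorities after S-1-5-21).
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")


def user_rid(uid_number, rid_base=DEFAULT_RID_BASE):
    """Algorithmic user RID for a POSIX uidNumber."""
    if uid_number < 0:
        raise ValueError("uidNumber must be non-negative")
    return uid_number * RID_MULTIPLIER + rid_base


def user_sid(domain_sid, uid_number, rid_base=DEFAULT_RID_BASE):
    """Full SID string to store in sambaSID for this uidNumber."""
    if not DOMAIN_SID_RE.match(domain_sid):
        raise ValueError("not an NT domain SID: %r" % domain_sid)
    return "%s-%d" % (domain_sid, user_rid(uid_number, rid_base))


def uid_from_sid(domain_sid, sid, rid_base=DEFAULT_RID_BASE):
    """Inverse mapping: uidNumber for a SID, or None when the SID is not an
    algorithmic user SID of this domain (wrong domain, RID below the base,
    or an odd offset that no uidNumber produces)."""
    prefix = domain_sid + "-"
    if not sid.startswith(prefix):
        return None
    tail = sid[len(prefix):]
    if not tail.isdigit():
        return None
    offset = int(tail) - rid_base
    if offset < 0 or offset % RID_MULTIPLIER != 0:
        return None
    return offset // RID_MULTIPLIER


def check_entry(domain_sid, entry, rid_base=DEFAULT_RID_BASE):
    """Compare a stored sambaSID with the value the uidNumber implies.
    Returns None when consistent, otherwise a short finding string.
    `entry` is a dict of LDAP attribute -> value (constructed shape)."""
    uid_number = int(entry["uidNumber"])
    expected = user_sid(domain_sid, uid_number, rid_base)
    stored = entry.get("sambaSID")
    if stored is None:
        return "%s: no sambaSID, computed RID would be %d" % (
            entry["dn"], user_rid(uid_number, rid_base))
    if stored == expected:
        return None
    other_uid = uid_from_sid(domain_sid, stored, rid_base)
    if other_uid is None:
        return "%s: sambaSID %s is not an algorithmic user SID of this domain" % (
            entry["dn"], stored)
    return "%s: sambaSID %s belongs to uidNumber %d, entry has uidNumber %d" % (
        entry["dn"], stored, other_uid, uid_number)


# Constructed sample data: a made-up domain SID and three entries.
SAMPLE_DOMAIN_SID = "S-1-5-21-1000000001-1000000002-1000000003"
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=People,dc=example,dc=edu", "uidNumber": "5001",
     "sambaSID": SAMPLE_DOMAIN_SID + "-11002"},   # consistent: 5001*2+1000
    {"dn": "uid=bob,ou=People,dc=example,dc=edu", "uidNumber": "5002",
     "sambaSID": SAMPLE_DOMAIN_SID + "-11002"},   # collides with alice's RID
    {"dn": "uid=carol,ou=People,dc=example,dc=edu", "uidNumber": "5003"},
]


def audit(domain_sid, entries, rid_base=DEFAULT_RID_BASE):
    """Findings for every inconsistent entry, in input order."""
    findings = []
    for entry in entries:
        finding = check_entry(domain_sid, entry, rid_base)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_DOMAIN_SID, SAMPLE_ENTRIES):
        print(line)
```

Running the audit over an LDIF export (after parsing it into dicts of the shape above) is a quick way to catch RID collisions or SIDs from a different domain before the three DCs start reading the shared directory.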