[Samba] Re: Authenticating DC's on an ldap backend... nobody knows how?
Jim C.
jcllings at javahop.com
Tue Sep 28 19:56:25 GMT 2004
> I can answer most questions. There are no secrets, just some things that
> you could help to better document - if you feel so inclined.
Precisely what I intend.
> On the other hand, most of us are rather busy people and give our
...
> down.
Well, I've been bashing at this issue for quite some time. Several
months off and on, actually. Now I'm unemployed again (my contract
ended) and I would like to update the Mandrake Samba 3 HOWTO with a more
proper dn for accessing the database.
Due to my personal poverty though, I will not be hiring anyone.
Here is what I wrote to the other gentleman who responded. Somehow it
did not get posted:
OK, let me take another shot.
Folks have been telling me that it is best for one's Domain Controller
if it has its own dn for accessing the ldap server rather than using
the ldap server's root dn. One of the issues is scalability. If you have
several balancing domain controllers, how do you know which one has made
changes to the database? They will all show up in the logs as the root
dn unless you have it set up otherwise.
What I've been hearing is that one does this by adding the
simpleSecurityObject to a host record so that it now has a password.
Then you include the dn of that host record as a member of the group
'Domain Controllers' and set up the LDAP ACLs so that this group has access.
I can't get it to work to save my life. For one thing, when I set it up
I frequently have problems with devfsd on startup. Basically it simply
never completes so the startup process hangs. If I comment out the line
below in /etc/devfsd.conf then devfsd will start but I don't know the
security implications so I would rather avoid it.
Jim C.
P.S. As always, Mr. Terpstra, your personal attention is greatly
appreciated. Really, I just can't express how much since learning
things like Samba might someday be a way out of my own desperately poor
personal circumstances. THANK YOU. :-)
--
-----------------------------------------------------------------
| I can be reached on the following Instant Messenger services: |
|---------------------------------------------------------------|
| MSN: j_c_llings at hotmail.com AIM: WyteLi0n ICQ: 123291844 |
|---------------------------------------------------------------|
| Y!: j_c_llings Jabber: jcllings at njs.netlab.cz |
-----------------------------------------------------------------
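
The setup described in the message above (simpleSecurityObject on the host record, membership in 'Domain Controllers', a group-based ACL) could look like the following. This is an added example, not part of the original post or of the Samba documentation. The base DN, the host name dc1, the ou names, the password placeholder and the choice of a groupOfNames group are all assumptions.

```ldif
# Constructed example. dc=example,dc=com, dc1$ and every DN below are
# placeholders (assumptions); substitute the values of your own directory.

# 1. Give the domain controller's existing host record a password.
#    simpleSecurityObject is an auxiliary class that requires userPassword.
dn: uid=dc1$,ou=Computers,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: simpleSecurityObject
-
add: userPassword
userPassword: {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT
-

# 2. Put the host record's DN into the group the ACL will test.
#    slapd's "by group" clause defaults to objectClass groupOfNames with
#    the DN-valued attribute "member". A posixGroup that only carries
#    memberUid values will not match unless the ACL names another
#    objectClass and DN-valued attribute explicitly.
dn: cn=Domain Controllers,ou=Groups,dc=example,dc=com
changetype: add
objectClass: groupOfNames
cn: Domain Controllers
member: uid=dc1$,ou=Computers,dc=example,dc=com

# 3. Matching ACLs for slapd.conf (not LDIF, shown here as comments).
#    "by anonymous auth" is what lets the host entry bind with its
#    new password; the group gets write access instead of the root DN.
#
# access to attrs=userPassword,sambaLMPassword,sambaNTPassword
#     by group.exact="cn=Domain Controllers,ou=Groups,dc=example,dc=com" write
#     by self write
#     by anonymous auth
#     by * none
#
# access to *
#     by group.exact="cn=Domain Controllers,ou=Groups,dc=example,dc=com" write
#     by * read
```

Each domain controller then binds with its own host DN instead of the root DN, so slapd's logs show which controller made a given change.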