[Samba] Re: University's using samba and ldap

William Jojo jojowil at hvcc.edu
Wed Jan 12 12:03:20 GMT 2005

> moof48 at temple.edu wrote:
> > Is there anyone out there from other universities that would
> > be willing to talk to me about your samba layout.  We already
> > have it in place but we have other colleges within the university
> > that want to start using our setup but want their own
> > domains.  I'm kind of confused how this would all work.

I'd like to offer our success story from Hudson Valley Community College
in New York, USA.

We are using Samba as DC for authentication with file and print services.

Our setup is a bit different from most, I would gather.

Setup: 3 - AIX 5.2 boxes with Samba 3.0.10 each with different domain
names, but the same SID. This was done to have all three servers share the
same identical LDAP backend. Eventually we'll be one domain, but for now
this works better than we could have hoped for.

The LDAP server is a fourth AIX box with OpenLDAP 2.2.20 using BerkeleyDB
4.2. I spent much time reading Gerald Carter's LDAP System Administration

We used to be an smbpasswd type setup. This didn't scale well as we have
19000+ accounts in the database (yes I said 19,000). Also we used to NFS
mount the smbpasswd file from one server to the other two so they shared
the password info. This was simply to offer a single sign on feature and
allowed machines to be in one domain and then have a technician move it to
another at will.

We didn't use the PADL scripts. They are good scripts, but didn't offer
the flexibility we needed to have complete control of the database (this
was truly a control issue :-) ) and there were additional attributes we
needed to add for sanity checks and reconciliation of users against SCT
Banner. So we wrote our own library of functions and scripts in ksh (sorry
all you perl fans). Essentially we build user accounts outside of AIX and
Samba by creating the entries ourselves.

We built a C program to search for the next free unix uid in the LDAP
database (which is range tunable to assist in rapid scripting of user

We also wrote a piece of C code to migrate the user databases from flat
files to ldif format to preserve all values and add a few more for
in-house maintenance. We used the algorithmic methods of computing the
user and group RIDs which is what Samba was doing internally using the
smbpasswd file for authentication info.

So why did we set the SIDs the same? We knew that eventually we'd be a
single domain installation and we knew that moving to LDAP was only months
away, so we set up all the domains that way and rejoined everything in

With assistance from John Terpstra who commented on my plans (posted here
several months ago) who said in theory it looked good, we set forth on
this mission. (Many hours were spent reading his Samba 3 by Example book
as well) We were lucky to also have a four server development area at
the time, so we built everything just like production. We joined the
machines using flat files, migrated to LDAP and pointed the server to the
LDAP master and....amazingly....it all still worked - roaming profiles and

One thing to note is we also do not use winbindd. AIX uses LDAP internally
for the users and we create the IDMAP entries at the time we create the
users and we have scripts to add the sambagroupmappings when we create a
unix group. So everything is integrated at the point of LDAP. No pam or
nss is involved at all. We use secldapclntd which is part of AIX that
allows us to tell AIX to listen to whatever LDAP we want. As I said
earlier we are running OpenLDAP with BerkeleyDB. We could have chosen
IBM's solution with db2, but honestly, OpenLDAP was just easier.

I know much of this sounds like reinventing the wheel, but like I said
earlier, we are control freaks. :-)

This past Sunday we migrated our entire campus to LDAP along with our
three Samba DCs.

Although we do not savor the potential benefits of AD integration or
interdomain trusts or winbindd caching or anything like that, there is
something I have to say to the Samba developers:

It works and we are very happy!

Institutionally we have been using Samba since version 1.9.x which
replaced our 5 server Novell environment with a single AIX box in 1998.

My hat is off to all of you. This is truly a wonderful product.

Great job everyone!
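
Added example, not part of the original post and not the HVCC code: a sketch in C of the two steps the message describes, picking the next free unix uid in a tunable range and deriving the account SID with Samba's algorithmic mapping (user RID = uid * 2 + rid base, group RID = gid * 2 + rid base + 1, default base 1000). The uid list and the domain SID are constructed placeholders, and the function names are hypothetical; a real tool would read the used uids from the LDAP directory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RID_BASE 1000UL /* Samba default for "algorithmic rid base" */

/* Algorithmic mapping: users land on even RIDs, groups on odd RIDs. */
unsigned long uid_to_rid(unsigned long uid) { return uid * 2 + RID_BASE; }
unsigned long gid_to_rid(unsigned long gid) { return gid * 2 + RID_BASE + 1; }

static int cmp_ul(const void *a, const void *b) {
    unsigned long x = *(const unsigned long *)a, y = *(const unsigned long *)b;
    return (x > y) - (x < y);
}

/* Lowest uid in [lo, hi] absent from used[] (sorted in place); 0 if full. */
unsigned long next_free_uid(unsigned long *used, size_t n,
                            unsigned long lo, unsigned long hi) {
    unsigned long candidate = lo;
    qsort(used, n, sizeof *used, cmp_ul);
    for (size_t i = 0; i < n && candidate <= hi; i++)
        if (used[i] == candidate)
            candidate++; /* taken: try the next one */
    return candidate <= hi ? candidate : 0;
}

/* Build "<domain SID>-<RID>"; returns 0 on success, -1 if out is too small. */
int format_sid(char *out, size_t len, const char *domain_sid, unsigned long rid) {
    int n = snprintf(out, len, "%s-%lu", domain_sid, rid);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void) {
    /* Constructed sample data: uids already present in the directory. */
    unsigned long used[] = {5000, 5001, 5003, 200, 5002};
    const char *domain_sid = "S-1-5-21-1111111111-2222222222-3333333333"; /* placeholder */
    char sid[128];

    unsigned long uid = next_free_uid(used, sizeof used / sizeof *used, 5000, 5999);
    if (uid == 0 || format_sid(sid, sizeof sid, domain_sid, uid_to_rid(uid)) != 0)
        return 1;
    printf("uidNumber: %lu\nsambaSID: %s\n", uid, sid);
    return 0;
}
```

Because the mapping depends only on the uid and the domain SID, three DCs that share one SID produce the same sambaSID for a given account whatever their domain names are.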


