[Samba] Re: University's using samba and ldap

William Jojo jojowil at hvcc.edu
Thu Jan 13 12:03:03 GMT 2005

On Wed, 12 Jan 2005 moof48 at temple.edu wrote:

> You almost said what I wanted to hear :) The problem here is
> that we have 50k accounts in ldap and almost everything
> authenticates off of it.  We started out w/ Samba and one DC
> in 2 small test labs.  Now we're looking at putting it into a
> mega lab for 700 machines and hopefully control a bunch of
> stuff using samba.  The problem is that now all the other
> small colleges (departments) want to have their own control
> and possibly own domain.  Plus I don't want to administer

You are much larger than we are, so we were able to have administration
say to all departments, "The IT people do it all. If you don't like it,

You get the idea :-) Plus, nobody wants to manage someone else's nightmare
because they didn't heed your advice.

> their systems. My first thought was the SID issue but it
> seems that it worked for you.  I've decided to get a
> consultant in here for like 10 hours to just help me lay
> out the basic architecture just make sure we're doing
> everything right from the get go before samba gets too big on

We have over 2200 workstations across three domains and we're
consolidating servers and expanding services all the time. Our biggest
domain has an 8-way/24GB server, the next is an 8-way 32GB (it does
Samba+other things), and a 4-way 7GB. The LDAP server is a 6-way 26GB box
and we are planning a replica on the biggie within 30 days. We're still
testing the replication on OpenLDAP 2.2.20 since it just became "stable"
like last week.

Perhaps that list can help guide you on your path of hardware selection.

> campus. Oh yeh.. We also have a Tru 64 box that everyone has
> an account on.  It has samba running on it and I joined it to
> the domain so everyone now gets their files mapped when they
> log in.  We also created a web gui so users can get their
> files when they're off campus.

That's excellent. We just use sftp for their access off campus. OpenSSH
uses the AIX authenticate() function so it's tied to the secldapclntd
backend of the OS. AIX is admittedly quirky, but it was the way to go for
our money :-)

> I hope all of this work doesn't go to waste because we're
> looking at syncing up our AD w/ ldap so then all of these
> labs would just use AD.  I would like to say screw AD but I
> don't see us kicking it to the curb.

You are doing the right thing by asking questions, planning, testing. The
well prepared individual will be the one to succeed in this realm. I only
wish I had time to experiment with AD.

If there's anything more you'd like to know about our installation, please
feel free to ask.


> ---- Original message ----
> >Date: Wed, 12 Jan 2005 07:03:20 -0500 (EST)
> >From: William Jojo <jojowil at hvcc.edu>
> >Subject: Re: [Samba] Re: University's using samba and ldap
> >To: "Alexander E. Patrakov" <patrakov at ums.usu.ru>
> >Cc: samba at lists.samba.org
> >
> >> moof48 at temple.edu wrote:
> >>
> >> > Is there anyone out there from other universities that would
> >> > be willing to talk to me about your samba layout.  We already
> >> > have it in place but we have other colleges within the university
> >> > that want to start using our setup but want their own
> >> > domains.  I'm kind of confused how this would all work.
> >>
> >
> >I'd like to offer our success story from Hudson Valley Community College
> >in New York, USA.
> >
> >We are using Samba as DC for authentication with file and print services.
> >
> >Our setup is a bit different from most, I would gather.
> >
> >Setup: 3 - AIX 5.2 boxes with Samba 3.0.10 each with different domain
> >names, but the same SID. This was done to have all three servers share the
> >same identical LDAP backend. Eventually we'll be one domain, but for now
> >this works better than we could have hoped for.
> >
> >The LDAP server is a fourth AIX box with OpenLDAP 2.2.20 using BerkeleyDB
> >4.2. I spent much time reading Gerald Carter's LDAP System Administration
> >book.
> >
> >We used to be an smbpasswd type setup. This didn't scale well as we have
> >19000+ accounts in the database (yes I said 19,000). Also we used to NFS
> >mount the smbpasswd file from one server to the other two so they shared
> >the password info. This was simply to offer a single sign on feature and
> >allowed machines to be in one domain and then have a technician move it to
> >another at will.
> >
> >We didn't use the PADL scripts. They are good scripts, but didn't offer
> >the flexibility we needed to have complete control of the database (this
> >was truly a control issue :-) ) and there were additional attributes we
> >needed to add for sanity checks and reconciliation of users against SCT
> >Banner. So we wrote our own library of functions and scripts in ksh (sorry
> >all you perl fans). Essentially we build user accounts outside of AIX and
> >Samba by creating the entries ourselves.
> >
> >We built a C program to search for the next free unix uid in the LDAP
> >database (which is range tunable to assist in rapid scripting of user
> >generation).
> >
> >We also wrote a piece of C code to migrate the user databases from flat
> >files to ldif format to preserve all values and add a few more for
> >in-house maintenance. We used the algorithmic methods of computing the
> >user and group RIDs, which is what Samba was doing internally using the
> >smbpasswd file for authentication info.
> >
> >So why did we set the SIDs the same? We knew that eventually we'd be a
> >single domain installation and we knew that moving to LDAP was only months
> >away, so we set up all the domains that way and rejoined everything in
> >preparation.
> >
> >With assistance from John Terpstra, who commented on my plans (posted here
> >several months ago) and said in theory it looked good, we set forth on
> >this mission. (Many hours were spent reading his Samba 3 by Example book
> >as well.) We were lucky to also have a four server development area at
> >the time, so we built everything just like production. We joined the
> >machines using flat files, migrated to LDAP and pointed the server to the
> >LDAP master and....amazingly....it all still worked - roaming profiles and
> >all.
> >
> >One thing to note is we also do not use winbindd. AIX uses LDAP internally
> >for the users and we create the IDMAP entries at the time we create the
> >users and we have scripts to add the sambagroupmappings when we create a
> >unix group. So everything is integrated at the point of LDAP. No pam or
> >nss is involved at all. We use secldapclntd which is part of AIX that
> >allows us to tell AIX to listen to whatever LDAP we want. As I said
> >earlier we are running OpenLDAP with BerkeleyDB. We could have chosen
> >IBM's solution with db2, but honestly, OpenLDAP was just easier.
> >
> >I know much of this sounds like reinventing the wheel, but like I said
> >earlier, we are control freaks. :-)
> >
> >This past Sunday we migrated our entire campus to LDAP along with our
> >three Samba DCs.
> >
> >Although we do not savor the potential benefits of AD integration or
> >interdomain trusts or winbindd caching or anything like that, there is
> >something I have to say to the Samba developers:
> >
> >It works and we are very happy!
> >
> >Institutionally we have been using Samba since version 1.9.x which
> >replaced our 5 server Novell environment with a single AIX box in 1998.
> >
> >My hat is off to all of you. This is truly a wonderful product.
> >
> >Great job everyone!
> >
> >Bill
> >--
> >To unsubscribe from this list go to the following URL and read the
> >instructions: https://lists.samba.org/mailman/listinfo/samba
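The smbpasswd-to-LDIF migration and the algorithmic RID scheme Bill describes in the quoted message, as an added example that is not code from this thread or from the HVCC tools (theirs were written in C and ksh): it computes user and group RIDs the way Samba 3 does by default (2*uid + 1000 for users, 2*gid + 1001 for groups), emits sambaSamAccount entries, skips the "NO PASSWORD"/"XXXX" placeholders smbpasswd writes for passwordless or disabled accounts instead of copying them as hashes, and drops LM hashes unless explicitly told to keep them. The domain SID, base DN and sample records are constructed placeholders.

```python
import re

RID_BASE = 1000  # Samba's default "algorithmic rid base"
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
DOMAIN_SID = "S-1-5-21-111-222-333"        # placeholder; read from `net getlocalsid` in practice
BASE_DN = "ou=People,dc=example,dc=edu"    # placeholder suffix for the user entries

def uid_to_rid(uid):
    """Samba 3 algorithmic mapping for users: RID = 2*uid + base (even RIDs)."""
    return 2 * uid + RID_BASE

def gid_to_rid(gid):
    """Groups take the odd RIDs: RID = 2*gid + base + 1."""
    return 2 * gid + RID_BASE + 1

def parse_smbpasswd_line(line):
    """Split one smbpasswd record: name:uid:LMHASH:NTHASH:[flags]:LCT-hex:"""
    name, uid, lm, nt, flags, lct = line.rstrip("\n").split(":")[:6]
    rec = {"name": name, "uid": int(uid), "lm": lm, "nt": nt,
           "flags": flags.strip("[] "), "pwd_last_set": None}
    if lct.startswith("LCT-"):
        rec["pwd_last_set"] = int(lct[4:], 16)  # last-change time, hex epoch seconds
    return rec

def to_ldif(rec, keep_lm=False):
    """Render one sambaSamAccount entry. Hash fields that are not 32 hex digits (the
    'NO PASSWORD'/'XXXX' placeholders) are omitted, and the LM hash is dropped unless
    keep_lm is set, since LM hashes are trivially recoverable."""
    lines = ["dn: uid=%s,%s" % (rec["name"], BASE_DN),
             "objectClass: sambaSamAccount",
             "uid: %s" % rec["name"],
             "sambaSID: %s-%d" % (DOMAIN_SID, uid_to_rid(rec["uid"])),
             "sambaAcctFlags: [%-11s]" % rec["flags"]]
    if HEX32.match(rec["nt"]):
        lines.append("sambaNTPassword: %s" % rec["nt"].upper())
    if keep_lm and HEX32.match(rec["lm"]):
        lines.append("sambaLMPassword: %s" % rec["lm"].upper())
    if rec["pwd_last_set"] is not None:
        lines.append("sambaPwdLastSet: %d" % rec["pwd_last_set"])
    return "\n".join(lines) + "\n"

def convert(smbpasswd_lines, keep_lm=False):
    """Convert a whole smbpasswd file (as a list of lines) into LDIF entries."""
    return [to_ldif(parse_smbpasswd_line(l), keep_lm) for l in smbpasswd_lines]

# Constructed sample records; the hash values are made up, not real hashes.
FAKE_HASH = "00112233445566778899AABBCCDDEEFF"
SAMPLE = ["alice:1001:%s:%s:[U          ]:LCT-41E5F2C0:" % (FAKE_HASH, FAKE_HASH),
          "bob:1002:%s:%s:[UD         ]:LCT-41E5F2C0:" % ("X" * 32, "X" * 32)]
```

Feeding `convert(SAMPLE)` into `ldapadd` gives one entry per account; the second record (disabled, placeholder hashes) comes out with its flags but no password attributes.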
