[Samba] Domain Logins across VPN
Rob Hall
rob at desynched.net
Thu May 25 12:39:52 GMT 2006
----- Original Message -----
rob at desynched.net wrote:
>> rob at desynched.net wrote:
>>> I've been trying to get this to work for a few days now. I read that
>>> domain requests are sent via broadcast, and to use WINS to get around
>>> it.
>>>
>>> Well, I've enabled the WINS server on my Samba PDC, and told the BDCs on
>>> each VPN segment that the PDC is a WINS server. WINS resolution works,
>>> apparently: I can sit on a VPN'd network segment and ping machines across
>>> the VPN via their NETBIOS name, but I can't log into the domain. Windows
>>> tells me it can't find the domain. Is there something I'm missing?
>> sorry rob, i forgot to reply-to-all the first time.
>>
>> do you have
>>
>> domain master = no
>> domain logons = yes
>>
>> that set up works for me. and i also use
>>
>> local master = yes
>>
>> though i don't think the local master is required for bdc functionality.
>>
>> --
>> Anthony
>
> Yeah, I have that in my conf. Actually, I got it working earlier, but I
> had to tell samba to use my master LDAP server to do it - I was hoping I
> could make samba read off of the local slave server so if the connection
> to the master was severed, domain logins would still be functional. I'll
> tool around with it some more tomorrow and see if I can make it work the
> way I intend.
hmmm... i also use a replicated ldap server on the bdc localhost.
could you post your smb.conf and any errors you see in your samba log?
--
Anthony
sure, here's my smb.conf:
[global]
netbios name = <servername here>
workgroup = WORKGROUP
server string = Server String
security = user
hosts allow = 192.168.0. 127.
load printers = no
log file = /var/log/samba.%m
max log size = 50
log level = 1
passdb backend = ldapsam:ldap://<master LDAP IP>
socket options = TCP_NODELAY
interfaces = <localnet ip/netmask>
os level = 64
domain master = no
preferred master = auto
domain logons = yes
#LDAP stuff:
ldap admin dn = cn=<ID>,dc=<domain>,dc=com
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=People
ldap passwd sync = yes
ldap suffix = dc=<domain>,dc=com
ldap user suffix = ou=Users
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
logon script = logon.bat
logon path =
logon drive = H:
wins server = <PDC LAN>
wins proxy = yes
dns proxy = no
# domain user stuff:
add user script = /usr/local/sbin/smbldap-useradd -a '%u'
add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
delete user script = /usr/local/sbin/smbldap-userdel '%u'
delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
delete group script = /usr/local/sbin/smbldap-groupdel '%g'
-------------------------------
This configuration works. If I change passdb to 127.0.0.1 instead of the
Master LDAP's IP, this pops up in samba.smbd:
[2006/05/24 14:53:30, 1] lib/smbldap_util.c:add_new_domain_info(198)
failed to add domain dn= sambaDomainName=ATWORK,dc=atworkpersonnel,dc=com
with: Server is unwilling to perform
shadow context; no update referral
[2006/05/24 14:53:30, 0] lib/smbldap_util.c:smbldap_search_domain_info(258)
Adding domain info for ATWORK failed with NT_STATUS_UNSUCCESSFUL
That's the only error I see popping up. Ideas?
--
Rob
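A configuration that addresses the "shadow context; no update referral" error above, added here as an example and not taken from Rob's or Anthony's posts: the local replica rejects Samba's write because it has no update referral, so the slave's slapd.conf gets an `updateref` pointing at the master, and smb.conf lists the local slave first with the master as fallback. Hostnames and the admin DN are placeholders.

```ini
# --- slapd.conf on the BDC's local replica (read-only consumer) ---
# Without updateref the replica answers every write with
# "Server is unwilling to perform: shadow context; no update referral".
# With it, the write is referred to the master and Samba's LDAP client
# rebinds there with the same admin DN, so that DN and its password
# must be valid on the master as well.
updateref   ldap://ldap-master.example.com

# --- smb.conf on the BDC ---
[global]
    # Local replica first; the master is tried only if the replica is down.
    # Reads (domain logons, user lookups) are served by the replica even while
    # the VPN to the master is severed; writes (the sambaDomainName entry,
    # machine account adds, password changes) still need the master.
    passdb backend = ldapsam:"ldap://127.0.0.1 ldap://ldap-master.example.com"
    ldap admin dn = cn=Manager,dc=example,dc=com
    ldap suffix = dc=example,dc=com
```

Check the replica with `ldapsearch` that the sambaDomainName entry has replicated before relying on it, since Samba tries to add that entry when its search comes back empty, which is exactly the write that failed in the log above.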