[Samba] Complicated upgrade problem
Sam Bayne
sbayne at sccd.ctc.edu
Thu Dec 20 16:55:55 GMT 2007
I apologize for the length of this email in advance. I hope someone can
help us upgrade our aging samba network environment.
======= The Environment =========================================
We have an ldap-based samba security=domain environment.
We have two sets of users/computers administrative and instructional.
There are about 1500 admin users on 958 computers in the admin domain,
and 11000 users on 821 computers on the instruct domain.
Not all the users in these domains are active. (We keep student accounts
disabled but not deleted for up to a year after they leave in case they
come back.)
We're using openldap as the back end store for both domains. We started
this before we understood domain trust, so we made some odd decisions
for our ldap.
ldap schematic:
top-level domain
  +-instruct domain
      +-users
      +-groups
      +-computers
      +-admin domain
          +-users
          +-groups
          +-computers
That's right, the admin domain is a child of the instruct domain.
The instruct domain controller/logon server has its ldapsam set to look
at the instruct domain, and by virtue of parenthood, it can "see" the
admin accounts. The admin domain controller/logon server can only "see"
the lower half of the tree.
The result is that students can login on student lab computers, but not
on administrative office computers, while instructors can log into their
office computers as well as the labs.
The ldap entries for each account specify where to find profiles and
home directories, so roaming profiles work and everyone can see their
home directory as I: and so forth.
We even do policies by pushing down .pol files in the login scripts.
Samba is 3.014
openldap is 2.0.27
Servers are FC4
Clients are a mix of XP/Win2k(Vista upcoming)
======= Our Issue =========================================
We would like to upgrade to more recent versions of samba. And LDAP.
Currently there is a single ldap server, because we had replication
issues, so we just back up the ldap data more often and use nscd to cut
down on queries. I'd like to take advantage of newer OSes for things
like iscsi and larger file systems. We'd also like to get samba support
for aging passwords.
Anyway, when we try, we run into some issues. It turns out that our two
domains have the same domain sid. This apparently disturbs Samba 3.020+.
So I think that our odd ldap structure won't work going forward.
What I need is some guidance on:
1. What should our new ldap schematic be?
2. How do I migrate there one domain at a time (if possible)?