[Samba] Complicated upgrade problem

Sam Bayne sbayne at sccd.ctc.edu
Thu Dec 20 16:55:55 GMT 2007


I apologize for the length of this email in advance. I hope someone can 
help us upgrade our aging samba network environment.

======= The Environment =========================================

We have an ldap-based samba security=domain environment.

We have two sets of users/computers administrative and instructional.
There are about 1500 admin users on 958 computers in the admin domain, 
and 11000 users on 821 computers on the instruct domain.

Not all the users in these domains are active. (We keep student accounts 
disabled but not deleted for up to a year after they leave in case they 
come back.)

We're using openldap as the back end store for both domains. We started 
this before we understood domain trust, so we made some odd decisions 
for our ldap.

ldap schematic:

top-level domain
  +-instruct domain
    +-users
    +-groups
    +-computers
    +-admin domain
      +-users
      +-groups
      +-computers

That's right, the admin domain is a child of the instruct domain.

The instruct domain controller/logon server has its ldapsam set to look 
at the instruct domain, and by virtue of parenthood, it can "see" the 
admin accounts. The admin domain controller/logon server can only "see" 
the lower half of the tree.

The result is that students can login on student lab computers, but not 
on administrative office computers, while instructors can log into their 
office computers as well as the labs.

The ldap entries for each account specify where to find profiles and 
home directories, so roaming profiles work and everyone can see their 
home directory as I: and so forth.

We even do policies by pushing down .pol files in the login scripts.

Samba is 3.014
openldap is 2.0.27
Servers are FC4
Clients are a mix of XP/Win2k(Vista upcoming)

======= Our Issue =========================================

We would like to upgrade to more recent versions of samba. And LDAP.
Currently there is a single ldap server, because we had replication 
issues. So we just back up the ldap data more often. And use nscd to cut 
down on queries.  I'd like to take advantage of newer OS's for things 
like iscsi, and larger file systems. We'd also like to get samba support 
for aging passwords.

Anyway, when we try, we run into some issues. It turns out that our two 
domains have the same domain sid. This apparently disturbs Samba 3.020+.
So I think that our odd ldap structure won't work going forward.

What I need is some guidance on:

1. What should our new ldap schematic be?
2. How do I migrate there one domain at a time (if possible)?
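An added check (not code from this post or from Samba) that reads an LDIF export and flags the condition described above: two sambaDomain entries that share a sambaSID, and the accounts whose SID prefix therefore cannot be attributed to a single domain. The LDIF, DNs and SID values below are constructed; point `parse_ldif` at a real `slapcat` export to run it against an actual directory before planning a migration.

```python
import re
from collections import defaultdict
# Constructed sample LDIF (assumed DNs and SIDs): two sambaDomain entries sharing one SID, one account under each.
SAMPLE_LDIF = """\
dn: sambaDomainName=INSTRUCT,dc=instruct,dc=example
sambaDomainName: INSTRUCT
sambaSID: S-1-5-21-111-222-333

dn: sambaDomainName=ADMIN,ou=admin,dc=instruct,dc=example
sambaDomainName: ADMIN
sambaSID: S-1-5-21-111-222-333

dn: uid=student1,ou=users,dc=instruct,dc=example
sambaSID: S-1-5-21-111-222-333-1002

dn: uid=staff1,ou=users,ou=admin,dc=instruct,dc=example
sambaSID: S-1-5-21-111-222-333-1004
"""
def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute names lowercased."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()].append(value.strip())
        entries.append(dict(entry))
    return entries

def duplicate_domain_sids(entries):
    """Return {domain_sid: [sambaDomainName, ...]} for SIDs claimed by more than one domain."""
    by_sid = defaultdict(list)
    for e in entries:
        if "sambadomainname" in e:  # sambaDomain entries carry this attribute
            by_sid[e["sambasid"][0]].append(e["sambadomainname"][0])
    return {sid: names for sid, names in by_sid.items() if len(names) > 1}

def ambiguous_accounts(entries):
    """DNs of accounts whose SID prefix is owned by two domains at once (the collision above)."""
    dups = duplicate_domain_sids(entries)
    found = []
    for e in entries:
        if "sambasid" in e and "sambadomainname" not in e:
            domain_part = e["sambasid"][0].rsplit("-", 1)[0]  # drop the RID
            if domain_part in dups:
                found.append(e["dn"][0])
    return found
```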
