[Samba] Using LDAP, no PDC/BDC, for multiple samba servers

Soohoon Lee soohoon at gmail.com
Fri Aug 1 16:22:11 GMT 2008


Those samba servers only serve files, so no login is allowed and I only
modified /etc/nsswitch.conf.
Thanks,
On Fri, Aug 1, 2008 at 12:17 PM, Soohoon Lee <soohoon at gmail.com> wrote:

>
> Thanks, now it's crystal clear.
> One thing I'd like to ask more is why the other servers will be BDCs?
> Not just a workstation or a DC client? Where do they backup or cache
> account info?
> Will smb.conf look different from using NT4 PDC?
> Thanks,
> Soohoon.
>   On Fri, Aug 1, 2008 at 11:58 AM, Adam Williams <awilliam at mdah.state.ms.us> wrote:
>
>> yes to share a single set of users/groups in LDAP to multiple samba
>> servers you will need LDAP and a PDC and the other servers will be BDCs.
>> yes you will join BDC's with net rpc join -D domain -S pdc_server_name -U
>> root%password
>>
>> read chapter 5.3 of samba 3 by example.pdf
>>
>>
>> Soohoon Lee wrote:
>>
>>
>> Thanks,
>> 'sharing LDAP server' is to share the same set of users/groups in the LDAP
>> DB, not separate sets of users/groups for each samba server.
>> It looks like PDC ??? maybe what I want is more like NIS.
>> So IIUC, to share a single set of users/groups in the LDAP server from
>> multiple samba servers, I need LDAP and samba DC?
>> And samba servers have to join the samba DC by net rpc join?
>>
>> Thanks a lot.
>> Soohoon.
>>
>> On Fri, Aug 1, 2008 at 11:22 AM, Adam Williams <awilliam at mdah.state.ms.us> wrote:
>>
>>> sure you can have multiple domains with all the account info in LDAP.  if
>>> you really want it to work together well you'll have a PDC and BDC's
>>> though.  you may be able to try samba intertrust relationships, but i've
>>> never used that
>>>
>>> Soohoon Lee wrote:
>>>
>>>
>>> Thanks all
>>> This is my smb.conf
>>> [global]
>>>         dos charset = UTF-8
>>>         workgroup = DOMSMB
>>>         security = user
>>>         allow trusted domains = No
>>>         password server = NULL
>>>         passdb backend = ldapsam:ldap://10.17.124.190/
>>>         max log size = 50
>>>         load printers = No
>>>         stat cache = No
>>>         os level = 10
>>>         dns proxy = No
>>>         ldap suffix = dc=my-domain,dc=com
>>>         ldap user suffix = ou=Users
>>>         ldap group suffix = ou=Groups
>>>         ldap admin dn = cn=Manager,dc=my-domain,dc=com
>>>         ldap ssl = no
>>>
>>> And I'd like to make multiple samba servers share a single LDAP server
>>> without using the domain controller feature.
>>> I'm getting the feeling that a pure LDAP server is for a single samba server, or
>>> the LDAP server should have a samba DC to serve multiple samba servers?
>>>
>>> Thanks,
>>> Soohoon.
>>>
>>> On Fri, Aug 1, 2008 at 7:02 AM, Lukasz Zalewski <lukas at dcs.qmul.ac.uk> wrote:
>>>
>>>>  Lukasz Zalewski wrote:
>>>>
>>>>> Adam Williams wrote:
>>>>>
>>>>>> are you using security = user or security = domain on your multiple
>>>>>> servers?
>>>>>> Soohoon Lee wrote:
>>>>>>
>>>>>>> Hi
>>>>>>> Is it possible to use single LDAP server and multiple samba servers?
>>>>>>> The problem I'm having now is
>>>>>>> Each server thinks their host name is their LDAP domain name, or
>>>>>>> sambaDomainName, and
>>>>>>> complains the user's SID is different so can't authenticate.
>>>>>>> How do I make samba servers use one domain name and SID?
>>>>>>>
>>>>>>> LDAP domain name is DOMSMB
>>>>>>>
>>>>>>> dn: sambaDomainName=DOMSMB,dc=my-domain,dc=com
>>>>>>> sambaSID: S-1-5-21-2479917030-3150298425-213194246
>>>>>>>
>>>>>>> And samba server created a new domain after its hostname.
>>>>>>>
>>>>>>> dn: sambaDomainName=SRV6,dc=my-domain,dc=com
>>>>>>> sambaSID: S-1-5-21-4202146032-850913369-3381557932
>>>>>>> And complains the user's SID is different from its SID.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Soohoon.
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>> We have student domain and staff domain and one LDAP server. We wanted
>>>>> staff members to log onto student domain. So we considered two options:
>>>>> 1. Interdomain trust relationship (
>>>>> http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html)
>>>>>
>>>>> However this option was not good for us as we didn't want to open up
>>>>> the firewall and we wanted staff members to get the proper student
>>>>> experience (i.e. home dirs and profiles on the student server). So that
>>>>> brought us to the second option:
>>>>> 2. ldap translucent proxy overlay (
>>>>> http://linux.die.net/man/5/slapo-translucent)
>>>>> In this setting we override sids (i.e. domain sid part of the staff
>>>>> domain is substituted with student domain portion of the sid) for users and
>>>>> groups and point samba to the overlay. Bear in mind that all of the changes
>>>>> made by samba like machine passwords, user passwords, idmap mappings etc
>>>>> will go no further than the proxy so great care must be taken in LDAP setups
>>>>> that use referrals.
>>>>>
>>>>>
>>>>> Now the most important question is what do you use your two domains for?
>>>>>
>>>>> HTH
>>>>>
>>>>> Lukasz
>>>>>
>>>>
>>>> Ah sorry I didn't read the Subject line properly you do not want PDC. As
>>>> Andy pointed out maybe you should have one of the servers as a domain member
>>>> of the other domain
>>>>
>>>> Lukasz
>>>>
>>>
>>>
>>
>
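The SID mismatch described in this thread (each server minting its own sambaDomainName entry under its hostname, so its users' SIDs no longer fall under DOMSMB) can be spotted in the directory before it breaks authentication. Added example, not from the thread or the Samba project: it parses a constructed LDIF dump containing the two domain entries quoted above plus two hypothetical users (alice, bob) and reports stray domain entries and any user whose SID prefix does not belong to the intended domain.

```python
import re

# Constructed sample LDIF: the two sambaDomainName entries quoted in the thread
# plus two hypothetical users, one created under DOMSMB and one under SRV6.
SAMPLE_LDIF = """\
dn: sambaDomainName=DOMSMB,dc=my-domain,dc=com
sambaDomainName: DOMSMB
sambaSID: S-1-5-21-2479917030-3150298425-213194246

dn: sambaDomainName=SRV6,dc=my-domain,dc=com
sambaDomainName: SRV6
sambaSID: S-1-5-21-4202146032-850913369-3381557932

dn: uid=alice,ou=Users,dc=my-domain,dc=com
uid: alice
sambaSID: S-1-5-21-2479917030-3150298425-213194246-1000

dn: uid=bob,ou=Users,dc=my-domain,dc=com
uid: bob
sambaSID: S-1-5-21-4202146032-850913369-3381557932-1002
"""

def parse_ldif(text):
    """Split blank-line-separated LDIF entries into {attr: [values]} dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                attr, value = line.split(":", 1)
                entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def sid_prefix(sid):
    """Drop the trailing RID: S-1-5-21-a-b-c-1000 -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]

def check_domain_consistency(ldif_text, expected_domain):
    """Return (stray domain names, users whose SID is not under expected_domain)."""
    entries = parse_ldif(ldif_text)
    domains = {e["sambaDomainName"][0]: e["sambaSID"][0]
               for e in entries if "sambaDomainName" in e}
    stray = sorted(d for d in domains if d != expected_domain)
    expected_sid = domains[expected_domain]
    bad_users = sorted(e["uid"][0] for e in entries
                       if "uid" in e and "sambaSID" in e
                       and sid_prefix(e["sambaSID"][0]) != expected_sid)
    return stray, bad_users

if __name__ == "__main__":
    print(check_domain_consistency(SAMPLE_LDIF, "DOMSMB"))  # (['SRV6'], ['bob'])
```

On a live directory, feed it the output of an ldapsearch over the ldap suffix from smb.conf instead of the constructed sample.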
