[Samba] Idmap + LDAP + winbind: our first BDC - doubts about idmap ranges and winbindd + Idmap dn

casfre at gmail.com casfre at gmail.com
Wed Feb 4 01:53:35 GMT 2009


Hi,

    My doubt is about Idmap + LDAP + winbind, related to BDC + PDC. We
are using Samba 3.0.33 (Slackware 12.0.0).

    Our layout is almost like this one
http://us1.samba.org/samba/docs/man/Samba-Guide/images/chap6-net.png,
but we have more BLDGn than this example.

    Actually, we are taking ideas from
http://us1.samba.org/samba/docs/man/Samba-Guide/happy.html
and from http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html.

    We are reading the docs again, but I would like to clarify some
points, if possible, to understand "the picture".

    We have never had a BDC before. Winbindd is not running on our
PDC. We want a BDC to divide the authentication load with our PDC.
Initially, we will install just one BDC. We have been using Samba +
LDAP (with SSL) + smbldap-tools since the beginning, so our users (people
and machines) are all in the LDAP base. In the future, if the results
are good, we will install more BDCs, using the same logic.

    We have idmap uid and idmap gid with the 10000 - 20000 default values
(smb.conf on the PDC). We already have more than 20000 users in our base
(actually, more than 20000 uids; some of them were deleted). We use
nss_ldap + nscd on our PDC (nsswitch). We need to have UID/GID/SID
constant on all servers (PDC + BDCs). We used roaming profiles in the
past, but we are not using them now. Users' home directories are
available using the [homes] service (drive Y:).

    At this moment we will use the strategy of one LDAP master for the
two servers. We are planning to have slave LDAPs, but not now.

    Our conclusions until now:

    Modify smb.conf on the PDC to use:

    -idmap backend = ldaps://ourldap
    -idmap uid = 2147483648 - 4294967295
    -idmap gid = 2147483648 - 4294967295

    Modify smb.conf on the BDC according to the PDC's smb.conf, using
the same lines above.
    Sure, we will configure/adjust the BDC with nss_ldap and do the tests
from the guides I already mentioned.

    What we are worried about follows:

    -Must winbindd run on the PDC?
    -Are our intended idmap (uid and gid) ranges acceptable (32-bit OS)?
    -Is winbindd "the man" that will use the idmap values and maintain the LDAP Idmap dn?
    -Will only winbindd running on the BDCs modify the LDAP Idmap dn?
    -If we run winbindd (with LDAP) and "mess the whole thing up", can we
just start again without "destroying" our PDC UID/GID/SID? We have a
backup of the LDAP base. We do not want to, but we can restore the base in
the case of a "disaster".
    -Home directories will be kept only on the PDC. Is it enough to adjust
the maps (logon path, logon drive etc.) on the BDC to reference the PDC? I
mean, instead of \\%L\... we will use \\OURPDCNAME\...

     I know these are a lot of questions, but we are trying to avoid
problems and to understand as much as we can before setting up our
first BDC.

     Thanks for your attention.

     Best regards,

Cássio
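The question above is really about whether the planned idmap ranges are safe and whether winbind-allocated IDs can collide with the uidNumber/gidNumber values that smbldap-tools has already assigned in LDAP. The script below is an added example and is not code from the original post, from Samba or from smbldap-tools; the smb.conf fragment and the lists of existing IDs are constructed samples (one ID is deliberately planted inside the idmap range so the collision check fires). It parses the "idmap backend", "idmap uid" and "idmap gid" lines, checks that each range fits a 32-bit unsigned uid_t, is not the (uid_t)-1 sentinel that chown(2) treats as "no change", and does not overlap the IDs already in use. In a real deployment the existing-ID lists would come from `getent passwd`/`getent group` on a host using nss_ldap, or from an LDAP search for uidNumber/gidNumber.

```python
import re

# Constructed sample smb.conf fragment (not the poster's actual file); it uses
# the ranges quoted in the message above, in Samba 3.0 "backend:url" syntax.
SAMPLE_SMB_CONF = """
[global]
   workgroup = OURDOM
   idmap backend = ldap:ldaps://ourldap
   idmap uid = 2147483648 - 4294967295
   idmap gid = 2147483648 - 4294967295
"""

# Constructed sample of uidNumber/gidNumber values already assigned in LDAP
# (what `getent passwd | cut -d: -f3` would return through nss_ldap). The value
# 2147483650 is planted inside the idmap range to show the collision check.
SAMPLE_UIDS = [1000, 10001, 19999, 20480, 2147483650]
SAMPLE_GIDS = [513, 10001, 15000]

UID_T_MAX = 2**32 - 1       # largest value a 32-bit unsigned uid_t/gid_t can hold
INVALID_ID = UID_T_MAX      # (uid_t)-1: "no change"/invalid sentinel for chown(2) etc.
SIGNED_INT_MAX = 2**31 - 1  # IDs above this break any consumer storing them in a signed int

IDMAP_RE = re.compile(r"^\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I | re.M)
BACKEND_RE = re.compile(r"^\s*idmap\s+backend\s*=\s*(\S+)", re.I | re.M)


def parse_idmap(conf_text):
    """Extract the idmap backend and uid/gid ranges from smb.conf text."""
    result = {"backend": None, "uid": None, "gid": None}
    m = BACKEND_RE.search(conf_text)
    if m:
        result["backend"] = m.group(1)
    for kind, lo, hi in IDMAP_RE.findall(conf_text):
        result[kind.lower()] = (int(lo), int(hi))
    return result


def check_range(kind, rng, existing):
    """Return a list of findings (strings) for one 'idmap uid'/'idmap gid' range."""
    findings = []
    if rng is None:
        findings.append(f"{kind}: no 'idmap {kind}' range set; winbind cannot allocate IDs")
        return findings
    lo, hi = rng
    if lo > hi:
        findings.append(f"{kind}: range {lo}-{hi} is inverted (low > high)")
    if hi > UID_T_MAX:
        findings.append(f"{kind}: upper bound {hi} does not fit a 32-bit uid_t")
    if hi == INVALID_ID:
        findings.append(f"{kind}: upper bound {hi} is the (uid_t)-1 sentinel; keep the range below it")
    if hi > SIGNED_INT_MAX:
        findings.append(f"{kind}: range exceeds the signed 32-bit int limit {SIGNED_INT_MAX}; "
                        "verify every tool on the path handles such IDs")
    clashes = sorted(i for i in existing if lo <= i <= hi)
    if clashes:
        findings.append(f"{kind}: {len(clashes)} existing {kind}Number value(s) fall inside "
                        f"{lo}-{hi} (e.g. {clashes[:3]}); winbind-allocated IDs would "
                        "collide with LDAP-assigned ones")
    return findings


def audit(conf_text, existing_uids, existing_gids):
    """Audit an smb.conf fragment against the IDs already assigned in the directory."""
    cfg = parse_idmap(conf_text)
    findings = []
    if not (cfg["backend"] or "").lower().startswith("ldap"):
        findings.append("backend: idmap backend is not LDAP; each server would keep a private "
                        "tdb map and SID->ID results would differ between PDC and BDC")
    findings += check_range("uid", cfg["uid"], existing_uids)
    findings += check_range("gid", cfg["gid"], existing_gids)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SMB_CONF, SAMPLE_UIDS, SAMPLE_GIDS):
        print(finding)
```

Run against the constructed sample it reports the (uid_t)-1 upper bound, the range above the signed 32-bit limit, and the planted uidNumber collision; a range that sits entirely outside the IDs already in the directory and stays below the sentinel produces no range findings. The collision check is the important one: once winbind starts allocating from a range that overlaps existing uidNumbers, two different SIDs can resolve to the same Unix ID on the BDC and file ownership checks no longer mean what they appear to.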

