[Samba] samba PDC + BDCs + LDAP
Mariano Absatz
el.baby at gmail.com
Thu Oct 8 15:28:14 MDT 2009
Hi,
I'm not a seasoned samba user but I do have a little experience with it
(mostly small setups with plain smbpasswd file and a few workstations).
I also have some experience with OpenLDAP and I've even written some
objectclasses and attributes when the standard ones weren't enough
However, I'm trying to set up a midsized network using LDAP for SSO and
I can't make samba work as I'd like...
I'm probably doing something stupid or haven't read (or understood) the
right part of the docs... any pointer will be greatly appreciated.
I have 5 offices and a central (hosted) server.
This hosted server has a few virtual machines, each providing mostly
only one service.
I have an LDAP server for authentication and eventually corporate white
pages with OpenLDAP, a mail server with postfix and dovecot, a web
server and an intranet web application.
I already created the users for the mail server and the web application
in OpenLDAP and that's working just fine.
I have one Linux server in each of the 5 offices; currently it only
works as a VPN endpoint (the hosted server acts as an OpenVPN server).
There are independent Windows 2000 or 2003 servers in 3 of the 5
offices, each with its own domain (all with the same name, although
they are disjoint).
I want to replace the windows servers with the linux servers for file
and print sharing... I don't need to migrate the accounts, there are not
a lot of users and I can actually ask every user to put their password
again once to initialize the samba accounts.
I don't want to use roaming profiles.
What I tried to do (and failed) was to install one samba server as a PDC
in a virtual machine which wouldn't actually authenticate users, and make
each of the Linux servers in the offices a BDC for the same domain...
for the time being, I'm using only the master LDAP server in the hosted
server, but I will eventually make a slave LDAP server in each office
server (I didn't want to fight samba and LDAP replication at the same time).
I created the PDC and filled it up with "net sam provision"... I then
created one of the BDCs and I convinced it to add a user that was
already in the LDAP tree using "smbpasswd -a user"...
However, when I then tried to add a Windows XP host to the domain, I
couldn't do it... apparently, it can't find any DC even though I tried
manually configuring the WINS server on the Windows machine.
Here's the configuration for the PDC:
[global]
	workgroup = MYCOMPANY
	netbios aliases = samba0, samba-pdc
	server string = %h server (Samba, Ubuntu)
	map to guest = Bad User
	passdb backend = ldapsam:ldap://ldap0.i.mycompany.org
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	logon path =
	logon home =
	domain logons = Yes
	dns proxy = No
	# this host is the domain's WINS server
	wins support = Yes
	ldap admin dn = cn=admin,cn=config
	ldap group suffix = ou=groups
	ldap idmap suffix = ou=idmap
	ldap machine suffix = ou=hosts
	ldap passwd sync = yes
	ldap suffix = o=mycompany
	ldap ssl = no
	ldap user suffix = ou=people
	usershare allow guests = Yes
	panic action = /usr/share/samba/panic-action %d
	idmap alloc backend = ldap
	idmap uid = 90000-99999
	idmap gid = 90000-99999
	winbind enum users = Yes
	winbind enum groups = Yes
	idmap alloc config:range = 100000-500000
	idmap alloc config:ldap_user_dn = cn=admin,cn=config
	idmap alloc config:ldap_base_dn = ou=idmap,o=mycompany
	idmap alloc config:ldap_url = ldap://ldap0.i.mycompany.org
	idmap config MYCOMPANY:range = 100000-500000
	idmap config MYCOMPANY:default = yes
	idmap config MYCOMPANY:readonly = no
	idmap config MYCOMPANY:ldap_base_dn = ou=idmap,o=mycompany
	idmap config MYCOMPANY:ldap_user_dn = cn=admin,cn=config
	idmap config MYCOMPANY:ldap_url = ldap://ldap0.i.mycompany.org
	idmap config MYCOMPANY:backend = ldap
	ldapsam:editposix = yes
	ldapsam:trusted = yes

[netlogon]
	comment = Network Logon Service
	path = /var/lib/samba/netlogon
	guest ok = Yes

[printers]
	comment = All Printers
	path = /var/spool/samba
	create mask = 0700
	printable = Yes
	browseable = No

[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers
And here's the configuration for the BDC:
[global]
	workgroup = MYCOMPANY
	netbios aliases = ar, mycompany-ar
	server string = %h server (Samba, Ubuntu)
	map to guest = Bad User
	passdb backend = ldapsam:ldap://ldap0.i.mycompany.org
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	logon path =
	logon home =
	domain logons = Yes
	# BDC: never the domain master browser
	domain master = No
	dns proxy = No
	wins proxy = Yes
	# WINS is provided by the PDC
	wins server = 10.3.14.25
	ldap admin dn = cn=admin,cn=config
	ldap group suffix = ou=groups
	ldap idmap suffix = ou=idmap
	ldap machine suffix = ou=hosts
	ldap passwd sync = yes
	ldap suffix = o=mycompany
	ldap ssl = no
	ldap user suffix = ou=people
	usershare allow guests = Yes
	panic action = /usr/share/samba/panic-action %d
	idmap alloc backend = ldap
	idmap uid = 90000-99999
	idmap gid = 90000-99999
	winbind enum users = Yes
	winbind enum groups = Yes
	idmap alloc config:range = 100000-500000
	idmap alloc config:ldap_user_dn = cn=admin,cn=config
	idmap alloc config:ldap_base_dn = ou=idmap,o=mycompany
	idmap alloc config:ldap_url = ldap://ldap0.i.mycompany.org
	idmap config MYCOMPANY:range = 100000-500000
	idmap config MYCOMPANY:default = yes
	idmap config MYCOMPANY:readonly = no
	idmap config MYCOMPANY:ldap_base_dn = ou=idmap,o=mycompany
	idmap config MYCOMPANY:ldap_user_dn = cn=admin,cn=config
	idmap config MYCOMPANY:ldap_url = ldap://ldap0.i.mycompany.org
	idmap config MYCOMPANY:backend = ldap
	ldapsam:editposix = yes
	ldapsam:trusted = yes

[netlogon]
	comment = Network Logon Service
	path = /var/lib/samba/netlogon
	guest ok = Yes

[printers]
	comment = All Printers
	path = /var/spool/samba
	create mask = 0700
	printable = Yes
	browseable = No

[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers
One thing that makes me a little suspicious is that running "smbclient
-L localhost -N" on the BDC doesn't show me the master:
	Domain=[MYCOMPANY] OS=[Unix] Server=[Samba 3.3.2]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk      Network Logon Service
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (storni server (Samba, Ubuntu))
	Domain=[MYCOMPANY] OS=[Unix] Server=[Samba 3.3.2]

	Server               Comment
	---------            -------
	AR                   storni server (Samba, Ubuntu)
	MYCOMPANY-AR         storni server (Samba, Ubuntu)
	STORNI               storni server (Samba, Ubuntu)

	Workgroup            Master
	---------            -------
	MYCOMPANY
When I do the same in the PDC, I see:
	Domain=[CEJIL] OS=[Unix] Server=[Samba 3.3.2]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk      Network Logon Service
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (auth0 server (Samba, Ubuntu))
	Domain=[CEJIL] OS=[Unix] Server=[Samba 3.3.2]

	Server               Comment
	---------            -------
	AUTH0                auth0 server (Samba, Ubuntu)
	SAMBA-PDC            auth0 server (Samba, Ubuntu)
	SAMBA0               auth0 server (Samba, Ubuntu)

	Workgroup            Master
	---------            -------
	CEJIL                AUTH0
What can I be doing wrong?
TIA
--
Mariano Absatz - "El Baby"
el.baby at gmail.com
www.clueless.com.ar
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
If knowledge can create problems, it is not through
ignorance that we can solve them.
-- Isaac Asimov
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
* TagZilla 0.066 * http://tagzilla.mozdev.org
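As an added example (not part of the post above and not Samba's own tooling), here is the side-by-side check a practitioner would run over a PDC and a BDC configuration before looking at browsing or joins: testparm validates each smb.conf on its own, but the Samba 3 PDC/BDC rules are about the pair. The two [global] fragments embedded below are constructed, trimmed copies of the configs quoted in the message, limited to the keys the checks read; the "error" rules are Samba 3 requirements for a domain with one PDC and BDCs on a shared ldapsam backend, and the two "warn" rules are heuristics about the LDAP bind that this editor adds (cleartext LDAP exposes the `ldap admin dn` password and the NT hashes it reads; an admin DN outside `ldap suffix` needs explicit write ACLs there, since an OpenLDAP rootdn is only implicit in its own database).

```python
"""Consistency lint for a Samba 3 PDC/BDC pair on a shared ldapsam backend.

Added example, not code from the original post or from Samba. The [global]
fragments below are constructed, trimmed copies of the PDC and BDC configs
quoted in the message, limited to the keys the checks look at.
"""
import configparser

PDC_CONF = """\
[global]
workgroup = MYCOMPANY
netbios aliases = samba0, samba-pdc
passdb backend = ldapsam:ldap://ldap0.i.mycompany.org
domain logons = Yes
wins support = Yes
ldap admin dn = cn=admin,cn=config
ldap suffix = o=mycompany
ldap ssl = no
"""

BDC_CONF = """\
[global]
workgroup = MYCOMPANY
netbios aliases = ar, mycompany-ar
passdb backend = ldapsam:ldap://ldap0.i.mycompany.org
domain logons = Yes
domain master = No
wins proxy = Yes
wins server = 10.3.14.25
ldap admin dn = cn=admin,cn=config
ldap suffix = o=mycompany
ldap ssl = no
"""

FALSE = ("no", "false", "0", "off")


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; keys are lower-cased."""
    # interpolation=None: values such as 'log file = log.%m' contain '%'.
    # delimiters=('=',): keys like 'idmap config DOM:range' contain ':'.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return {s: {k: v.strip() for k, v in cp[s].items()} for s in cp.sections()}


def is_true(value):
    return value.strip().lower() in ("yes", "true", "1", "on")


def ldap_encrypted(g):
    """True if the ldapsam connection is wrapped in TLS (ldaps:// URL or START TLS)."""
    url = g.get("passdb backend", "").lower()
    return url.startswith("ldapsam:ldaps://") or \
        g.get("ldap ssl", "off").lower() in ("start tls", "start_tls", "on", "yes")


def check_pair(pdc, bdc):
    """Return [(severity, message)] for a PDC/BDC pair; severity is 'error' or 'warn'."""
    out = []
    p, b = pdc["global"], bdc["global"]

    # 1. Both DCs must serve the same domain out of the same account database.
    for key in ("workgroup", "passdb backend", "ldap suffix"):
        if p.get(key, "").lower() != b.get(key, "").lower():
            out.append(("error", f"'{key}' differs between PDC and BDC"))

    # 2. Role split: both answer domain logons, only the PDC is domain master.
    for name, g in (("PDC", p), ("BDC", b)):
        if not is_true(g.get("domain logons", "no")):
            out.append(("error", f"{name} must set 'domain logons = yes'"))
    if p.get("domain master", "auto").lower() in FALSE:
        out.append(("error", "PDC must not set 'domain master = no' "
                             "(the default 'auto' becomes yes with domain logons)"))
    if b.get("domain master", "auto").lower() not in FALSE:
        out.append(("error", "BDC must set 'domain master = no'"))

    # 3. WINS: one server (the PDC here); every other host points at it.
    for name, g in (("PDC", p), ("BDC", b)):
        if is_true(g.get("wins support", "no")) and g.get("wins server"):
            out.append(("error", f"{name}: 'wins support = yes' and 'wins server' "
                                 "are mutually exclusive"))
    if is_true(p.get("wins support", "no")) and not b.get("wins server"):
        out.append(("error", "BDC must point 'wins server' at the PDC"))

    # 4. LDAP bind hygiene (heuristic warnings, not hard Samba requirements).
    for name, g in (("PDC", p), ("BDC", b)):
        if not ldap_encrypted(g):
            out.append(("warn", f"{name}: ldapsam traffic is cleartext; the 'ldap admin dn' "
                                "password and sambaNTPassword hashes cross the wire unencrypted"))
        admin = g.get("ldap admin dn", "").lower()
        suffix = g.get("ldap suffix", "").lower()
        if admin and suffix and not admin.endswith(suffix):
            out.append(("warn", f"{name}: 'ldap admin dn' is outside 'ldap suffix'; it needs "
                                "write ACLs there (an OpenLDAP rootdn is only implicit in its own database)"))
    return out


def lint(pdc_text, bdc_text):
    return check_pair(parse_smb_conf(pdc_text), parse_smb_conf(bdc_text))


if __name__ == "__main__":
    for sev, msg in lint(PDC_CONF, BDC_CONF):
        print(f"{sev:5} {msg}")
```

Run against the two posted fragments it reports no errors and four warnings (cleartext LDAP and the out-of-tree admin DN, once per host). One thing a config lint cannot see is the domain SID, which a BDC must share with its PDC: compare `net getlocalsid` on both hosts, and on a BDC that differs, pull it from the PDC with `net rpc getsid` before joining any workstation.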