You almost said what I wanted to hear :) The problem here is that we have 50k accounts in ldap and almost everything authenticates off of it. We started out w/ Samba and one DC in 2 small test labs. Now were looking at putting into a mega lab for 700 machines and hopefully control a bunch of stuff using samba. The problem is that now all the other small colleges (departments) want to have their own control and possibly own domain. Plus I dont want to administer their systems. My first thought was the SID issue but it seems that it worked for you. I've decided to get a consultant in here for like 10 hours to just help may lay out the basic architecture just make sure were doing everything right from the get go before samba gets to big on campus. Oh yeh.. We also have a Tru 64 box that everyone has an account on. It has samba running on it and I joined it o the domain so evryone now gets their files mapped when they log in. We also created a web gui so users can get their files when their off campus.
I hope all of this work doesnt go to waste because we looking at syncing up our AD w/ ldap so then all of these labs would just use AD. I would like to say screw AD but I dont see us kicking it to the curb. ---- Original message ---- >Date: Wed, 12 Jan 2005 07:03:20 -0500 (EST) >From: William Jojo <[EMAIL PROTECTED]> >Subject: Re: [Samba] Re: University's using samba and ldap >To: "Alexander E. Patrakov" <[EMAIL PROTECTED]> >Cc: samba@lists.samba.org > > > > >> [EMAIL PROTECTED] wrote: >> >> > Is there anyone out there from other university's that would >> > be willing to talk to me about you samba layout. We already >> > have it in place but we other colleges within the university >> > that want to start using our setup but want there own >> > domains. I'm kind of confused how this would all work. >> > > >I'd like to offer our success story from Hudson Valley Community College >in New York, USA. > > >We are using Samba as DC for authentication with file and print services. > >Our setup is a bit different from most, I would gather. > >Setup: 3 - AIX 5.2 boxes with Samba 3.0.10 each with different domain >names, but the same SID. This was done to have all three servers share the >same identical LDAP backend. Eventually we'll be one domain, but for now >this works better than we could have hoped for. > >The LDAP server is a fourth AIX box with OpenLDAP 2.2.20 using BerkeleyDB >4.2. I spent much time reading Gerald Carter's LDAP System Administration >book. > >We used to be an smbpasswd type setup. This didn't scale well as we have >19000+ accounts in the database (yes I said 19,000). Also we used to NFS >mount the smbpasswd file from one server to the other two so they shared >the password info. This was simply to offer a single sign on feature and >allowed machines to be in one domain and then have a technician move it to >another at will. > >We didn't use the PADL scripts. They are good scripts, but didn't offer >the flexibility we needed to have complete control of the database (this >was truly a control issue :-) ) and there were additional attributes we >needed to add for sanity checks and reconciliation of users against SCT >Banner. So we wrote our own library of functions and scripts in ksh (sorry >all you perl fans). Essentially we build user accounts outside of AIX and >Samba by creating the entries ourselves. > >We built a C program to search for the next free unix uid in the LDAP >database (which is range tunable to assist in rapid scripting of user >generation) > >We also wrote a piece of C code to migrate the user databases from flat >files to ldif format to preserve all values and add a few more for >in-house maintenance. We used the algorithmic methods of computing the >user and group rid's which is what Samba was doing internally using the >smbpasswd file for authentication info. > >So why did we set the SID's the same? We knew that eventually we'd be a >single domain installation and we knew that moving to LDAP was only months >away, so we set up all the domains that way and rejoined everything in >preparation. > >With assistance from John Terpstra who commented on my plans (posted here >several months ago) who said in theory it looked good, we set forth on >this mission. (Many hours were spent reading his Samba 3 by Example book >as well) We were lucky to also have a four server development area at >the time, so we built everything just like production. We joined the >machines using flat files, migrated to LDAP and pointed the server to the >LDAP master and....amazingly....it all still worked - roaming profiles and >all. > >One thing to note is we also do not use winbindd. AIX uses LDAP internally >for the users and we create the IDMAP entries at the time we create the >users and we have scripts to add the sambagroupmappings when we create a >unix group. So everything is integrated at the point of LDAP. No pam or >nss is involved at all. We use secldapclntd which is part of AIX that >allows us to tell AIX to listen to whatever LDAP we want. As I said >earlier we are running OpenLDAP with BerkeleyDB. We could have chosen >IBM's solution with db2, but honestly, OpenLDAP was just easier. > >I know much of this sounds like reinventing the wheel, but like I said >earlier, we are control freaks. :-) > >This past Sunday we migrated our entire campus to LDAP along with our >three Samba DC's. > >Although we do not savor the potential benefits of AD integration or >interdomain trusts or winbindd caching or anything like that, there is >somehting I have to say to the Samba developers: > > >It works and we are very happy! > > >Institutionally we have been using Samba since version 1.9.x which >replaced our 5 server Novell environment with a single AIX box in 1998. > >My hat is off to all of you. This is truly a wonderful product. > > >Great job everyone! > > >Bill >-- >To unsubscribe from this list go to the following URL and read the >instructions: https://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba