Re: [Samba] Samba/LDAP Domains and multiple File Servers

2006-03-22 Thread simo
The only SID that matters on a DC is the domain SID, if they are
identical all should be fine, setting the BDC "local" SID to that of the
domain does not harm anyway.

Simo.

On Wed, 2006-03-22 at 10:07 -0500, Matt Ingram wrote:
> if I run # net getdomainsid I get this:
> 
> PDC (hostname home):
> SID for domain HOME is: S-1-5-21-3186883984-1813041273-1898769360
> SID for domain MYDOMAIN is: S-1-5-21-3186883984-1813041273-1898769360
> 
> BDC:
> SID for domain BDC is: S-1-5-21-1908730498-1878741769-688260909
> SID for domain MYDOMAIN is: S-1-5-21-3186883984-1813041273-1898769360
> 
> 
> Simo, are you saying that my BDC should have the SID of 
> S-1-5-21-3186883984-1813041273-1898769360 ?
> 
> Thanks,
> Matt
> 
> simo wrote:
> > On Wed, 2006-03-22 at 07:16 -0700, Craig White wrote:
> >   
> >> The intent of samba software is that PDC and any/all BDCs have the
> >> exact same LDAP data - at least as far as all Samba user/group/computer
> >> attributes are concerned and a BDC would have its own SID, not the same
> >> SID as the PDC. That would track the methodology of a Windows NT 4 type
> >> DOMAIN.
> >> 
> >
> > Sorry to get into the discussion, but the previous statement is not clear to
> > me and I would like to make it clear that in an NT4 style domain all the
> > DCs must have the same SID, as the DCs have only the DOMAIN SID. This is
> > different from domain members, which have a local machine SID but
> > recognize domain users with the domain SID.
> >
> > Simo.
> >
> >   
> 
-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
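As an added check (not code from the thread or from Samba), the following Python parses `net getdomainsid` output as pasted above and verifies the two points Simo makes: every DC must report the same SID for the domain, and a domain account's sambaSID must be that domain SID followed by a RID. The two sample accounts (names and RIDs) are constructed; the SIDs are the ones quoted in the thread.

```python
import re
from typing import Dict, List, Tuple

# `net getdomainsid` output as pasted in the thread: PDC (hostname "home") and the BDC.
PDC_OUTPUT = """\
SID for domain HOME is: S-1-5-21-3186883984-1813041273-1898769360
SID for domain MYDOMAIN is: S-1-5-21-3186883984-1813041273-1898769360
"""
BDC_OUTPUT = """\
SID for domain BDC is: S-1-5-21-1908730498-1878741769-688260909
SID for domain MYDOMAIN is: S-1-5-21-3186883984-1813041273-1898769360
"""

# Constructed sambaSID values: "alice" was created with smbldap.conf carrying the
# domain SID, "bob" with the BDC's own local SID (the RIDs are made up).
SAMPLE_ACCOUNTS = [
    ("alice", "S-1-5-21-3186883984-1813041273-1898769360-1000"),
    ("bob", "S-1-5-21-1908730498-1878741769-688260909-1002"),
]

SID_LINE = re.compile(r"^SID for domain (\S+) is: (S-1-5-21(?:-\d+){3})$")


def parse_getdomainsid(output: str) -> Dict[str, str]:
    """Map each name printed by `net getdomainsid` to the SID it reports."""
    sids: Dict[str, str] = {}
    for line in output.splitlines():
        m = SID_LINE.match(line.strip())
        if m:
            sids[m.group(1)] = m.group(2)
    return sids


def domain_sid_consistent(domain: str, *outputs: str) -> bool:
    """True only if every DC's output names `domain` and reports the same SID for it."""
    seen = {parse_getdomainsid(o).get(domain) for o in outputs}
    return len(seen) == 1 and None not in seen


def sid_belongs_to_domain(account_sid: str, domain_sid: str) -> bool:
    """A domain account's SID is the domain SID followed by exactly one numeric RID."""
    prefix, sep, rid = account_sid.rpartition("-")
    return sep == "-" and prefix == domain_sid and rid.isdigit()


def accounts_outside_domain(accounts: List[Tuple[str, str]], domain_sid: str) -> List[str]:
    """Names of accounts whose SID was issued under some other SID prefix
    (the situation behind the failed logons described in the thread)."""
    return [name for name, sid in accounts if not sid_belongs_to_domain(sid, domain_sid)]


if __name__ == "__main__":
    domain_sid = parse_getdomainsid(PDC_OUTPUT)["MYDOMAIN"]
    print("DCs agree on MYDOMAIN SID:", domain_sid_consistent("MYDOMAIN", PDC_OUTPUT, BDC_OUTPUT))
    print("accounts with a foreign SID prefix:", accounts_outside_domain(SAMPLE_ACCOUNTS, domain_sid))
```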


Re: [Samba] Samba/LDAP Domains and multiple File Servers

2006-03-22 Thread Matt Ingram

> That sort of makes sense.
> 
> How are the scripts being accessed on the BDC?
> Are you running them from command line on each BDC?
> 
> I hope that the LDAP referenced in your smb.conf is your 'master' LDAP
> server and that the changes to the master propagate to the
> 'slaves' (your BDC) and that may take a few seconds.
> 
> Craig

I am just running the scripts from the command line on the BDC (so far 
just the one BDC).  Our current plan for the domain is:


Building A:
PDC is a server that will just handle the duties of being a PDC,
little to no fileshares.  The Master LDAP is running on this server.

BDCa1 is the primary file server for Building A

Building B
BDCb1 is the primary file server for Building B

Building C
BDCc1 is the primary file server for Building C

Currently, the BDC I've talked about so far is just a dummy server for
testing.  And as of right now, we are not using a Slave LDAP server.


Thanks again, Craig.

--
Matt Ingram
Intermediate Unix Administrator, IS
Canadian Bank Note Company, Limited
\m/


Re: [Samba] Samba/LDAP Domains and multiple File Servers

2006-03-22 Thread Craig White
It should have the same DOMAIN and SID (Simo made me check) ;-)

Craig

On Wed, 2006-03-22 at 10:07 -0500, Matt Ingram wrote:
> if I run # net getdomainsid I get this:
> 
> PDC (hostname home):
> SID for domain HOME is: S-1-5-21-3186883984-1813041273-1898769360
> SID for domain MYDOMAIN is: S-1-5-21-3186883984-1813041273-1898769360
> 
> BDC:
> SID for domain BDC is: S-1-5-21-1908730498-1878741769-688260909
> SID for domain MYDOMAIN is: S-1-5-21-3186883984-1813041273-1898769360
> 
> 
> Simo, are you saying that my BDC should have the SID of 
> S-1-5-21-3186883984-1813041273-1898769360 ?
> 
> Thanks,
> Matt
> 
> simo wrote:
> > On Wed, 2006-03-22 at 07:16 -0700, Craig White wrote:
> >   
> >> The intent of samba software is that PDC and any/all BDCs have the
> >> exact same LDAP data - at least as far as all Samba user/group/computer
> >> attributes are concerned and a BDC would have its own SID, not the same
> >> SID as the PDC. That would track the methodology of a Windows NT 4 type
> >> DOMAIN.
> >> 
> >
> > Sorry to get into the discussion, but the previous statement is not clear to
> > me and I would like to make it clear that in an NT4 style domain all the
> > DCs must have the same SID, as the DCs have only the DOMAIN SID. This is
> > different from domain members, which have a local machine SID but
> > recognize domain users with the domain SID.
> >
> > Simo.
> >
> >   
> 



Re: [Samba] Samba/LDAP Domains and multiple File Servers

2006-03-22 Thread Craig White
On Wed, 2006-03-22 at 10:01 -0500, Matt Ingram wrote:
> 
> >> hmm are you referring to the chapter on Making Happy Users?  That
> >> chapter does not address the scenario I am going for.   The sample
> >> given is still using home drives that reside on the PDC and mounted on
> >> the BDC via NFS; which is not what I'm looking for.  What I'm looking
> >> for is, Site one's users' home drives exclusively running off of BDC1;
> >> site 2's users' home drives exclusively running off of BDC2, and so on.
> >>
> >> Here's what I've tried:
> >> on the BDC's smbldap-tools I've set the smbldap-tools.conf SID to that
> >> of the PDC instead of the BDC's SID, while things like the home drive
> >> are pointing to the BDC, instead of the PDC.  This seems to work, the
> >> way I was hoping.. are you aware of any problems having the setup like
> >> this?
> >> 
> > 
> > let's keep this on list please.
> >
> >   
> > doesn't sound remotely like the samba documentation describes it and if
> > it works for you - great.
> >
> > The intent of samba software is that PDC and any/all BDCs have the
> > exact same LDAP data - at least as far as all Samba user/group/computer
> > attributes are concerned and a BDC would have its own SID, not the same
> > SID as the PDC. That would track the methodology of a Windows NT 4 type
> > DOMAIN.
> >
> >   
> which is what I'm doing.   The BDC still does have its own SID and it 
> uses the exact same ldap data as the PDC.   It's just in the 
> /etc/smbldap-tools/smbldap.conf file on the BDC, I set the SID to use 
> that of the PDC.  When I had the SID set to the BDC (in the 
> smbldap.conf), logons didn't work when an account was generated with the 
> smbldap-useradd on the BDC. I'm assuming the SID of a user on the domain 
> has to have the SID prefix of the PDC, not any other server on the domain.
> > Since a passdb of LDAP or tdb types actually permit you to have user
> > home drives and profiles set individually, it really isn't much effort
> > to assign these paths individually for users to whichever server you
> > want them to use.
> >
> >   
> you're right, it isn't much effort to modify the home drives of users on
> different servers.  But being able to use the smbldap-tools to do all of
> that for you, is a smoother solution, imo - assuming there are no issues
> in doing it.
> > Am I aware of any problems having the setup like you have described
> > yours to be? No - but I tend towards setting things up as they were
> > intended to be done.
> >   
> I don't think I'm doing anything that strange here.. I've just added the
> smbldap-tools to the BDC as well, and modified the smbldap.conf file so
> that it will create users' home drives and ldap settings to use a home
> drive on the BDC.   If I am doing something strange here, in a way samba
> is not intended to be used, please point it out to me. I don't want to
> shoot myself in the foot later on ;).

That sort of makes sense.

How are the scripts being accessed on the BDC?
Are you running them from command line on each BDC? 

I hope that the LDAP referenced in your smb.conf is your 'master' LDAP
server and that the changes to the master propagate to the
'slaves' (your BDC) and that may take a few seconds.

Craig



Re: [Samba] Samba/LDAP Domains and multiple File Servers

2006-03-22 Thread Matt Ingram

if I run # net getdomainsid I get this:

PDC (hostname home):
SID for domain HOME is: S-1-5-21-3186883984-1813041273-1898769360
SID for domain MYDOMAIN is: S-1-5-21-3186883984-1813041273-1898769360

BDC:
SID for domain BDC is: S-1-5-21-1908730498-1878741769-688260909
SID for domain MYDOMAIN is: S-1-5-21-3186883984-1813041273-1898769360


Simo, are you saying that my BDC should have the SID of 
S-1-5-21-3186883984-1813041273-1898769360 ?


Thanks,
Matt

simo wrote:

> On Wed, 2006-03-22 at 07:16 -0700, Craig White wrote:
> > The intent of samba software is that PDC and any/all BDCs have the
> > exact same LDAP data - at least as far as all Samba user/group/computer
> > attributes are concerned and a BDC would have its own SID, not the same
> > SID as the PDC. That would track the methodology of a Windows NT 4 type
> > DOMAIN.
> 
> Sorry to get into the discussion, but the previous statement is not clear to
> me and I would like to make it clear that in an NT4 style domain all the
> DCs must have the same SID, as the DCs have only the DOMAIN SID. This is
> different from domain members, which have a local machine SID but
> recognize domain users with the domain SID.
> 
> Simo.


--
Matt Ingram
Intermediate Unix Administrator, IS
Canadian Bank Note Company, Limited
\m/


Re: [Samba] Samba/LDAP Domains and multiple File Servers

2006-03-22 Thread Matt Ingram

> >> hmm are you referring to the chapter on Making Happy Users?  That
> >> chapter does not address the scenario I am going for.   The sample
> >> given is still using home drives that reside on the PDC and mounted on
> >> the BDC via NFS; which is not what I'm looking for.  What I'm looking
> >> for is, Site one's users' home drives exclusively running off of BDC1;
> >> site 2's users' home drives exclusively running off of BDC2, and so on.
> >>
> >> Here's what I've tried:
> >> on the BDC's smbldap-tools I've set the smbldap-tools.conf SID to that
> >> of the PDC instead of the BDC's SID, while things like the home drive
> >> are pointing to the BDC, instead of the PDC.  This seems to work, the
> >> way I was hoping.. are you aware of any problems having the setup like this?
> 
> let's keep this on list please.
> 
> doesn't sound remotely like the samba documentation describes it and if
> it works for you - great.
> 
> The intent of samba software is that PDC and any/all BDCs have the
> exact same LDAP data - at least as far as all Samba user/group/computer
> attributes are concerned and a BDC would have its own SID, not the same
> SID as the PDC. That would track the methodology of a Windows NT 4 type
> DOMAIN.

which is what I'm doing.   The BDC still does have its own SID and it
uses the exact same ldap data as the PDC.   It's just in the
/etc/smbldap-tools/smbldap.conf file on the BDC, I set the SID to use
that of the PDC.  When I had the SID set to the BDC (in the
smbldap.conf), logons didn't work when an account was generated with the
smbldap-useradd on the BDC. I'm assuming the SID of a user on the domain
has to have the SID prefix of the PDC, not any other server on the domain.

> Since a passdb of LDAP or tdb types actually permit you to have user
> home drives and profiles set individually, it really isn't much effort
> to assign these paths individually for users to whichever server you
> want them to use.

you're right, it isn't much effort to modify the home drives of users on
different servers.  But being able to use the smbldap-tools to do all of
that for you, is a smoother solution, imo - assuming there are no issues
in doing it.

> Am I aware of any problems having the setup like you have described
> yours to be? No - but I tend towards setting things up as they were
> intended to be done.

I don't think I'm doing anything that strange here.. I've just added the
smbldap-tools to the BDC as well, and modified the smbldap.conf file so
that it will create users' home drives and ldap settings to use a home
drive on the BDC.   If I am doing something strange here, in a way samba
is not intended to be used, please point it out to me. I don't want to
shoot myself in the foot later on ;).


Thanks greatly for your help.

Matt

--
Matt Ingram
Intermediate Unix Administrator, IS
Canadian Bank Note Company, Limited
\m/


Re: [Samba] Samba/LDAP Domains and multiple File Servers

2006-03-22 Thread Craig White
On Wed, 2006-03-22 at 09:42 -0500, simo wrote:
> On Wed, 2006-03-22 at 07:16 -0700, Craig White wrote:
> > The intent of samba software is that PDC and any/all BDCs have the
> > exact same LDAP data - at least as far as all Samba user/group/computer
> > attributes are concerned and a BDC would have its own SID, not the same
> > SID as the PDC. That would track the methodology of a Windows NT 4 type
> > DOMAIN.
> 
> Sorry to get into the discussion, but the previous statement is not clear to
> me and I would like to make it clear that in an NT4 style domain all the
> DCs must have the same SID, as the DCs have only the DOMAIN SID. This is
> different from domain members, which have a local machine SID but
> recognize domain users with the domain SID.

you are correct, I was wrong

Thanks

Craig



Re: [Samba] Samba/LDAP Domains and multiple File Servers

2006-03-22 Thread simo
On Wed, 2006-03-22 at 07:16 -0700, Craig White wrote:
> The intent of samba software is that PDC and any/all BDCs have the
> exact same LDAP data - at least as far as all Samba user/group/computer
> attributes are concerned and a BDC would have its own SID, not the same
> SID as the PDC. That would track the methodology of a Windows NT 4 type
> DOMAIN.

Sorry to get into the discussion, but the previous statement is not clear to
me and I would like to make it clear that in an NT4 style domain all the
DCs must have the same SID, as the DCs have only the DOMAIN SID. This is
different from domain members, which have a local machine SID but
recognize domain users with the domain SID.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Samba/LDAP Domains and multiple File Servers

2006-03-22 Thread Craig White
On Wed, 2006-03-22 at 08:43 -0500, Matt Ingram wrote:
> 
> Craig White wrote:
> > --
> > why fly by the seat of your pants on this when the documentation tells
> > you what you need to know?
> >
> > see http://www.samba.org/samba/docs - the "By Example" where it
> > discusses PDC's and BDC's and how to manage them
> >   
> hmm are you referring to the chapter on Making Happy Users?  That
> chapter does not address the scenario I am going for.   The sample
> given is still using home drives that reside on the PDC and mounted on
> the BDC via NFS; which is not what I'm looking for.  What I'm looking
> for is, Site one's users' home drives exclusively running off of BDC1;
> site 2's users' home drives exclusively running off of BDC2, and so on.
> 
> Here's what I've tried:
> on the BDC's smbldap-tools I've set the smbldap-tools.conf SID to that 
> of the PDC instead of the BDC's SID, while things like the home drive 
> are pointing to the BDC, instead of the PDC.  This seems to work, the 
> way I was hoping.. are you aware of any problems having the setup like this?

let's keep this on list please.

doesn't sound remotely like the samba documentation describes it and if
it works for you - great.

The intent of samba software is that PDC and any/all BDCs have the
exact same LDAP data - at least as far as all Samba user/group/computer
attributes are concerned and a BDC would have its own SID, not the same
SID as the PDC. That would track the methodology of a Windows NT 4 type
DOMAIN.

Since a passdb of LDAP or tdb types actually permit you to have user
home drives and profiles set individually, it really isn't much effort
to assign these paths individually for users to whichever server you
want them to use.

Am I aware of any problems having the setup like you have described
yours to be? No - but I tend towards setting things up as they were
intended to be done.

Craig



Re: [Samba] Samba/LDAP Domains and multiple File Servers

2006-03-21 Thread Craig White
On Tue, 2006-03-21 at 09:26 -0500, Matt Ingram wrote:
> Hi All,
> 
> I have a domain setup soon to go into production.  We have 3 buildings,
> each containing a fileserver for that building's users (home drives/share
> drives).   I've been using the smbldap-tools on the PDC, which is all
> working fine.  Is it possible to join another server to the domain, also
> using the smbldap-tools, with a different config, that will set up a
> user's home drive, etc on that server, or will a setup like this need to
> be done manually?   I have a test BDC that I've been playing with trying
> to do this, but if I do smbldap-useradd from the BDC the user can't get
> logged on with an error message "A device attached to the system is not
> functioning" on the windows client (the account does get set up in
> ldap).  In the smbldap-tools config I used the SID of the BDC, which I'm
> guessing might be my problem... should I change that to the SID of the PDC?

why fly by the seat of your pants on this when the documentation tells
you what you need to know?

see http://www.samba.org/samba/docs - the "By Example" where it
discusses PDCs and BDCs and how to manage them

> 
> Also, with a samba/ldap domain setup - how can I allow a user to have
> shell access on one server on the domain, but not on the other servers 
> on the domain?  Can this be done through the domain/ldap, or in this 
> scenario will shell logons have to be managed locally on the individual 
> servers ?

I'm quite certain that is possible but I haven't done it. It is not a
samba question at all but a matter of working through your LDAP
implementation as it relates to the posix structures on each UNIX/Linux
system on which you offer shell accounts, and thus well out of the scope
of this list.

Craig



[Samba] Samba/LDAP Domains and multiple File Servers

2006-03-21 Thread Matt Ingram

Hi All,

I have a domain setup soon to go into production.  We have 3 buildings,
each containing a fileserver for that building's users (home drives/share
drives).   I've been using the smbldap-tools on the PDC, which is all
working fine.  Is it possible to join another server to the domain, also
using the smbldap-tools, with a different config, that will set up a
user's home drive, etc on that server, or will a setup like this need to
be done manually?   I have a test BDC that I've been playing with trying
to do this, but if I do smbldap-useradd from the BDC the user can't get
logged on with an error message "A device attached to the system is not
functioning" on the windows client (the account does get set up in
ldap).  In the smbldap-tools config I used the SID of the BDC, which I'm
guessing might be my problem... should I change that to the SID of the PDC?


Also, with a samba/ldap domain setup - how can I allow a user to have
shell access on one server on the domain, but not on the other servers 
on the domain?  Can this be done through the domain/ldap, or in this 
scenario will shell logons have to be managed locally on the individual 
servers ?


Thanks,

Matt.

--
Matt Ingram
Intermediate Unix Administrator, IS
Canadian Bank Note Company, Limited
\m/
