Phil Burrow wrote:
Bjoern Tore Sund wrote:

 >> If you do "net getlocalsid" on each of your SLES machines, the SID
 >> that is returned should be the same for all of them if you want them
 >> all to be controllers on your domain. If it's not, pick the SID you
 >> want - i.e. the sambaSID all your users have in their LDAP records -
 >> then "net setlocalsid MYDOMAINSID" on the servers you wish to change
 >> to that SID. (NB: On a domain, "net getlocalsid" and "net getlocalsid
 >> MYDOMAIN" should return the same.)

It seems clear that my Samba servers are rather opinionated about what a domain is and which one they are members of:
ukl-felles:~ # net getlocalsid
SID for domain UKL-FELLES is: S-1-5-21-1347351597-3932655379-226643757
ukl-felles:~ # net setlocalsid  S-1-5-21-556026149-4105021892-2038178009
ukl-felles:~ # net getlocalsid
SID for domain UKL-FELLES is: S-1-5-21-1347351597-3932655379-226643757

The sambasid entry in LDAP for sambadomainname=ukl-felles didn't change. This server also has, and always has had:
[global]
        workgroup = UNIX
        realm = UNIX.UIB.NO
        server string = ukl-felles
        netbios name = ukl-felles
        os level = 30
        security = user
        allow trusted domains = yes
        domain master = no
        local master = no
        encrypt passwords = yes

The problem is security=user, I assume; on the other hand, all docs I've looked at say this is the setting when running Samba with an LDAP backend, as opposed to an AD backend. security=domain means the server stops responding to SMB connections.

 >> Then go into your LDAP directory and delete all but one of the
 >> sambaDomainName=UNIX entries, and ensure the remaining one has
 >> sambaSID set to MYDOMAINSID.
 >>
 >> That is probably all you need to do.
 >
 > Thanks a lot.  The last remaining question is then what happens when I
 > rename sambaDomainname=ukl-samba to sambaDomainname=unix and proceed
 > from there?

 > This is why you need to test it before doing it ;)

Yes, but ever so carefully, and based on as much of other people's pain as possible. :)

 > If your intention is to consolidate your 4 domains into one, with a PDC
 > and some BDCs, then provided the sambaSID in the user records is the same
 > as the domain SID, your setup - with your 4 servers each having the same
 > SID - should work correctly.
 >
 > The problem becomes one of how to convince all the servers that they are
 > not their own domain, they want to go with the common one as their domain
 > name.
 >
 > You might need to re-add your client machines to the new domain. I don't
 > know if Windows could handle the domain name changing but having the same
 > SID.
 >
 > If you are using roaming profiles or things such as this you might
 > encounter Windows complaining if the SID changes, but if you use the
 > sambaSID you already have then it shouldn't do.

No Windows here, this is the cifs disk server for 800 Linux clients. None of which are members of the domain in any meaningful way. I just want all the servers to authenticate against the same LDAP server, the domain is irrelevant for functionality. Hmmm. Which means that I might just get away with setting the same SID on all four domains and leave it at that... ?

-BT
--
Bjørn Tore Sund       Phone: 555-84894   Email:   [EMAIL PROTECTED]
IT department         VIP:   81724       Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.
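A small consistency check for the procedure Phil describes, added here as my own example (not code from the thread or from Samba): it parses the "net getlocalsid" line from each prospective PDC/BDC, counts how many distinct SIDs are reported, and verifies that every user's sambaSID carries the domain SID you intend to keep. The sample output and user SIDs are constructed from the two SIDs quoted in the thread; the host and domain names are hypothetical.

```shell
#!/bin/sh
# Extract the S-1-5-21-... SID from one line of "net getlocalsid" output.
sid_from_getlocalsid() {
    printf '%s\n' "$1" | sed -n 's/.*is: *\(S-1-5-21-[0-9-]*\).*/\1/p'
}

# Strip the trailing RID from a user or group sambaSID to get its domain SID.
domain_sid_of() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# Given one "net getlocalsid" line per server (newline separated), print the
# number of distinct SIDs. 1 means every server agrees on the domain SID.
count_distinct_local_sids() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] && sid_from_getlocalsid "$line"
    done | sort -u | wc -l | tr -d ' '
}

# Return 0 if every sambaSID in the newline-separated list $2 belongs to the
# domain SID $1; otherwise print the offenders and return 1.
users_in_domain() {
    dom="$1"
    printf '%s\n' "$2" | while IFS= read -r usid; do
        [ -z "$usid" ] && continue
        [ "$(domain_sid_of "$usid")" = "$dom" ] || echo "MISMATCH $usid"
    done | grep MISMATCH && return 1
    return 0
}

# Constructed sample data (hypothetical hosts) using the SIDs from the thread:
# the two servers still report different local SIDs, as in the session above.
GETLOCALSID_OUT='SID for domain UKL-FELLES is: S-1-5-21-1347351597-3932655379-226643757
SID for domain UKL-SAMBA is: S-1-5-21-556026149-4105021892-2038178009'
USER_SIDS='S-1-5-21-556026149-4105021892-2038178009-3000
S-1-5-21-556026149-4105021892-2038178009-3002'
WANTED_DOMAIN_SID='S-1-5-21-556026149-4105021892-2038178009'

echo "distinct local SIDs: $(count_distinct_local_sids "$GETLOCALSID_OUT")"
users_in_domain "$WANTED_DOMAIN_SID" "$USER_SIDS" && echo "all users in $WANTED_DOMAIN_SID"
```

In real use, feed it the captured "net getlocalsid" output from each host and the sambaSID values from an ldapsearch of your user entries; only when the count is 1 and no MISMATCH lines appear is the SID side of the consolidation done.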