"Freeman, Peter (ERHS)" wrote:
>
> Hi List(s)
>
> I'm in the process of configuring a new PDC using Samba 2.2.5.
> At the present time we have 9 other Samba PDCs in nonconnected
> sites. In the next few months, these sites will become part of
> a WAN and we're looking to migrate authentication for these
> servers to a single box, for obvious administration benefits.
> The client base is primarily Win2k, SP2 & SP3.
>
> Now I'm making the presumption that Samba + LDAP is the right path
> to go down in this type of situation, correct me if I'm wrong, I've
> only been looking into this for the past week or so, and yes I've
> been reading the Samba docs and the OpenLDAP docs, so don't tell me
> to RTFM :), I'm just after real world experiences here....
>
> Can anyone with experience in this type of setup comment on any
> issues they struck while migrating from smbpasswd based systems
> to central LDAP authentication.
>
> What version of OpenLDAP would you recommend? 2.0.x or 2.1.x?
> Pros/cons for either version? I notice the schema file packaged with
> Samba has support for 2.1.x.
I had to move to 2.1 because of database corruption issues with 2.0
(Net::LDAP scripts seem to trigger some bug on the ldap server side).

If running 2.1, I think you will need Samba 2.2.6pre2 if you are not
keeping your unix accounts in ldap too. (But given the setup, I presume
you are).

> Were there any issues in migrating existing users, ie: file permissions,
> profiles, etc?

If you are migrating between domains, then this will be an issue, because
you will have one global UID and RID space, rather than one-per-site. You
will probably have to solve this manually. You will therefore need to
rejoin machines to the domain etc.

> What is the speed like over a WAN environment for a local Samba box
> to authenticate against a remote LDAP server, over say a 64k link?
>
> Any other comments?

Samba can hit your LDAP server *hard*. I would suggest keeping LDAP on
localhost if at all possible - and use LDAP replication from there. So
make the on-site machines BDCs, and have one PDC centrally. This type of
solution has been implemented.

Watch out your version of nss_ldap - some are buggy and cause a lot of
'connection reset by peer' stuff.

Andrew Bartlett

--
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
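As an added illustration of the layout Andrew recommends (one central PDC, a BDC per site, each Samba talking only to a slapd on its own host and the site copies fed by LDAP replication), here are two Samba 2.2-style smb.conf fragments. This is example configuration written for this page, not Andrew's or the Samba team's own files; the workgroup EXAMPLE, the suffix dc=example,dc=com, the host names and the admin DN are made-up placeholders, and it assumes a Samba 2.2.x build with ldapsam support and the same Samba schema loaded on every slapd.

```ini
# File 1 of 2: smb.conf on the central PDC
# (Samba 2.2.x built with LDAP SAM support; names below are assumptions)
[global]
   workgroup = EXAMPLE
   netbios name = PDC
   security = user
   encrypt passwords = yes
   domain logons = yes
   # the single domain master for the whole WAN
   domain master = yes
   preferred master = yes
   local master = yes
   os level = 65
   # Samba hits LDAP hard: talk to the slapd on this host,
   # never across the slow link
   ldap server = localhost
   ldap port = 389
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=samba-admin,dc=example,dc=com
   # the bind password for that DN is stored with: smbpasswd -w <secret>
   # off is acceptable only because slapd is on localhost;
   # use start_tls the moment the server is remote
   ldap ssl = off
   # machine trust accounts for re-joining the Win2k clients after the
   # move to a single UID/RID space
   add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
   # %L resolves to whichever DC answered, so a site BDC serves its own
   # clients' profiles and logon homes
   logon path = \\%L\profiles\%U
   logon drive = H:
   logon home = \\%L\%U

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes
   write list = root

[profiles]
   path = /var/lib/samba/profiles
   read only = no
   create mask = 0600
   directory mask = 0700

# File 2 of 2: smb.conf on a site BDC
# Same build and schema; the only policy differences are that it is not the
# domain master and that its ldap server is the local read replica of the
# PDC's directory, so authentication never waits on the WAN.
[global]
   workgroup = EXAMPLE
   netbios name = BDC-SITE1
   security = user
   encrypt passwords = yes
   domain logons = yes
   # only the central box may be domain master
   domain master = no
   preferred master = yes
   local master = yes
   os level = 65
   # local replica slapd, not the central server
   ldap server = localhost
   ldap port = 389
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=samba-admin,dc=example,dc=com
   ldap ssl = off
   logon path = \\%L\profiles\%U
   logon drive = H:
   logon home = \\%L\%U

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes

[profiles]
   path = /var/lib/samba/profiles
   read only = no
   create mask = 0600
   directory mask = 0700
```

The replication itself is OpenLDAP's job, not Samba's. With OpenLDAP 2.0/2.1 that means slurpd: the PDC's slapd.conf carries a replogfile plus one replica stanza per site (host=, binddn=, bindmethod=simple, credentials=), and each BDC's slapd.conf carries the matching updatedn and an updateref pointing back at the central slapd, so the site copy is writable only by the replication DN and any other write (a machine password change, for instance) is referred to the master rather than silently diverging. Two practical checks before trusting the setup: confirm with ldapsearch against localhost on each BDC that a freshly created PDC account has arrived, and watch the slurpd rejection log, because a replica that is quietly out of date is the failure mode a 64k link makes most likely.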
