In both methods tried, we can't successfully add XP machines to the domain at the remote locations.
Main Samba is on our main campus, behind a 10.10 internal LAN.
Remote Sambas are on remote campuses, behind a 10.xx network:
10.11
10.12


all connected with our internal LAN via VPN.
######################################################################
Method 1) ALL PDCs, using the same LDAP database (thus inherent problems: all users have SIDs generated with the primary domain's SID)
a) We set up our master LDAP server and Samba server on the same machine.
b) Replicated LDAP to remote Samba servers, and set up referrals, so that transactions to modify LDAP go back to the master.
c) Installed idealx smbldap-tools on all Samba servers, using different SIDs on each server.
d) Attempt to join XP machine to domain using
results:
Samba authenticates users correctly, and users are added correctly.
Adding Samba machine accounts at remote servers errors out, while it works on the main server.
The errors are sporadic, such as can't find domain, can't find user,


questions:
Why would users in the LDAP database generated with the master Samba/LDAP domain/server be able to log in at the remote site/domain... wouldn't the SIDs conflict?
Why would we not be able to join an XP machine to the domain, with the remote server's SID configured in smbldap-tools (remember the remote server has a different SID in smbldap-tools, thus adds users locally, which is referred to the master)?
When run manually, the machine entry gets put into LDAP, and it gets put into LDAP from the XP wizard also,
but it does not get the sambaSamAccount objectclass, along with the SIDs Samba generates, thus causing an error (user not found).


speculations:
Our remote domain needs a "domain admins" group with its SID, so that a root user can be added to LDAP (remoteroot), so machines can be added with that user's info...
The problem is we get these errors with smbldap-tools:
[EMAIL PROTECTED] samba]# smbldap-usershow desroot
/usr/local/sbin/smbldap-usershow: user desroot doesn't exist
[EMAIL PROTECTED] samba]# smbldap-groupshow desdomadm
dn: cn=desdomadm,ou=Groups,dc=bryantschools,dc=org
objectClass: posixGroup,sambaGroupMapping
cn: desdomadm
gidNumber: 1040
sambaSID: S-1-5-21-3567609034-2183773975-620293219-3081
sambaGroupType: 2
[EMAIL PROTECTED] samba]# smbldap-useradd -a -g desdomadm desroot
Use of uninitialized value in pattern match (m//) at /usr/local/sbin//smbldap_tools.pm line 733.
/usr/local/sbin/smbldap-useradd: unknown group desdomadm


thus, I can't test the theory...

#######################################################################
Method 2) Believing method 1 had something to do with an SID problem,
we proceeded to set up the remote locations as BDCs.

a) Set up master LDAP server and Samba server on the same machine.
b) Set up replicas and referrals back to the master.
c) Set up remote servers as BDCs using the same SID.
d) Set up the SID in smbldap-tools to be the same.

results:
Samba added the XP machines to the domain, but we could not log in upon reboot.


questions:
On method 1 above, we have some users that get special shares based upon the %m, meaning the domain they put in the login box.
This works on the PDC, but we can't get it to work on a BDC. (Why don't domain aliases work on a BDC?)



This e-mail mentions that the correct way to do multiple domains in the same LDAP database is different branches...
Where is any documentation on the correct way / designed way to do this?
http://lists.samba.org/archive/samba-technical/2003-December/033422.html

Thanks in advance,
Barry Smoke
District Network Admin
Bryant Public Schools
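An added consistency check for the symptom described in this post (machine entries landing in LDAP without the sambaSamAccount objectClass or a sambaSID, or carrying a SID minted under a different server's domain SID); this is example code, not part of the original message or of smbldap-tools. It reads a constructed LDIF sample and uses the domain SID prefix from the desdomadm group shown above; the hostnames and base DN are made up.

```python
import re
# Constructed sample: pc01 is healthy, pc02 lacks sambaSamAccount and sambaSID
# (the symptom in the post), pc03 carries a SID generated under another domain SID.
SAMPLE_LDIF = """\
dn: uid=pc01$,ou=Computers,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: pc01$
sambaSID: S-1-5-21-3567609034-2183773975-620293219-3200

dn: uid=pc02$,ou=Computers,dc=example,dc=org
objectClass: posixAccount
uid: pc02$

dn: uid=pc03$,ou=Computers,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: pc03$
sambaSID: S-1-5-21-111111111-222222222-333333333-3204
"""
# Domain SID prefix taken from the desdomadm group shown in the post.
DOMAIN_SID = "S-1-5-21-3567609034-2183773975-620293219"

def parse_ldif(text):
    # Minimal LDIF reader: one {attr: [values]} dict per blank-line-separated entry.
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_machine_accounts(ldif_text, domain_sid):
    # Returns {uid: [problems]} for workstation accounts (uid ending in '$').
    report = {}
    for e in parse_ldif(ldif_text):
        uid = e.get("uid", [""])[0]
        if not uid.endswith("$"):
            continue  # users and groups are out of scope here
        problems = []
        if "sambaSamAccount" not in e.get("objectClass", []):
            problems.append("missing objectClass sambaSamAccount")
        sid = e.get("sambaSID", [""])[0]
        if not sid:
            problems.append("missing sambaSID")
        elif sid.rpartition("-")[0] != domain_sid:
            problems.append("sambaSID belongs to another domain: " + sid)
        report[uid] = problems
    return report
```

Run it against an `ldapsearch -LLL` export of ou=Computers on each remote server to see which machine entries the XP join wizard left half-populated.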

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba