Those samba servers only serve files, so no login is allowed and I only
modified /etc/nsswitch.conf.

Thanks,

On Fri, Aug 1, 2008 at 12:17 PM, Soohoon Lee <[EMAIL PROTECTED]> wrote:
>
> Thanks, now it's crystal clear.
> One thing I like to ask more is why other servers will be BDC?
> Not just a workstation or a DC client? Where do they backup or cache
> account info?
> Will smb.conf look different from using NT4 PDC?
>
> Thanks,
> Soohoon.
>
> On Fri, Aug 1, 2008 at 11:58 AM, Adam Williams <[EMAIL PROTECTED]> wrote:
>
>> yes to share a single set of users/groups in LDAP to multiple samba
>> servers you will need LDAP and a PDC and the other servers will be BDCs.
>> yes you will join BDC's with net rpc join -D domain -S pdc_server_name -U root%password
>>
>> read chapter 5.3 of samba 3 by example.pdf
>>
>> Soohoon Lee wrote:
>>
>> Thanks,
>> 'sharing LDAP server' is to share the same set of users/groups in the LDAP
>> DB, not separate sets of users/groups for each samba servers.
>> It looks like PDC ??? maybe what I want is more like NIS.
>> So IIUC, to share a single set of users/groups in the LDAP server from
>> multiple samba servers, I need LDAP and samba DC?
>> And samba servers have to join the samba DC by net rpc join?
>>
>> Thanks a lot.
>> Soohoon.
>>
>> On Fri, Aug 1, 2008 at 11:22 AM, Adam Williams <[EMAIL PROTECTED]> wrote:
>>
>>> sure you can have multiple domains with all the account info in LDAP. if
>>> you really want it to work together well you'll have a PDC and BDC's
>>> though.
>>> you may be able to try samba intertrust relationships, but i've
>>> never used that
>>>
>>> Soohoon Lee wrote:
>>>
>>> Thanks all
>>> This is my smb.conf
>>> [global]
>>> dos charset = UTF-8
>>> workgroup = DOMSMB
>>> security = user
>>> allow trusted domains = No
>>> password server = NULL
>>> passdb backend = ldapsam:ldap://10.17.124.190/
>>> max log size = 50
>>> load printers = No
>>> stat cache = No
>>> os level = 10
>>> dns proxy = No
>>> ldap suffix = dc=my-domain,dc=com
>>> ldap user suffix = ou=Users
>>> ldap group suffix = ou=Groups
>>> ldap admin dn = cn=Manager,dc=my-domain,dc=com
>>> ldap ssl = no
>>>
>>> And I like to make multiple samba servers to share single LDAP server
>>> without using domain controller feature.
>>> I'm getting feeling that pure LDAP server is for single samba server or
>>> the LDAP server should have samba DC to serve multiple samba servers?
>>>
>>> Thanks,
>>> Soohoon.
>>>
>>> On Fri, Aug 1, 2008 at 7:02 AM, Lukasz Zalewski <[EMAIL PROTECTED]> wrote:
>>>
>>>> Lukasz Zalewski wrote:
>>>>
>>>>> Adam Williams wrote:
>>>>>
>>>>>> are you using security = user or security = domain on your multiple
>>>>>> servers?
>>>>>> Soohoon Lee wrote:
>>>>>>
>>>>>>> Hi
>>>>>>> Is it possible to use single LDAP server and multiple samba servers?
>>>>>>> The problem I'm having now is
>>>>>>> Each server thinks their host name is their LDAP domain name, or
>>>>>>> sambaDomainName, and
>>>>>>> complain the user's SID is different so can't authenticate.
>>>>>>> How do I make samba servers use one domain name and SID?
>>>>>>>
>>>>>>> LDAP domain name is DOMSMB
>>>>>>>
>>>>>>> dn: sambaDomainName=DOMSMB,dc=my-domain,dc=com
>>>>>>> sambaSID: S-1-5-21-2479917030-3150298425-213194246
>>>>>>>
>>>>>>> And samba server created a new domain after its hostname.
>>>>>>>
>>>>>>> dn: sambaDomainName=SRV6,dc=my-domain,dc=com
>>>>>>> sambaSID: S-1-5-21-4202146032-850913369-3381557932
>>>>>>> And complain user's SID is different from its SID.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Soohoon.
>>>>>>>
>>>>> We have student domain and staff domain and one LDAP server. We wanted
>>>>> staff members to log onto student domain. So we considered two options:
>>>>> 1. Interdomain trust relationship
>>>>> (http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html)
>>>>>
>>>>> However this option was not good for us as we didn't want to open up
>>>>> the firewall and we wanted staff members to get the proper student
>>>>> experience (i.e. home dirs and profiles on the student server). So that
>>>>> brought us to the second option:
>>>>> 2. ldap translucent proxy overlay
>>>>> (http://linux.die.net/man/5/slapo-translucent)
>>>>> In this setting we override sids (i.e. domain sid part of the staff
>>>>> domain is substituted with student domain portion of the sid) for users
>>>>> and groups and point samba to the overlay. Bear in mind that all of the
>>>>> changes made by samba like machine passwords, user passwords, idmap
>>>>> mappings etc will go no further than the proxy so great care must be
>>>>> taken in LDAP setups that use referrals.
>>>>>
>>>>> Now the most important question is what do you use your two domains for?
>>>>>
>>>>> HTH
>>>>>
>>>>> Lukasz
>>>>>
>>>> Ah sorry I didn't read the Subject line properly you do not want PDC. As
>>>> Andy pointed out maybe you should have one of the servers as a domain
>>>> member of the other domain
>>>>
>>>> Lukasz
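
The SID mismatch described in the thread (a second sambaDomainName entry named after the host, with its own SID) can be checked from an LDIF export of the directory. This is an added example, not code from any participant or from Samba; `parse_ldif` and `audit_sids` are hypothetical helper names, and the user entries in the sample are constructed.

```python
# Constructed sample: the two sambaDomainName entries are quoted in the thread;
# the user entries and their RIDs are made up for illustration.
SAMPLE_LDIF = """\
dn: sambaDomainName=DOMSMB,dc=my-domain,dc=com
sambaSID: S-1-5-21-2479917030-3150298425-213194246

dn: sambaDomainName=SRV6,dc=my-domain,dc=com
sambaSID: S-1-5-21-4202146032-850913369-3381557932

dn: uid=alice,ou=Users,dc=my-domain,dc=com
sambaSID: S-1-5-21-2479917030-3150298425-213194246-3000

dn: uid=bob,ou=Users,dc=my-domain,dc=com
sambaSID: S-1-5-21-4202146032-850913369-3381557932-3002
"""

def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64 values) into dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (l.split(": ", 1) for l in block.splitlines() if ": " in l)
        entry = {k.lower(): v.strip() for k, v in pairs}
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit_sids(text, workgroup):
    """Return (stray_domains, mismatched) measured against `workgroup`'s SID."""
    domains, accounts = {}, {}
    for e in parse_ldif(text):
        if "sambasid" not in e:
            continue
        rdn_attr, rdn_value = e["dn"].split(",")[0].split("=", 1)
        if rdn_attr.lower() == "sambadomainname":
            domains[rdn_value] = e["sambasid"]
        else:
            accounts[e["dn"]] = e["sambasid"]
    expected = domains[workgroup]
    stray = sorted(name for name in domains if name != workgroup)
    by_sid = {sid: name for name, sid in domains.items()}
    mismatched = []
    for dn, sid in accounts.items():
        domain_part = sid.rsplit("-", 1)[0]  # drop the trailing RID
        if domain_part != expected:
            mismatched.append((dn, by_sid.get(domain_part)))
    return stray, mismatched

if __name__ == "__main__":
    print(audit_sids(SAMPLE_LDIF, "DOMSMB"))
```

A non-empty first element means some server has registered its own domain entry next to the intended workgroup; the second lists accounts whose SID prefix belongs to a different domain, paired with that domain's name when it is known.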
