On Tuesday 03 February 2009 19:53:35 cas...@gmail.com wrote:
> Hi,
>
> My doubt is about Idmap + LDAP + winbind, related to BDC + PDC. We
> are using Samba 3.0.33 (Slackware 12.0.0).
>
> Our layout is almost like this one
> http://us1.samba.org/samba/docs/man/Samba-Guide/images/chap6-net.png,
> but we have more BLDGn than this example.

OK. When I wrote that chapter I reduced the number of sites. I have
installed Samba 3.0.x in one company that had 11 sites - when you get a
two site installation working correctly the others are just copies of the
second one.

> Actually, we are taking ideas from
> http://us1.samba.org/samba/docs/man/Samba-Guide/happy.html
> and from
> http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html.

OK.

> We are reading the docs again, but I would like to clarify some
> points, if possible, to understand "the picture".

I'll try to answer.

> We have never had a BDC before. Winbindd is not running in our
> PDC. We want a BDC to divide the authentication load with our PDC.

With Samba 3.0.x the use of winbind is not imperative. You can run
without it.

> Initially, we will install just one BDC. We have been using Samba +
> LDAP (with SSL) + smbldaptools since the beginning so, our users (people
> and machines) are all in the LDAP base. In the future, if the results
> were good, we will install more BDCs, using the same logic.

That's OK. Take it slowly, add one BDC at a time, that way you will be
better able to see what is going on.

> We have idmap uid and idmap gid with 10000 - 20000 default values
> (smb.conf in PDC).

If you are not running winbind you do not need the idmap entries.

> We already have more than 20000 users in our base
> (actually, more than 20000 uidx; some of them were deleted). We use
> nss_ldap + nscd in our PDC (nsswitch).

Be careful with nscd, there can be side-effects to using it. It does
work though.

> We need to have UID/GID/SID constant in all servers (PDC + BDCs).
> We used roaming profiles in the past, but we are not using them now.

That is achieved via LDAP using nss_ldap - nothing to do with Samba in
your case.

> User's home directories are available using [homes] service (drive Y:).

Again, this is done through LDAP. You have control over this via LDAP.
You can use the pdbedit tool to change home directory locations.

> At this moment we will use the strategy of one LDAP master for the
> two servers. We are planning to have slave LDAPs, but not now.

That's fine.

> Our conclusions until now:
>
> Modify smb.conf, in PDC to use:
>
> -idmap backend = ldaps://ourldap
> -idmap uid = 2147483648 - 4294967295
> -idmap gid = 2147483648 - 4294967295

As I said, only needed if running winbind. If you specify this make sure
it is written in smb.conf like this:

idmap uid = 2147483648-4294967295

Note: No space between the numbers and the '-'

> Modify smb.conf, in BDC, according to PDC's smb.conf and using
> the same lines above.

Again, not needed if you do not run winbind.

> Sure, we will configure/adjust BDC with nss_ldap and do the tests
> in those guides I already mentioned.

Good.

> What we are worried about follows:
>
> -Winbindd must run in PDC?

Not essential. I always do, but it is not essential.

> -Our intended idmap (uid and gid) ranges are acceptable (32bits OS)?

Depends on what your Linux platform supports.

> -Winbindd is "the man" that will use idmap values and maintain LDAP
> Idmap dn? -Just Winbindd running in BDCs will modify LDAP Idmap dn?

No, you both will depending on how you configure LDAP and Samba. Both
CAN update LDAP if you wish - it does no harm.

> -If we run winbindd (with LDAP) and "mess the whole thing", can we
> just start again without "destroying" our PDC UID/GID/SID. We have
> LDAP's base backup. We do not want to, but we can restore the base in
> the case of a "disaster".

In the worst case, just delete the ou=idmap tree from your LDAP
directory and start again. What is your concern?

> -Home directories will be kept just in PDC. Is it enough to adjust
> the maps (logon path, logon drive etc) in BDC to use PDC reference? I
> mean, instead of \\%L\... we will use \\OURPDCNAME\...

Home directories can be stored on any server on which it is convenient
to store them. It does not HAVE to be the PDC.

> I know these are a lot of questions, but we are trying to avoid
> problems and to understand as much as we can before setting up our
> first BDC.

I hope this helps. Please, please do your learning and testing on a test
network. It is a bad idea to experiment on a live network.

Enjoy Samba!

Cheers,
John T.
--
John H Terpstra

"If at first you don't succeed, don't go sky-diving!"

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
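The reply's two concrete points about the idmap lines (no spaces around the '-', and the BDC mirroring the PDC's ranges) are easy to check mechanically before winbindd is ever started. The script below is an added example written for this thread; it is not code from the mail, from John Terpstra, or from the Samba project. The two smb.conf fragments are constructed for the example (hostnames, workgroup and ranges taken from the thread; the `idmap backend` spelling is assumed and is not checked by the script). It parses the `idmap uid` / `idmap gid` lines of a PDC and a BDC config, reports the spaced form, checks that each range fits a 32-bit uid_t, and flags any range whose upper bound is 4294967295, because that value is (uid_t)-1, the "leave unchanged" sentinel of chown(2) and the set*uid family; that last caveat goes beyond the reply's "depends on your platform" and is the author's own addition.

```python
"""Sanity checks for 'idmap uid' / 'idmap gid' ranges on a PDC and a BDC.
Added example for the thread above; not code from the mail or from Samba.
"""
import re
from typing import Dict, List, Tuple

UID_T_MAX = 2 ** 32 - 1  # 4294967295: largest 32-bit unsigned uid_t value

# "idmap uid = low-high"; groups 3 and 4 capture stray whitespace around '-'
RANGE_RE = re.compile(r"^idmap\s+(uid|gid)\s*=\s*(\d+)(\s*)-(\s*)(\d+)$", re.IGNORECASE)

# Constructed sample configs (ranges as quoted in the thread; backend line assumed).
PDC_SMB_CONF = """\
[global]
    workgroup = OURDOMAIN
    domain master = yes
    idmap backend = ldap:ldaps://ourldap
    idmap uid = 2147483648 - 4294967295
    idmap gid = 2147483648-4294967295
"""

BDC_SMB_CONF = """\
[global]
    workgroup = OURDOMAIN
    domain master = no
    idmap backend = ldap:ldaps://ourldap
    idmap uid = 2147483648-4294967295
    idmap gid = 10000-20000
"""

Range = Tuple[int, int, bool]  # (low, high, written_with_spaces)


def parse_idmap_ranges(conf_text: str) -> Dict[str, Range]:
    """Return the uid/gid idmap ranges found in an smb.conf text."""
    found: Dict[str, Range] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # skip blanks and comments
            continue
        m = RANGE_RE.match(line)
        if m:
            kind = m.group(1).lower()
            low, high = int(m.group(2)), int(m.group(5))
            spaced = bool(m.group(3) or m.group(4))
            found[kind] = (low, high, spaced)
    return found


def check_range(kind: str, low: int, high: int, spaced: bool) -> List[str]:
    """Problems with one idmap range, as human-readable strings."""
    problems = []
    if spaced:
        problems.append(f"idmap {kind}: write it as '{low}-{high}', no spaces around '-'")
    if low >= high:
        problems.append(f"idmap {kind}: low bound {low} is not below high bound {high}")
    if high > UID_T_MAX:
        problems.append(f"idmap {kind}: high bound {high} does not fit a 32-bit uid_t")
    elif high == UID_T_MAX:
        # (uid_t)-1 is the "leave unchanged" sentinel of chown(2)/setresuid(2)
        problems.append(f"idmap {kind}: high bound {high} is (uid_t)-1; keep the top below it")
    return problems


def check_domain(pdc_conf: str, bdc_conf: str) -> List[str]:
    """Check both configs and confirm the BDC mirrors the PDC ranges."""
    pdc, bdc = parse_idmap_ranges(pdc_conf), parse_idmap_ranges(bdc_conf)
    problems = []
    for kind in ("uid", "gid"):
        for role, ranges in (("PDC", pdc), ("BDC", bdc)):
            if kind not in ranges:
                problems.append(f"{role}: no idmap {kind} line found")
            else:
                problems.extend(f"{role}: {p}" for p in check_range(kind, *ranges[kind]))
        if kind in pdc and kind in bdc and pdc[kind][:2] != bdc[kind][:2]:
            problems.append(f"idmap {kind} differs: PDC {pdc[kind][0]}-{pdc[kind][1]} "
                            f"vs BDC {bdc[kind][0]}-{bdc[kind][1]}")
    return problems


def normalize_ranges(conf_text: str) -> str:
    """Rewrite spaced 'low - high' idmap lines in the no-space form."""
    out = []
    for raw in conf_text.splitlines():
        m = RANGE_RE.match(raw.strip())
        if m and (m.group(3) or m.group(4)):
            indent = raw[: len(raw) - len(raw.lstrip())]
            out.append(f"{indent}idmap {m.group(1).lower()} = {m.group(2)}-{m.group(5)}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for p in check_domain(PDC_SMB_CONF, BDC_SMB_CONF):
        print(p)
    print(normalize_ranges(PDC_SMB_CONF))
```

Run as-is it reports the spaced `idmap uid` line on the PDC, the (uid_t)-1 upper bound on three of the four ranges, and the gid mismatch between PDC and BDC, then prints the PDC fragment with the spacing corrected. Pointing `PDC_SMB_CONF` and `BDC_SMB_CONF` at real files (`open(path).read()`) turns it into a pre-flight check for the test network the reply recommends; whether a range ending just below 4294967295 is usable still depends on the platform's nss and filesystem handling, as the reply says.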