Re: [Samba] Re: University's using samba and ldap

2005-01-13 Thread William Jojo


On Wed, 12 Jan 2005 [EMAIL PROTECTED] wrote:

> You almost said what I wanted to hear :) The problem here is
> that we have 50k accounts in ldap and almost everything
> authenticates off of it.  We started out w/ Samba and one DC

Sweet.

> in 2 small test labs.  Now we're looking at putting it into a
> mega lab for 700 machines and hopefully control a bunch of
> stuff using samba.  The problem is that now all the other
> small colleges (departments) want to have their own control
> and possibly own domain.  Plus I don't want to administer

You are much larger than we are, so we were able to have administration
say to all departments, "The IT people do it all. If you don't like it,
well..."

You get the idea :-) Plus, nobody wants to manage someone else's nightmare
because they didn't heed your advice.

> their systems. My first thought was the SID issue but it
> seems that it worked for you.  I've decided to get a
> consultant in here for like 10 hours to just help me lay
> out the basic architecture, just to make sure we're doing
> everything right from the get-go before samba gets too big on

We have over 2200 workstations across three domains and we're
consolidating servers and expanding services all the time. Our biggest
domain has an 8-way/24GB server, the next is an 8-way 32GB (it does
Samba+other things), and a 4-way 7GB. The LDAP server is a 6-way 26GB box
and we are planning a replica on the biggie within 30 days. We're still
testing the replication on OpenLDAP 2.2.20 since it just became stable
like last week.

Perhaps that list can help guide you on your path of hardware selection.

> campus. Oh yeh.. We also have a Tru64 box that everyone has
> an account on.  It has samba running on it and I joined it to
> the domain so everyone now gets their files mapped when they
> log in.  We also created a web gui so users can get their
> files when they're off campus.


That's excellent. We just use sftp for their access off campus. OpenSSH
uses the AIX authenticate() function so it's tied to the secldapclntd
backend of the OS. AIX is admittedly quirky, but it was the way to go for
our money :-)


> I hope all of this work doesn't go to waste because we're
> looking at syncing up our AD w/ ldap so then all of these
> labs would just use AD.  I would like to say screw AD but I
> don't see us kicking it to the curb.


You are doing the right thing by asking questions, planning, testing. The
well-prepared individual will be the one to succeed in this realm. I only
wish I had time to experiment with AD.

If there's anything more you'd like to know about our installation, please
feel free to ask.


Bill


> ---- Original message ----
> Date: Wed, 12 Jan 2005 07:03:20 -0500 (EST)
> From: William Jojo [EMAIL PROTECTED]
> Subject: Re: [Samba] Re: University's using samba and ldap
> To: Alexander E. Patrakov [EMAIL PROTECTED]
> Cc: samba@lists.samba.org
[Samba] Re: University's using samba and ldap

2005-01-12 Thread Alexander E. Patrakov
[EMAIL PROTECTED] wrote:

> Is there anyone out there from other universities that would
> be willing to talk to me about your samba layout.  We already
> have it in place but we have other colleges within the university
> that want to start using our setup but want their own
> domains.  I'm kind of confused how this would all work.

We do use SAMBA in the Dialog computer class in the Urals State
University. The setup is a more-or-less by-the-book (minus typos) single
LDAP-based domain controller. A patched version of LAM is used for
administration (but we should definitely use something different; LAM is
just too slow with 1000 users). The patch, all configuration files and
sample LDAP content will be sent upon request privately.

However, I cannot call this a success story. The reason is that operators
require re-teaching, and I (as the person responsible for the domain) just
receive no additional salary for that additional task. Since even after
explanation operators continue to create new users with inconsistent
capitalization of names and home directories, I am considering migrating
back to Windows 2000 Server. It's more forgiving. The problem is just how
to migrate all the users into Active Directory while preserving
organizational units :( Any ideas?

-- 
Alexander E. Patrakov

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Re: University's using samba and ldap

2005-01-12 Thread William Jojo



> [EMAIL PROTECTED] wrote:
>
>> Is there anyone out there from other universities that would
>> be willing to talk to me about your samba layout.  We already
>> have it in place but we have other colleges within the university
>> that want to start using our setup but want their own
>> domains.  I'm kind of confused how this would all work.



I'd like to offer our success story from Hudson Valley Community College
in New York, USA.


We are using Samba as DC for authentication with file and print services.

Our setup is a bit different from most, I would gather.

Setup: 3 AIX 5.2 boxes with Samba 3.0.10, each with a different domain
name, but the same SID. This was done to have all three servers share the
same identical LDAP backend. Eventually we'll be one domain, but for now
this works better than we could have hoped for.

The LDAP server is a fourth AIX box with OpenLDAP 2.2.20 using BerkeleyDB
4.2. I spent much time reading Gerald Carter's LDAP System Administration
book.

We used to be an smbpasswd type setup. This didn't scale well as we have
19000+ accounts in the database (yes I said 19,000). Also we used to NFS
mount the smbpasswd file from one server to the other two so they shared
the password info. This was simply to offer a single sign on feature and
allowed machines to be in one domain and then have a technician move it to
another at will.

We didn't use the PADL scripts. They are good scripts, but didn't offer
the flexibility we needed to have complete control of the database (this
was truly a control issue :-) ) and there were additional attributes we
needed to add for sanity checks and reconciliation of users against SCT
Banner. So we wrote our own library of functions and scripts in ksh (sorry
all you perl fans). Essentially we build user accounts outside of AIX and
Samba by creating the entries ourselves.

We built a C program to search for the next free unix uid in the LDAP
database (which is range tunable to assist in rapid scripting of user
generation).

We also wrote a piece of C code to migrate the user databases from flat
files to ldif format to preserve all values and add a few more for
in-house maintenance. We used the algorithmic methods of computing the
user and group RIDs, which is what Samba was doing internally using the
smbpasswd file for authentication info.

So why did we set the SIDs the same? We knew that eventually we'd be a
single domain installation and we knew that moving to LDAP was only months
away, so we set up all the domains that way and rejoined everything in
preparation.

With assistance from John Terpstra, who commented on my plans (posted here
several months ago) and said in theory it looked good, we set forth on
this mission. (Many hours were spent reading his Samba 3 by Example book
as well.) We were lucky to also have a four server development area at
the time, so we built everything just like production. We joined the
machines using flat files, migrated to LDAP and pointed the server to the
LDAP master and, amazingly, it all still worked - roaming profiles and
all.

One thing to note is we also do not use winbindd. AIX uses LDAP internally
for the users and we create the IDMAP entries at the time we create the
users and we have scripts to add the sambaGroupMapping entries when we
create a unix group. So everything is integrated at the point of LDAP. No
PAM or NSS is involved at all. We use secldapclntd, which is part of AIX
and allows us to tell AIX to listen to whatever LDAP we want. As I said
earlier we are running OpenLDAP with BerkeleyDB. We could have chosen
IBM's solution with db2, but honestly, OpenLDAP was just easier.

I know much of this sounds like reinventing the wheel, but like I said
earlier, we are control freaks. :-)

This past Sunday we migrated our entire campus to LDAP along with our
three Samba DCs.

Although we do not savor the potential benefits of AD integration or
interdomain trusts or winbindd caching or anything like that, there is
something I have to say to the Samba developers:


It works and we are very happy!


Institutionally we have been using Samba since version 1.9.x which
replaced our 5 server Novell environment with a single AIX box in 1998.

My hat is off to all of you. This is truly a wonderful product.


Great job everyone!


Bill
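The sanity checks Bill describes above (algorithmic user/group RIDs, a range-tunable search for the next free uid, reconciliation of the LDAP entries) can be expressed as follows. This is an added example, not the HVCC ksh/C scripts or Samba's own code; it uses Samba 3's classic algorithmic mapping (user RID = uid*2 + 1000, group RID = gid*2 + 1001), and the domain SID, DN suffix and sample entries are constructed.

```python
# Consistency checks for a Samba 3 LDAP user database that relies on Samba's
# classic algorithmic RID mapping. Constructed example, not the HVCC scripts.
DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"  # constructed placeholder
RID_MULTIPLIER, BASE_RID = 2, 1000  # Samba 3 passdb defaults

def user_rid(uid):
    return uid * RID_MULTIPLIER + BASE_RID  # user RID = uid*2 + 1000

def group_rid(gid):
    return gid * RID_MULTIPLIER + BASE_RID + 1  # group RID = gid*2 + 1001

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value'."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, val = line.partition(": ")
        cur.setdefault(attr, []).append(val)
    return entries

def next_free_uid(entries, low, high):
    """Lowest unused uidNumber in [low, high]; the range is tunable per batch."""
    used = {int(e["uidNumber"][0]) for e in entries if "uidNumber" in e}
    return next(c for c in range(low, high + 1) if c not in used)

def check_entries(entries, domain_sid):
    """Flag sambaSIDs that disagree with the algorithmic RID, and duplicate uids."""
    problems, owner = [], {}
    for e in entries:
        name, uid = e["uid"][0], int(e["uidNumber"][0])
        expected = f"{domain_sid}-{user_rid(uid)}"
        sid = e.get("sambaSID", ["<missing>"])[0]
        if sid != expected:
            problems.append(f"{name}: sambaSID {sid}, expected {expected}")
        if uid in owner:
            problems.append(f"{name}: uidNumber {uid} already used by {owner[uid]}")
        owner.setdefault(uid, name)
    return problems

# Constructed sample: student1 has a hand-typed SID one off from the algorithm,
# student2 was given a uidNumber that bjojo already owns.
SAMPLE_LDIF = "\n\n".join(
    f"dn: uid={u},ou=People,dc=example,dc=edu\nuid: {u}\nuidNumber: {n}\nsambaSID: {DOMAIN_SID}-{r}"
    for u, n, r in [("bjojo", 5000, 11000), ("student1", 5001, 11001), ("student2", 5000, 11000)]
)
```

Running `check_entries(parse_ldif(SAMPLE_LDIF), DOMAIN_SID)` reports both defects, and `next_free_uid` skips the uids already taken, which is the kind of reconciliation that keeps three DCs sharing one SID and one LDAP backend from handing out colliding identities.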


Re: [Samba] Re: University's using samba and ldap

2005-01-12 Thread moof48
You almost said what I wanted to hear :) The problem here is
that we have 50k accounts in ldap and almost everything
authenticates off of it.  We started out w/ Samba and one DC
in 2 small test labs.  Now we're looking at putting it into a
mega lab for 700 machines and hopefully control a bunch of
stuff using samba.  The problem is that now all the other
small colleges (departments) want to have their own control
and possibly own domain.  Plus I don't want to administer
their systems. My first thought was the SID issue but it
seems that it worked for you.  I've decided to get a
consultant in here for like 10 hours to just help me lay
out the basic architecture, just to make sure we're doing
everything right from the get-go before samba gets too big on
campus. Oh yeh.. We also have a Tru64 box that everyone has
an account on.  It has samba running on it and I joined it to
the domain so everyone now gets their files mapped when they
log in.  We also created a web gui so users can get their
files when they're off campus.

I hope all of this work doesn't go to waste because we're
looking at syncing up our AD w/ ldap so then all of these
labs would just use AD.  I would like to say screw AD but I
don't see us kicking it to the curb.

---- Original message ----
Date: Wed, 12 Jan 2005 07:03:20 -0500 (EST)
From: William Jojo [EMAIL PROTECTED]
Subject: Re: [Samba] Re: University's using samba and ldap
To: Alexander E. Patrakov [EMAIL PROTECTED]
Cc: samba@lists.samba.org