<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE></TITLE> <META http-equiv=Content-Type content=text/html;charset=ISO-8859-1> <META content="MSHTML 6.00.2900.2769" name=GENERATOR></HEAD> <BODY text=#000000 bgColor=#ffffff> <DIV> You only have one PCD The second machine is configured as a menbour server or a BDC This is the same as a windows NT setup The second server can be joined to the domain (SAMBA permissions will be shared but no unix permissions) OR Use LDAP for combined Unix Samba permissions from a common back end.</DIV> <BLOCKQUOTE dir=ltr style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"> <DIV class=OutlookMessageHeader>-----Original Message----- From: k12osn-bounces@redhat.com [mailto:k12osn-bounces@redhat.com]On Behalf Of Mark Gumprecht Sent: 13 December 2005 11:46 To: Support list for opensource software in schools. Subject: Re: [K12OSN] HELP: can there be two samba servers in one domain? </DIV>That's the can of worms I opened. I started what I thought was going to be a simple task, and ended up replacing my win2k domaincontroller. It is a 1024 subnet and 700 + users and did it 2 weeks before school started. Sweat pumps were in high speed. I must say that my problems have been fewer and log in times greatly reduced. I checked into fds then but just couldn't seem to grasp it. I tried all the windows to linux authing and storage, could get the authing easy enough, but the storage thing just didn't come, over my head at this point, maybe next year I will understand it better. Nothing ventured, nothing gained.....of course, many a rabbit don't make it across the road. Mark john wrote: <BLOCKQUOTE cite=mid2be970b50512121251x401c07b8p328fe8531d5cd886@mail.gmail.com type="cite"><PRE wrap="">say that Thanks Mark, I am sort of amazed the more I look into this. As far as I can tell, Multiple boxes running Samba really don't have a native way to share a single backend via AD. </PRE><PRE wrap="">Look for LDAP AD is a MS LDAP copy </PRE><PRE wrap=""> I'd love to be wrong about this. I am sort of thinking out loud here, perhaps it will help me or someone else who has this problem in the future. I am not able to move to OpenLdap since the scope of this project =! complete network paradigm shift at this time. The newly released FC4 Directory Server <A class=moz-txt-link-freetext href="http://directory.fedora.redhat.com/wiki/Main_Page">http://directory.fedora.redhat.com/wiki/Main_Page</A> which could be a substitute for AD someday seems too green to me. </PRE><PRE wrap="">Directory has a long history as a Netscape project it is not green The more I look into trying to have more than a single Samba box share credentials with AD it looks like I have to do one of the following, all of which seem to have _way_ too many moving parts to be reliable. 1) Hack Samba (this is beyond my meager skillset, I assume if it were obvious someone would have scratched this itch by now) <A class=moz-txt-link-freetext href="http://www.linux-faqs.com//HOWTO/Samba-HOWTO-Collection/cfgsmarts.php">http://www.linux-faqs.com//HOWTO/Samba-HOWTO-Collection/cfgsmarts.php</A> 2) use someone else's hack by way of a seemingly moribund project on Source Forge <A class=moz-txt-link-freetext href="http://groups.google.com/group/linux.samba/browse_thread/thread/e9d0a4caedd67473/40b697830a6dce06?lnk=st&q=multiple+samba+ads&rnum=10&hl=en#40b697830a6dce06">http://groups.google.com/group/linux.samba/browse_thread/thread/e9d0a4caedd67473/40b697830a6dce06?lnk=st&q=multiple+samba+ads&rnum=10&hl=en#40b697830a6dce06</A> following directions from here: <A class=moz-txt-link-freetext href="http://www.securityfocus.com/infocus/1563">http://www.securityfocus.com/infocus/1563</A> 3)Or use MS Unix tools <A class=moz-txt-link-freetext href="http://www.microsoft.com/windowsserversystem/sfu/downloads/default.mspx">http://www.microsoft.com/windowsserversystem/sfu/downloads/default.mspx</A> using these directions <A class=moz-txt-link-freetext href="http://www.oo-services.com/en/articles/sso.html">http://www.oo-services.com/en/articles/sso.html</A> Frankly, this seems like WAY to much work, just to spread a little storage around. I'll keep looking into this, and would love to have someone set me straight, and tell me (in an easy to follow step by step manner :-) )how easy this project really is.</PRE><PRE wrap="">If correcly configured you can just join windows devices to the domain John On 12/12/05, Mark Gumprecht <A class=moz-txt-link-rfc2396E href="mailto:gumprechtm@msad3.org"><gumprechtm@msad3.org></A> wrote: </PRE> <BLOCKQUOTE type="cite"><PRE wrap="">John I'm no pro and ran out of time with the beginning of school to get mine in so....net getlocalsid will pull up the local domain sid. Man net will give you some other commands like setlocalsid, not much, but HTH Mark john wrote: </PRE> <BLOCKQUOTE type="cite"><PRE wrap="">Hi all, I need some advice and I hope folks here can help. I have set up k12ltsp to provide single sign on and file storage for users in Windows Domain which uses ADS. However instead of storing the files locally on the k12ltsp box, I would like to have my file storage on a separate Samba file server (and in the future several Samba servers). So basically multiple Samba installations using ADS and all using the same SID==>GID/UID mapping. So here's the scenerio: Linux box A is running FC4 , Samba and NFS. This box exports /home via NFS to Linux Box B running K12LTSP and Winbind. I have single sign (for windows and terminal clients) via winbind working on box B. Problem: I need someway to keep SID ==> GID/UID mapping consistent </PRE></BLOCKQUOTE><PRE wrap="">>from box to box, if I run two version of winbind, mappings will be out </PRE> <BLOCKQUOTE type="cite"><PRE wrap="">of sync. I THINK i need to create a unified IDMAP and point box A to it. I've been looking at IDMap_RID here <A class=moz-txt-link-freetext href="http://tr.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2567740">http://tr.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2567740</A> but I am not sure that this is even in the ball park. Also, some folks seem to believe the only way to accomplish this is with a Unix snap in for AD. I could really use some help on this! TIA, _______________________________________________ K12OSN mailing list <A class=moz-txt-link-abbreviated href="mailto:K12OSN@redhat.com">K12OSN@redhat.com</A> <A class=moz-txt-link-freetext href="https://www.redhat.com/mailman/listinfo/k12osn">https://www.redhat.com/mailman/listinfo/k12osn</A> For more info see <A class=moz-txt-link-rfc2396E href="http://www.k12os.org"><http://www.k12os.org></A> </PRE></BLOCKQUOTE><PRE wrap="">-- Mark Gumprecht Data Systems Specialist MSAD3 Unity, ME <A class=moz-txt-link-abbreviated href="mailto:gumprechtm@msad3.org">gumprechtm@msad3.org</A> _______________________________________________ K12OSN mailing list <A class=moz-txt-link-abbreviated href="mailto:K12OSN@redhat.com">K12OSN@redhat.com</A> <A class=moz-txt-link-freetext href="https://www.redhat.com/mailman/listinfo/k12osn">https://www.redhat.com/mailman/listinfo/k12osn</A> For more info see <A class=moz-txt-link-rfc2396E href="http://www.k12os.org"><http://www.k12os.org></A> </PRE></BLOCKQUOTE><PRE wrap=""> _______________________________________________ K12OSN mailing list <A class=moz-txt-link-abbreviated href="mailto:K12OSN@redhat.com">K12OSN@redhat.com</A> <A class=moz-txt-link-freetext href="https://www.redhat.com/mailman/listinfo/k12osn">https://www.redhat.com/mailman/listinfo/k12osn</A> For more info see <A class=moz-txt-link-rfc2396E href="http://www.k12os.org"><http://www.k12os.org></A> </PRE></BLOCKQUOTE> <PRE class=moz-signature cols="72">-- Mark Gumprecht Data Systems Specialist MSAD3 Unity, ME <A class=moz-txt-link-abbreviated href="mailto:gumprechtm@msad3.org">gumprechtm@msad3.org</A> </PRE></BLOCKQUOTE></BODY></HTML>