05-04-2006, 10:43 AM
|
#1
|
|
LQ Newbie
Registered: May 2006
Location: Dallas TX
Distribution: Debian
Posts: 7
Rep:
|
Samba or NFS for a new domain member server
I have 10 XP clients authenticating against a Samba PDC, using passwd as the passdb backend. The Samba PDC provides several shares to the XP clients.
Privileges on the Samba PDC are controlled by *nix user and group permissions.
I do not have any Windows servers on my network, so we do not use any of the Windows group capabilities beyond the default groups.
My Samba PDC is running out of room, so I want to move the shares to a new server with more storage, but I want the Samba PDC to continue to authenticate my XP clients.
Should I maintain the definition of the shares on the Samba PDC, but actually store the data on the new server and make it available to the PDC via NFS? In other words, do not use Samba on the new server, but use NFS instead?
OR
Should I use Samba and winbind on the new server to provide access to the shares and control permissions?
Any thoughts or experiences are appreciated.
Last edited by srosa; 05-04-2006 at 10:45 AM.
|
|
|
|
05-05-2006, 04:57 AM
|
#2
|
|
Senior Member
Registered: Feb 2004
Location: England
Distribution: Slackware 11, Sabayon 3.1
Posts: 1,463
Rep:
|
Hmm, that's an interesting idea. I don't see why it wouldn't work, but you are adding another level of complexity and your NFS setup had better be dead right. In production environments, taking even small risks is not always possible... I'm intrigued by this, I might have a go on my HP-UX servers!
Can't you get Samba on the new server to use the old PDC to authenticate (ab)users onto it? But if you are going to do that, surely it would be easier to just move the Samba PDC functions to the new server (as this would be fairly easy)...
What's the thinking behind keeping the old box as PDC?
|
|
|
|
05-05-2006, 03:18 PM
|
#3
|
|
LQ Newbie
Registered: May 2006
Location: Dallas TX
Distribution: Debian
Posts: 7
Original Poster
Rep:
|
Thank you for the response and interest.
To answer your second question first, you are right. The simple solution would have been to make the new box the PDC, which I may still do. However, I may be adding a second member server soon, so I needed to figure out how to integrate the member server into my network anyway.
On to your first question. I have been able to get samba on the new server to use the old PDC to authenticate the users. And, I have been able to verify with wbinfo -u. However, I run into a problem with group permissions.
When I do a wbinfo -r <username> on the member server, I get a list of numeric group ids for the user. The count matches the number of groups that the user belongs to on the PDC. Having virtually no experience with samba, I thought that might not be a big deal, especially since I could determine the group name by using the following commands:
wbinfo -G <group-id>
wbinfo -s <SID from the command above>
For example:
wbinfo -G 10012 returns S-1-5-21-...-3003
S-1-5-21-...-3003 returns PP+fl_staff 2
However, when I tried to set up one of the directories that I want to move from the existing PDC to the member server, I could not assign the appropriate group to the directory.
For example, on the member server:
chgrp PP+fl_staff pub
chgrp "PP+fl_staff" pub
chgrp "PP+fl_staff 2" pub
all return an error:
chgrp: invalid group name `PP+fl_staff'
Now, if I change the group ownership to the appropriate GID (in this case, 10012), the chgrp command works and my XP clients can access the directory with the appropriate permissions, which I guess I can do. But, if something happens to winbind idmap tables and things get renumbered for some reason, I don't want to have to face the task of fixing the GIDs across some files and directories.
Does any of that make sense?
I am running Debian-sarge, which uses samba 3.0.14.
|
|
|
|
05-05-2006, 03:20 PM
|
#4
|
|
Senior Member
Registered: Feb 2004
Location: England
Distribution: Slackware 11, Sabayon 3.1
Posts: 1,463
Rep:
|
Have you actually created the groups on the other server in /etc/group?
|
|
|
|
05-05-2006, 03:24 PM
|
#5
|
|
LQ Newbie
Registered: May 2006
Location: Dallas TX
Distribution: Debian
Posts: 7
Original Poster
Rep:
|
On the member server? No, do I need to do that?
And, what should I do if there is overlap? For example, when I first set up the PDC, I took advantage of what appeared to be a default group, staff (GID=50), which of course is on the member server as GID 50, but the member server sees it as GID 10001. Should I just replace it with some new group that does not overlap with any of the default groups?
|
|
|
|
05-05-2006, 03:26 PM
|
#6
|
|
Senior Member
Registered: Feb 2004
Location: England
Distribution: Slackware 11, Sabayon 3.1
Posts: 1,463
Rep:
|
The chgrp command relies on /etc/group,
so I would suggest just copying the file from one box to another... You could also use NIS to share such files...
|
|
|
|
05-05-2006, 03:55 PM
|
#7
|
|
LQ Newbie
Registered: May 2006
Location: Dallas TX
Distribution: Debian
Posts: 7
Original Poster
Rep:
|
Hmmm...well, I guess that explains it. For some reason, I thought that winbind would take care of mapping the group names as well as the usernames, but clearly, I was mistaken.
And, after doing a quick test by using scp, it appears that I am going to have to manually reset the permissions on the files and folders after I move them from the PDC to the member server. That just seems like a lot of work. I wish that there was an easier way to do it.
Thank you for your help and your quick responses. At least now, I can stop trying to get over this hurdle and move forward. Thanks again.
|
|
|
|
05-05-2006, 03:58 PM
|
#8
|
|
Senior Member
Registered: Feb 2004
Location: England
Distribution: Slackware 11, Sabayon 3.1
Posts: 1,463
Rep:
|
Try using "scp" to copy the files. That way you can preserve the file permissions using the "-p" option, providing the guid's are the same etc.
Anyway, using a tape backup or whatever will achieve the same, as the uid and guid will be preserved. Again, don't forget that it's the id number, not the name, that determines the ownership...
|
|
|
|
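The thread ends on two points: group IDs may overlap between the PDC and the member server, and files carry the numeric ID rather than the name, so a GID that means a different group on the destination silently hands those files to that group. The script below is an added example, not part of any post in the thread; it compares two group files before one is copied over the other, and assumes each file is a copy of a server's /etc/group (or saved `getent group` output). The function names and most of the sample data are made up for illustration.

```shell
#!/bin/sh
# Added example: compare two group databases in /etc/group format
# (name:passwd:gid:members) before copying one over the other.
# Output, one line per finding:
#   GID_MISMATCH <name> <gid_a> <gid_b>    same name, different number
#   GID_REUSED   <gid> <name_a> <name_b>   same number, different name
#   MISSING      <name> <gid_a>            group in A that B does not have
compare_groups() {
    awk -F: '
        NF < 3 || /^#/ { next }                 # skip blanks, comments, junk
        FILENAME == ARGV[1] { gid_a[$1] = $3; name_a[$3] = $1; next }
        { gid_b[$1] = $3; name_b[$3] = $1 }
        END {
            for (n in gid_a) {
                if (!(n in gid_b))
                    print "MISSING", n, gid_a[n]
                else if (gid_a[n] != gid_b[n])
                    print "GID_MISMATCH", n, gid_a[n], gid_b[n]
            }
            for (g in name_a)
                if ((g in name_b) && name_a[g] != name_b[g])
                    print "GID_REUSED", g, name_a[g], name_b[g]
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample data: only "staff" (GID 50) and the name "fl_staff"
# come from the thread; every other name and number is made up.
demo_report() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/pdc.group" <<'EOF'
staff:x:50:
fl_staff:x:1001:alice,bob
accounts:x:1002:carol
EOF
    cat > "$dir/member.group" <<'EOF'
staff:x:50:
backupops:x:1001:
accounts:x:1005:
EOF
    compare_groups "$dir/pdc.group" "$dir/member.group"
    rm -rf "$dir"
}

demo_report
```

A GID_REUSED line is the one to resolve before moving data: files copied with their numeric GID preserved would become accessible to the unrelated group that already owns that number on the destination.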