Samba PDC+LDAP and home directories on different servers
When I first set up Samba as a PDC, it was on the same box as the NFS server, so there were no problems with POSIX locking. But now we have our big fileserver, which is hosted someplace else, so I didn't move the PDC out with it. The home directories are automounted, and the homedir map is in LDAP, along with all the user info (Samba+LDAP).
But now that the home directories are NFS mounted on the PDC, POSIX locking errors happen, and logging in is a bit slow. I found the nis homedir and homedir map options and set them on the PDC. I also set up Samba on the fileserver to work as a domain member (is this good or bad? I don't know). I'm able to connect to the fileserver by hand (i.e. Map a network drive), but when I log in, the PDC still serves the NFS mounted homes. Why is it not going to the fileserver? I thought that's what those options do: tell the client machine to do an SMB connect to the fileserver for its files.
So what's going on? (Both servers are running the same version of Samba, 3.0.26.) Here is the PDC smb.conf:
[global]
workgroup = CBI
netbios name = PDC
map to guest = Bad User
encrypt passwords = yes
passdb backend = ldapsam:ldap://xxx.xxx.xxx.xxx
log level = 2
syslog = 0
time server = Yes
deadtime = 10
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-group-del '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon path = \\%L\profiles
logon drive = X:
logon home = \\%L\%U
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=samba,ou=DSA,dc=xxx,dc=xxx,dc=xxx
ldap group suffix = ou=group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=machines
ldap passwd sync = Yes
ldap suffix = dc=cbi,dc=utsa,dc=edu
ldap ssl = start tls
ldap user suffix = ou=people
## printer admin = '@Print, Operators'
printing = cups
create mask = 0640
directory mask = 0750
case sensitive = No
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
nis homedir = yes
homedir map = auto.home
[homes]
comment = Home Directories
path = %p
valid users = %S
read only = No
directory mask = 0700
locking = No
[netlogon]
comment = Network Logon Service
path = /etc/samba/netlogon
guest ok = Yes
[profiles]
path = /home/%u/.profile
valid users = %U, '@Domain, Admins'
force user = %U
read only = No
create mask = 0600
directory mask = 0700
profile acls = Yes
browseable = No
csc policy = disable
And here is the smb.conf on the fileserver:
[global]
interfaces = ce0 127.0.0.1
bind interfaces only = yes
encrypt passwords = yes
workgroup = CBI
security = domain
name resolve order = wins bcast host
deadtime = 5
ldap machine suffix = ou=machines
ldap admin dn = cn=samba,ou=DSA,dc=xxx,dc=xxx,dc=xxx
preferred master = no
ldap idmap suffix = ou=Idmap
allow trusted domains = yes
netbios name = cajal
lanman auth = YES
ldap group suffix = ou=group
wins support = no
ldap user suffix = ou=people
ldap suffix = dc=xxx,dc=xxx,dc=xxx
ldap passwd sync = Yes
ldap ssl = start tls
wins server = xxx.xxx.xxx.xxx
max smbd processes = 0
server string = cajal
winbind trusted domains only = Yes
os level = 8
passdb backend = ldapsam:ldap://xxx.xxx.xxx.xxx
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no
use spnego = yes
ntlm auth = YES
syslog = 0
log level = 0
[homes]
read only = No
valid users = %S
comment = Home Directories
path = /tray1/home/%u
So any ideas? I guess I can set up the PDC on the fileserver, and make the local server that is on the same subnet as our clients a domain member (I know that will work since I set up a domain member on a gateway that isolates the internal machines), but I see no reason why this shouldn't work.
Thanks beforehand to those who help.
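Added example, not part of the original post: a small Python check that reads the `logon home` template from the PDC configuration above and shows which server a client is pointed at. Per smb.conf(5), `%L` is the logon server's own NetBIOS name and `%N` is the home directory server taken from the automount map. The user name `alice`, the function names, and the assumption that the map lookup returns `cajal` are hypothetical.

```python
import re

# Constructed sample: the relevant lines of the PDC smb.conf quoted in the post.
PDC_CONF = r"""
[global]
netbios name = PDC
logon path = \\%L\profiles
logon home = \\%L\%U
nis homedir = yes
homedir map = auto.home
"""

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict (names lower-cased)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def expand(value, user, logon_server, home_server):
    """Expand the smb.conf macros relevant here: %L, %N and %U."""
    table = {"L": logon_server, "N": home_server, "U": user}
    return re.sub(r"%([LNU])", lambda m: table[m.group(1)], value)

def unc_server(unc):
    """Host part of a UNC path such as \\\\HOST\\share."""
    return unc.lstrip("\\").split("\\", 1)[0]

def logon_home_target(conf_text, user, home_server):
    """Server named in the expanded 'logon home'; home_server is an assumed map result."""
    g = parse_global(conf_text)
    template = g.get("logon home", r"\\%N\%U")  # smb.conf(5) default value
    return unc_server(expand(template, user, g.get("netbios name", ""), home_server))

if __name__ == "__main__":
    print(logon_home_target(PDC_CONF, "alice", "cajal"))   # template as posted
    with_n = PDC_CONF.replace(r"logon home = \\%L\%U", r"logon home = \\%N\%U")
    print(logon_home_target(with_n, "alice", "cajal"))     # template using %N
```

With the template as posted the result is the PDC itself, because `%L` never consults the homedir map; only a template that uses `%N` can name a different server.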