Converting PDC/Samba to VMWare



gfellerj
30-Jul-2013, 15:07
Hello,

Here is my entire scenario.

We have a physical box running a Samba file server and acting as the PDC. It points to a separate virtual server for LDAP, so all of the user accounts are placed on that server via YaST2.

I am very new to SUSE Enterprise Server and have been assigned to set up a new Samba PDC as a virtual machine so we can migrate the Samba configs off the older physical box but leave all the files and shares on the physical box. I have copied the Samba config file over to the new server. I was able to NFS-mount the file shares on the new virtual server, and I can even run a logon script against the new virtual server name and map some network drive shares.

Samba seems to store the machine accounts on the Samba server instead of the LDAP server, even though we are pointing to that separate server for LDAP. My worry is: will I have to rejoin all of these machines to the domain again so they join up to my new Samba virtual server?

Another thought was setting up my new virtual server as a BDC, but when I try to select that in YaST2 I get "Unable to find suitable server for domain 'mydomain'".

Can anyone advise me or get my brain spinning in the right direction on how to finish this up?

Thanks

jmozdzen
30-Jul-2013, 16:40
Hi gfellerj,

> Hello,
>
> Here is my entire scenario.
>
> We have a physical box running a Samba file server and acting as the PDC. It points to a separate virtual server for LDAP, so all of the user accounts are placed on that server via YaST2.
>
> I am very new to SUSE Enterprise Server and have been assigned to set up a new Samba PDC as a virtual machine so we can migrate the Samba configs off the older physical box but leave all the files and shares on the physical box. I have copied the Samba config file over to the new server. I was able to NFS-mount the file shares on the new virtual server, and I can even run a logon script against the new virtual server name and map some network drive shares.
>
> Samba seems to store the machine accounts on the Samba server instead of the LDAP server, even though we are pointing to that separate server for LDAP. My worry is: will I have to rejoin all of these machines to the domain again so they join up to my new Samba virtual server?
>
> Another thought was setting up my new virtual server as a BDC, but when I try to select that in YaST2 I get "Unable to find suitable server for domain 'mydomain'".
>
> Can anyone advise me or get my brain spinning in the right direction on how to finish this up?
>
> Thanks

From your description I see three machines:

1. (physical) server running the original Samba server / PDC, with the configured file shares
2. (physical) server running LDAP
3. (virtual) server

not to mention the clients involved ;)

- What version of Samba (and while we're at it, which OS) are you running on server1?
- Is server2 running OpenLDAP?
- Which version of SLES are you experimenting with on server3?

We run a similar structure at one of our locations:
- PDC is a SLES11(SP1) VM (in dire need of updating to SP3 :) )
- a replicating OpenLDAP cluster is installed on the same and other VMs
- another physical (SAN/NAS) server is running Samba, too, and acting as a simple file server from this perspective

All user accounts are stored in the LDAP directory and used both for Samba and Linux authentication.

The reasoning "so we can migrate the samba configs off of the older physical box, but leave all the file and shares on the physical box" might need some further explanation - that physical server will have to run Samba, too, in order to handle the shares.

> Samba seems to store the machine accounts on the samba server instead of the LDAP server even though we are pointing to that separate server for LDAP

It would be helpful to see the according smb.conf in order to further diagnose this.

> Can anyone advise me or get my brain spinning in the right direction on how to finish this up?

From what I can tell, you're already on the right track - maybe all it needs is some tweaking of your configuration.

Regards,
Jens

gfellerj
30-Jul-2013, 17:01
Hello, my server 1 (the PDC) is running Suse Enterprise 11 SP1.
My server 2 is indeed running OpenLDAP.
Server 3 is running Suse Enterprise 11 SP3.

We will leave Samba running on the physical box to support the NFS mounts from the virtual server. I have attached my smb.conf, with the IP addresses and machine names removed.

Thanks for your help!


# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2009-09-30
[global]
workgroup = "my domain"
netbios name = "my server name"
server string = file server
netbios aliases = "alias name"
domain logons = Yes
domain master = Yes
security = user
wins support = Yes
# Setting log level and one log per client
syslog = 4
log file = /var/log/samba/log.%m
# To keep Samba from listening on port 445
smb ports = 139
# Setting up Samba printing services
#printing = cups
#printcap name = cups
#printcap cache time = 750
#cups options = raw
#load printers = yes
map to guest = Bad User
include = /etc/samba/dhcp.conf
##logon path = \\%L\profiles\.msprofile
# The next line disables roaming profiles
logon home = \\%L\%U\.9xprofile
logon drive = H:
logon script = logon.bat
usershare allow guests = No

# LDAP Settings
passdb backend = ldapsam:ldap://"myLdap Server"
ldap admin dn = cn=Admin, dc=, dc=, dc=
ldap group suffix = ou=group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = Yes
ldap suffix = dc=i, dc=k, dc=edu
ldap user suffix = ou=people
add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$
admin users = autoconfig, clsroot, chw, root
store dos attributes = yes
map acl inherit = yes
enable privileges = yes
##ldapsam:trusted = yes
# Added on 09-01-2011 for the idmap plug-in
idmap alloc backend = ldap
idmap alloc config : ldap_url = ldap://myldap server/
idmap alloc config : ldap_base_dn = ou=Idmap,dc=i,dc=k,dc=e
# extra debug messages
#log level = 3
hosts allow = 129.130. 10.130. 10.131. 127.0.0.1
remote announce = 129.130.42.255/"hostname"
name resolve order = wins host bcast
time server = Yes
# Printing via CUPS (note: as written, these lines enable printing in Samba)
load printers = yes
printing = cups
printcap name = cups
cups server = "iP"
#disable spoolss = yes
local master = Yes
os level = 65
preferred master = Yes
ldap ssl = Off
idmap backend = ldap:ldap://"myldap server"

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = Yes
read only = No
inherit acls = Yes
# [profiles]
# comment = Network Profiles Service
# path = %H
# read only = No
# store dos attributes = Yes
# create mask = 0600
# directory mask = 0700
# [groups]
# comment = All groups
# path = /home/groups
# read only = No
# inherit acls = Yes

## Share disabled by YaST
[printers]
comment = All Printers
path = /var/tmp
printable = No
create mask = 0600
browseable = yes
printer admin = @Admins


[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = clsroot
browseable = yes
guest ok = yes
#read only = no
##force group = DomainAdmins
##create mask = 0664
directory mask = 0775

[common]
comment = Common Volume
inherit acls = Yes
force create mode = 0777
security mask = 0777
directory security mask = 0777
force directory mode = 0777
#force security mode = 0
#force directory security mode = 0
path = /common/
read only = No
writeable = Yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = @Admins
guest ok = no
writeable = no
locking = no
read only = No

[web_backup_aries$]
comment = Website backup from Aries
inherit acls = Yes
path = /home/web_back/Aries/
read only = No
browseable = No
valid users = @Admins

[staff]
path = /home/staff/staff
# force group = Staff
force create mode = 0770
security mask = 0770
directory security mask = 0770
force security mode = 0
force directory security mode = 0
browseable = no
writeable = Yes
read only = No
write list = @faculty @Staff
valid users = @faculty @Staff

[health]
#path = /home/health
path = /research/health
#force group = Health
browseable = no
force create mode = 0777
security mask = 0777
directory security mask = 0777
force security mode = 0
force directory security mode = 0
writeable = yes
read only = No
write list = @Health
valid users = @Health

[apps]
comment = apps shared for the computer lab
#valid users = %S
guest ok = No
inherit acls = Yes
path = /home/appvol/
read only = Yes
write list = @Admins

# [images]
# inherit acls = Yes
# path = /home/images/
# read only = No
# valid users = clsroot, chw

[backup$]
comment = backup to Elijah
guest ok = No
inherit acls = Yes
path = /home
read only = No
valid users = @Admins
write list = @Admins
[iesearch]
#path = /home/iesearch
path = /research/iesearch
force group = iesearch
browseable = no
force create mode = 0777
security mask = 0777
directory security mask = 0777
force security mode = 0
force directory security mode = 0
writeable = yes
read only = No
write list = @iesearch
valid users = @iesearch
[qelab]
path = /research/qelab
force group = qelab
browseable = no
writeable = yes
read only = No
write list = @qelab
valid users = @qelab
force create mode = 0770
force directory mode = 0770
directory security mask = 0777
force directory security mode = 0
force security mode = 0
security mask = 0777
[humlog]
path = /research/humlog
force group = humlog
browseable = no
writeable = yes
read only = No
write list = @humlog @Admins
valid users = @humlog @Admins
force create mode = 0770
force directory mode = 0770
directory security mask = 0777
force directory security mode = 0
force security mode = 0
security mask = 0777
[humlog_srdesign]
path = /research/humlog_srdesign
force group = humlog_srdesign
browseable = no
writeable = yes
read only = No
write list = @humlog_srdesign @Admins
valid users = @humlog_srdesign @Admins
force create mode = 0770
force directory mode = 0770
directory security mask = 0777
force directory security mode = 0
force security mode = 0
security mask = 0777
[vch]
path = /research/vch
force group = vch
browseable = no
writeable = yes
read only = No
write list = @vch @Admins
valid users = @vch @Admins
force create mode = 0770
force directory mode = 0770
directory security mask = 0777
force directory security mode = 0
force security mode = 0
security mask = 0777

[research$]
path = /research/
force group = Admins
browseable = no
writeable = yes
read only = No
write list = @Admins
valid users = @Admins
force create mode = 0770
force directory mode = 0770
directory security mask = 0777
force directory security mode = 0
force security mode = 0
security mask = 0777
[license]
comment = apps shared for the computer lab
guest ok = No
inherit acls = Yes
path = /home/license_vol/
read only = Yes
# valid users = @Staff, @Faculty, autoconfig
write list = @Admins

jmozdzen
31-Jul-2013, 11:05
Hi gfellerj,


> Hello, my server 1 (the PDC) is running Suse Enterprise 11 SP1.
> My server 2 is indeed running OpenLDAP.
> Server 3 is running Suse Enterprise 11 SP3.
>
> We will leave Samba running on the physical box to support the NFS mounts from the virtual server. I have attached my smb.conf, with the IP addresses and machine names removed.

your smb.conf does look ok, from an SP1 point of view. SLES11SP3 comes with Samba 3.6.3, while SP1 has Samba 3.4.3, so there may have been changes in smb.conf syntax and/or semantics - I haven't yet had time to check for such pitfalls.

> We will leave Samba running on the physical box to support the NFS mounts from the Virtual.

Do I see it right that you want to mount the file shares (on server1, physical) via NFS on server3 (virtual), and then share from server3 for client access via SMB? Then you'd need no Samba on server1, just nfs. But OTOH, this sounds pretty "sub-optimum" to me: all file share traffic would first go from client to server3 (via SMB), then to server1 (via NFS) and the responses go the complete chain backwards. Wouldn't it be better to set up server1 as Samba server (no DC, just file server) and have all clients use server1 directly when accessing those shares? server3 then would mostly serve as a domain controller and probably some other shares (like network printing and whatever else you'd put there).

server1 would obviously then need some differing settings, i.e.

    local master = no
    preferred master = no
    domain master = False

since it no longer is the DC - but it can of course still access the LDAP-stored user configuration, too.

In your original message you wrote

> Samba seems to store the machine accounts on the Samba server instead of the LDAP server, even though we are pointing to that separate server for LDAP. My worry is: will I have to rejoin all of these machines to the domain again so they join up to my new Samba virtual server?

What do you see that makes you think so? Are the machine accounts missing from LDAP on the remote machine? Are these stored inside a local LDAP (on server1)? It sure might depend on how server1 is set up LDAP-wise (you're using a YaST script to add the machine accounts, I have not checked how that script determines where to store the information... might be the PAM settings for user accounts, rather than smb.conf!) - but I wonder how things could have been working when you set up samba to use LDAPSAM but the machine accounts are stored separately...

Regards,
Jens
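As an added example (not code from the thread), here is a small Python script that reads an smb.conf like the one posted, applies the [global] overrides Jens lists for server1, works out the LDAP base DN where ldapsam keeps machine accounts so that "are they really in LDAP?" can be checked with an ldapsearch against that base, and flags two settings from the posted config that a reviewer would revisit (ldap ssl = Off with a plain ldap:// backend, and 0777 force create modes). The sample config, hostname and DNs are constructed placeholders.

```python
import re
# Constructed sample modelled on the posted smb.conf; hostname and DNs are placeholders.
SAMPLE_SMB_CONF = """
[global]
  domain master = Yes
  local master = Yes
  preferred master = Yes
  passdb backend = ldapsam:ldap://ldap.example.invalid
  ldap suffix = dc=example,dc=invalid
  ldap machine suffix = ou=Machines
  ldap ssl = Off
[common]
  force create mode = 0777
"""
# Jens's overrides for server1 once it is a plain member file server, not the DC.
DC_ROLE_OVERRIDES = {"local master": "no", "preferred master": "no", "domain master": "False"}
def parse_smb_conf(text):
    """Minimal smb.conf reader: [section] headers, key = value, '#'/';' comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            conf[section] = {}
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf
def file_server_globals(conf):
    """[global] for a server that keeps its shares but no longer acts as DC."""
    return {**conf["global"], **DC_ROLE_OVERRIDES}

def machine_account_search(conf):
    """Base DN and LDAP filter to verify that machine accounts really live in LDAP."""
    g = conf["global"]
    return f"{g['ldap machine suffix']},{g['ldap suffix']}", "(&(objectClass=sambaSamAccount)(uid=*$))"

def review_findings(conf):
    """Settings a defender would revisit, judged only from the config values."""
    g, findings = conf["global"], []
    if g.get("ldap ssl", "").lower() == "off" and g.get("passdb backend", "").startswith("ldapsam:ldap://"):
        findings.append("global: ldap ssl = Off over ldap:// sends the admin DN bind in clear")
    for name, sec in conf.items():
        if sec.get("force create mode", "").endswith("777"):
            findings.append(f"{name}: force create mode {sec['force create mode']} makes new files world-writable")
    return findings
```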

smflood
06-Aug-2013, 22:14
> gfellerj;14970 Wrote:

>> one other thing I have been tasked with is setting up a Linux Print
>> quota type server that I can point to the user accounts on my LDAP
>> server and put a numbered paper count quota on each user account. Know
>> any good software setup for this?

By "software" are you looking for free (open source) or commercial
software?

If the latter, then you might want to take a look at PaperCut[1].

HTH.

[1] http://www.papercut.com/
--
Simon
SUSE Knowledge Partner