Koozali.org: home of the SME Server

How to get a second sme server to accept sme domain controller's passwords?

Offline Stefano

RE: So if you are aware of that, what is the issue then ? Why are you complaining that a user cannot access it when you know only the admin user can access it ?

What I was saying was that it was irrelevant what ibay we talked about, it is the login to the server, not the Ibay, that is the problem.

JoshAU, could you please use the standard quote code?

Thank you

Ciao
Stefano

Offline gzartman

Please follow my work over at the SME Bug Tracker:

http://bugs.contribs.org/show_bug.cgi?id=4172

I have developed patches against e-smith-samba to allow SME to function in server modes other than a Workgroup server or a Primary Domain Controller.  In my situation, I wanted SME to perform as both a Domain Member and a Backup Domain Controller.

The patches contained in bug report 4172 and this bug report:

http://bugs.contribs.org/show_bug.cgi?id=4196

will allow SME to function in multiple server roles.

I will work with the SME Dev Team to incorporate this work in some fashion into the base SME packages.  I am hopeful that we will get some support for additional server roles.  From here, I'll further develop my smeserver-adv-samba package to allow SME to function in a variety of Windows Network configurations.

Greg
 

« Last Edit: August 13, 2008, 05:02:23 AM by gzartman »
----
Greg J. Zartman
LEI Engineering & Surveying

SME user and community member since 2000.

Offline gzartman


I guess I'm off to try the link in the link Jester provided, sigh.
http://distro.ibiblio.org/pub/linux/distributions/smeserver/contribs/gzartman/HowToGuides/SME_DomainClientHowto.htm


This Howto was created for SME 6.x.  It WILL NOT WORK for SME 7.x.  It will get you in the ball park, but there are many missing pieces.

Please see my previous post on this topic.

Greg
----
Greg J. Zartman
LEI Engineering & Surveying

SME user and community member since 2000.

Offline brentonv

Please follow my work over at the SME Bug Tracker:
http://bugs.contribs.org/show_bug.cgi?id=4172
http://bugs.contribs.org/show_bug.cgi?id=4196
will allow SME to function in multiple server roles.

this is absolutely fantastic work greg. do we need to install both the RPM and the patch? or do they both do the same thing? can't wait to test it out. will finally allow remote office SME's to authenticate over VPN to PDC. etc etc.
 
regards,
brentonv

Offline gzartman

this is absolutely fantastic work greg. do we need to install both the RPM and the patch? or do they both do the same thing? can't wait to test it out. will finally allow remote office SME's to authenticate over VPN to PDC. etc etc.

Brent,

I am very happy you are excited about the work I've been doing with SME and Samba.  Please participate in the bug report I started on this topic: http://bugs.contribs.org/show_bug.cgi?id=4172

Just to make things clear:  The work I have done with SME and Samba has nothing to do with VPN. 

In a nutshell, I am working with the SME Dev Team to advance SME's ability to participate in MS Windows Networks.  It is my desire to enable SME Server to function as if it were any MS Network Server.  However, I also respect that the SME Dev team proceeds with caution with respect to change so that SME will remain stable.  In time, I am confident that SME Server will provide full support for Windows Networks.  Until this time occurs, smeserver-adv-samba will fill the gap.

Greg 
« Last Edit: August 14, 2008, 07:04:06 AM by gzartman »
----
Greg J. Zartman
LEI Engineering & Surveying

SME user and community member since 2000.

Offline joshAU

First.

JoshAU, could you please use the standard quote code?
Done! :)
Sorry about that.

OK, as gzartman mentioned, my above link is a bit outdated....like 5 years plus...

However, gzartman has kindly provided info in his links on how to achieve this.

AND NOW.... it's working! - I can now log into the SME DC and access shares from the SME fileserver!

Oh, I'm so happy
And a big thank you to gzartman for providing the means to do it. (see his above links for info).

Let's hope this gets included as a standard feature.

Thank you for all your input.

JoshAU

Offline Alex Schaft

I've got this setup working fine. Having duplicated the user accounts on the second server

security = domain

password server = *

Can't see anything else that needed changing apart from joining the domain

Ibays need to be set up to allow the user group, or everyone, access

......

Offline brentonv

hello again greg,
It is my desire to enable SME Server to function as if it were any MS Network Server.
i assume you will be posting a how-to when development is complete, but if you have time could you please elaborate on the following?

1: i am still unclear if i apply a series of patches? e-smith-samba-1.14.1-serverrole.patch, e-smith-pptpd-1.12.0-serverrole.patch, e-smith-lib-1.18.0-serverrole.path, e-smith-base-4.18.1-serverrole.patch from http://bugs.contribs.org/show_bug.cgi?id=4172 or do i use the smeserver-adv-samba-0.1.0-1.src.rpm from http://bugs.contribs.org/show_bug.cgi?id=4196
2:
Quote
ServerRole=PDC: SME will perform as a Windows Primary Domain Controller.
ServerRole=DM: SME will perform as a Windows Domain Member.
ServerRole=WG (or undefined): SME will function as a Windows Workgroup Member.
ServerRole=BDC: SME will function as a Windows Backup Domain Controller (preliminary support only).
ServerRole=ADS: SME will function as a Windows Active Domain Server (preliminary support only).
ServerRole=ADM: SME will function as a Windows Active Domain Member (preliminary support only).
i was hoping you could explain the operating functionality (or perhaps limitations) of these additional roles, such as ServerRole=ADS (because as far as i was aware AD functionality is still in development in samba 4) and also possible examples of additional smb.conf parameters for *preliminary support.

thanks again for your efforts. i believe that this additional functionality will advance SME to a new level.

regards,
brentonv
« Last Edit: August 15, 2008, 02:17:33 AM by brentonv »

Offline gzartman

hello again greg,i assume you will be posting a how-to when development is complete, but if you have time could you please elaborate on the following?

I can certainly put together some documentation and post it up on the wiki or something.

1: i am still unclear if i apply a series of patches? e-smith-samba-1.14.1-serverrole.patch, e-smith-pptpd-1.12.0-serverrole.patch, e-smith-lib-1.18.0-serverrole.path, e-smith-base-4.18.1-serverrole.patch from http://bugs.contribs.org/show_bug.cgi?id=4172 or do i use the smeserver-adv-samba-0.1.0-1.src.rpm from http://bugs.contribs.org/show_bug.cgi?id=4196

The serverrole patches represent an update of e-smith-samba.  These updates fall into three categories:

 1. Cleaning up some relic fragments that date back many years (house-cleaning);
 
 2. Improvement to the way SME functions in a windows network with respect to Network Browsing.  The changes will definitely improve network browsing speed, especially when a workgroup/domain spans subnets.

 3. Replaced the DomainMaster smb dbase property with ServerRole.  The DomainMaster smb property dates back to days in SME dev when all we were worried about was making SME perform as a member of a workgroup or as a Primary Domain Controller.  

Server Roles (via the ServerRole Property):

1.  Workgroup Server:  SME functions as a standalone file server and requires local user accounts for authentication (SME offers this now);

2.  Primary Domain Controller:  SME functions as a WinNT 4 type authentication server for windows domains -- unified login (SME Offers this now);

3.  Domain Member:  SME functions as a member to a WinNT 4 type domain.  Authentication to shares it hosts is done via another authentication server such as an SME Primary Domain controller or a Windows Domain Controller.  Basically, SME configured as a Domain Member makes it act like any Windows Machine that is a member of the Windows Domain.  (SME does not offer this functionality now, but the patches I provided and my smeserver-adv-samba package provide this functionality).

4.  Backup Domain Controller:  Very similar to a Primary Domain Controller except the BDC will yield authentication authority to the PDC if the PDC is present and able to respond to authentication requests.  The patches to the base rpms and my smeserver-adv-samba package provide this functionality with one exception:  replication of the user accounts.  Like the PDC, the BDC must have copies of all user and machine accounts.   Once we get full LDAP support for SME, then we can reliably replicate user and machine accounts and thus fully implement SME as a BDC.  Until then, the only way to replicate these accounts is for the PDC to push the txt dbase files to the BDC, which can be a bit tricky and does not provide a means to replicate changes made on the BDC back to the PDC.  In other words, this server mode is highly experimental and you really need to know what you are doing to use it.  I've successfully deployed it, but I had to really keep an eye on it.

5.  Active Directory Server:  Almost identical to SME as a PDC, except it allows SME to manage active directory queries.  This functionality is still very much in the beginning phase of being implemented, but it is possible with Samba 3 to provide these functions.  Frankly, I don't use ADS, so I have little incentive to spend a bunch of time working on it.  If someone would like to jump in and help, that would be wonderful. 

6.  Active Directory Member:  Almost identical to SME as a Domain Member except it has the ability to query active directory services.  Once again:  I don't use ADS, so I have little incentive to spend a bunch of time working on it.  If someone would like to jump in and help, that would be wonderful. 

Preliminary Support simply means that additional configuration is necessary to fully deploy these server modes.  It is not possible to completely separate  all configuration to support these functions for inclusion in another package (e.g., smeserver-adv-samba) as many of the configuration parameters are integral to Samba.

I hope this helps
« Last Edit: August 15, 2008, 07:20:12 PM by gzartman »
----
Greg J. Zartman
LEI Engineering & Surveying

SME user and community member since 2000.
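
Added example, not part of the thread and not code from the e-smith-samba patches or smeserver-adv-samba: a small checker that reads the `[global]` section of an smb.conf and reports which of the ServerRole codes listed above the settings imply, using stock Samba 3 parameter semantics as the assumption. The workgroup name in the sample is a constructed placeholder, and the ADS role is not inferred because the page gives no settings for it.

```python
# Added example: infer the role a Samba 3 [global] section implies.
# Mapping follows stock Samba 3 semantics (assumption), not the SME patches.

# Constructed sample resembling the domain-member settings quoted in the thread.
SAMPLE_MEMBER = """
[global]
    workgroup = EXAMPLEDOM
    security = domain
    password server = *
"""

TRUE = {"yes", "true", "1"}

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and spaces in parameter names.
            params["".join(key.lower().split())] = value.strip()
    return params

def infer_role(text):
    """Return (role, warnings) using the ServerRole codes from the thread."""
    p = parse_global(text)
    security = p.get("security", "user").lower()  # Samba 3 default is user
    logons = p.get("domainlogons", "no").lower() in TRUE
    warnings = []
    if security in ("domain", "ads"):
        role = "DM" if security == "domain" else "ADM"
        if "workgroup" not in p:
            warnings.append("workgroup (domain name) not set")
        if role == "ADM" and "realm" not in p:
            warnings.append("security = ads needs realm")
        if logons:
            warnings.append("domain logons = yes is unexpected on a member")
    elif logons:
        # 'domain master' defaults to auto, which acts as yes with logons on.
        master = p.get("domainmaster", "auto").lower()
        role = "BDC" if master in ("no", "false", "0") else "PDC"
        if role == "BDC":
            warnings.append("accounts must be replicated from the PDC separately")
    else:
        role = "WG"
    return role, warnings
```

Calling `infer_role(open("/etc/samba/smb.conf").read())` on a real server gives the same kind of result; on a joined member the returned role should be `DM` with an empty warning list.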

Offline brentonv

thank you greg. explains everything for me. i also read through your scripts, a lot of work gone into this! i noticed many changes and as you mentioned it brings a lot of things up-to-date. this will also solve a lot of trivial issues which still get posted regularly by people new to SME.

regards,
brentonv
« Last Edit: August 16, 2008, 03:14:54 AM by brentonv »