[tech] Changes to Samba (Windows 7 should work on the domain soon)
David Adam
zanchey at ucc.gu.uwa.edu.au
Fri May 28 12:44:01 WST 2010

I have been trying to get Samba working with the Windows 7 machines in the
clubroom. http://lists.samba.org/archive/samba/2010-March/154351.html is a
brief discussion of the problem.

After doing some testing on murjan (a random Dell) I am pretty sure that I
know what the problem is. Windows uses security identifiers (SIDs) in much
the same way that Unix uses UIDs, but it appears that the SID for our
Samba domain is not entirely valid, and is rejected by Windows 7.

This is reasonably easy to fix; the domain SID is stored in LDAP and is
easy to change. However, as all user and machine accounts are based on the
domain SID, renumbering the domain will require renumbering all accounts -
easy enough with sed and slapcat/slapadd.

However (again), this will almost certainly break domain memberships and
local filesystem permissions (e.g. permissions on local copies of roaming
profiles) on the XP machine(s) currently joined to the domain, so I think
we need to unjoin them and then make the changes before rejoining them to
the domain.

To do this with minimal disruption I am planning on commandeering the
Windows machines in the clubroom before the LAN tomorrow.

Secondly, I am a bit sick of the hoops you have to jump through to create
Samba machine accounts, specifically the part where you need to create a
local Unix account on the domain controller machine. I have some minimal
changes to the Samba config that will create the machine accounts in LDAP
under ou=Computers whenever a new machine joins the domain, so I think we
can probably get rid of that step.

This will have the advantage of a) speeding up Samba with the use of
ldapsam:trusted and b) allowing Winadmins to join new boxes to the domain
without requiring wheel group intervention.

David Adam
UCC Wheel Group
zanchey at ucc.gu.uwa.edu.au
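
The sed-based renumbering mentioned in the message, as an added example that is not part of the original post or of UCC's actual procedure. It assumes the SIDs live in the standard Samba schema attributes `sambaSID`, `sambaPrimaryGroupSID` and `sambaSIDList`; the function names, DNs and SID values are constructed for illustration.

```shell
#!/bin/sh
# Added example: rewrite the domain part of Samba SIDs in an LDIF stream.
# In practice the input would be a slapcat dump and the output would be
# loaded with slapadd; here a constructed sample is used instead.

# renumber_sids OLD_DOMAIN_SID NEW_DOMAIN_SID  (LDIF on stdin and stdout)
renumber_sids() {
    old=$1 new=$2
    # Accept only "S-" plus digits and hyphens, so neither value can carry
    # regex metacharacters into the sed expression below.
    for sid in "$old" "$new"; do
        printf '%s\n' "$sid" | grep -Eq '^S-[0-9]+(-[0-9]+)+$' || {
            echo "not a SID: $sid" >&2
            return 2
        }
    done
    # Touch only SID-bearing attributes, and only when the value is the
    # domain SID itself or the domain SID followed by exactly one RID.
    # A bare s/OLD/NEW/g would also rewrite free text and any other SID
    # that merely starts with the same characters.
    sed -E "s/^(sambaSID|sambaPrimaryGroupSID|sambaSIDList): ${old}(-[0-9]+)?\$/\1: ${new}\2/"
}

# Constructed sample LDIF (not real directory data).
sample_ldif() {
    cat <<'EOF'
dn: sambaDomainName=EXAMPLE,dc=example,dc=org
sambaDomainName: EXAMPLE
sambaSID: S-1-5-21-100-200-300

dn: uid=alice,ou=People,dc=example,dc=org
sambaSID: S-1-5-21-100-200-300-3001
sambaPrimaryGroupSID: S-1-5-21-100-200-300-513
description: old SID was S-1-5-21-100-200-300-3001

dn: uid=other,ou=People,dc=example,dc=org
sambaSID: S-1-5-21-100-200-3000-1005
EOF
}

sample_ldif | renumber_sids S-1-5-21-100-200-300 S-1-5-21-111-222-333
```

Diffing the rewritten LDIF against the original dump before loading it shows exactly which entries changed and confirms that RIDs were preserved.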