[tech] Changes to Samba (Windows 7 should work on the domain soon)

David Adam zanchey at ucc.gu.uwa.edu.au
Fri May 28 12:44:01 WST 2010


I have been trying to get Samba working with the Windows 7 machines in the 
clubroom. http://lists.samba.org/archive/samba/2010-March/154351.html is a 
brief discussion of the problem.

After doing some testing on murjan (a random Dell) I am pretty sure that I 
know what the problem is. Windows uses security identifiers (SIDs) in much 
the same way that Unix uses UIDs, but it appears that the SID for our 
Samba domain is not entirely valid, and is rejected by Windows 7.

This is reasonably easy to fix; the domain SID is stored in LDAP and is 
easy to change. However, as all user and machine accounts are based on the 
domain SID, renumbering the domain will require renumbering all accounts - 
easy enough with sed and slapcat/slapadd.

However (again), this will almost certainly break domain memberships and 
local filesystem permissions (e.g. permissions on local copies of roaming 
profiles) on the XP machine(s) currently joined to the domain, so I think 
we need to unjoin them and then make the changes before rejoining them to 
the domain.

To do this with minimal disruption I am planning on commandeering the 
Windows machines in the clubroom before the LAN tomorrow.

Secondly, I am a bit sick of the hoops you have to jump through to create 
Samba machine accounts, specifically the part where you need to create a 
local Unix account on the domain controller machine. I have some minimal 
changes to the Samba config that will create the machine accounts in LDAP 
under ou=Computers whenever a new machine joins the domain, so I think we 
can probably get rid of that step.

This will have the advantage of a) speeding up Samba with the use of 
ldapsam:trusted and b) allowing Winadmins to join new boxes to the domain 
without requiring wheel group intervention.

David Adam
UCC Wheel Group
zanchey at ucc.gu.uwa.edu.au
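The SID check and the slapcat/sed/slapadd renumbering step described in the message above, written out as an added Python example (this is not David's script or anything from the UCC repository). It assumes plain LDIF as produced by slapcat, the Samba ldapsam attribute names (sambaSID, sambaPrimaryGroupSID, sambaSIDList, ...) and the canonical domain SID layout S-1-5-21-<32-bit>-<32-bit>-<32-bit>. The LDIF dump, the names in it and the particular defect in the old SID (a sub-authority that overflows 32 bits) are constructed for the example and are not a statement of what was actually wrong with the UCC domain SID.

```python
"""Check a Samba domain SID and renumber an LDIF dump to a fresh one.

Added example, not code from the original mailing-list post. Assumes slapcat
output in plain LDIF (SID values are short ASCII, so slapcat neither folds
nor base64-encodes them) and Samba's ldapsam schema attribute names.
"""
import re
import secrets

SUBAUTH_MAX = 2 ** 32 - 1                          # sub-authorities are 32-bit in the binary SID
NT_DOMAIN_RE = re.compile(r"^S-1-5-21(?:-\d+)+$")  # anything in the NT "domain" SID space


def domain_sid_problems(sid: str) -> list[str]:
    """Reasons a string is not a well-formed domain SID; empty list if it is fine."""
    if not NT_DOMAIN_RE.match(sid):
        return ["not of the form S-1-5-21-<n>-<n>-<n>"]
    subauths = sid.split("-")[4:]
    problems = []
    if len(subauths) != 3:
        problems.append(f"domain SID needs exactly 3 sub-authorities after 21, has {len(subauths)}")
    problems += [f"sub-authority {s} exceeds 32 bits" for s in subauths if int(s) > SUBAUTH_MAX]
    return problems


def new_domain_sid() -> str:
    """A fresh, random, well-formed domain SID (three random 32-bit sub-authorities)."""
    return "S-1-5-21-" + "-".join(str(secrets.randbelow(SUBAUTH_MAX + 1)) for _ in range(3))


def _sid_pattern(domain_sid: str) -> re.Pattern:
    # Match the domain SID on its own or followed by "-<RID>", but not a longer
    # SID that merely starts with the same digits (S-1-5-21-1-2-3 vs S-1-5-21-1-2-34).
    return re.compile(re.escape(domain_sid) + r"(?=-\d|\s|$)", re.MULTILINE)


def renumber_ldif(ldif: str, old_domain_sid: str, new_domain_sid: str) -> tuple[str, int]:
    """Rewrite every SID of the old domain to the new one, keeping each RID.

    Works on whatever attribute carries the SID (sambaSID, sambaPrimaryGroupSID,
    sambaSIDList, ...), leaves BUILTIN (S-1-5-32-*) and other domains' SIDs
    alone, and refuses to run if the new SID is already present in the dump
    (renumbering onto it would silently merge two domains).
    Returns (new_ldif, number_of_substitutions).
    """
    if not NT_DOMAIN_RE.match(old_domain_sid):
        raise ValueError(f"old domain SID {old_domain_sid!r} is not an S-1-5-21 SID")
    if probs := domain_sid_problems(new_domain_sid):
        raise ValueError(f"new domain SID {new_domain_sid!r}: {'; '.join(probs)}")
    if _sid_pattern(new_domain_sid).search(ldif):
        raise ValueError(f"{new_domain_sid} already occurs in the dump; refusing to merge domains")
    return _sid_pattern(old_domain_sid).subn(new_domain_sid, ldif)


def touched_entries(ldif: str, old_domain_sid: str) -> list[str]:
    """DNs of the entries a renumber would change (a dry run before slapadd)."""
    pat = _sid_pattern(old_domain_sid)
    dns = []
    for entry in re.split(r"\n\n+", ldif.strip()):      # LDIF entries are blank-line separated
        if pat.search(entry):
            dn = next((l for l in entry.splitlines() if l.startswith("dn:")), "dn: ?")
            dns.append(dn.split(":", 1)[1].strip())
    return dns


# Constructed slapcat-style dump, not a real directory. The old domain SID's
# third sub-authority overflows 32 bits: one way a SID can be malformed, and
# not necessarily the defect the post describes.
OLD_DOMAIN_SID = "S-1-5-21-12345-67890-4294967296"
SAMPLE_LDIF = f"""\
dn: sambaDomainName=UCC,dc=example,dc=org
objectClass: sambaDomain
sambaDomainName: UCC
sambaSID: {OLD_DOMAIN_SID}
sambaNextRid: 1003

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: alice
sambaSID: {OLD_DOMAIN_SID}-1000
sambaPrimaryGroupSID: {OLD_DOMAIN_SID}-513

dn: uid=clubroom01$,ou=Computers,dc=example,dc=org
objectClass: sambaSamAccount
uid: clubroom01$
sambaSID: {OLD_DOMAIN_SID}-1002

dn: cn=Administrators,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-544
sambaGroupType: 4
"""

if __name__ == "__main__":
    print("old SID problems:", domain_sid_problems(OLD_DOMAIN_SID))
    print("entries to change:", touched_entries(SAMPLE_LDIF, OLD_DOMAIN_SID))
    new_sid = new_domain_sid()
    fixed, n = renumber_ldif(SAMPLE_LDIF, OLD_DOMAIN_SID, new_sid)
    print(f"{n} SIDs rewritten to {new_sid}")
    print(fixed)
```

On a real directory the flow would be `slapcat -l dump.ldif`, run the renumber over the dump, stop slapd, load the result with `slapadd` into an emptied database, and restart. Two caveats worth checking before rejoining any machine: the domain's SID is not only the `sambaSID` of the sambaDomain entry but is also kept by Samba in secrets.tdb, so compare `net getlocalsid` with the new value and set it with `net setlocalsid` / `net setdomainsid` if it differs; and keep the pre-change dump, since the refusal to overwrite an already-present SID is the only guard the script has against running it twice.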

