I have a network of 20 Linux servers. My plan was to have one act like a PDC and allow single sign-on for the rest of the servers. The reason I say PDC rather than an ADS system is I want to avoid running LDAP. I will also have things like shares between the machines etc. I have done something like this before, however there was a Windows ADS controller on the network already.
Also I am currently not in front of the machines so I can't give you the full contents of my smb.conf files (only what I remember).
So the story so far.
The PDC
[Global]
workgroup = MYDOM
Domain master = yes
local master = yes
Domain logons = yes
security = user
.............
The clients
[Global]
workgroup = MYDOM
Domain master = no
local master = no
security = user
Now the first thing is that testparm for the client tells me it is a standalone machine, and most of the 'net' commands refuse to work as they say it is a standalone machine.
If I change security to DOMAIN (on the client) then it claims to be a domain member. If I do it on the server it starts claiming it is a BDC, and then any normal commands complain that there is no PDC... Also, from the docs I have read you must have security=user for a Samba PDC and Samba client pair...
The next part of the equation is winbind. As I stated earlier, I have managed to get that working with a real ADS controller. However, if I use winbind with the configuration I have described above it flatly refuses to accept that there is a PDC or domain present.
So now I am very confused and frustrated.
So the short version of the question is: can I have a Samba-only network, with a Samba PDC, Samba clients, security=user, and have winbind do the single sign-on for the clients using the PDC (and without using LDAP)?
Hope this is not too long winded.
James
I believe that you definitely need to set your member servers to "security = domain" and then attempt to join the domain (net rpc join -S servername).
Also, there are definitely elements of the samba manual and examples that are either plain wrong or misleading.
If you could post the output of a net rpc join on a member server, that might help debug the problem.
I'm not totally sure about the answer to your final question, but as SAMBA can replace windows for both of the things you want it to do independently, I would assume that it could do both at the same time (be a PDC and a member server).
The winbind error you are getting is because you have "security = user", which effectively means that winbind has no reason to be running because it thinks it's a standalone machine.
Finally, please check that you have a "passdb = something" in the configuration of the PDC.
Sorry for the rambling response, but there are a lot of things to go wrong and any one of them will make things very broken.
-Bacon
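To make the split Bacon describes concrete, here is an added example of the two smb.conf roles side by side: the PDC keeps security = user with a local tdbsam passdb (no LDAP), and every other server is a domain member with security = domain and winbind mapping domain accounts to local ids. This is not configuration from either poster; the NetBIOS names PDC1 and MEMBER01, the netlogon path, the 'machines' unix group used by add machine script, and the idmap uid/gid ranges are all assumed (the idmap lines use the pre-3.6 Samba syntax; newer releases spell this as idmap config * : range).

```ini
; ---- PDC: /etc/samba/smb.conf (assumed path) ----
[global]
    workgroup = MYDOM
    netbios name = PDC1                ; assumed name
    security = user                    ; the PDC authenticates against its own passdb
    passdb backend = tdbsam            ; local TDB file: no LDAP required
    domain master = yes
    domain logons = yes
    local master = yes
    preferred master = yes
    os level = 65
    ; create the machine trust account automatically when a member joins;
    ; Samba passes the machine name with its trailing $ as %u ('machines' group assumed)
    add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

[netlogon]
    path = /var/lib/samba/netlogon     ; assumed path
    read only = yes

; ---- domain member: /etc/samba/smb.conf on every other server (assumed path) ----
[global]
    workgroup = MYDOM
    netbios name = MEMBER01            ; assumed name
    security = domain                  ; authenticate through the PDC, not a local passdb
    password server = PDC1             ; or * to locate the PDC by NetBIOS browsing
    domain master = no
    local master = no
    ; winbind: map domain users/groups onto local uid/gid ranges (assumed ranges)
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
```

With this in place the sequence is: on the PDC, give root a Samba password (smbpasswd -a root) so it can authorise joins; on each member, run net rpc join -S PDC1 -U root, then start winbindd and check wbinfo -t (trust secret) and wbinfo -u (domain users). testparm should now report ROLE_DOMAIN_PDC on the PDC and ROLE_DOMAIN_MEMBER on the members rather than ROLE_STANDALONE, and adding winbind to the passwd and group lines of /etc/nsswitch.conf makes the domain accounts visible to getent passwd on the members.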
If you are looking for a SSO setup, and you have no need for Windows file and print services (ever), then you might be better off setting up Kerberos authentication, which provides just the SSO portion of what you're setting up right now, and can be easily implemented through a small PAM change on each client.
You didn't mention if you would ever have windows clients connecting at some point, so this might be a slightly easier way to deal with your situation.
You need to define passwords for your administrator (usually root) and to create machines accounts. So you have to
create a system user for each machine ending with a $ sign:
useradd -d /dev/null -g 100 -s /bin/false -M <machinename>$
create a samba password with smbpasswd for each machine.
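The two manual steps above can be scripted for all 20 members so that each one is created the same way. This is an added example, not the poster's own script; it assumes it runs as root on the PDC, that a 'machines' unix group exists, that smbpasswd and pdbedit are on PATH, and the member names in MEMBERS are constructed placeholders.

```shell
#!/bin/sh
# Added example: create Samba machine trust accounts on the PDC for a list of
# member servers. Assumes root, a 'machines' group, and smbpasswd/pdbedit on PATH.
set -eu

# Samba convention: the unix account is the NetBIOS name, lowercased, plus a trailing '$'.
machine_account_name() {
    printf '%s$\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# Succeeds only when a name has the trailing '$' that marks a machine trust account.
is_machine_account() {
    case "$1" in
        *\$) return 0 ;;
        *)   return 1 ;;
    esac
}

# Create the unix account (no home, no shell) and the Samba passdb entry.
# Idempotent on the unix side: an existing account is left alone.
create_machine_account() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    acct=$(machine_account_name "$host")
    if ! getent passwd "$acct" >/dev/null 2>&1; then
        useradd -d /dev/null -g machines -s /bin/false -M "$acct"
    fi
    # smbpasswd -m adds the '$' itself and derives the initial trust password
    # from the machine name, so no password prompt appears.
    smbpasswd -a -m "$host"
}

# Constructed list of member servers to enrol (placeholder names).
MEMBERS="${MEMBERS:-member01 member02}"

if [ "${1:-}" = "--run" ]; then
    for h in $MEMBERS; do
        create_machine_account "$h"
    done
    # Every passdb entry is listed; machine accounts are the ones ending in '$'.
    pdbedit -L | grep '\$:' || echo "no machine trust accounts found in passdb"
fi
```

Run it as ./make-machine-accounts.sh --run on the PDC; the guard keeps the account-creating commands from firing when the file is merely sourced for its functions. Once the accounts exist, net rpc join -S <pdc> -U root from each member should succeed, and pdbedit -L on the PDC shows the <machinename>$ entries.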