[Samba] Using LDAP, no PDC/BDC, for multiple samba servers
Adam Williams
awilliam at mdah.state.ms.us
Fri Aug 1 15:58:02 GMT 2008
yes to share a single set of users/groups in LDAP to multiple samba
servers you will need LDAP and a PDC and the other servers will be
BDCs. yes you will join BDC's with net rpc join -D domain -S
pdc_server_name -U root%password
read chapter 5.3 of samba 3 by example.pdf
Soohoon Lee wrote:
>
> Thanks,
> 'sharing LDAP server' is to share the same set of users/groups in the
> LDAP DB, not separate sets of users/groups for each samba servers.
> It looks like PDC ??? maybe what I want is more like NIS.
> So IIUC, to share a single set of users/groups in the LDAP server from
> multiple samba servers, I need LDAP and samba DC?
> And samba servers have to join the samba DC by net rpc join?
>
> Thanks a lot.
> Soohoon.
>
> On Fri, Aug 1, 2008 at 11:22 AM, Adam Williams
> <awilliam at mdah.state.ms.us <mailto:awilliam at mdah.state.ms.us>> wrote:
>
> sure you can have multiple domains with all the account info in
> LDAP. if you really want it to work together well you'll have a
> PDC and BDC's though. you may be able to try samba intertrust
> relationships, but i've never used that
>
>
> Soohoon Lee wrote:
>>
>> Thanks all
>> This is my smb.conf
>> [global]
>> dos charset = UTF-8
>> workgroup = DOMSMB
>> security = user
>> allow trusted domains = No
>> password server = NULL
>> passdb backend = ldapsam:ldap://10.17.124.190/
>> <http://10.17.124.190/>
>> max log size = 50
>> load printers = No
>> stat cache = No
>> os level = 10
>> dns proxy = No
>> ldap suffix = dc=my-domain,dc=com
>> ldap user suffix = ou=Users
>> ldap group suffix = ou=Groups
>> ldap admin dn = cn=Manager,dc=my-domain,dc=com
>> ldap ssl = no
>>
>> And I like to make multiple samba servers to share single LDAP
>> server without using domain controller feature.
>> I'm getting feeling that pure LDAP server is for single samba
>> server or the LDAP server should have samba DC to serve multiple
>> samba servers?
>>
>> Thanks,
>> Soohoon.
>>
>> On Fri, Aug 1, 2008 at 7:02 AM, Lukasz Zalewski
>> <lukas at dcs.qmul.ac.uk <mailto:lukas at dcs.qmul.ac.uk>> wrote:
>>
>> Lukasz Zalewski wrote:
>>
>> Adam Williams wrote:
>>
>> are you using security = user or security = domain on
>> your multiple servers?
>> Soohoon Lee wrote:
>>
>> Hi
>> Is it possible to use single LDAP server and
>> multiple samba servers?
>> The problem I'm having now is
>> Each server thinks their host name is their LDAP
>> domain name, or
>> sambaDomainName, and
>> complain the user's SID is different so can't
>> authenticate.
>> How do I make samba servers use one domain name
>> and SID?
>>
>> LDAP domain name is DOMSMB
>>
>> dn: sambaDomainName=DOMSMB,dc=my-domain,dc=com
>> sambaSID: S-1-5-21-2479917030-3150298425-213194246
>>
>> And samba server created a new domain after its
>> hostname.
>>
>> dn: sambaDomainName=SRV6,dc=my-domain,dc=com
>> sambaSID: S-1-5-21-4202146032-850913369-3381557932
>> And complain user's SID is different from its SID.
>>
>> Thanks,
>> Soohoon.
>>
>>
>>
>>
>> We have student domain and staff domain and one LDAP
>> server. We wanted staff members to log onto student
>> domain. So we considered two options:
>> 1. Interdomain trust relationship
>> (http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html)
>>
>> However this option was not good for us as we didn't want
>> to open up the firewall and we wanted staff members to
>> get the proper student experience (i.e. home dirs and
>> profiles on the student server). So that brought us to
>> the second option:
>> 2. ldap translucent proxy overlay
>> (http://linux.die.net/man/5/slapo-translucent)
>> In this setting we override sids (i.e. domain sid part of
>> the staff domain is substituted with student domain
>> portion of the sid) for users and groups and point samba
>> to the overlay. Bear in mind that all of the changes make
>> by samba like machine passwords, user passwords, idmap
>> mappings etc will go no further than the proxy so great
>> care must be taken in LDAP setups that use referrals.
>>
>>
>> Now the most important question is what do you use you
>> two domains for?
>>
>> HTH
>>
>> Lukasz
>>
>>
>> Ah sorry I didn't read the Subject line properly you do not
>> want PDC. As Andy pointed out maybe you should have one of
>> the servers as a domain member of the other domain
>>
>> Lukasz
>>
>>
>
More information about the samba
mailing list