[Samba] Using LDAP, no PDC/BDC, for multiple samba servers

Adam Williams awilliam at mdah.state.ms.us
Fri Aug 1 15:58:02 GMT 2008


Yes, to share a single set of users/groups in LDAP across multiple Samba 
servers you will need LDAP and a PDC, and the other servers will be 
BDCs.  Yes, you will join the BDCs with net rpc join -D domain -S 
pdc_server_name -U root%password

Read chapter 5.3 of Samba-3 by Example (samba 3 by example.pdf).

Soohoon Lee wrote:
>  
> Thanks,
> By 'sharing the LDAP server' I mean sharing the same set of users/groups in the 
> LDAP DB, not separate sets of users/groups for each Samba server.
> It looks like a PDC??? Maybe what I want is more like NIS.
> So IIUC, to share a single set of users/groups in the LDAP server from 
> multiple Samba servers, I need LDAP and a Samba DC?
> And the Samba servers have to join the Samba DC with net rpc join?
>  
> Thanks a lot.
> Soohoon.
>
> On Fri, Aug 1, 2008 at 11:22 AM, Adam Williams 
> <awilliam at mdah.state.ms.us> wrote:
>
>     Sure, you can have multiple domains with all the account info in
>     LDAP.  If you really want it to work together well you'll have a
>     PDC and BDCs though.  You may be able to try Samba intertrust
>     relationships, but I've never used that.
>
>
>     Soohoon Lee wrote:
>>      
>>     Thanks all
>>     This is my smb.conf
>>     [global]
>>             dos charset = UTF-8
>>             workgroup = DOMSMB
>>             security = user
>>             allow trusted domains = No
>>             password server = NULL
>>             passdb backend = ldapsam:ldap://10.17.124.190/
>>             max log size = 50
>>             load printers = No
>>             stat cache = No
>>             os level = 10
>>             dns proxy = No
>>             ldap suffix = dc=my-domain,dc=com
>>             ldap user suffix = ou=Users
>>             ldap group suffix = ou=Groups
>>             ldap admin dn = cn=Manager,dc=my-domain,dc=com
>>             ldap ssl = no
>>
>>     And I would like to make multiple Samba servers share a single LDAP
>>     server without using the domain controller feature.
>>     I'm getting the feeling that a pure LDAP server is for a single Samba
>>     server, or that the LDAP server should have a Samba DC to serve
>>     multiple Samba servers?
>>      
>>     Thanks,
>>     Soohoon.
>>      
>>     On Fri, Aug 1, 2008 at 7:02 AM, Lukasz Zalewski
>>     <lukas at dcs.qmul.ac.uk> wrote:
>>
>>         Lukasz Zalewski wrote:
>>
>>             Adam Williams wrote:
>>
>>                 are you using security = user or security = domain on
>>                 your multiple servers?
>>                 Soohoon Lee wrote:
>>
>>                     Hi
>>                     Is it possible to use a single LDAP server with
>>                     multiple Samba servers?
>>                     The problem I'm having now is that each server
>>                     thinks its host name is its LDAP domain name, or
>>                     sambaDomainName, and complains that the user's SID
>>                     is different, so it can't authenticate.
>>                     How do I make the Samba servers use one domain name
>>                     and SID?
>>
>>                     LDAP domain name is DOMSMB
>>
>>                     dn: sambaDomainName=DOMSMB,dc=my-domain,dc=com
>>                     sambaSID: S-1-5-21-2479917030-3150298425-213194246
>>
>>                     And the Samba server created a new domain named
>>                     after its hostname.
>>
>>                     dn: sambaDomainName=SRV6,dc=my-domain,dc=com
>>                     sambaSID: S-1-5-21-4202146032-850913369-3381557932
>>                     and complains that the user's SID is different from
>>                     its own SID.
>>
>>                     Thanks,
>>                     Soohoon.
>>                      
>>
>>
>>
>>             We have a student domain and a staff domain and one LDAP
>>             server. We wanted staff members to log onto the student
>>             domain. So we considered two options:
>>             1. Interdomain trust relationship
>>             (http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html)
>>
>>             However this option was not good for us as we didn't want
>>             to open up the firewall and we wanted staff members to
>>             get the proper student experience (i.e. home dirs and
>>             profiles on the student server). So that brought us to
>>             the second option:
>>             2. ldap translucent proxy overlay
>>             (http://linux.die.net/man/5/slapo-translucent)
>>             In this setting we override SIDs (i.e. the domain SID part
>>             of the staff domain is substituted with the student domain
>>             portion of the SID) for users and groups and point Samba
>>             to the overlay. Bear in mind that all of the changes made
>>             by Samba, like machine passwords, user passwords, idmap
>>             mappings etc., will go no further than the proxy, so great
>>             care must be taken in LDAP setups that use referrals.
>>
>>
>>             Now the most important question is: what do you use your
>>             two domains for?
>>
>>             HTH
>>
>>             Lukasz
>>
>>
>>         Ah, sorry, I didn't read the Subject line properly: you do not
>>         want a PDC. As Andy pointed out, maybe you should have one of
>>         the servers as a domain member of the other domain.
>>
>>         Lukasz
>>
>>
>

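Editor's added example (not code posted by anyone in this thread). The failure Soohoon describes is visible in the directory itself: a second sambaDomain entry (sambaDomainName=SRV6) whose sambaSID does not match the domain prefix of the users' sambaSID values, because a standalone server with security = user mints its own domain SID under its hostname. The script below runs the check offline against a constructed LDIF that copies the two domain entries quoted above; the user entry uid=soohoon and its RID 1000 are made up for illustration, as is the ldapsearch filter in the comment. The rewrite_sid helper computes the value Lukasz's translucent-overlay approach would carry: the same RID re-homed under the other domain's SID.

```shell
#!/bin/sh
# Constructed sample: roughly what
#   ldapsearch -x -b dc=my-domain,dc=com \
#     '(|(objectClass=sambaDomain)(uid=*))' sambaDomainName uid sambaSID
# would return for the entries quoted in the thread. The user entry and
# its RID (1000) are invented for this example.
SAMPLE_LDIF='dn: sambaDomainName=DOMSMB,dc=my-domain,dc=com
sambaDomainName: DOMSMB
sambaSID: S-1-5-21-2479917030-3150298425-213194246

dn: sambaDomainName=SRV6,dc=my-domain,dc=com
sambaDomainName: SRV6
sambaSID: S-1-5-21-4202146032-850913369-3381557932

dn: uid=soohoon,ou=Users,dc=my-domain,dc=com
uid: soohoon
sambaSID: S-1-5-21-2479917030-3150298425-213194246-1000
'

# ldif_attr MATCHLINE ATTR: print ATTR's value from the first LDIF entry
# (entries are blank-line separated) that contains the exact line MATCHLINE.
ldif_attr() {
  printf '%s\n' "$SAMPLE_LDIF" | awk -v match_line="$1" -v attr="$2" '
    BEGIN { RS = ""; FS = "\n" }
    {
      hit = 0; val = ""
      for (i = 1; i <= NF; i++) {
        if ($i == match_line) hit = 1
        if (index($i, attr ": ") == 1) val = substr($i, length(attr) + 3)
      }
      if (hit && val != "") { print val; exit }
    }'
}

# domain_sid NAME: sambaSID of the sambaDomainName=NAME entry (empty if none)
domain_sid() { ldif_attr "sambaDomainName: $1" sambaSID; }
# user_sid UID: sambaSID of the uid=UID entry (empty if none)
user_sid()   { ldif_attr "uid: $1" sambaSID; }

# list_domains: one "NAME SID" line per sambaDomain entry. More than one line
# means some server generated its own domain SID instead of using DOMSMB's.
list_domains() {
  printf '%s\n' "$SAMPLE_LDIF" | awk '
    BEGIN { RS = ""; FS = "\n" }
    {
      name = ""; sid = ""
      for (i = 1; i <= NF; i++) {
        if (index($i, "sambaDomainName: ") == 1) name = substr($i, 18)
        if (index($i, "sambaSID: ") == 1) sid = substr($i, 11)
      }
      if (name != "") print name, sid
    }'
}
domain_count() { list_domains | awk 'END { print NR }'; }

# sid_prefix SID: the domain part (everything before the trailing RID)
sid_prefix() { printf '%s\n' "${1%-*}"; }
# sid_rid SID: the RID (last component)
sid_rid() { printf '%s\n' "${1##*-}"; }
# rewrite_sid SID DOMAIN_SID: same RID, re-homed under DOMAIN_SID. This is
# the override value a translucent proxy would present for the other domain.
rewrite_sid() { printf '%s-%s\n' "$2" "$(sid_rid "$1")"; }

# check_user_in_domain UID DOMAIN: succeeds iff UID's sambaSID sits under
# DOMAIN's sambaSID, i.e. the server will accept it as one of its own users.
check_user_in_domain() {
  u=$(user_sid "$1") || return 1
  d=$(domain_sid "$2") || return 1
  [ -n "$u" ] && [ -n "$d" ] && [ "$(sid_prefix "$u")" = "$d" ]
}

# Report, reproducing the symptom from the thread.
echo "sambaDomain entries found: $(domain_count)"
list_domains
for d in DOMSMB SRV6; do
  if check_user_in_domain soohoon "$d"; then
    echo "soohoon belongs to $d"
  else
    echo "soohoon's SID is not under $d (the 'SID is different' complaint)"
  fi
done
# On a real host, compare each server's `net getlocalsid` output with
# DOMSMB's sambaSID; see net(8) for setlocalsid/setdomainsid if they differ.
```

The script only reads the constructed LDIF; to use it against a live directory, replace SAMPLE_LDIF with the output of the ldapsearch shown in the comment. Note that the sambaDomain entries carry no passwords, so this read-only comparison needs no ldap admin dn bind.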
