Samba 3.0 Schema changes

Steve Langasek vorlon at
Thu Jun 19 05:07:43 GMT 2003

On Wed, Jun 18, 2003 at 09:56:57PM -0700, Ronny Bremer wrote:

> I am a bit concerned about storing just one SID at the user object.
> Consider this setup:

> One LDAP tree, a user dn: cn=test,ou=users,o=acme
> I want two Samba domains, MKTG and ENG due to some restrictions in the
> applications being used.
> The same user needs to work in both domains.

> I do not believe this would be possible by using just a single SID.

> I would rather recommend that we make the SID at the user or group
> object a multivalued attribute and for each value list the Domain dn and
> the SID in that domain, for example:
> Samba domain MKTG has dn: cn=MKTG,ou=samba-internal,o=acme
> Samba domain ENG has dn: cn=ENG,ou=samba-internal,o=acme

> So user would get:
> sambaSID: cn=MKTG,ou=samba-internal,o=acme:x-567-xxx-xxxxx-1234
> sambaSID: cn=ENG,ou=samba-internal,o=acme:x-123-xxx-xxxxx-5678

> Doing this we allow multiple samba domains to be added to a single
> directory without breaking the ability to have just a single domain.
> There is an LDAP syntax for such attributes as well, but I need to check
> for the correct one, because many just define the associated number
> field as an integer and that would not be enough for a SID (but for a
> RID??)

If there are two SIDs, this is no longer a single user from NT's
perspective, but two separate users with a common name.  This will give
confusing and undesirable results when, upon authenticating to one
domain, a user tries to access resources that were created on behalf of
the SID from the other domain.  What you really want here is domain
trust, so your single user SID is recognized across multiple domains.

Steve Langasek
postmodern programmer
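A small model of the access check Steve describes, added here as an example and not part of the thread: a server matches ACEs by SID, so the two-SID user entry from the quoted proposal is denied where a single SID plus domain trust succeeds. The entry, DNs, domain SIDs and the `access_check` logic are constructed placeholders, not Samba code.

```python
# Constructed sample entry using the multivalued "domain-dn:SID" sambaSID
# attribute proposed in the quoted mail; all DNs and SIDs are made up.
USER_ENTRY = {
    "dn": "cn=test,ou=users,o=acme",
    "sambaSID": [
        "cn=MKTG,ou=samba-internal,o=acme:S-1-5-21-567-100-200-1234",
        "cn=ENG,ou=samba-internal,o=acme:S-1-5-21-123-300-400-5678",
    ],
}
MKTG_DN = "cn=MKTG,ou=samba-internal,o=acme"
ENG_DN = "cn=ENG,ou=samba-internal,o=acme"
MKTG_DOMAIN, ENG_DOMAIN = "S-1-5-21-567-100-200", "S-1-5-21-123-300-400"

def sid_for_domain(entry, domain_dn):
    """SID the user presents after authenticating to the domain at domain_dn."""
    for value in entry["sambaSID"]:
        dn, _, sid = value.rpartition(":")
        if dn.lower() == domain_dn.lower():
            return sid
    raise LookupError(f"no SID stored for {domain_dn}")

def domain_of(sid):
    """Strip the RID: S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]

def access_check(token_sids, acl, local_domain, trusted=frozenset()):
    """Simplified DACL walk on a server in local_domain; deny beats allow.
    SIDs from domains the server neither owns nor trusts never match an ACE."""
    known = {local_domain} | set(trusted)
    usable = {s for s in token_sids if domain_of(s) in known}
    granted = False
    for ace_type, sid in acl:
        if sid in usable:
            if ace_type == "deny":
                return False
            granted = True
    return granted

def two_sids_scenario():
    """Resource created under the MKTG SID, then accessed after an ENG logon."""
    acl = [("allow", sid_for_domain(USER_ENTRY, MKTG_DN))]
    token = {sid_for_domain(USER_ENTRY, ENG_DN)}
    # Even with ENG trusting MKTG this is denied: the two SIDs are unrelated.
    return access_check(token, acl, ENG_DOMAIN, {MKTG_DOMAIN})

def trust_scenario(eng_trusts_mktg):
    """One SID issued by MKTG, resource on an ENG server, trust on or off."""
    sid = MKTG_DOMAIN + "-1234"
    trusted = {MKTG_DOMAIN} if eng_trusts_mktg else set()
    return access_check({sid}, [("allow", sid)], ENG_DOMAIN, trusted)
```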

More information about the samba-technical mailing list