Multiple domains in one ldap directory (patch)

Barry Smoke bsmoke at
Tue Feb 3 15:52:56 GMT 2004

We are very interested in this!
We are going to try your patch on a test server.
Can you include your schema file?
And I would like to get your admin Perl scripts as well...

We would also like to see this natively in Samba.

Barry Smoke
District Network Administrator
Bryant Public Schools

>We are trying to establish our OpenLDAP server as a central directory for 
>all kinds of services. 
>A lot of services are already using it, but the biggest missing part is NT 
>We already know that Samba 3 is able to take over that part. The only 
>problem is that we would like to achieve a "one account/one password" 
>solution. Supporting more than one NT domain is also mandatory for us.
>AFAIK the designed way to do that is to create user entries for each 
>domain in different branches of the directory 
>(i.e. ou=people,ou=dom_a,dc=acme,dc=com / 
>That, of course, means that we have to multiply the account entries and 
>to introduce synchronisation mechanisms to achieve the "one password" 
>for our users. Also, that would increase the amount of data in our 
>directory unnecessarily. 
>So we looked into the sources and wrote a little (quick and dirty) patch, 
>to be able to use our existing user entries simultaneously 
>for more than one domain. (patch for 3.0.1rc2 is attached)
>Of course the samba schema had to be changed also:
>sambaSID, sambaPrimaryGroupSID and sambaDomainName have to be multi-valued 
>instead of single-valued.
>I also needed sambaSID to be not mandatory for sambaSamAccount (for our 
>admin interface).
>Our LDAP looks like this:
>user entries:           ou=people,dc=acme,dc=com
>root user entries:      uid=root,ou=dom_a,ou=itaccounts,dc=acme,dc=com / 
>( we need different root users because there are different domain admins; 
>root uidnumbers are != 0; we don't have an account "Administrator" )
>group entries:          ou=dom_a,ou=posixgroups,dc=acme,dc=com / 
>machine entries:        ou=dom_a,ou=devices,dc=acme,dc=com / 
>domain entries:         sambadomainname=dom_a,dc=acme,dc=com / 
>On each Samba pdc I configured the filters in /etc/ldap.conf: 
>nss_base_passwd ou=people,dc=acme,dc=com?one?sambadomainname=dom_a
>nss_base_group             ou=dom_a,ou=posixgroups,dc=acme,dc=com?one
>ldap suffix =  dc=acme,dc=com
>ldap user suffix = ou=People
>ldap machine suffix = ou=dom_a,ou=Devices
>ldap group suffix = ou=dom_a,ou=posixgroups
>ldap filter =  (&(uid=%u)(sambadomainname=dom_a))
>To add a user who already has all sambaSamAccount attributes in his 
>entry for dom_a to dom_b, we simply add three attributes: 
>sambaSID=userSID in dom_b
>sambaPrimaryGroupSID=prim. group SID in dom_b
>We now can use the same entry in two different domains. 
>Of course disabling the account in one domain, by using the account flags, 
>disables it in all domains. 
>But we can live with that, because if you want to disable it in only one 
>domain, simply remove the 3 attributes for that domain.
>As already mentioned, our patch is quick and dirty and probably breaks 
>smbpasswd and pdbedit (not really tested). 
>For our needs this is not a real problem because I wrote a Perl CGI script 
>as a domain admin interface which works mainly directly in our directory.
>But apart from that, the patch seems to work very well. :-) 
>At least, I did not notice anything until now, which does not work 
>properly, including interdomain trusts.
>So our question is: Is there any chance that this functionality can be 
>included in one of the next releases?
>Maybe by introducing a new config parameter like "ldap multidomain user 
>entries = yes" and of course a few (?) changes to the Samba sources. 
>We believe that this could be another advantage of Samba compared to MS 
>OSes, especially when we think of larger environments with one central 
>directory, like ours ;-)
>Of course, we can send you our admin script, if you are interested.
>Pierre Filippone
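The layout Pierre describes, as an added example (not the patch, not Samba's code, and not from the original thread): a single user entry carrying multi-valued sambaDomainName / sambaSID / sambaPrimaryGroupSID, resolved per domain. The selection rule used here, that the SID for a domain is the one whose RID-stripped prefix equals that domain's SID from its sambaDomain entry, is an assumption about how such a patch would have to work; the domain SIDs, the uid and the RIDs in the sample LDIF are constructed for the example. It also models the caveat in the post: sambaAcctFlags is single-valued, so a disable flag hits every domain, while removing the three per-domain values disables one domain only.

```python
"""Model of multi-domain sambaSamAccount entries (added example, not Samba code)."""
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample data modelled on the layout in the post.
# Domain SIDs, uid and RIDs are made up for this example.
SAMPLE_LDIF = """\
dn: sambadomainname=dom_a,dc=acme,dc=com
objectClass: sambaDomain
sambaDomainName: dom_a
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: sambadomainname=dom_b,dc=acme,dc=com
objectClass: sambaDomain
sambaDomainName: dom_b
sambaSID: S-1-5-21-4444444444-5555555555-6666666666

dn: uid=pfilippone,ou=people,dc=acme,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: pfilippone
uidNumber: 10001
sambaAcctFlags: [U          ]
sambaDomainName: dom_a
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-21002
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513
sambaDomainName: dom_b
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-21002
sambaPrimaryGroupSID: S-1-5-21-4444444444-5555555555-6666666666-513
"""


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF reader: blank-line-separated entries, every attribute
    kept as a list (lower-cased name) so multi-valued attributes survive."""
    entries: Dict[str, Entry] = {}
    for block in text.strip().split("\n\n"):
        entry: Entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries[entry["dn"][0]] = entry
    return entries


def rid_prefix(sid: str) -> str:
    """Strip the trailing RID: S-1-5-21-a-b-c-1234 -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]


def domain_sid(entries: Dict[str, Entry], domain: str) -> str:
    """Domain SID from the sambaDomain entry (DN layout taken from the post)."""
    return entries[f"sambadomainname={domain},dc=acme,dc=com"]["sambasid"][0]


def sids_for_domain(user: Entry, dom_sid: str) -> Dict[str, str]:
    """Pick the user's SID and primary-group SID belonging to dom_sid.
    Assumed rule: the value whose RID-stripped prefix equals the domain SID.
    Exactly one match per attribute is required; anything else is an error."""
    result: Dict[str, str] = {}
    for attr in ("sambasid", "sambaprimarygroupsid"):
        matches = [s for s in user.get(attr, []) if rid_prefix(s) == dom_sid]
        if len(matches) != 1:
            raise LookupError(f"{attr}: expected one value for {dom_sid}, got {matches}")
        result[attr] = matches[0]
    return result


def is_enabled_in(user: Entry, domain: str, dom_sid: str) -> bool:
    """Usable in `domain` only if the entry lists that domain (this is what the
    PDC's `ldap filter` / nss_base_passwd filter selects on), has SIDs for it,
    and the single-valued sambaAcctFlags carries no D flag. Because the flags
    are shared, a D flag disables the account in every domain at once."""
    if domain not in user.get("sambadomainname", []):
        return False
    try:
        sids_for_domain(user, dom_sid)
    except LookupError:
        return False
    return "D" not in user["sambaacctflags"][0]


def remove_from_domain(user: Entry, domain: str, dom_sid: str) -> Entry:
    """Drop the three per-domain values: the post's way to disable one domain only."""
    user["sambadomainname"] = [d for d in user["sambadomainname"] if d != domain]
    for attr in ("sambasid", "sambaprimarygroupsid"):
        user[attr] = [s for s in user[attr] if rid_prefix(s) != dom_sid]
    return user


if __name__ == "__main__":
    db = parse_ldif(SAMPLE_LDIF)
    u = db["uid=pfilippone,ou=people,dc=acme,dc=com"]
    for dom in ("dom_a", "dom_b"):
        print(dom, sids_for_domain(u, domain_sid(db, dom)))
```

The two failure modes worth checking against a real directory are visible in `sids_for_domain`: a user whose sambaSID values do not line up one-to-one with the domains in sambaDomainName (a leftover value after a partial removal, or two RIDs for the same domain) is ambiguous, and a `LookupError` is the safer outcome than silently taking the first value.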
