[Samba] Implementing samba3/LDAP with several domains drawn from
jim at gangermin.co.uk
Sun Sep 26 20:43:12 GMT 2004
Can anyone help me with the following scenario? I've moved this from
the samba-general discussion, as I think it requires a deeper knowledge
of how users and domains are processed within Samba....
> Hi Jim, I am not sure if that can be done ( one ldap tree 2 domains )
> better ask the gurus
> As far as I can say trusts work very well, and I have no problem with
> them, also no problem with ldap master smb pdc ldap slave smb bdc
> I would say a setup up to 1000 User should be no problem for
> on one domain ( ldap master-slave )
> But I am sure the samba team will help you with more info
> Jim Potter wrote:
>> I was hoping to do this without trusts - I would like to be able to
>> grow this to incorporate more schools, and there becomes a point
>> where trusts are not enough... I've played with a setup like this:
>> 2 domains from the same LDAP tree:
>> domain SUBDOMAIN with LDAP info drawn from ou=subdomain,o=domain
>> users kept in ou=subdomain,o=domain
>> domain SUPERDOMAIN with LDAP info drawn from o=domain
>> users kept in o=domain
>> I've set this up with 2 PDCs, and users in ou=subdomain can log into
>> both systems, whereas users in o=domain can only log into SUPERDOMAIN.
>> This does work, even if the SambaSIDs of the users do not match the
>> domain's SID (which is very useful)
>> What is needed is a way of qualifying the username to state which
>> part of the tree it is drawn from.
>> For example, if 2 users named 'fredbloggs' existed, one in
>> ou=subdomain,o=domain, and one in o=domain, then there would be
>> confusion, and only one would work (cn=fredbloggs,o=domain, I
>> assume). I have Netware roots, and in an NDS system with a similar
>> setup, you could log into a system with the context set to o=domain
>> as 'fredbloggs' to log in as cn=fredbloggs,o=domain, or you could
>> log in as 'fredbloggs.subdomain' to log in as
>> What would be nice in my situation is to be able to log in on a
>> workstation in my school as 'jim', and get onto the system at the
>> community learning centre as 'jim.myschool' or something similar.
>> (MYSCHOOL\jim ??)
>> I hope this makes sense and doesn't sound too much like me brainstorming
>> Has anyone tried anything like this?
>> Jim Potter
>> rruegner wrote:
>>> yes, it's no problem, you need slave ldaps and samba bdcs in the other
>>> locations, read the samba how to,
>>> the other way is to have an own domain at each location with own pdc
>>> and make trusts
>>> What do you mean by duplicate usernames?
>>> Jim Potter wrote:
>>>> Hi All,
>>>> I am looking into the feasibility of using Samba/LDAP for domain
>>>> control across several schools in my area, and would be interested
>>>> to hear of anyone who has any experience/thoughts on how this could
>>>> The schools share a community learning resource centre, and I am
>>>> looking for ways for all users to be able to log in at their own
>>>> schools, and also at the learning resource centre using the same
>>>> credentials, and be able to see their documents from both (all
>>>> connected by 2-10M lines at present, which will probably be adequate).
>>>> Each institution needs to be a secure self-sufficient entity
>>>> within its own right, allowing access to its list of users (and
>>>> their work) to the resource centre.
>>>> A big problem I see is duplicate user names between schools.
>>>> Any hints/tips/comments/feedback would be very welcome.
>>>> Jim Potter
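The two-PDCs-from-one-tree setup Jim describes (SUPERDOMAIN reading from o=domain, SUBDOMAIN from ou=subdomain,o=domain), written out as smb.conf fragments. This is an added example, not configuration from the thread; the LDAP host name, the admin DN and the NetBIOS names are assumptions.

```ini
# Added example, not from the thread. Two separate smb.conf files, one per
# PDC. Accounts sit directly under each suffix, as in the thread, so no
# "ldap user suffix" is set. Host, admin DN and NetBIOS names are assumed.
# The admin DN's password is stored with: smbpasswd -w <password>

# ---- /etc/samba/smb.conf on the SUPERDOMAIN PDC (assumed: SUPERPDC) ----
[global]
    workgroup       = SUPERDOMAIN
    netbios name    = SUPERPDC
    security        = user
    domain logons   = yes
    domain master   = yes
    passdb backend  = ldapsam:ldap://ldap.example.org
    ldap admin dn   = cn=admin,o=domain
    ldap ssl        = start tls
    # ldapsam searches the whole subtree below this base, so this PDC
    # also sees every account under ou=subdomain,o=domain. That is why
    # subdomain users can log into SUPERDOMAIN.
    ldap suffix     = o=domain

# ---- /etc/samba/smb.conf on the SUBDOMAIN PDC (assumed: SUBPDC) ----
[global]
    workgroup       = SUBDOMAIN
    netbios name    = SUBPDC
    security        = user
    domain logons   = yes
    domain master   = yes
    passdb backend  = ldapsam:ldap://ldap.example.org
    ldap admin dn   = cn=admin,o=domain
    ldap ssl        = start tls
    # Narrower base: only accounts below ou=subdomain are visible here,
    # so users stored directly under o=domain cannot log into SUBDOMAIN.
    ldap suffix     = ou=subdomain,o=domain
```

Because the SUPERDOMAIN search is subtree-scoped, a uid stored both at o=domain and under ou=subdomain,o=domain matches twice on that PDC, which is the ambiguity the thread raises. Running `ldapsearch -x -b o=domain '(uid=fredbloggs)' dn` against the directory shows such a collision before it surfaces as a failed logon.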