[Samba] Implementing samba3/LDAP with several domains drawn from one tree

Jim Potter jim at gangermin.co.uk
Sun Sep 26 20:43:12 GMT 2004

Hi All,
    Can anyone help me with the follwing scenario? I've moved this from 
the samba-general discussion, as I think it requires a deeper knowledge 
of how users and domains are processed within Samba....


Jim Potter

rruegner wrote:

> Hi Jim, i am not sure if that can be done ( one ldap tree 2 domains )
> better ask the gurus
> As var i can say trusts work very well , and i have no problem with 
> them, also no problem with ldap master smb pdc ldap slave smb bdc 
> scenario
> i would say a setup up to 1000 User should be no problem for
> on one domain ( ldap master-slave )
> But i am sure the samba team will help you wtih more info
> Regards
> Jim Potter schrieb: 


>> I was hoping to do this without trusts - I would like to be able to 
>> grow this to incorporate more schools, and there becomes a point 
>> where trusts are not enough... I've played with a setup like this:
>> 2 domains from the same LDAP tree:
>> domain SUBDOMAIN with LDAP info drawn from ou=subdomain,o=domain
>>         sambaDoimainName=SUBDOMAIN,ou=subdomain,o=domain
>>         users kept in ou=subdomain,o=domain
>> domain SUPERDOMAIN with LDAP info drawn from o=domain
>>       sambaDomainName=SUPERDOMAIN,o=domain
>>       users kept in o=domain
>> I've set this up with 2 PDCs, and users in ou=subdomain can log into 
>> both systems, wheras users in o=domain can only log into SUPERDOMAIN. 
>> This does work, even if the SambaSIDs of the users do not match the 
>> domain's SID (which is very useful)
>>    What is needed is a way of qualifying the username to state which 
>> part of the tree it is drawn from.
>>    For example, if a 2 users named 'fredbloggs' existed, one in 
>> ou=subdomain,o=domain, and one in o=domain, then there would be 
>> confusion, and only one would work (cn=fredbloggs,o=domain, I 
>> assume). I have Netware roots, and in an NDS system with a similar 
>> setup, you could log into a system with the context set to o=domain 
>> as 'fredbloggs' to log in as cn=fredbloggs,o=domain, or you couyld 
>> log in as 'fredbloggs.subdomain' to log in as 
>> cn=fredbloggs,ou=subdomain,o=domain.
>>    What would be nice in my situation is to be able to log in on a 
>> workstation in my school as 'jim', and get onto the system at the 
>> community learning centre as 'jim.myschool' or something similar. 
>> (MYSCHOOL\jim ??)
>> I hope this makes sense and doesn't sound too much like me brainstorming
>> Has anyone tried anything like this?
>> cheers
>> Jim Potter
>> UK
>> rruegner wrote:
>>> Hi,
>>> yes its no problem, you need slave ldaps and samba bdcs in the other 
>>> locations, read the samba how to,
>>> the other way is to have a own domain at each location with own pdc
>>> and make trusts
>>> What you mean with duplicate usernames?
>>> Regards
>>> Jim Potter schrieb:
>>>> Hi All,
>>>>    I am looking into the feasability of using Samba/LDAP for domain 
>>>> control across several schools in my area, and would be interested 
>>>> to hear of anyone who has any experience/thoughts on how this could 
>>>> work.
>>>>    The schools share a community learning resource centre, and I am 
>>>> looking for ways for all users to be able to log in at their own 
>>>> schools, and also at the learning resource centre using the same 
>>>> credentials, and be able to see thier documents from both (all 
>>>> connected by 2-10M lines at present, which will probably be adequate).
>>>>    Each institution needs to be a secure self sufficient entity 
>>>> within its own right, allowing access to its list of users (and 
>>>> their work) to the resource centre.
>>>>    A big problem I see is duplicate user names between schools.
>>>> Any hints/tips/comments/feedback would be very welcome.
>>>> cheers
>>>> Jim Potter
>>>> UK

More information about the samba-technical mailing list