[Samba] Problem w/ Samba 3 & LDAP

Craig White craigwhite at azapple.com
Fri Apr 2 05:16:38 GMT 2004


On Thu, 2004-04-01 at 16:40, Ted Wisniewski wrote:
> 	Ldapsearch was being a pain, so just grabbed the info from a "slapcat"
> instead, which was simpler.
---
crutches - life with LDAP is infinitely easier when you can get command
of the ldap queries from the command line. That sharpens your
understanding and skills of using LDAP.
---
> 
> 	So, now that I know what my "problem" is/was....  I am able
> to move forward.  The only issue I have now is that I have 9000 users
> that I want to be able to log onto multiple domains.  By having
> to have the SID match the domain....  It presents a problem...
> 
> I only want one password database to maintain...  I guess I could get
> clever with LDAP replication and have multiple LDAP's...   This is a less
> than ideal solution.   At this time I have large smbpasswd files that I
> would like to not use.   I guess my ideal solution would look like:
> 
>               /--- Domain A
>              /
> LDAP -------+
>              \
>               \--- Domain B
> 
> 
> Since we use a web based password changer,  I could have a separate
> LDAP per Domain.   I guess, in my ideal world I would have an LDAP
> with multiple sambaSID's, each samba server would just pick the one
> out of the LDAP that was appropriate to that Domain.   I realize
> that the current schema does not allow for this and that samba is not set 
> up to handle it either.   Any ideas on how to accomplish something similar
> without that ability?
----
ahh - the million dollar question.

Don't you want users to be able to change their password using the
typical Windows change password tool instead of requiring them to change
it via http? What about UserMgr.exe?

Anyway, if your LDAP skills are strong enough (I suspect not), you can
use replication to have each PDC run the master of the primary Domain it
is serving up and become a slave on the domains that it is not. Together
with winbindd, this should prove to be the most flexible - of course you
must set up 'trusts' between the various domains.

LDAP is the tiger that you apparently don't want to ride but I have
found it to be quite predictable.

Craig
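The SID-must-match-the-domain problem above is easy to audit straight from a slapcat dump, which is the kind of command-line LDAP fluency Craig is urging. The following is an added example, not code from the thread or from Samba: it parses constructed LDIF (folded lines and base64 "::" values included, as slapcat emits them), splits each sambaSID into its domain part and RID, and reports accounts whose SID belongs to a different domain than the one the server is configured with. All entry names and SID values are made up.

```python
import base64
import re

# Constructed slapcat-style sample (not from the thread): alice carries Domain A's
# SID; carol's sambaSID is base64-encoded and folded, as slapcat may emit it.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=com
uid: alice
sambaSID: S-1-5-21-1111-2222-3333-1000

dn: uid=carol,ou=Users,dc=example,dc=com
uid: carol
sambaSID:: Uy0xLTUtMjEtOTk5OS04ODg4LTc3
 NzctMTAwNA==
"""

def parse_ldif(text):
    """One {attr: [values]} dict per entry; handles folded lines and '::' base64."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:        # folded continuation of previous line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
        elif lines:                              # blank line closes the entry
            entry = {}
            for line in lines:
                attr, _, value = line.partition(":")
                if value.startswith(":"):        # '::' marks a base64-encoded value
                    value = base64.b64decode(value[1:].strip()).decode()
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
            entries.append(entry)
            lines = []
    return entries

# Domain part of an NT account SID (S-1-5-21-<a>-<b>-<c>) followed by the RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def check_sids(ldif_text, domain_sid):
    """Return (matching, foreign) lists of (uid, sambaSID, rid), split on whether
    each entry's SID has domain_sid as its domain part; malformed SIDs are foreign."""
    matching, foreign = [], []
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid", ["?"])[0]
        for sid in entry.get("sambasid", []):
            m = SID_RE.match(sid)
            rid = int(m.group(2)) if m else None
            target = matching if m and m.group(1) == domain_sid else foreign
            target.append((uid, sid, rid))
    return matching, foreign
```

Run `check_sids(slapcat_output, "<this server's domain SID>")` against a real dump and the `foreign` list is exactly the set of accounts that cannot log on to that domain until their SIDs are rewritten.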


