[Samba] Implementing samba3/LDAP system across several schools

Jim Potter jim at gangermin.co.uk
Sun Sep 26 13:33:39 GMT 2004

I was hoping to do this without trusts - I would like to be able to grow 
this to incorporate more schools, and there becomes a point where trusts 
are not enough... I've played with a setup like this:

2 domains from the same LDAP tree:
domain SUBDOMAIN with LDAP info drawn from ou=subdomain,o=domain
        users kept in ou=subdomain,o=domain

domain SUPERDOMAIN with LDAP info drawn from o=domain
      users kept in o=domain

I've set this up with 2 PDCs, and users in ou=subdomain can log into 
both systems, wheras users in o=domain can only log into SUPERDOMAIN. 
This does work, even if the SambaSIDs of the users do not match the 
domain's SID (which is very useful)
   What is needed is a way of qualifying the username to state which 
part of the tree it is drawn from.
   For example, if a 2 users named 'fredbloggs' existed, one in 
ou=subdomain,o=domain, and one in o=domain, then there would be 
confusion, and only one would work (cn=fredbloggs,o=domain, I assume). I 
have Netware roots, and in an NDS system with a similar setup, you could 
log into a system with the context set to o=domain as 'fredbloggs' to 
log in as cn=fredbloggs,o=domain, or you couyld log in as 
'fredbloggs.subdomain' to log in as cn=fredbloggs,ou=subdomain,o=domain.
   What would be nice in my situation is to be able to log in on a 
workstation in my school as 'jim', and get onto the system at the 
community learning centre as 'jim.myschool' or something similar. 
(MYSCHOOL\jim ??)

I hope this makes sense and doesn't sound too much like me brainstorming

Has anyone tried anything like this?


Jim Potter

rruegner wrote:

> Hi,
> yes its no problem, you need slave ldaps and samba bdcs in the other 
> locations, read the samba how to,
> the other way is to have a own domain at each location with own pdc
> and make trusts
> What you mean with duplicate usernames?
> Regards
> Jim Potter schrieb:
>> Hi All,
>>    I am looking into the feasability of using Samba/LDAP for domain 
>> control across several schools in my area, and would be interested to 
>> hear of anyone who has any experience/thoughts on how this could work.
>>    The schools share a community learning resource centre, and I am 
>> looking for ways for all users to be able to log in at their own 
>> schools, and also at the learning resource centre using the same 
>> credentials, and be able to see thier documents from both (all 
>> connected by 2-10M lines at present, which will probably be adequate).
>>    Each institution needs to be a secure self sufficient entity 
>> within its own right, allowing access to its list of users (and their 
>> work) to the resource centre.
>>    A big problem I see is duplicate user names between schools.
>> Any hints/tips/comments/feedback would be very welcome.
>> cheers
>> Jim Potter
>> UK

More information about the samba mailing list