[Samba] Implementing samba3/LDAP system across several schools
jim at gangermin.co.uk
Sun Sep 26 13:33:39 GMT 2004
I was hoping to do this without trusts - I would like to be able to grow
this to incorporate more schools, and there becomes a point where trusts
are not enough... I've played with a setup like this:
2 domains from the same LDAP tree:
domain SUBDOMAIN with LDAP info drawn from ou=subdomain,o=domain
users kept in ou=subdomain,o=domain
domain SUPERDOMAIN with LDAP info drawn from o=domain
users kept in o=domain
I've set this up with 2 PDCs, and users in ou=subdomain can log into
both systems, wheras users in o=domain can only log into SUPERDOMAIN.
This does work, even if the SambaSIDs of the users do not match the
domain's SID (which is very useful)
What is needed is a way of qualifying the username to state which
part of the tree it is drawn from.
For example, if a 2 users named 'fredbloggs' existed, one in
ou=subdomain,o=domain, and one in o=domain, then there would be
confusion, and only one would work (cn=fredbloggs,o=domain, I assume). I
have Netware roots, and in an NDS system with a similar setup, you could
log into a system with the context set to o=domain as 'fredbloggs' to
log in as cn=fredbloggs,o=domain, or you couyld log in as
'fredbloggs.subdomain' to log in as cn=fredbloggs,ou=subdomain,o=domain.
What would be nice in my situation is to be able to log in on a
workstation in my school as 'jim', and get onto the system at the
community learning centre as 'jim.myschool' or something similar.
I hope this makes sense and doesn't sound too much like me brainstorming
Has anyone tried anything like this?
> yes its no problem, you need slave ldaps and samba bdcs in the other
> locations, read the samba how to,
> the other way is to have a own domain at each location with own pdc
> and make trusts
> What you mean with duplicate usernames?
> Jim Potter schrieb:
>> Hi All,
>> I am looking into the feasability of using Samba/LDAP for domain
>> control across several schools in my area, and would be interested to
>> hear of anyone who has any experience/thoughts on how this could work.
>> The schools share a community learning resource centre, and I am
>> looking for ways for all users to be able to log in at their own
>> schools, and also at the learning resource centre using the same
>> credentials, and be able to see thier documents from both (all
>> connected by 2-10M lines at present, which will probably be adequate).
>> Each institution needs to be a secure self sufficient entity
>> within its own right, allowing access to its list of users (and their
>> work) to the resource centre.
>> A big problem I see is duplicate user names between schools.
>> Any hints/tips/comments/feedback would be very welcome.
>> Jim Potter
More information about the samba