[Samba] Two domains on same LDAP backend
aforrow at comintel.co.uk
Thu Apr 14 10:44:38 GMT 2005
I have two samba hosted domains at two different offices. I would like
them to use the same LDAP backend so that the accounts are exactly the
same. Unfortunately, it seems that a users SID is linked to the domain
that created it, so another domain cannot authenticate the user, even if
it can see it in the LDAP directory, because the user SID doesn't match
My first thought was to use an Interdomain trust, but the Samba official
guide (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/) states:
"Given that Samba-3 has the capability to function with a scalable
backend authentication database such as LDAP, and given its ability to
run in Primary as well as Backup Domain Control modes, the administrator
would be well advised to consider alternatives to the use of Interdomain
I took this to mean that I could have two domains using the backend to
get the trust, as I am attempting to do.
I have considered using a single domain for both sites, but have decided
this idea would not be feasible because the link between the offices is
relatively slow and uptime cannot be guaranteed. I would need to ensure
computers at one office would only logon to the PDC/BDC at it's side of
the link. The most important point is that the two offices must be able
to work independantly when required.
Here is some information about the domains
Redhat 9 with Samba 3.0.2 and OpenLDAP 2.2.23
Fedora Core 3 with Samba 3.0.10 and OpenLDAP 2.2.13
My latest thought would be to set the domain SIDs the same on the two
domains, could that help?
Any points in the right direction would be greatly appreciated.
More information about the samba