[Samba] Two domains on same LDAP backend

Alex Forrow aforrow at comintel.co.uk
Thu Apr 14 10:44:38 GMT 2005

Hi folks,

I have two samba hosted domains at two different offices. I would like 
them to use the same LDAP backend so that the accounts are exactly the 
same. Unfortunately, it seems that a user's SID is linked to the domain 
that created it, so another domain cannot authenticate the user, even if 
it can see it in the LDAP directory, because the user SID doesn't match 
the domain.

My first thought was to use an Interdomain trust, but the Samba official 
guide (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/) states:

"Given that Samba-3 has the capability to function with a scalable 
backend authentication database such as LDAP, and given its ability to 
run in Primary as well as Backup Domain Control modes, the administrator 
would be well advised to consider alternatives to the use of Interdomain 

I took this to mean that I could have two domains using the backend to 
get the trust, as I am attempting to do.

I have considered using a single domain for both sites, but have decided 
this idea would not be feasible because the link between the offices is 
relatively slow and uptime cannot be guaranteed. I would need to ensure 
computers at one office would only logon to the PDC/BDC at its side of 
the link. The most important point is that the two offices must be able 
to work independently when required.

Here is some information about the domains:
Redhat 9 with Samba 3.0.2 and OpenLDAP 2.2.23
Fedora Core 3 with Samba 3.0.10 and OpenLDAP 2.2.13

My latest thought would be to set the domain SIDs the same on the two 
domains, could that help?

Any points in the right direction would be greatly appreciated.
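The SID-to-domain linkage described above, as an added illustration (not code from the post or from Samba): a small Python check that splits each account's sambaSID into its domain prefix and RID, then reports which of two domains would recognise the account. All domain SIDs and LDAP entries below are constructed sample values.

```python
import re

# Constructed sample domain SIDs for the two offices (not real values).
DOMAIN_A = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_B = "S-1-5-21-4444444444-5555555555-6666666666"

# Constructed entries, shaped like sambaSamAccount objects in one shared
# LDAP directory: each account's SID embeds the SID of the domain that
# created it, followed by a per-account RID.
ENTRIES = [
    {"uid": "alice", "sambaSID": DOMAIN_A + "-1000"},
    {"uid": "bob",   "sambaSID": DOMAIN_B + "-1002"},
    {"uid": "carol", "sambaSID": DOMAIN_A + "-1004"},
]

_SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def split_sid(sid):
    """Return (domain_sid, rid) for an NT domain account SID.

    A domain SID has the form S-1-5-21-<a>-<b>-<c>; an account SID appends
    one more sub-authority, the RID.  Anything else raises ValueError.
    """
    if not _SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % sid)
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not a domain account SID: %r" % sid)
    return "-".join(parts[:7]), int(parts[7])


def accounts_for_domain(entries, domain_sid):
    """uids whose sambaSID carries domain_sid as its prefix."""
    return [e["uid"] for e in entries
            if split_sid(e["sambaSID"])[0] == domain_sid]


def foreign_accounts(entries, domain_sid):
    """uids visible in the directory but stamped with another domain's SID."""
    return [e["uid"] for e in entries
            if split_sid(e["sambaSID"])[0] != domain_sid]


if __name__ == "__main__":
    for name, dom in (("A", DOMAIN_A), ("B", DOMAIN_B)):
        print("domain %s owns %s, cannot own %s"
              % (name, accounts_for_domain(ENTRIES, dom),
                 foreign_accounts(ENTRIES, dom)))
```

Running it shows that, with the constructed values, domain B sees alice and carol in the directory but their SID prefix belongs to domain A, which is the mismatch the post describes.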
