[Samba] Multiple samba servers with LDAP

giuseppe pasqualotto giuseppe.pasqualotto at unifi.it
Mon Mar 7 15:29:42 GMT 2005

cooper mail wrote:

>   Thanks for the response.  I have read both the HowTo and the By
>Example.  Neither covers much in regard to my situation.  I have NO
>windows servers, only samba servers.
>I am using LDAP, nss_ldap, and pam_ldap to handle the local unix
>accounts.  The samba PDC is also using ldap as its passdb backend. 
>Everything is working fine at this time.  I have tried both of the
>setups I have mentioned, and both work.  I am just wondering what is
>the recommended/best practice setup.
>I am not using winbind at this time.  I read in another post from
>Jerry, that the only reason I would need winbind, in my scenario, is
>if I had a trust relationship with another domain.  I do not.
>On Sun, 06 Mar 2005 21:23:27 -0700, Craig White <craigwhite at azapple.com> wrote:
>>On Sun, 2005-03-06 at 21:23 -0500, cooper mail wrote:
>>>I was wondering what the best practice is for setting up several SAMBA
>>>servers in a SAMBA domain all on the same LAN.  Here is what I am
>>>looking at
>>>PDC: LDAP, Samba, nss_ldap, pam_ldap
>>>Member1: Samba, nss_ldap, pam_ldap
>>>Member2: Samba, nss_ldap, pam_ldap
>>>Member . . . .
>>>Should I set the member servers up with:
>>>Security = domain
>>>and join the servers with net rpc join
>>>or, would it be better to set them up with:
>>>passdb backend = ldapsam:ldap://pdc.domain.com
>>>security = server
>>>Do you see where I am going?  If you need more details to answer, let me know.
>>You should probably consult both the HOWTO and more specifically, the BY
>>EXAMPLE documentation for discussions about this as only you can decide
>>the value of this.
>>Nowhere did you mention winbindd...
>>Given local unix accounts are necessary for samba connections, I would
>>think an overall strategy should be thought out carefully.
I was in the same situation and I chose to build up a central Samba/LDAP
in one domain with the other Samba/LDAP servers authenticating users against
the first one.

The solution is to provide a different user configuration in every single
Samba/LDAP, managing the account and password repository for all users
centrally. You have many Samba/PDC servers but only one is delegated to
authenticate users in the domain. You have to set the global directive in
smb.conf "security=server" and add "password server=server name or server ip".

Then, when a Windows client connects to a Samba/LDAP it can retrieve
personal account information, but the password validation is a challenge
between the two Samba/LDAP servers (the first, receiving and opening a client
connection, and the second you set in the smb.conf "password server" directive).
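The two member-server layouts raised in this thread ("security = server" with a "password server", versus "security = domain" joined with "net rpc join" and reading accounts from the directory) can be audited mechanically. The script below is an added example and not code from the thread or from the Samba project; the hostnames, LDAP suffixes and the two smb.conf fragments are constructed, and the minimal parser only handles the "[section]" / "key = value" layout that smb.conf uses. The checks it encodes are the ones a practitioner would want before copying either layout: "security = server" is pass-through authentication that Samba deprecated (the member never holds a machine trust account), an ldapsam backend needs "ldap admin dn" and "ldap suffix" to bind with write access, and a plain ldap:// URI without "ldap ssl = start tls" puts directory traffic on the LAN in cleartext.

```python
"""Audit of the two member-server smb.conf layouts discussed in the thread.

Added example; hostnames, suffixes and the sample fragments are constructed."""
import re

# Constructed sample 1: the pass-through layout ("security = server" plus
# "password server") described in the reply above.
PASSTHROUGH_CONF = """
[global]
   workgroup = EXAMPLE
   security = server
   password server = pdc.example.com
   passdb backend = ldapsam:ldap://pdc.example.com
"""

# Constructed sample 2: a "security = domain" member joined with
# "net rpc join", reading accounts from the same directory over StartTLS.
DOMAIN_MEMBER_CONF = """
[global]
   workgroup = EXAMPLE
   security = domain
   password server = *
   passdb backend = ldapsam:ldap://pdc.example.com
   ldap admin dn = cn=Manager,dc=example,dc=com
   ldap suffix = dc=example,dc=com
   ldap ssl = start tls
"""


def parse_smb_conf(text):
    """Tiny smb.conf reader returning {section: {key: value}}.

    Keys are lower-cased with internal whitespace collapsed, since Samba treats
    "passdb backend" and "passdb  backend" as the same parameter."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)      # values may themselves contain '='
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def audit_member_config(text):
    """Return (severity, message) findings for a member server's [global] section."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    security = g.get("security", "user").lower()

    if security == "server":
        findings.append(("high",
            "security = server: pass-through authentication is deprecated; the member "
            "relays every logon to the 'password server' and holds no machine trust "
            "account. Use security = domain and join with 'net rpc join'."))
        if "password server" not in g:
            findings.append(("high",
                "security = server but no 'password server': logons cannot be validated"))
    elif security == "domain" and g.get("password server", "*") == "*":
        findings.append(("info", "security = domain: domain controllers located automatically"))

    backend = g.get("passdb backend", "")
    if backend.startswith("ldapsam"):
        if "ldap admin dn" not in g or "ldap suffix" not in g:
            findings.append(("medium",
                "ldapsam backend without 'ldap admin dn'/'ldap suffix': Samba cannot "
                "bind with write access to the directory"))
        uses_ldaps = "ldaps://" in backend
        starttls = g.get("ldap ssl", "off").lower() == "start tls"
        if not (uses_ldaps or starttls):
            findings.append(("medium",
                "directory traffic is cleartext: set 'ldap ssl = start tls' or use an "
                "ldaps:// URI in 'passdb backend'"))
    return findings


def highest_severity(findings):
    """Worst severity present, or 'none' for an empty finding list."""
    order = {"high": 3, "medium": 2, "info": 1}
    return max((sev for sev, _ in findings), key=order.get, default="none")


if __name__ == "__main__":
    for name, conf in (("pass-through", PASSTHROUGH_CONF),
                       ("domain member", DOMAIN_MEMBER_CONF)):
        print(f"== {name} ==")
        for sev, msg in audit_member_config(conf):
            print(f"  [{sev}] {msg}")
```

Run against the two constructed fragments, the pass-through layout yields one high finding (the deprecated security mode) and two medium ones (no admin DN/suffix, cleartext LDAP), while the domain-member layout yields only an informational line. To check a real member server, replace the embedded strings with the output of `testparm -s`, which prints the effective configuration with Samba's own key normalisation.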
