[Samba] PDC for Multiple Domains from a Single Samba Box

palmer7440 at bellsouth.net palmer7440 at bellsouth.net
Tue Oct 25 00:37:50 GMT 2005

The nitty gritty is pretty nitty and gritty.  The basic things I missed were adding an additional database to the LDAP server (i.e. dc=domain2,dc=quena,dc=org), and getting the system to authenticate through both databases.  The steps below should shed additional light.  I can post configuration files if anyone is still interested after following the steps below.

1. Follow the "Making Users Happy" section in the "Samba-3 by Example" documentation to set up the first domain (MEGANET2).  Include the steps of authenticating Linux users (Posix users) using LDAP (via NSS and PAM).
2. Create an additional IP address (alias) say
3. Copy the /etc/samba directory to /etc/samba/DOMAIN2.
4. Modify both of the smb.conf files to bind only to specific interfaces using the interfaces and the bind interfaces only smb.conf parameters.  The first domain gets eth0 and lo (for access to the LDAP server) while the second domain gets the alias interface only (i.e. interfaces =  Add the private dir parameter to each of the files and separate the lock and log file parameters accordingly (i.e. /var/log/samba/DOMAIN2 and /var/run/samba/DOMAIN2).
5. Change the workgroup and netbios name for the new domain to DOMAIN2 and DOMAIN2_PDC in the new smb.conf file. 
6. Add another database to the LDAP server for the DOMAIN2 (i.e. dc=domain2, dc=quena, dc=org).  To do this, duplicate the first database section (i.e. dc=quena, dc=org).  The new database section (dc=domain2, dc=quena, dc=org) needs to appear before the old in the /etc/openldap/slapd.conf file.  Restart ldap (i.e. rcldap restart).
7. Get a SID for the new domain using the net getsid DOMAIN2.
8. Execute smbpasswd -c /etc/samba/DOMAIN2/smb.conf -w secret to set the LDAP admin password for DOMAIN2.
9. Copy the /var/lib/samba/sbin scripts (Idealx) to /var/lib/samba/sbin/DOMAIN2 and modify the base DN, suffix, and SID parameters in the perl configuration module file of the copy.
10. Run the smbldap-populate script for the new DOMAIN to add initial entries to the new LDAP database.  You will have to change the Administrator name for the new domain to something like DOMAIN2_Administrator since you can’t have duplicate uids.  You should be able to verify they got added using slapcat or ldapsearch (you may have to restart the LDAP server).
11. Modify your /etc/ldap.conf file to get the system to authenticate using both databases (since Samba requires all users and machines to have Posix accounts).  To do this, duplicate the first section of the file within the file and change the LDAP info in the new section.  You can verify that you’ve done this correctly by running getent passwd.  You should see all of the old entries, plus the new entries.
12. Start your new smbd and nmbd processes specifying the new smb.conf file (i.e. smbd -l /var/log/samba/DOMAIN2 -D -s /etc/samba/DOMAIN2/smb.conf).
13. You should be able to verify the operation of the new domain by running smbclient -U % -L DOMAIN2_PDC.
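The whole setup above depends on the two smbd instances never sharing state: separate interfaces, a separate private dir, separate lock and log directories, and a separate LDAP suffix. When the second config is produced by copying a directory by hand it is easy to leave one of these pointing at the first domain's files, and the symptom (corrupted secrets.tdb, lock contention, browse lists merging) is hard to trace back. The following is an added Python example, not from the original post, that parses the [global] section of two smb.conf files and reports every parameter the two PDCs would collide on. The sample configs, interface names, addresses and paths in it are constructed placeholders.

```python
import configparser

# Constructed sample smb.conf fragments for the two PDC instances.
# Interface names, LDAP URLs and paths are placeholders, not values from the post.
SMB_CONF_MEGANET2 = """
[global]
    workgroup = MEGANET2
    netbios name = MEGANET2_PDC
    interfaces = eth0 lo
    bind interfaces only = yes
    passdb backend = ldapsam:ldap://127.0.0.1
    ldap suffix = dc=quena,dc=org
    private dir = /etc/samba/private
    lock directory = /var/run/samba
    log file = /var/log/samba/%m.log
"""

SMB_CONF_DOMAIN2 = """
[global]
    workgroup = DOMAIN2
    netbios name = DOMAIN2_PDC
    interfaces = eth0:1
    bind interfaces only = yes
    passdb backend = ldapsam:ldap://127.0.0.1
    ldap suffix = dc=domain2,dc=quena,dc=org
    private dir = /etc/samba/DOMAIN2/private
    lock directory = /var/run/samba/DOMAIN2
    log file = /var/log/samba/DOMAIN2/%m.log
"""

# A deliberately broken copy: private dir and interfaces still point at the first domain.
SMB_CONF_DOMAIN2_BAD = (SMB_CONF_DOMAIN2
                        .replace("/etc/samba/DOMAIN2/private", "/etc/samba/private")
                        .replace("interfaces = eth0:1", "interfaces = eth0 lo"))

# Parameters that must have a different value in every PDC instance on the box.
MUST_DIFFER = ("workgroup", "netbios name", "ldap suffix",
               "private dir", "lock directory", "log file")


def parse_global(text):
    """Return the [global] section of an smb.conf as a dict with lowercased keys.

    smb.conf is INI-like, so configparser is enough here; interpolation is
    disabled because Samba values contain %m, %U and similar macros.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=("#", ";"))
    cp.read_string(text)
    return dict(cp["global"])


def check_isolation(a, b):
    """Return a list of problems; an empty list means the two instances are isolated."""
    problems = []
    for key in MUST_DIFFER:
        va, vb = a.get(key), b.get(key)
        if va is None or vb is None:
            problems.append(f"'{key}' must be set explicitly in both smb.conf files")
        elif va.lower() == vb.lower():
            problems.append(f"'{key}' is shared ({va}); the two PDCs would collide on it")
    # Each instance must bind only to its own interfaces, or both would answer on all of them.
    for name, cfg in (("first", a), ("second", b)):
        if cfg.get("bind interfaces only", "no").lower() not in ("yes", "true", "1"):
            problems.append(f"{name} instance does not set 'bind interfaces only = yes'")
    ifaces_a = set(a.get("interfaces", "").split())
    ifaces_b = set(b.get("interfaces", "").split())
    if not ifaces_a or not ifaces_b:
        problems.append("both instances must list their interfaces explicitly")
    elif ifaces_a & ifaces_b:
        problems.append(f"interfaces listed in both instances: {sorted(ifaces_a & ifaces_b)}")
    return problems


if __name__ == "__main__":
    good = check_isolation(parse_global(SMB_CONF_MEGANET2), parse_global(SMB_CONF_DOMAIN2))
    print("clean copy:", good or "OK")
    bad = check_isolation(parse_global(SMB_CONF_MEGANET2), parse_global(SMB_CONF_DOMAIN2_BAD))
    print("broken copy:")
    for p in bad:
        print("  -", p)
```

Run it against the real files by replacing the two constructed strings with the contents of /etc/samba/smb.conf and /etc/samba/DOMAIN2/smb.conf before starting the second smbd; the same check extends to a third or fourth instance by calling check_isolation on every pair.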
