[Samba] Multiple domains served by a single LDAP tree

David B Harris dbharris at eelf.ddts.net
Mon Feb 27 19:32:52 GMT 2006


Good {morning,afternoon,evening} everybody,

A while ago I wrote to the list asking about whether the
uidNumber/gidNumber of the "commonly-known SIDs" had to match the RID of
the SID; the answer was "no".

I asked because I intended to implement multiple NT4/Samba domains using
a single LDAP tree; each Samba PDC/BDC instance would only use the
relevant subset of the tree. Unix/Linux hosts would use the full LDAP
tree to resolve every possible UID/GID, but Windows hosts would use
DOMAIN\group and/or DOMAIN\user stuff.

I've read the documentation more, in particular those bits corresponding
to inter-Samba domain trusts, and the documentation quite clearly states
that this isn't particularly recommended given the fragility of SMB
trusts, and the availability of such scalable backends as LDAP.

My question, then, is do people here put together multiple NT4/Samba
domains using a single LDAP backend? I'm betting not. Assuming that's
the case, from Windows, how does one assign permissions and whatnot?
From a single large flatspace containing every user and group? If not,
how are they separated?

Part of this is a user-acceptance issue; I'd like it to be very clear
that a particular user belongs to a particular business group (i.e.
DEVEL, EXEC, FINANCE).

I guess the crux of the question is, "is there any way to have multiple
NT4/Samba domains served from a single multi-branch LDAP backend without
inter-domain trusts, or is there some better way to go about what I'm
trying to accomplish?"

Thanks very much in advance.

-- 
    Arguing with an engineer is like wrestling with a pig in mud.
    After a while, you realise the pig is enjoying it.

    OpenPGP v4 key ID: 4096R/59DDCB9F
    Fingerprint: CC53 F124 35C0 7BC2 58FE  7A3C 157D DFD9 59DD CB9F
    Retrieve from subkeys.pgp.net
