[Samba] Multiple domains served by a single LDAP tree

Abdul-Wahid Paterson abdulwahid at gmail.com
Tue Feb 28 11:11:34 GMT 2006


Hi,

I have a very similar question to this. Are there any Samba/LDAP
howtos or documentation on this issue?

In my situation the users are split over two subnets but many users
need the same access to corporate resources. However, they should be
using local file server and Samba authentication servers.

Any hints or tips are welcome.

Regards,

Abdul-Wahid



On 2/27/06, David B Harris <dbharris at eelf.ddts.net> wrote:
> Good {morning,afternoon,evening} everybody,
>
> A while ago I wrote to the list asking about whether the
> uidNumber/gidNumber of the "commonly-known SIDs" had to match the RID of
> the SID; the answer was "no".
>
> I asked because I intended to implement multiple NT4/Samba domains using
> a single LDAP tree; each Samba PDC/BDC instance would only use the
> relevant subset of the tree. Unix/Linux hosts would use the full LDAP
> tree to resolve every possible UID/GID, but Windows hosts would use
> DOMAIN\group and/or DOMAIN\user stuff.
>
> I've read the documentation more, in particular those bits corresponding
> to inter-Samba domain trusts, and the documentation quite clearly states
> that this isn't particularly recommended given the fragility of SMB
> trusts, and the availability of such scalable backends as LDAP.
>
> My question, then, is do people here put together multiple NT4/Samba
> domains using a single LDAP backend? I'm betting not. Assuming that's
> the case, from Windows, how does one assign permissions and whatnot?
> From a single large flatspace containing every user and group? If not,
> how are they separated?
>
> Part of this is a user-acceptance issue; I'd like it to be very clear
> that a particular user belongs to a particular business group (ie:
> DEVEL, EXEC, FINANCE).
>
> I guess the crux of the question is, "is there any way to have multiple
> NT4/Samba domains served from a single multi-branch LDAP backend without
> inter-domain trusts, or is there some better way to go about what I'm
> trying to accomplish?"
>
> Thanks very much in advance.
>
> --
>      Arguing with an engineer is like wrestling with a pig in mud.
>            After a while, you realise the pig is enjoying it.
>
>                    OpenPGP v4 key ID: 4096R/59DDCB9F
>     Fingerprint: CC53 F124 35C0 7BC2 58FE  7A3C 157D DFD9 59DD CB9F
>                      Retrieve from subkeys.pgp.net

