[Samba] Re: Samba-OpenLDAP and AD question..

Andrew Bartlett abartlet at samba.org
Wed Nov 1 20:34:58 GMT 2006

On Wed, 2006-11-01 at 08:04 -0500, John Little wrote:
> Hi Andrew..
> > On Mon, 2006-10-30 at 13:14 -0800, John Little wrote:
> > > Hi all
> > >  
> > > We have slowly been migrating our NT4 domain to Samba+OpenLDAP.  
> > >Today I was told that we were going to to create an AD 'resource' 
> > >domain, put all of the workstations in it and create a trust 
> > >relationship between the two domains.  In other words the users 
> > >would be in the Samba+OpenLDAP domain and the workstations in the AD
> > >'resource' domain.  If it matters we have about 1750 workstations 
> > >with about 2000 users.
> > > 
> > > Is this a reasonable model to follow or thing to do?
> > 
> > It depends on the reasons for creating the resource domain.
> > 
> > > If we do this what sort of pitfalls, if any, should I expect to encounter?
> > > Any ideas, opinions, knowledge of this are greatly appreciated.
> > 
> > It should work.  In fact, I think I even tested it briefly at my site.
> > It will just be an interdomain trust as far as Samba and AD are
> > concerned.
> My concern is that currently the machines are joined to the NT4 domain (AD has 
> not been implemented as of yet).   We have users in the Samba domain 
> accessing shares on Windows servers joined to the NT4 domain.  Occasionally 
> these users cannot access a share and get a message about the trust 
> relationship not working.   This does not occur when the workstation is 
> joined to the Samba domain.  The workstations are Win XP pro and Win2k.  Note 
> that I am not speaking of logon issues here, just of intermittent share 
> access issues.
> Since we are a hospital patient safety and care is of utmost priority.  
> Translated into IS terms doctors and nurses have to access information 
> quickly and when they need it.  Hence my concern about keeping the 
> workstations on the NT4 or AD domain.
> Are the trust relationships more stable with AD or am I possible missing 
> something in my setup that would cause the intermittent access issues?

I don't think the technology is fundamentally unstable.  I had a setup
like this for I think a couple of years, with all users being in the
Samba domain.  

If there are issues, I would first chase them down 'as is'.  I don't
think AD would be more or less stable, but clearly you must validate
anything you do to your complete satisfaction (presumably in a realistic
test lab environment) before deploying anything to safety critical

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20061102/bfb9c066/attachment.bin

More information about the samba mailing list