[Samba] multiple domains and one PDC w/ ldap?

Adam Williams awilliam at mdah.state.ms.us
Wed Nov 7 14:03:30 GMT 2007


samba at piven.org wrote:
> Adam Williams wrote:
>> Is it possible to have multiple domains and all of them authenticate 
>> to one PDC running openldap?
>>
>> Each building at work has a network segment, 10.8.1.x - 10.8.18.x, 
>> each having their own samba server using smbpasswd and DOMAIN name.  
>> Like the server arrowhead 10.8.9.2 has domain = HPADMIN in smb.conf, 
>> server archives 10.8.8.2 has domain = OLDCAPITOL in smb.conf, roark 
>> 10.8.2.3 has domain = ADMIN in smb.conf.
>>
>> I'd like to replace all of these smbpasswd backends with a single 
>> LDAP server and am reading Samba 3 by Example.  Would it be possible 
>> to have each server keep its separate DOMAIN = configuration, but 
>> have them all use the PDC of roark for authentication on its OpenLDAP 
>> configuration?
>
> You can't use a single PDC, but you can have all your individual PDCs 
> use the same LDAP server as a backend -- you just reconfigure each of 
> the existing domain controllers with its own base distinguished name 
> within the LDAP server... e.g.:
>
>     dc=hpadmin,dc=your,dc=domain
>     dc=oldcapitol,dc=your,dc=domain
>     dc=admin,dc=your,dc=domain
>
> Migrating the accounts from the local smbpasswd to LDAP is left as an 
> exercise for the sysadmin :-) but as long as you give each domain its 
> own branch in your LDAP database, you should not run into problems.
>
> Don Piven

What about just having a dc=ldap,dc=your,dc=domain with all the user 
accounts in it, and then having every Samba PDC use passdb backend = 
ldapsam:ldap://ldap.your.domain?

Basically I just want it so all the username/passwords are in a central 
location so when a user does ctrl-alt-del and clicks change password, it 
will change their Windows logon password, their email password, etc.  I 
just have to also keep the legacy PDC servers because of registry and 
file permissions.  Otherwise I have to load the registry hive of 100 
users and change the permissions on them and their profiles.
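A sketch of the per-PDC layout Don describes, as an added example that is not from either poster: every building's PDC keeps its own workgroup but points `passdb backend` at the one OpenLDAP server, with its own `ldap suffix` branch. The hostname ldap.your.domain, the dc=your,dc=domain base and the cn=Manager bind DN are assumed.

```ini
# /etc/samba/smb.conf on the HPADMIN PDC (arrowhead, 10.8.9.2).
# The OLDCAPITOL and ADMIN PDCs use the same file with only
# "workgroup", "netbios name" and "ldap suffix" changed.
[global]
    workgroup = HPADMIN
    netbios name = ARROWHEAD
    security = user
    domain logons = yes
    domain master = yes

    # One shared LDAP server for every PDC (assumed hostname).
    passdb backend = ldapsam:ldap://ldap.your.domain
    # Protect credentials on the wire between PDC and LDAP server.
    ldap ssl = start tls

    # This domain's own branch; the others get
    # dc=oldcapitol,... and dc=admin,... respectively.
    ldap suffix = dc=hpadmin,dc=your,dc=domain
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap

    # Bind DN Samba uses to write account changes (assumed DN);
    # its password is stored in secrets.tdb with: smbpasswd -w <password>
    ldap admin dn = cn=Manager,dc=your,dc=domain

    # Keep the LDAP userPassword in step with the Samba NT hash, so a
    # ctrl-alt-del password change also updates the password that
    # other LDAP-bound services (e.g. mail) authenticate against.
    ldap passwd sync = yes
```

Each PDC still owns a distinct domain SID, which is why the accounts live in per-domain branches rather than one shared dc=ldap branch.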
