[Samba] Using LDAP, no PDC/BDC, for multiple samba servers

Lukasz Zalewski lukas at dcs.qmul.ac.uk
Fri Aug 1 10:57:46 GMT 2008

Adam Williams wrote:
> are you using security = user or security = domain on your multiple 
> servers?
> Soohoon Lee wrote:
>> Hi
>> Is it possible to use single LDAP server and multiple samba servers?
>> The problem I'm having now is
>> Each server thinks its host name is its LDAP domain name, or
>> sambaDomainName, and
>> complains that the user's SID is different, so it can't authenticate.
>> How do I make samba servers use one domain name and SID?
>> LDAP domain name is DOMSMB
>> dn: sambaDomainName=DOMSMB,dc=my-domain,dc=com
>> sambaSID: S-1-5-21-2479917030-3150298425-213194246
>> And samba server created a new domain after its hostname.
>> dn: sambaDomainName=SRV6,dc=my-domain,dc=com
>> sambaSID: S-1-5-21-4202146032-850913369-3381557932
>> And it complains that the user's SID is different from its own SID.
>> Thanks,
>> Soohoon.

We have a student domain and a staff domain and one LDAP server. We wanted 
staff members to log onto the student domain. So we considered two options:
1. Interdomain trust relationship
However this option was not good for us as we didn't want to open up the 
firewall and we wanted staff members to get the proper student 
experience (i.e. home dirs and profiles on the student server). So that 
brought us to the second option:
2. ldap translucent proxy overlay
In this setting we override SIDs (i.e. the domain SID part of the staff 
domain is substituted with the student domain portion of the SID) for users 
and groups and point samba to the overlay. Bear in mind that all of the 
changes made by samba like machine passwords, user passwords, idmap 
mappings etc will go no further than the proxy, so great care must be 
taken in LDAP setups that use referrals.

Now the most important question is what do you use your two domains for?
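The SID rewrite described in option 2 (keep the RID, swap the domain portion of the SID so that entries from the staff domain appear to belong to the student domain) can be exercised offline. The following is an added example, not code from the poster or from Samba/OpenLDAP: it parses a small constructed LDIF fragment, rewrites `sambaSID` and `sambaPrimaryGroupSID` of users and groups from one constructed domain SID to another, leaves well-known SIDs (such as `S-1-5-32-544`) and SIDs of other domains untouched, and reports RID collisions with SIDs that already exist in the target domain. The domain SIDs, DNs and RIDs are placeholders invented for the example, not values from the thread.

```python
import re

# Constructed placeholder domain SIDs (not the SIDs from the post).
STAFF_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
STUDENT_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"

# Constructed sample LDIF: one staff user and one well-known BUILTIN group.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=staff,dc=example,dc=org
objectClass: sambaSamAccount
uid: jdoe
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1005
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513

dn: cn=Administrators,ou=groups,dc=example,dc=org
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-544
"""

_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines, entries separated by blank
    lines. Base64 values ('attr::') and folded continuation lines are not
    handled; a real export should go through a full LDIF library."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def split_sid(sid):
    """Return (domain_part, rid) for a domain SID S-1-5-21-A-B-C-RID.
    Anything else (well-known SIDs, the domain SID itself without a RID)
    is returned unchanged with rid=None so callers never rewrite it."""
    if not _SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    parts = sid.split("-")
    if parts[2:4] != ["5", "21"] or len(parts) != 8:
        return sid, None
    return "-".join(parts[:7]), int(parts[7])


def rewrite_sid(sid, src_domain, dst_domain):
    """Swap the domain portion of a SID, keeping the RID; SIDs that are not
    from src_domain (well-known or foreign) are left as they are."""
    domain, rid = split_sid(sid)
    if rid is None or domain != src_domain:
        return sid
    return f"{dst_domain}-{rid}"


def rewrite_entries(ldif_text, src_domain, dst_domain):
    """Rewrite the SID attributes of every user/group entry in the LDIF."""
    rewritten = []
    for entry in parse_ldif(ldif_text):
        out = dict(entry)
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            if attr in out:
                out[attr] = [rewrite_sid(v, src_domain, dst_domain) for v in out[attr]]
        rewritten.append(out)
    return rewritten


def find_rid_collisions(rewritten, existing_sids):
    """RIDs are only unique within the original domain: after the rewrite a
    staff RID may clash with a RID already allocated in the target domain.
    Returns the rewritten sambaSIDs that already exist in existing_sids."""
    existing = set(existing_sids)
    return [sid for e in rewritten for sid in e.get("sambaSID", []) if sid in existing]


if __name__ == "__main__":
    result = rewrite_entries(SAMPLE_LDIF, STAFF_DOMAIN_SID, STUDENT_DOMAIN_SID)
    for entry in result:
        print(entry["dn"][0], entry["sambaSID"])
    # Constructed: pretend RID 1005 is already taken on the student side.
    print("collisions:", find_rid_collisions(result, [f"{STUDENT_DOMAIN_SID}-1005"]))
```

The collision check is the part worth keeping in a real migration: the overlay only changes how SIDs are presented, so a staff user whose RID coincides with an existing student RID would resolve to the wrong account on the student server, and that has to be caught before pointing Samba at the proxy.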