[Samba] Using LDAP, no PDC/BDC, for multiple samba servers

Lukasz Zalewski lukas at dcs.qmul.ac.uk
Fri Aug 1 11:02:57 GMT 2008

Lukasz Zalewski wrote:
> Adam Williams wrote:
>> are you using security = user or security = domain on your multiple 
>> servers?
>> Soohoon Lee wrote:
>>> Hi
>>> Is it possible to use single LDAP server and multiple samba servers?
>>> The problem I'm having now is
>>> Each server thinks their host name is their LDAP domain name, or
>>> sambaDomainName, and
>>> complains the user's SID is different, so it can't authenticate.
>>> How do I make samba servers use one domain name and SID?
>>> LDAP domain name is DOMSMB
>>> dn: sambaDomainName=DOMSMB,dc=my-domain,dc=com
>>> sambaSID: S-1-5-21-2479917030-3150298425-213194246
>>> And samba server created a new domain after its hostname.
>>> dn: sambaDomainName=SRV6,dc=my-domain,dc=com
>>> sambaSID: S-1-5-21-4202146032-850913369-3381557932
>>> And it complains the user's SID is different from its SID.
>>> Thanks,
>>> Soohoon.
> We have student domain and staff domain and one LDAP server. We wanted 
> staff members to log onto student domain. So we considered two options:
> 1. Interdomain trust relationship 
> (http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html) 
> However this option was not good for us as we didn't want to open up the 
> firewall and we wanted staff members to get the proper student 
> experience (i.e. home dirs and profiles on the student server). So that 
> brought us to the second option:
> 2. ldap translucent proxy overlay 
> (http://linux.die.net/man/5/slapo-translucent)
> In this setting we override sids (i.e. domain sid part of the staff 
> domain is substituted with student domain portion of the sid) for users 
> and groups and point samba to the overlay. Bear in mind that all of the 
> changes made by samba like machine passwords, user passwords, idmap 
> mappings etc will go no further than the proxy so great care must be 
> taken in LDAP setups that use referrals.
> Now the most important question is: what do you use your two domains for?
> Lukasz

Ah, sorry, I didn't read the Subject line properly: you do not want a PDC. As 
Andy pointed out, maybe you should have one of the servers as a domain 
member of the other domain.
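An added example (not from the thread or from Samba itself) that shows how to spot the problem Soohoon describes before authentication fails: it parses an LDIF export, collects every sambaDomainName entry, and flags both the stray per-host domain (SRV6) and every account whose sambaSID prefix does not match the intended domain SID. The domain DNs and SIDs come from the thread; the two user entries and their RIDs are constructed for illustration.

```python
# Sample LDIF (constructed): the two sambaDomainName entries are the ones
# quoted in the thread; the user entries are invented to show one good and
# one mismatched account.
SAMPLE_LDIF = """\
dn: sambaDomainName=DOMSMB,dc=my-domain,dc=com
sambaDomainName: DOMSMB
sambaSID: S-1-5-21-2479917030-3150298425-213194246

dn: sambaDomainName=SRV6,dc=my-domain,dc=com
sambaDomainName: SRV6
sambaSID: S-1-5-21-4202146032-850913369-3381557932

dn: uid=alice,ou=People,dc=my-domain,dc=com
sambaSID: S-1-5-21-2479917030-3150298425-213194246-3000

dn: uid=bob,ou=People,dc=my-domain,dc=com
sambaSID: S-1-5-21-4202146032-850913369-3381557932-3002
"""

def parse_ldif(text):
    """Split a simple LDIF dump (no line folding, no base64 values) into a
    list of {attribute: [values]} dicts, one per blank-line-separated entry."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries

def audit_sids(text, domain):
    """Return (domain_sids, extra_domains, mismatches): every sambaDomainName
    entry's SID, the domain entries other than `domain` (e.g. ones a server
    created after its own hostname), and (dn, sambaSID) for each account whose
    SID prefix is not the SID of `domain`."""
    entries = parse_ldif(text)
    domains = {e["sambaDomainName"][0]: e["sambaSID"][0]
               for e in entries if "sambaDomainName" in e}
    wanted = domains[domain]
    extra = sorted(d for d in domains if d != domain)
    mismatches = []
    for e in entries:
        if "sambaDomainName" in e or "sambaSID" not in e:
            continue
        sid = e["sambaSID"][0]
        if sid.rsplit("-", 1)[0] != wanted:   # strip the RID, compare domain part
            mismatches.append((e["dn"][0], sid))
    return domains, extra, mismatches
```

Run it against `ldapsearch -LLL` output of the real directory; any entry in `extra` is a domain a server created on its own, and every `mismatches` row is an account that server will refuse.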