[Samba] Using LDAP, no PDC/BDC, for multiple samba servers

Adam Williams awilliam at mdah.state.ms.us
Fri Aug 1 15:22:29 GMT 2008


Sure, you can have multiple domains with all the account info in LDAP.
If you really want it to work together well you'll have a PDC and BDCs
though. You may be able to try Samba intertrust relationships, but I've
never used that.

Soohoon Lee wrote:
>  
> Thanks all
> This is my smb.conf
> [global]
>         dos charset = UTF-8
>         workgroup = DOMSMB
>         security = user
>         allow trusted domains = No
>         password server = NULL
>         passdb backend = ldapsam:ldap://10.17.124.190/
>         max log size = 50
>         load printers = No
>         stat cache = No
>         os level = 10
>         dns proxy = No
>         ldap suffix = dc=my-domain,dc=com
>         ldap user suffix = ou=Users
>         ldap group suffix = ou=Groups
>         ldap admin dn = cn=Manager,dc=my-domain,dc=com
>         ldap ssl = no
>
> And I'd like to make multiple Samba servers share a single LDAP server
> without using the domain controller feature.
> I'm getting the feeling that a pure LDAP server is for a single Samba server,
> or that the LDAP server should have a Samba DC to serve multiple Samba servers?
>  
> Thanks,
> Soohoon.
>  
> On Fri, Aug 1, 2008 at 7:02 AM, Lukasz Zalewski <lukas at dcs.qmul.ac.uk> wrote:
>
>     Lukasz Zalewski wrote:
>
>         Adam Williams wrote:
>
>             are you using security = user or security = domain on your
>             multiple servers?
>             Soohoon Lee wrote:
>
>                 Hi
>                 Is it possible to use single LDAP server and multiple
>                 samba servers?
>                 The problem I'm having now is that
>                 each server thinks its host name is its LDAP
>                 domain name, or sambaDomainName, and
>                 complains that the user's SID is different, so it can't
>                 authenticate.
>                 How do I make the Samba servers use one domain name and SID?
>
>                 LDAP domain name is DOMSMB
>
>                 dn: sambaDomainName=DOMSMB,dc=my-domain,dc=com
>                 sambaSID: S-1-5-21-2479917030-3150298425-213194246
>
>                 And the Samba server created a new domain named after its hostname.
>
>                 dn: sambaDomainName=SRV6,dc=my-domain,dc=com
>                 sambaSID: S-1-5-21-4202146032-850913369-3381557932
>                 And it complains that the user's SID is different from its SID.
>
>                 Thanks,
>                 Soohoon.
>                  
>
>
>
>         We have a student domain and a staff domain and one LDAP server.
>         We wanted staff members to log onto the student domain. So we
>         considered two options:
>         1. Interdomain trust relationship
>         (http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html)
>
>         However, this option was not good for us as we didn't want to
>         open up the firewall and we wanted staff members to get the
>         proper student experience (i.e. home dirs and profiles on the
>         student server). So that brought us to the second option:
>         2. LDAP translucent proxy overlay
>         (http://linux.die.net/man/5/slapo-translucent)
>         In this setting we override SIDs (i.e. the domain SID part of the
>         staff domain is substituted with the student domain portion of the
>         SID) for users and groups and point Samba to the overlay. Bear
>         in mind that all of the changes made by Samba, like machine
>         passwords, user passwords, idmap mappings etc., will go no
>         further than the proxy, so great care must be taken in LDAP
>         setups that use referrals.
>
>
>         Now the most important question is: what do you use your two
>         domains for?
>
>         HTH
>
>         Lukasz
>
>
>     Ah, sorry, I didn't read the Subject line properly: you do not want
>     a PDC. As Andy pointed out, maybe you should have one of the servers
>     as a domain member of the other domain.
>
>     Lukasz
>
>

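A consistency check for the SID mismatch Soohoon describes, as an added example that is not part of the thread: it reads an LDIF dump of the directory (for instance from `ldapsearch -LLL`), lists any sambaDomainName entries beyond the intended domain (the per-hostname domains a standalone server creates), and lists sambaSamAccount users whose SID prefix is not the intended domain's sambaSID. The LDIF, including the two user entries, is constructed from the SIDs quoted above.

```python
# Constructed LDIF using the SIDs quoted in the thread: the intended DOMSMB
# domain, the stray SRV6 domain a server created after its hostname, two users.
SAMPLE_LDIF = """\
dn: sambaDomainName=DOMSMB,dc=my-domain,dc=com
sambaDomainName: DOMSMB
sambaSID: S-1-5-21-2479917030-3150298425-213194246

dn: sambaDomainName=SRV6,dc=my-domain,dc=com
sambaDomainName: SRV6
sambaSID: S-1-5-21-4202146032-850913369-3381557932

dn: uid=alice,ou=Users,dc=my-domain,dc=com
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-2479917030-3150298425-213194246-1000

dn: uid=bob,ou=Users,dc=my-domain,dc=com
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-4202146032-850913369-3381557932-1002
"""

def parse_ldif(text):
    # Minimal LDIF reader: one "attr: value" per line, blank line ends an
    # entry; no base64 (::) or folded lines. Returns list of {attr: [values]}.
    entries, current = [], {}
    for line in text.splitlines() + [""]:   # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def domain_sid(sid):
    """Drop the trailing RID; the S-1-5-21-a-b-c prefix identifies the domain."""
    return sid.rsplit("-", 1)[0]

def check_domain_sids(ldif_text, expected_domain):
    """Return (stray sambaDomainName entries, uids under a foreign domain SID)."""
    entries = parse_ldif(ldif_text)
    domains = {e["sambaDomainName"][0]: e["sambaSID"][0] for e in entries if "sambaDomainName" in e}
    expected_sid = domains[expected_domain]      # KeyError if the expected domain is absent
    strays = sorted(n for n in domains if n != expected_domain)
    mismatched = sorted(e["uid"][0] for e in entries if "sambaSamAccount" in e.get("objectClass", [])
                        and domain_sid(e["sambaSID"][0]) != expected_sid)
    return strays, mismatched
```

Running it against a real directory dump before pointing additional servers at it shows whether some server has already created its own per-hostname domain entry and which users were assigned SIDs under it.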
