[Samba] Using LDAP, no PDC/BDC, for multiple samba servers

Soohoon Lee soohoon at gmail.com
Fri Aug 1 16:17:20 GMT 2008

Thanks, now it's crystal clear.
One thing I'd like to ask more is why the other servers will be BDCs?
Not just a workstation or a DC client? Where do they back up or cache accounts?
Will smb.conf look different from using an NT4 PDC?
On Fri, Aug 1, 2008 at 11:58 AM, Adam Williams <awilliam at mdah.state.ms.us> wrote:

> Yes, to share a single set of users/groups in LDAP to multiple samba servers
> you will need LDAP and a PDC, and the other servers will be BDCs.  Yes, you
> will join BDCs with net rpc join -D domain -S pdc_server_name -U
> root%password
> Read chapter 5.3 of samba 3 by example.pdf
> Soohoon Lee wrote:
> Thanks,
> 'sharing LDAP server' is to share the same set of users/groups in the LDAP
> DB, not separate sets of users/groups for each samba server.
> It looks like a PDC??? Maybe what I want is more like NIS.
> So IIUC, to share a single set of users/groups in the LDAP server from
> multiple samba servers, I need LDAP and a samba DC?
> And the samba servers have to join the samba DC by net rpc join?
> Thanks a lot.
> Soohoon.
> On Fri, Aug 1, 2008 at 11:22 AM, Adam Williams <awilliam at mdah.state.ms.us> wrote:
>> Sure, you can have multiple domains with all the account info in LDAP.  If
>> you really want it to work together well you'll have a PDC and BDCs
>> though.  You may be able to try samba intertrust relationships, but I've
>> never used that.
>> Soohoon Lee wrote:
>> Thanks all
>> This is my smb.conf
>> [global]
>>         dos charset = UTF-8
>>         workgroup = DOMSMB
>>         security = user
>>         allow trusted domains = No
>>         password server = NULL
>>         passdb backend = ldapsam:ldap://
>>         max log size = 50
>>         load printers = No
>>         stat cache = No
>>         os level = 10
>>         dns proxy = No
>>         ldap suffix = dc=my-domain,dc=com
>>         ldap user suffix = ou=Users
>>         ldap group suffix = ou=Groups
>>         ldap admin dn = cn=Manager,dc=my-domain,dc=com
>>         ldap ssl = no
>> And I'd like to make multiple samba servers share a single LDAP server
>> without using the domain controller feature.
>> I'm getting the feeling that a pure LDAP server is for a single samba server, or
>> the LDAP server should have a samba DC to serve multiple samba servers?
>> Thanks,
>> Soohoon.
>> On Fri, Aug 1, 2008 at 7:02 AM, Lukasz Zalewski <lukas at dcs.qmul.ac.uk> wrote:
>>> Lukasz Zalewski wrote:
>>>> Adam Williams wrote:
>>>>> are you using security = user or security = domain on your multiple
>>>>> servers?
>>>>> Soohoon Lee wrote:
>>>>>> Hi
>>>>>> Is it possible to use a single LDAP server and multiple samba servers?
>>>>>> The problem I'm having now is that
>>>>>> each server thinks its host name is its LDAP domain name, or
>>>>>> sambaDomainName, and
>>>>>> complains that the user's SID is different, so it can't authenticate.
>>>>>> How do I make the samba servers use one domain name and SID?
>>>>>> LDAP domain name is DOMSMB
>>>>>> dn: sambaDomainName=DOMSMB,dc=my-domain,dc=com
>>>>>> sambaSID: S-1-5-21-2479917030-3150298425-213194246
>>>>>> And the samba server created a new domain named after its hostname.
>>>>>> dn: sambaDomainName=SRV6,dc=my-domain,dc=com
>>>>>> sambaSID: S-1-5-21-4202146032-850913369-3381557932
>>>>>> And it complains that the user's SID is different from its SID.
>>>>>> Thanks,
>>>>>> Soohoon.
>>>> We have a student domain and a staff domain and one LDAP server. We wanted
>>>> staff members to log onto the student domain. So we considered two options:
>>>> 1. Interdomain trust relationship (
>>>> http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html)
>>>> However this option was not good for us as we didn't want to open up the
>>>> firewall and we wanted staff members to get the proper student experience
>>>> (i.e. home dirs and profiles on the student server). So that brought us to
>>>> the second option:
>>>> 2. ldap translucent proxy overlay (
>>>> http://linux.die.net/man/5/slapo-translucent)
>>>> In this setting we override SIDs (i.e. the domain SID part of the staff
>>>> domain is substituted with the student domain portion of the SID) for users and
>>>> groups and point samba to the overlay. Bear in mind that all of the changes
>>>> made by samba, like machine passwords, user passwords, idmap mappings etc.,
>>>> will go no further than the proxy, so great care must be taken in LDAP setups
>>>> that use referrals.
>>>> Now the most important question is: what do you use your two domains for?
>>>> HTH
>>>> Lukasz
>>> Ah, sorry, I didn't read the Subject line properly: you do not want a PDC. As
>>> Andy pointed out, maybe you should have one of the servers as a domain member
>>> of the other domain.
>>> Lukasz
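The failure Soohoon describes at the start of the thread leaves a visible trace in the LDAP tree: a second sambaDomainName entry named after the server's hostname, with its own domain SID, while the users' sambaSID values still carry the prefix of the original domain (or, after one server has started "fixing" things, a mix of both). The following Python script is an added example written for this page, not code from the thread or from the Samba project. It parses an LDIF dump of the ldapsam tree, reports any stray domain entries besides the intended one, and flags every user whose SID does not belong to that domain's SID. The two domain entries are the ones quoted in the thread; the user entries alice and bob, their RIDs, and the `DOMSMB` expected-domain argument are constructed for the example.

```python
"""Audit a Samba ldapsam LDIF dump for stray per-host domain entries and
for users whose SID prefix does not match the intended domain's SID.

Added example for this thread; the user entries below are constructed.
"""
import re

# Constructed LDIF sample: the DOMSMB and SRV6 domain entries quoted in the
# thread, plus two invented sambaSamAccount users with invented RIDs.
SAMPLE_LDIF = """\
dn: sambaDomainName=DOMSMB,dc=my-domain,dc=com
objectClass: sambaDomain
sambaDomainName: DOMSMB
sambaSID: S-1-5-21-2479917030-3150298425-213194246

dn: sambaDomainName=SRV6,dc=my-domain,dc=com
objectClass: sambaDomain
sambaDomainName: SRV6
sambaSID: S-1-5-21-4202146032-850913369-3381557932

dn: uid=alice,ou=Users,dc=my-domain,dc=com
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-2479917030-3150298425-213194246-1000

dn: uid=bob,ou=Users,dc=my-domain,dc=com
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-4202146032-850913369-3381557932-1002
"""

# Domain SID: S-1-5-21-<a>-<b>-<c>; an account SID adds a trailing RID.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(?:-(\d+))?$")


def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, attribute -> list of values.
    Handles plain 'attr: value' lines only (no base64 '::' or continuations)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def domain_sid(sid):
    """Return the domain portion of a SID, dropping the RID if present."""
    match = SID_RE.match(sid)
    if not match:
        raise ValueError(f"not a domain/account SID: {sid}")
    return sid.rsplit("-", 1)[0] if match.group(1) is not None else sid


def audit(ldif_text, expected_domain):
    """Return a list of findings (strings); empty means the tree is consistent."""
    entries = parse_ldif(ldif_text)
    domains = {
        e["sambaDomainName"][0]: e["sambaSID"][0]
        for e in entries if "sambaDomain" in e.get("objectClass", [])
    }
    findings = []
    if expected_domain not in domains:
        findings.append(f"no sambaDomainName={expected_domain} entry found")
    for name in sorted(domains):
        if name != expected_domain:
            # A server with security = user that is not a domain member creates
            # a domain named after its own hostname, exactly as seen in the thread.
            findings.append(
                f"stray domain entry sambaDomainName={name} (SID {domains[name]})")
    expected_sid = domains.get(expected_domain)
    for e in entries:
        if "sambaSamAccount" not in e.get("objectClass", []):
            continue
        user_domain = domain_sid(e["sambaSID"][0])
        if expected_sid is not None and user_domain != expected_sid:
            findings.append(
                f"user {e['uid'][0]}: SID prefix {user_domain} "
                f"is not the {expected_domain} domain SID")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LDIF, "DOMSMB"):
        print(finding)
```

Run against a real tree you would feed it the output of an `ldapsearch` over the suffix from smb.conf instead of `SAMPLE_LDIF`. Two findings come back for the sample: the stray `SRV6` domain and user `bob`, whose SID was minted under that server's private domain SID. The thread's resolution is the structural one: make every additional server a member of the single domain (security = domain plus net rpc join) so that only one sambaDomainName entry and one domain SID ever exist, and re-run this check afterwards to confirm no account is left stranded under the old per-host SID.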
