[Samba] security = user, multiple Sambas, shared LDAP

[Daniel Pocock]

Adam Williams wrote:
> security = domain is for domain member servers, which are servers that 
> are part of the domain but don't authenticate users, handle roaming 
> profiles, etc.  basically you'd use them for print servers, or more 
> file shares.
>
> why don't you just have a PDC and use BDCs?  sure you can have a bunch 
> of domains and PDCs, but if its all for the same company, just go with 
> the PDC and then a BDC on each subnet.  PDCs and BDCs both use 
> security = user

There are two issues:

a) The workstations log on to another domain, managed by AD, and I don't 
want to integrate Samba with that domain

b) I want each Samba server to be able to operate independently, but 
give the users the convenience of a single password for all servers

I'm quite happy to create a Samba PDC, but if I can just make the Samba 
servers operate as standalone servers using a common workgroup name, is 
that more convenient to setup and more fault tolerant?
>
> Daniel Pocock wrote:
>>
>>
>>
>> Consider the following scenario:
>>
>> - a single OpenLDAP server, with a single instance of the object 
>> class sambaDomain and a single SID:
>>
>> dn: sambaDomainName=myserver,ou=samba,dc=example,dc=com
>> objectClass: sambaDomain
>> sambaDomainName: MYGROUP
>> sambaSID: S-1-2-3
>>
>> - multiple Samba servers, each with the following configuration:
>>
>>   security = user
>>   workgroup = MYGROUP
>>
>> Is this a valid configuration?  Or does the SMB protocol require the 
>> domain security to be used (security = domain) when all servers share 
>> a single LDAP backend?
>>
>> Regards,
>>
>> Daniel
>