[Samba] second samba pdc

John H Terpstra jht at samba.org
Wed Jun 11 12:58:38 GMT 2008

On Wednesday 11 June 2008 05:56:33 Richard Foltyn wrote:
> On 6/9/08, Sven Buchstaller <ask at quickline.de> wrote:
> > Hello List,
> >
> > I have 2 samba domain on 2 physical Servers but the User Administration
> > is over 1 LDAP Server. At the moment i become some errors on my first PDC
> > box:
> I have the same setup, using 2 PDCs and one OpenLDAP server.
> However, for this to work you need either two distinct LDAP databases
> or at least two different LDAP BASEDNs, e.g.
> dc=domain1,dc=mycompany,dc=net
> dc=domain2,dc=mycompady,dc=net
> Otherwise the two domains will store user/machine/group data in the
> same LDAP hierarchy which will of cource cause trouble.
> - Richard

Actually, there are a few sites that run multiple domains in the same DIT. It 
does work, though there are a few challenges.  Interdomain trusts need to be 
set up manually if a single DIT is shared across multiple domains (each 
having its own SID of course).  The net utility can not be used to create the 
trust accounts.  Also, the way winbind handles foreign SIDs needs to be 
handled carefulyl to avoid conflicts.

The short answer is that it is a very bad practice to use and poor design to 
use a single DIT across multiple domains.  It is much smarter to design and 
implement a separate DIT per domain as shown above.

- John T.
John H Terpstra
Samba-Team Member
Phone: +1 (512) 970-0256

More information about the samba mailing list