[Samba] second samba pdc

John H Terpstra jht at samba.org
Wed Jun 11 12:58:38 GMT 2008


On Wednesday 11 June 2008 05:56:33 Richard Foltyn wrote:
> On 6/9/08, Sven Buchstaller <ask at quickline.de> wrote:
> > Hello List,
> >
> > I have 2 samba domains on 2 physical Servers but the User Administration
> > is over 1 LDAP Server. At the moment I get some errors on my first PDC
> > box:
>
> I have the same setup, using 2 PDCs and one OpenLDAP server.
>
> However, for this to work you need either two distinct LDAP databases
> or at least two different LDAP BASEDNs, e.g.
>
> dc=domain1,dc=mycompany,dc=net
> dc=domain2,dc=mycompany,dc=net
>
> Otherwise the two domains will store user/machine/group data in the
> same LDAP hierarchy which will of course cause trouble.
>
> HTH
>
> - Richard

Actually, there are a few sites that run multiple domains in the same DIT. It 
does work, though there are a few challenges.  Interdomain trusts need to be 
set up manually if a single DIT is shared across multiple domains (each 
having its own SID of course).  The net utility can not be used to create the 
trust accounts.  Also, the way winbind handles foreign SIDs needs to be 
handled carefully to avoid conflicts.

The short answer is that it is very bad practice and poor design to use a 
single DIT across multiple domains.  It is much smarter to design and 
implement a separate DIT per domain as shown above.

Cheers,
- John T.
-- 
John H Terpstra
Samba-Team Member
Phone: +1 (512) 970-0256
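As an added illustration of the point made in this thread (this is example code written for this page, not Samba's own tooling or anything posted by the participants), the script below builds two minimal Samba 3 PDC smb.conf fragments per scenario and checks whether the LDAP containers the two PDCs would write to overlap. The hostnames, workgroup names, `cn=Manager` admin DN and `dc=mycompany,dc=net` base are constructed sample values; the `ldap suffix`, `ldap user suffix`, `ldap group suffix` and `ldap machine suffix` parameters are the real smb.conf settings that decide where ldapsam stores user, group and machine accounts.

```python
import configparser
from itertools import combinations


def pdc_conf(workgroup, netbios_name, ldap_suffix):
    """Return a minimal Samba 3 PDC smb.conf (constructed example, not a real site's config)."""
    return f"""
[global]
workgroup = {workgroup}
netbios name = {netbios_name}
security = user
domain master = yes
domain logons = yes
passdb backend = ldapsam:ldap://ldap.mycompany.net
ldap admin dn = cn=Manager,dc=mycompany,dc=net
ldap suffix = {ldap_suffix}
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
"""


# Shared DIT: both PDCs store users/groups/machines under the same base (the layout the thread warns against).
SHARED_DIT = [pdc_conf("DOMAIN1", "PDC1", "dc=mycompany,dc=net"),
              pdc_conf("DOMAIN2", "PDC2", "dc=mycompany,dc=net")]

# Separate DIT per domain: distinct base DNs, as Richard suggests.
SEPARATE_DIT = [pdc_conf("DOMAIN1", "PDC1", "dc=domain1,dc=mycompany,dc=net"),
                pdc_conf("DOMAIN2", "PDC2", "dc=domain2,dc=mycompany,dc=net")]


def parse_global(text):
    """Parse the [global] section; only '=' is a delimiter because DN values contain '='."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return dict(cp["global"])  # configparser lowercases option names


def normalize_dn(dn):
    """Lowercase and strip whitespace around RDN separators (a simplification of RFC 4514 matching)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def container_dns(conf):
    """Return (workgroup, {container: full DN}) for the base, user, group and machine containers."""
    g = parse_global(conf)
    base = normalize_dn(g["ldap suffix"])
    containers = {"base": base}
    for kind in ("user", "group", "machine"):
        sub = g.get(f"ldap {kind} suffix")
        containers[kind] = normalize_dn(f"{sub},{base}") if sub else base
    return g["workgroup"], containers


def is_nested(a, b):
    """True when DN a equals b or one lies below the other, so subtree searches from either see both."""
    return a == b or a.endswith("," + b) or b.endswith("," + a)


def find_overlaps(confs):
    """Return (domainA, domainB, container, DN) for every PDC pair whose LDAP containers overlap."""
    domains = [container_dns(c) for c in confs]
    problems = []
    for (wg_a, dn_a), (wg_b, dn_b) in combinations(domains, 2):
        for kind in ("base", "user", "group", "machine"):
            if is_nested(dn_a[kind], dn_b[kind]):
                problems.append((wg_a, wg_b, kind, dn_a[kind]))
    return problems


if __name__ == "__main__":
    for label, confs in (("shared DIT", SHARED_DIT), ("separate DIT", SEPARATE_DIT)):
        overlaps = find_overlaps(confs)
        print(f"{label}: {'OK' if not overlaps else 'overlapping containers'}")
        for wg_a, wg_b, kind, dn in overlaps:
            print(f"  {wg_a} and {wg_b} share the {kind} container {dn}")
```

Running it reports all four containers (base, users, groups, computers) as shared for the first pair and nothing for the second. The nesting test matters because a second domain placed directly beneath the first domain's suffix is still inside the first PDC's subtree searches; giving each domain a sibling base DN, as in the thread, avoids that.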

