[Samba] Re: Reg: net rpc rights grant command is not working on samba-3.0.10

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Jun 18 06:21:48 GMT 2008

On Tue, Jun 17, 2008 at 07:14:28PM -0400, Charlie wrote:
> If I have explained this poorly, I apologize - interpersonal
> communications skills are not my area of speciality.

If I understood you correctly then you have users in LDAP
that are to be authenticated in more than one domain.
Assuming that is right then yes, this is a not supported
configuration and never has been. It might have worked at
some point, but we deliberately moved to a much more
predictable SID-based model for almost everything
internally. On that way we very likely broke what you

The only way a central LDAP can work is using completely
independent OUs per domain in a way that no objects from one
domain are seen by another domain.

One thing that I could imagine though is to centralize ID
mapping in this scenario, winbind from domain A could
(read-only) look at the LDAP objects of domain B to get a
unified uid space.

I know that it is hard or impossible to change your existing
LDAP tree, but one account in multiple domains is just way
too error-prone, fragile and confusing if not used VERY,
VERY carefully.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba/attachments/20080618/29bdd04a/attachment.bin

More information about the samba mailing list