[Samba] Re: Reg: net rpc rights grant command is not working on samba-3.0.10

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Jun 18 06:21:48 GMT 2008


On Tue, Jun 17, 2008 at 07:14:28PM -0400, Charlie wrote:
> If I have explained this poorly, I apologize - interpersonal
> communications skills are not my area of speciality.

If I understood you correctly then you have users in LDAP
that are to be authenticated in more than one domain.
Assuming that is right then yes, this is not a supported
configuration and never has been. It might have worked at
some point, but we deliberately moved to a much more
predictable SID-based model for almost everything
internally. Along the way we very likely broke what you
described.

The only way a central LDAP can work is using completely
independent OUs per domain in a way that no objects from one
domain are seen by another domain.

One thing that I could imagine though is to centralize ID
mapping in this scenario: winbind from domain A could
(read-only) look at the LDAP objects of domain B to get a
unified uid space.

I know that it is hard or impossible to change your existing
LDAP tree, but one account in multiple domains is just way
too error-prone, fragile and confusing if not used VERY,
VERY carefully.

Volker
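
The separation requirement described above (no objects from one domain visible to another) can be checked mechanically. The following is an added example, not part of the original message or of Samba: it assumes each domain's Samba searches the subtree under its configured `ldap suffix`, compares DNs case-insensitively, and uses constructed domain names and suffixes.

```python
import re
from itertools import combinations

# Constructed sample: domain name -> "ldap suffix" taken from that domain's smb.conf.
SAMPLE = {
    "DOMA": "ou=DomA,dc=example,dc=org",
    "DOMB": "ou=DomB, DC=example, dc=org",
    "DOMC": "dc=example,dc=org",          # parent of every other suffix
    "DOMD": "OU=doma,dc=example,dc=org",  # same subtree as DOMA, different case
}

def parse_dn(dn):
    """Split a DN into normalized RDNs (lower-cased, whitespace-trimmed)."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):  # do not split on escaped commas
        attr, _, value = rdn.partition("=")
        if not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        # Assumption: attribute values in these suffixes match case-insensitively.
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def covers(base, other):
    """True if a subtree search at `base` would return entries under `other`."""
    b, o = parse_dn(base), parse_dn(other)
    return len(b) <= len(o) and o[len(o) - len(b):] == b

def overlapping_domains(suffixes):
    """Return (domain_seeing, domain_seen) pairs whose search bases overlap."""
    hits = []
    for (d1, s1), (d2, s2) in combinations(sorted(suffixes.items()), 2):
        if covers(s1, s2):
            hits.append((d1, d2))
        # Identical suffixes are reported once, by the branch above.
        if covers(s2, s1) and parse_dn(s1) != parse_dn(s2):
            hits.append((d2, d1))
    return hits

if __name__ == "__main__":
    for seeing, seen in overlapping_domains(SAMPLE):
        print(f"{seeing} can see objects of {seen}")
```

An empty result means every domain's search base is an independent subtree; any pair reported is a domain whose searches reach another domain's objects.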