[Samba] Re: Reg: net rpc rights grant command is not working on samba-3.0.10

Charlie medievalist at gmail.com
Wed Jun 18 16:08:41 GMT 2008

On Wed, Jun 18, 2008 at 2:21 AM, Volker Lendecke
<Volker.Lendecke at sernet.de> wrote:
> If I understood you correctly then you have users in LDAP
> that are to be authenticated in more than one domain.

Correct.  This is a highly desirable configuration that offers
tremendous competitive advantages to commercial enterprises and
increased efficiency for non-profits such as hospitals and research
foundations.  I believe many organizations use samba in this way,
because it makes MS-Windows desktops more powerful than a pure
Microsoft server architecture does.

> Assuming that is right then yes, this is a not supported
> configuration and never has been. It might have worked at
> some point, but we deliberately moved to a much more
> predictable SID-based model for almost everything
> internally. On that way we very likely broke what you
> described.

The current model does not preclude this configuration, although the
software makes it very hard to do.  In my previous email I made some
suggestions about how the code could be tweaked to support it.  (Since
I'm not contributing code at this time, I am certainly willing to pay
for others to do so.)

> The only way a central LDAP can work is using completely
> independent OUs per domain in a way that no objects from one
> domain are seen by another domain.

Yes and No.  Yes, machine trust accounts and idmaps have to be
restricted from appearing in more than one domain.  No, user accounts
can still be published to all domains.

Samba PDCs (running v3.0.11 or greater) that are netlogon servers
behave in ways I still don't fully understand.  My end-users in the
past simply logged on in whichever domain they happened to be
visiting, and a user SID was composed with a consistent
algorithmically generated RID attached to the local server SID.

Samba hosts that are not PDCs or netlogon servers still work great
with multiple domains on a single authentication backend.  We have
been using this capability for more than a decade to great advantage.
There are thousands of sites running RHEL3 that do the same thing - if
you have an application host that runs samba, you can have thousands
of users from different domains using it without incurring the high
licensing and hardware costs of a MS-Windows server on the back end.

> One thing that I could imagine though is to centralize ID
> mapping in this scenario, winbind from domain A could
> (read-only) look at the LDAP objects of domain B to get a
> unified uid space.

Yes, that's essentially what we're doing.  We have domain-specific
container objects for trusts that are restricted by OpenLDAP ACLs, but
we have a single ou=People object and a single ou=Group object.  I can
supply more configuration information if you wish, but this email is
already very long!

> I know that it is hard or impossible to change your existing
> LDAP tree, but one account in multiple domains is just way
> too error-prone, fragile and confusing if not used VERY,
> VERY carefully.

I personally am comfortable with rewriting the entire LDAP tree if
necessary - I did it three times when we converted from 3.0.10 to
3.0.25 and then to 3.0.28.  I generally dump the database to LDIF and
rewrite it with gnu awk, then reload it and sync it out to the
replicas (we have dozens).  If I am forced to do major modifications
with systems running - something I try to avoid - I write a bash
script incorporating ldapsearch and ldapmodify from the OpenLDAP
toolset.  I cannot recommend this to others, because it's too easy to
destroy your enterprise infrastructure with a typographical error.

In a modern, directory based work environment, people are not limited
to single desks, or even single countries or states.  A person in
England may be signing on to systems in Baluchistan tomorrow, and
everything is expected to work seamlessly as though that person were
still in England.  A site is expected to continue functioning even if
half the WAN links to that site break unexpectedly.  We have achieved
this with samba, linux, and Windows versions 3.11 through XP.  It's
getting harder to do, though, and the advantages of running linux are
eroding as software like MS-Windows gets more complex and difficult to
integrate with standards-based architectures.

> Volker

Thank you, Volker, for taking the time to discuss this with me!
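The dump, rewrite and reload procedure Charlie describes above (dump the tree to LDIF, rewrite it, reload it), as an added example that is not part of this thread and not Charlie's own awk or bash scripts: a minimal LDIF parser and serializer in Python, one constructed rewrite (swapping the domain part of Samba SIDs while keeping the RID; the thread does not say what his scripts actually changed), and the pre-reload sanity checks that catch the kind of typo he warns can wreck an enterprise directory. The DNs, SIDs and attribute values are constructed; sambaSID and sambaPrimaryGroupSID are the standard Samba 3 LDAP schema attribute names. Base64 values (`attr::`) and folded continuation lines are handled; `attr:< url` references are not.

```python
import base64
from typing import List, Tuple

# An entry is (dn, [(attribute, value), ...]); order is kept so dumps diff cleanly.
Entry = Tuple[str, List[Tuple[str, str]]]

# Constructed sample dump: two sambaSamAccount users under a shared ou=People.
# The domain SIDs and RIDs are made up for this example.
OLD_DOMAIN_SID = "S-1-5-21-111-222-333"
NEW_DOMAIN_SID = "S-1-5-21-444-555-666"
SID_ATTRS = {"sambasid", "sambaprimarygroupsid"}   # compared case-insensitively

SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-111-222-333-1000
sambaPrimaryGroupSID: S-1-5-21-111-222-333-513
displayName:: QWxpY2Ugw5ZzdGVycmVpY2hlcg==
description: a folded value that continues
  on the next line

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-111-222-333-1002
sambaPrimaryGroupSID: S-1-5-21-111-222-333-513
"""


def _split_line(line: str) -> Tuple[str, str]:
    """Split 'attr: value' or 'attr:: base64value' into (attr, decoded value)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attr, rest.strip()


def parse_ldif(text: str) -> List[Entry]:
    """Parse an LDIF dump (as written by slapcat or ldapsearch) into entries."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # continuation of the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: List[Tuple[str, str]] = []
    for line in unfolded + [""]:                  # sentinel flushes the last entry
        if line.strip() == "":
            if current:
                if current[0][0] != "dn":
                    raise ValueError("entry does not start with dn:")
                entries.append((current[0][1], current[1:]))
                current = []
            continue
        if line.startswith("#"):
            continue
        current.append(_split_line(line))
    return entries


def _needs_base64(value: str) -> bool:
    return (not value.isascii() or value.startswith((" ", ":", "<"))
            or value.endswith(" ") or "\n" in value or "\r" in value)


def to_ldif(entries: List[Entry]) -> str:
    """Serialize entries back to LDIF, base64-encoding values that require it."""
    out: List[str] = []
    for dn, attrs in entries:
        for attr, value in [("dn", dn)] + attrs:
            if _needs_base64(value):
                out.append(f"{attr}:: {base64.b64encode(value.encode()).decode()}")
            else:
                out.append(f"{attr}: {value}")
        out.append("")
    return "\n".join(out)


def rewrite_domain_sid(entries: List[Entry], old: str, new: str) -> List[Entry]:
    """Return new entries with the domain part of Samba SIDs swapped, RIDs kept."""
    result: List[Entry] = []
    for dn, attrs in entries:
        new_attrs = []
        for attr, value in attrs:
            if attr.lower() in SID_ATTRS and value.startswith(old + "-"):
                value = f"{new}-{value[len(old) + 1:]}"
            new_attrs.append((attr, value))
        result.append((dn, new_attrs))
    return result


def check_rewrite(before: List[Entry], after: List[Entry], old: str) -> List[str]:
    """Sanity checks to run before reloading a rewritten dump; empty list means OK."""
    problems: List[str] = []
    if len(before) != len(after):
        problems.append(f"entry count changed: {len(before)} -> {len(after)}")
    for (dn_b, attrs_b), (dn_a, attrs_a) in zip(before, after):
        if dn_b != dn_a:
            problems.append(f"DN changed: {dn_b} -> {dn_a}")
        if len(attrs_b) != len(attrs_a):
            problems.append(f"{dn_b}: attribute count changed")
        for (attr_b, val_b), (attr_a, val_a) in zip(attrs_b, attrs_a):
            if attr_a.lower() in SID_ATTRS:
                if val_a.startswith(old + "-"):
                    problems.append(f"{dn_a}: {attr_a} still references {old}")
                if val_b.rsplit("-", 1)[-1] != val_a.rsplit("-", 1)[-1]:
                    problems.append(f"{dn_a}: {attr_a} RID changed")
    return problems


if __name__ == "__main__":
    original = parse_ldif(SAMPLE_LDIF)
    rewritten = rewrite_domain_sid(original, OLD_DOMAIN_SID, NEW_DOMAIN_SID)
    for problem in check_rewrite(original, rewritten, OLD_DOMAIN_SID):
        print("PROBLEM:", problem)
    print(to_ldif(rewritten))      # this is what would be fed back to slapadd
```

The checks are deliberately dumb: same number of entries, same DNs in the same order, same attribute count per entry, no leftover references to the old domain, and no RID changed. They will not validate the schema, but they do catch the classes of mistake that a mis-typed awk field or a wrong regex produces, before anything is pushed to a replica.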
