[Samba] Multi samba domain in one LDAP Backend with multi-site authentication

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Feb 1 10:45:11 MST 2010

You should be able to have separate OU's in LDAP for each domain.   From 
the point-of-view of samba, each samba PDC would only know about its own 
section of the LDAP tree-  and in effect would be the same as separate 
LDAP servers.

You would want to make sure that the underlying unix authentication on 
that server would also only used the domain-specific section of LDAP for 
user authentication.

You would still want to use idmap.   Do you need all domains trusting 
each other-  or is it a series of trusts between each remote office and 
the central office.    A full mesh could get really messy, although I 
haven't tried this yet.     If you have six domains, potentially each 
domain OU is could contain 5 ou's for idmap entries.       I think you 
could have one, enterprise-wide idmap ldap section, with a ou underneath 
for each domain.    You might even want to make them read-only for most 
domains so that the entries stay consistent.

By default, winbind allocates uid and gid's from a dynamic range that 
does NOT overlap the uid and gid ranges for "local" users.    I 
personally would either modify entries as they are created, or actually 
prepopulate entries,  so that the uid/gid entries in the idmap are the 
same as the real uid/gid values for the actual unix account.    I used 
to do this when using idmap with member servers with in the domain to 
make sure that when a windows user created or modified a file on an NFS 
shared, a consistent unix uid was used between windows and nfs on all 

So your LDAP structure would be similar to

I don't know if OpenLDAP handles multi-master replication (I am using 
Sun Directory Server.)       Assuming it did, each site could have its 
own LDAP server but in the same LDAP tree.

the other approach would be to have a separate LDAP server and structure 
for each site BUT configure referrals between each LDAP server (i.e. on 
ServerA, ou=DomainB points to ou=DomainB on ServerB) to create the 
appearance of a single LDAP tree.

On 02/01/10 04:02, Thibault Vançon wrote:
> Thanks Gaiseric for your answer,
> I know this things about trust relashionship even if i still don't
> have setup one, but we need to have only one LDAP backend, to allow
> others applications to authenticate user with LDAP. We can't specifie
> more than one backend in our application.
> I've thought that i could create different OU with each domain, and
> configure smbldap-tools and pam to work with this OU, with a base like
> : dc=DOMAIN, dc=company, dc=com , and replicate this LDAP on other
> site.
> But is it possible to use trust relationship with this kind of LDAP
> structure ? will i need IDMAP ?
> Thanks,
> Thibault

More information about the samba mailing list