[Samba] Can one user use the same credentials to log into multiple domains, and how do I do it?
johnathan.bell at baker.edu
Thu Feb 18 08:15:06 MST 2010
First, our current setup.
I'm setting up a Samba 3.4 environment to replace our old Samba 3.0.x setup and make ready for Windows 7. There are several different campus locations, and each has its own Samba PDC. Due to some (possibly poor) decisions made early in the development of the system, instead of giving each campus its own domain name, we used the algorithmic rid base parameter in smb.conf to manually beat on the numbers to make it work.
I believe this is what would fix the problem, but Anyway, here's my problem. I have the new Samba server set up with a different domain name and it appears to be working, but now users from the old domain setup can't log in. It looks like it's an SID problem, as the log messages are similar to:
[2010/02/18 09:53:46, 1] rpc_client/init_netlogon.c:237(serverinfo_to_SamInfo3)
_netr_LogonSamLogon: user DOMAINNAME\username has user sid S-*-*-**-**********-*********-**********-*****
but group sid S-*-*-**-**********-*********-**********-*****.
The conflicting domain portions are not supported for NETLOGON calls
Sure enough, the *'d out SIDs are different: the first is the SID for the old domain, and the second is for the new domain. Now, I could just go and change the user's SID, but there are a couple of problems with that. One, that's problematic for a system with several thousand users. Two, even if I were to do that, we have several users who move between campuses and would need to log in to several different domains, and changing SIDs when they move would also be problematic. Maybe this is what a "roaming profile" or "trusted domain" is, but I'm not sure.
So here's my question: How can I set Samba up to accept logins on one domain with credentials from another, or is this even what I would need to get this working?
Internet System Administrator, Baker College
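
Added example, not part of the original post: a Python sketch that scans Samba log text for the NETLOGON message quoted above and groups the affected accounts by the pair of mismatched domain SIDs, which gives a measure of how many users hit the conflict. The domain name, usernames and SIDs in the sample are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the post; domain name,
# usernames and SIDs are made up for illustration.
SAMPLE_LOG = r"""
[2010/02/18 09:53:46, 1] rpc_client/init_netlogon.c:237(serverinfo_to_SamInfo3)
  _netr_LogonSamLogon: user OLDDOM\alice has user sid S-1-5-21-1111111111-222222222-3333333333-3001
   but group sid S-1-5-21-4444444444-555555555-6666666666-513.
  The conflicting domain portions are not supported for NETLOGON calls
[2010/02/18 09:54:02, 1] rpc_client/init_netlogon.c:237(serverinfo_to_SamInfo3)
  _netr_LogonSamLogon: user OLDDOM\bob has user sid S-1-5-21-1111111111-222222222-3333333333-3002
   but group sid S-1-5-21-4444444444-555555555-6666666666-513.
  The conflicting domain portions are not supported for NETLOGON calls
[2010/02/18 09:58:31, 1] rpc_client/init_netlogon.c:237(serverinfo_to_SamInfo3)
  _netr_LogonSamLogon: user OLDDOM\alice has user sid S-1-5-21-1111111111-222222222-3333333333-3001
   but group sid S-1-5-21-4444444444-555555555-6666666666-513.
  The conflicting domain portions are not supported for NETLOGON calls
"""

SID_RE = r"S-1-\d+(?:-\d+)+"
# The message wraps across lines, so \s+ is allowed to span the newline.
MISMATCH_RE = re.compile(
    r"user\s+(?P<account>\S+)\s+has\s+user\s+sid\s+(?P<user_sid>" + SID_RE + r")"
    r"\s+but\s+group\s+sid\s+(?P<group_sid>" + SID_RE + r")")


def split_sid(sid):
    """Split a SID into (domain portion, RID); the RID is the last sub-authority."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def affected_accounts(log_text):
    """Map (user domain SID, group domain SID) -> sorted accounts hitting the error."""
    pairs = defaultdict(set)
    for m in MISMATCH_RE.finditer(log_text):
        user_dom, _ = split_sid(m["user_sid"])
        group_dom, _ = split_sid(m["group_sid"])
        if user_dom != group_dom:  # same check the NETLOGON code path enforces
            pairs[(user_dom, group_dom)].add(m["account"])
    return {k: sorted(v) for k, v in pairs.items()}


if __name__ == "__main__":
    for (user_dom, group_dom), accounts in affected_accounts(SAMPLE_LOG).items():
        print(f"user domain {user_dom} vs group domain {group_dom}: {accounts}")
```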