[Samba] Multi samba domain in one LDAP Backend with multi-site authentication

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri Jan 29 08:50:18 MST 2010

On 01/29/10 05:59, Thibault Vançon wrote:
> Hello,
> I need some help to set up a multi-site authentication architecture with
> samba.
> Our company is composed of 6 sites which are VPN-linked.
> On each, there is a Samba 3.0.27 PDC with LDAP backend on Debian Etch (I will
> probably upgrade it to lenny with this project, and a newer version of
> Samba). We would like to permit a user of one domain to log in to another with
> the same credentials.
> Currently, if a user needs to connect to a share of another domain, we have to
> create it again in the other LDAP backend. So we have a lot of duplicates,
> which is not very good because we store a lot of administrative information
> such as email, function, etc., and we need to use LDAP for other applications
> (Intranet on Apache server, ERP,…).
> My boss is not closed with that and wants to keep the multi-domain
> architecture (I’m actually converting it to free software…). I know that it
> would be easier to have only one domain with LDAP replication, but he still
> doesn’t want that.
> Is there a multi samba domain schema for LDAP? What about trusted
> relationships? Do they work fine? Other possibilities (RADIUS, etc.)?
> Thanks a lot for your answer, and sorry for my English, which is not very good.
> Thibault Vançon
> ---------
> System and Network administrator – Alsapan – France

The samba how-to book documentation on www.samba.org does a pretty good
job of explaining inter-domain trusts. This does allow you to allow
users from one domain to have access to resources in another
domain. The samba domains are trusting each other. The LDAP server
in one domain does not have to talk to the LDAP server in another
domain. You do need to use winbind and set up IDMAP ranges - which can
get a little tricky. So if each site has its own domain, and each
domain has only one PDC, you will not have to worry about LDAP replication.

There are some benefits to a multiple domain approach -
    - if you need to designate local administrators in each domain but
not for the entire company
    - there is a logical business division between each site (maybe one
site has the Sales people and one site has Engineering people.)
    - fewer problems if your VPN links are unreliable or slow.

If you want to consolidate domains then you may want to make sure that
either your remote site has a Samba BDC (with ldap replication) and a
reliable VPN connection.

Either way you want people to run their login scripts and have their
home directories on a server in their site. You also may want to
consider having a WINS server in each site - depending on the number of

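An added example, not part of the original thread and not Samba's own code: on a Samba 3.0.x PDC, winbind allocates Unix IDs for trusted-domain users from the `idmap uid` / `idmap gid` ranges, so those ranges must not contain any uidNumber or gidNumber already used in that domain's own LDAP backend. The check below assumes the ranges are set in `[global]`; the smb.conf fragment, account names and ID values are constructed for illustration.

```python
import re

# Constructed sample: [global] section of a Samba 3.0.x PDC that trusts other domains.
SMB_CONF = """
[global]
    workgroup = SITEA
    allow trusted domains = yes
    idmap uid = 10000-19999
    idmap gid = 10000-19999
"""

# Constructed sample: IDs already present in SITEA's own LDAP backend.
LDAP_UIDS = {"root": 0, "tvancon": 1001, "svc_erp": 10050}
LDAP_GIDS = {"Domain Users": 513, "sales": 2001}

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict (keys lower-cased)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or smb.conf comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def idmap_range(params, name):
    """Parse 'idmap uid' / 'idmap gid' ("low-high") into an inclusive (low, high)."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", params.get(name, ""))
    if not m:
        raise ValueError(f"{name!r} is missing or not a low-high range")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError(f"{name!r} has low > high")
    return low, high

def collisions(id_range, existing):
    """Names whose existing ID lies inside the range winbind allocates from."""
    low, high = id_range
    return sorted(n for n, i in existing.items() if low <= i <= high)

def audit(conf_text, uids, gids):
    """Report local LDAP accounts and groups that collide with the idmap ranges."""
    params = parse_global(conf_text)
    return {"uid": collisions(idmap_range(params, "idmap uid"), uids),
            "gid": collisions(idmap_range(params, "idmap gid"), gids)}

if __name__ == "__main__":
    print(audit(SMB_CONF, LDAP_UIDS, LDAP_GIDS))
```

A non-empty result means a trusted-domain user could be mapped to the same Unix ID as an existing local account, which would give one the other's file ownership and permissions.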