[Samba] Multiple Standalone Servers With Single LDAP Server

Gordan Bobic gordan at bobich.net
Wed Aug 6 03:31:48 MDT 2014

On 2014-08-06 10:05, Rowland Penny wrote:
> On 04/08/14 16:45, Gordan Bobic wrote:
>> Hi,
>> I'm trying to set up multiple standalone Samba servers that use the 
>> same OpenLDAP back-end database for authentication, but on any servers 
>> beyond the first one I cannot seem to get past an error like the 
>> following:
>> "The primary group domain sid($SecondaryServerSID) does not match the 
>> domain sid($PrimaryServerSID) for $UserName($UserSID)"
>> It seems nuts to have to set up a domain controller just to have 
>> multiple standalone servers within the same workgroup.
>> If I configure the secondary server to use a local user password 
>> database for authentication, everything works fine, but that means 
>> having to maintain the database in multiple locations.
>> Is there a way to completely neuter all the domain functionality and 
>> use LDAP _only_ for username/password authentication from multiple 
>> standalone servers within the same workgroup?
>> Gordan
> Short answer: NO.
> Long answer: in this instance, Samba is working just like a Windows
> workgroup. You can have lots of Windows machines in the same
> workgroup, but you have to create any users & groups that you want to
> connect to a machine on that machine AND on any others that you want the
> users or groups to connect to. Once you get past 10 or 12 machines
> this gets complicated and hard to keep track of, which is why domains
> were created. Now that you know this, can you see why what you are
> trying to do with Samba will not work?

Now that I know this, I still absolutely DO NOT see why what I am
trying to do with samba will not work. If it is capable of using
a local user authentication database, I see no reason why the
authentication mechanism cannot use some kind of a centralised
username/password verification database.

Setting up a domain on top seems like an entirely needless complication.

If LDAP can be used to authenticate to a single Samba server
in a workgroup, I see no reason at all why this would necessitate
the existence of a domain to perform the same authentication to additional
Samba servers in the same workgroup.
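The error quoted above is Samba refusing an LDAP account whose SIDs carry a domain prefix different from the server's own machine SID (each standalone server generates its own, so entries written by the first server do not match the second). As an added diagnostic, not part of this thread, the Python below pulls the SIDs out of such log lines and reports which prefix the LDAP entries were written with; the one-line log format and all SIDs are constructed placeholders, not values from any real deployment.

```python
import re

# Constructed sample lines in the shape of the error quoted in the thread.
# Every SID here is a placeholder, not a value from any real deployment.
SAMPLE_LOG = """\
[2014/08/06 10:05:01, 0] passdb/pdb_ldap.c: The primary group domain sid(S-1-5-21-1111-2222-3333-513) does not match the domain sid(S-1-5-21-4444-5555-6666) for alice(S-1-5-21-1111-2222-3333-1001)
[2014/08/06 10:05:01, 3] smbd/service.c: alice: session setup failed
[2014/08/06 10:05:02, 0] passdb/pdb_ldap.c: The primary group domain sid(S-1-5-21-1111-2222-3333-513) does not match the domain sid(S-1-5-21-4444-5555-6666) for bob(S-1-5-21-1111-2222-3333-1002)
"""

ERR_RE = re.compile(
    r"primary group domain sid\((?P<group>S-[\d-]+)\) does not match the domain "
    r"sid\((?P<domain>S-[\d-]+)\) for (?P<user>[^(]+)\((?P<usersid>S-[\d-]+)\)"
)

def domain_of(sid):
    """Return the domain prefix S-1-5-21-A-B-C of a SID, dropping any trailing RID."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) not in (7, 8):
        raise ValueError(f"not a domain SID or domain-relative SID: {sid}")
    return "-".join(parts[:7])

def parse_sid_mismatches(log_text):
    """Extract one record per mismatch line; unrelated log lines are ignored."""
    findings = []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if m is None:
            continue
        findings.append({
            "user": m["user"],
            "server_domain": domain_of(m["domain"]),   # this server's own SID
            "group_domain": domain_of(m["group"]),     # prefix stored in LDAP
            "user_domain": domain_of(m["usersid"]),    # prefix stored in LDAP
        })
    return findings

def diagnose(findings):
    """Summarise the server's own domain SID against the SIDs the LDAP entries carry."""
    own = {f["server_domain"] for f in findings}
    in_ldap = {f["group_domain"] for f in findings} | {f["user_domain"] for f in findings}
    return {
        "this_server": sorted(own),
        "foreign_in_ldap": sorted(in_ldap - own),
        "affected_users": sorted(f["user"] for f in findings),
    }
```

Run `diagnose(parse_sid_mismatches(SAMPLE_LOG))` against a server's log to see in one place which domain prefix the LDAP entries were written with and which users are affected.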

