[Samba] multiples domains or PDCs in samba

Nicolás nicoguerrarocha at gmail.com
Tue Jul 1 06:32:34 MDT 2014

I'm Nicolás from Uruguay. I work at ASSE (public health services); the
enterprise has lots of buildings all over my country, more than 100,
with thousands of employees and PCs. Until now there has been no "network
configuration" on the PCs (no network users, etc.) and I'm trying to
solve that. I started working with Samba about one year ago (I've been
learning a lot); I started working in one building and now I have a
Samba PDC with an OpenLDAP backend. I have to make my way to a highly
scalable configuration (because of the number of users and PCs) and I
want to get it right; that's the reason I'm asking you for help.

I have a master OpenLDAP server that stores all authentication, groups,
sudoers, automount, other applications' role data, etc. I have a
replica OpenLDAP server that replicates some objects from the master.

I have a Samba PDC authenticating against the replica OpenLDAP server
(that's the way I control that users from one building don't log in on
PCs of other buildings: I replicate some user accounts and some PC
accounts), and I've joined Windows XP, Windows 7 and Windows 8 to the
domain. I'm also working with Ubuntu 10.04 (up to the newest one) and
openSUSE 12.1 (up to the newest one), mounting users' homes over NFS and
using the replica OpenLDAP for authentication and file system
permissions. Until now it's all OK; it works like a charm ;-)

From now on I'll call 'A' the building I configured first, which is
working nicely, and I'll call 'B' and 'C' the next buildings I need to

Well, in my first approach to configuring other PDCs in buildings 'B'
and 'C', I thought configuring individual domains for 'A', 'B' and 'C'
would be the correct way to go. Then, googling and reading, I read this


It is suggested not to run different domains for the same organization,
so I have no "clean idea" of what I need.

So, in a highly scalable configuration:

1) should I configure one domain and replicate it to all buildings?
I can restrict user logins by replicating some users from the master
OpenLDAP to every building (I don't want all users of 'A' to be able to
log in on 'B' or 'C' computers; I don't want users logging in freely
everywhere).

2) should I configure lots of domains with the same sambaSID and have
lots of domain entries with different names in LDAP? (Is there a
difference between this and having just one domain?)
That would allow me to use the same groups in lots of buildings; for
example, "Domain Admins" would be the same in every domain. And again, I
don't want everybody logging in everywhere, so I use replication to
separate users.

3) should I configure lots of totally separate domains in the master
OpenLDAP tree?
Then in the master LDAP I'd have one subtree for each domain, but what
will happen with uids and gids?

4) what happens if different domains have different sambaSIDs? Could
users with one sambaSID use other domains' PCs?
It would be really nice to control who can log in to each domain, and
change it dynamically if needed; for example, someone could need to
work half a day in one building and the other half in another. I need
to consider that too :-S

I think that is enough, just for now :-)
Any help will be welcome.
Thank you,
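As an added illustration (not part of Nicolás's post and not a Samba project file), here is what option 1 looks like when written down: one domain (one sambaDomain entry, one SID) held on the master OpenLDAP server, a filtered syncrepl consumer in building B that only receives the accounts tagged for that building, and a Samba 3 BDC in building B that authenticates against that local replica. The hostnames, DNs, the use of the multi-valued `l` (locality) attribute as a per-building tag, and the user `jperez` are assumptions made for the example.

```conf
# ---- Building B: /etc/ldap/slapd.conf (consumer replica) ----
# Added example, not from the original post. Hostnames, DNs and the use
# of 'l' (localityName) as a per-building tag are assumptions. 'l' is
# allowed on inetOrgPerson (users) and on 'account' (machine accounts).
database        hdb
suffix          "dc=asse,dc=example"
rootdn          "cn=admin,dc=asse,dc=example"
directory       /var/lib/ldap

# Pull only what building B needs: the single sambaDomain entry (so every
# DC shares one SID), all groups, and the user/machine accounts tagged
# l=building-B. Everything else stays on the master and is invisible here.
syncrepl rid=002
        provider=ldap://ldap-master.asse.example
        type=refreshAndPersist
        retry="60 10 300 +"
        searchbase="dc=asse,dc=example"
        filter="(|(objectClass=sambaDomain)(objectClass=posixGroup)(&(objectClass=sambaSamAccount)(l=building-B)))"
        scope=sub
        attrs="*,+"
        schemachecking=off
        bindmethod=simple
        binddn="cn=replicator,dc=asse,dc=example"
        credentials=REPLACE_WITH_REPLICATOR_PASSWORD
        starttls=critical
        tls_reqcert=demand

# Writes (password changes, machine joins) are refused on the replica and
# referred to the master; Samba follows the referral with its admin DN.
updateref       ldap://ldap-master.asse.example

# Password hashes are readable only by the Samba admin DN; 'auth' lets
# clients bind with their password without reading the hash.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact="cn=samba,dc=asse,dc=example" read
        by anonymous auth
        by * none
access to *
        by * read

# ---- Building B: /etc/samba/smb.conf (BDC using the local replica) ----
[global]
   workgroup = ASSE
   netbios name = BDC-B
   security = user
   domain logons = yes
   domain master = no          # only the PDC in building A has 'yes'
   local master = yes
   preferred master = yes
   os level = 65
   passdb backend = ldapsam:ldap://localhost
   ldap suffix = dc=asse,dc=example
   ldap user suffix = ou=people
   ldap group suffix = ou=groups
   ldap machine suffix = ou=computers
   ldap admin dn = cn=samba,dc=asse,dc=example
   ldap ssl = start tls
   # After a write is referred to the master, wait this many milliseconds
   # for syncrepl to bring the change back before re-reading it locally.
   ldap replication sleep = 2000

# ---- On the master: let one user log in at A and at B (ldapmodify -f) ----
# 'l' is multi-valued, so the half-day-here, half-day-there case is just
# a second value; removing a value drops the account from that replica.
dn: uid=jperez,ou=people,dc=asse,dc=example
changetype: modify
add: l
l: building-A
l: building-B
```

Things to check before trusting this in production: `net getlocalsid` must print the same SID on the PDC and on every BDC, which only happens if the sambaDomain entry is in each replica's filter; the Samba admin DN password is stored with `smbpasswd -w` and the slapd.conf holding `credentials=` must not be world-readable; and the "who can log in where" control is only as strong as the replica contents, so verify on a test consumer that removing a user's `l` value really deletes the entry from that replica, and remember that Windows caches domain credentials locally, so a user who has already logged on at a building B PC can keep logging on there for a while after the account disappears from the B replica.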


