David B Harris
2006-Feb-27 19:48 UTC
[Samba] Multiple domains served by a single LDAP tree
Good {morning,afternoon,evening} everybody,

A while ago I wrote to the list asking about whether the uidNumber/gidNumber of the "commonly-known SIDs" had to match the RID of the SID; the answer was "no".

I asked because I intended to implement multiple NT4/Samba domains using a single LDAP tree; each Samba PDC/BDC instance would only use the relevant subset of the tree. Unix/Linux hosts would use the full LDAP tree to resolve every possible UID/GID, but Windows hosts would use DOMAIN\group and/or DOMAIN\user stuff.

I've read the documentation more, in particular those bits corresponding to inter-Samba domain trusts, and the documentation quite clearly states that this isn't particularly recommended given the fragility of SMB trusts, and the availability of such scalable backends as LDAP.

My question, then, is do people here put together multiple NT4/Samba domains using a single LDAP backend? I'm betting not. Assuming that's the case, from Windows, how does one assign permissions and whatnot? From a single large flatspace containing every user and group? If not, how are they separated?

Part of this is a user-acceptance issue; I'd like it to be very clear that a particular user belongs to a particular business group (i.e.: DEVEL, EXEC, FINANCE).

I guess the crux of the question is, "is there any way to have multiple NT4/Samba domains served from a single multi-branch LDAP backend without inter-domain trusts, or is there some better way to go about what I'm trying to accomplish?"

Thanks very much in advance.

-- 
Arguing with an engineer is like wrestling with a pig in mud.
After a while, you realise the pig is enjoying it.

OpenPGP v4 key ID: 4096R/59DDCB9F
Fingerprint: CC53 F124 35C0 7BC2 58FE 7A3C 157D DFD9 59DD CB9F
Retrieve from subkeys.pgp.net
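The layout David describes (one LDAP tree, one branch per NT4-style domain, each Samba 3 PDC pointed at its own branch through `ldap suffix` / `ldap user suffix` / `ldap group suffix` while Unix hosts resolve the whole tree) only holds together if two invariants are maintained across the tree: uidNumber/gidNumber values must be unique tree-wide, since Unix hosts see every branch as one flat ID space, and every sambaSID must carry the SID prefix of the sambaDomain entry for the branch it lives in, since each PDC only trusts its own domain SID. The script below is an added example, not code from the original post or from the Samba project; it reads a small constructed LDIF fragment with two domain branches (DEVEL and FINANCE) and reports violations of both invariants plus RID collisions. The branch layout `ou=Users,ou=<DOMAIN>,dc=example,dc=com` and the domain SIDs are assumptions made for the example.

```python
"""Sanity-check one LDAP tree that backs several Samba (NT4-style) domains.

Added example, not from the mailing-list post or from Samba itself. Assumes:
  * standard Samba 3 LDAP schema attributes (sambaDomainName, sambaSID,
    sambaSamAccount, sambaGroupMapping, posixAccount, posixGroup);
  * each domain lives under ou=<DOMAIN>,dc=example,dc=com, with ou=Users and
    ou=Groups beneath it (hypothetical layout);
  * the LDIF below is constructed sample data with two deliberate faults.
"""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: sambaDomainName=DEVEL,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: DEVEL
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: sambaDomainName=FINANCE,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: FINANCE
sambaSID: S-1-5-21-4444444444-5555555555-6666666666

dn: uid=alice,ou=Users,ou=DEVEL,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 10001
gidNumber: 20001
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-21002

dn: cn=developers,ou=Groups,ou=DEVEL,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: developers
gidNumber: 20001
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-41003

# Fault 1: uidNumber 10001 reused in another branch (collides for Unix hosts).
# Fault 2: sambaSID carries DEVEL's domain prefix although bob lives in FINANCE.
dn: uid=bob,ou=Users,ou=FINANCE,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bob
uidNumber: 10001
gidNumber: 20002
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-21004

dn: cn=finance,ou=Groups,ou=FINANCE,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: finance
gidNumber: 20002
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-41005
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, attrs); attrs maps lower-cased
    attribute name -> list of values. Skips '#' comments. No base64 or
    line-continuation support, which the constructed sample does not need."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = (value, defaultdict(list))
        elif current is not None:
            current[1][name].append(value)
    if current:
        entries.append(current)
    return entries


def branch_domain(dn):
    """Domain a DN belongs to under the assumed layout: the outermost ou=
    RDN, i.e. the one directly beneath the dc= base."""
    ous = [rdn.split("=", 1)[1] for rdn in dn.split(",")
           if rdn.strip().lower().startswith("ou=")]
    return ous[-1].strip().upper() if ous else None


def check_tree(entries):
    """Return a list of findings, each a tuple starting with a kind string."""
    findings = []
    domain_sids = {}                       # DOMAIN -> domain SID
    for dn, a in entries:
        if "sambadomain" in {oc.lower() for oc in a["objectclass"]}:
            domain_sids[a["sambadomainname"][0].upper()] = a["sambasid"][0]

    uids, gids, rids = defaultdict(list), defaultdict(list), defaultdict(list)
    for dn, a in entries:
        ocs = {oc.lower() for oc in a["objectclass"]}
        if "posixaccount" in ocs:
            uids[a["uidnumber"][0]].append(dn)
        if "posixgroup" in ocs:
            gids[a["gidnumber"][0]].append(dn)
        if "sambasamaccount" in ocs or "sambagroupmapping" in ocs:
            prefix, rid = a["sambasid"][0].rsplit("-", 1)
            expected = domain_sids.get(branch_domain(dn))
            if expected is None:
                findings.append(("no-domain-for-branch", dn, branch_domain(dn)))
            elif prefix != expected:
                findings.append(("sid-domain-mismatch", dn, prefix, expected))
            rids[(prefix, rid)].append(dn)   # SIDs must be unique per domain

    for uid, dns in uids.items():
        if len(dns) > 1:
            findings.append(("duplicate-uidnumber", uid, dns))
    for gid, dns in gids.items():
        if len(dns) > 1:
            findings.append(("duplicate-gidnumber", gid, dns))
    for (prefix, rid), dns in rids.items():
        if len(dns) > 1:
            findings.append(("duplicate-rid", prefix, rid, dns))
    return findings


if __name__ == "__main__":
    for f in check_tree(parse_ldif(SAMPLE_LDIF)):
        print(f)
```

Run against a real tree by replacing `SAMPLE_LDIF` with the output of `ldapsearch -LLL -x -b dc=example,dc=com`; an empty findings list means the tree is consistent for both the Unix view (flat UID/GID space) and each PDC's view (its own domain SID only). On the constructed sample it reports bob's reused uidNumber and his wrong-domain sambaSID.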
Abdul-Wahid Paterson
2006-Feb-28 11:11 UTC
[Samba] Multiple domains served by a single LDAP tree
Hi,

I have a very similar question to this. Are there any Samba/LDAP howtos or documentation on this issue? In my situation the users are split over two subnets but many users need the same access to corporate resources. However, they should be using local file server and samba authentication servers.

Any hints or tips are welcome.

Regards,

Abdul-Wahid

On 2/27/06, David B Harris <dbharris@eelf.ddts.net> wrote:
> Good {morning,afternoon,evening} everybody,
>
> A while ago I wrote to the list asking about whether the
> uidNumber/gidNumber of the "commonly-known SIDs" had to match the RID of
> the SID; the answer was "no".
>
> I asked because I intended to implement multiple NT4/Samba domains using
> a single LDAP tree; each Samba PDC/BDC instance would only use the
> relevant subset of the tree. Unix/Linux hosts would use the full LDAP
> tree to resolve every possible UID/GID, but Windows hosts would use
> DOMAIN\group and/or DOMAIN\user stuff.
>
> I've read the documentation more, in particular those bits corresponding
> to inter-Samba domain trusts, and the documentation quite clearly states
> that this isn't particularly recommended given the fragility of SMB
> trusts, and the availability of such scalable backends as LDAP.
>
> My question, then, is do people here put together multiple NT4/Samba
> domains using a single LDAP backend? I'm betting not. Assuming that's
> the case, from Windows, how does one assign permissions and whatnot?
> From a single large flatspace containing every user and group? If not,
> how are they separated?
>
> Part of this is a user-acceptance issue; I'd like it to be very clear
> that a particular user belongs to a particular business group (i.e.:
> DEVEL, EXEC, FINANCE).
>
> I guess the crux of the question is, "is there any way to have multiple
> NT4/Samba domains served from a single multi-branch LDAP backend without
> inter-domain trusts, or is there some better way to go about what I'm
> trying to accomplish?"
>
> Thanks very much in advance.
>
> --
> Arguing with an engineer is like wrestling with a pig in mud.
> After a while, you realise the pig is enjoying it.
>
> OpenPGP v4 key ID: 4096R/59DDCB9F
> Fingerprint: CC53 F124 35C0 7BC2 58FE 7A3C 157D DFD9 59DD CB9F
> Retrieve from subkeys.pgp.net