Jim Potter
2004-Sep-26 09:41 UTC
[Samba] Implementing samba3/LDAP system across several schools
Hi All,

I am looking into the feasibility of using Samba/LDAP for domain control across several schools in my area, and would be interested to hear of anyone who has any experience/thoughts on how this could work.

The schools share a community learning resource centre, and I am looking for ways for all users to be able to log in at their own schools, and also at the learning resource centre using the same credentials, and be able to see their documents from both (all connected by 2-10M lines at present, which will probably be adequate).

Each institution needs to be a secure, self-sufficient entity in its own right, allowing access to its list of users (and their work) to the resource centre.

A big problem I see is duplicate user names between schools.

Any hints/tips/comments/feedback would be very welcome.

cheers

Jim Potter
UK
rruegner
2004-Sep-26 11:00 UTC
[Samba] Implementing samba3/LDAP system across several schools
Hi,

yes, it's no problem: you need slave LDAPs and Samba BDCs in the other locations; read the Samba HOWTO. The other way is to have your own domain at each location with its own PDC and make trusts.

What do you mean by duplicate usernames?

Regards
Jim Potter
2004-Sep-26 13:33 UTC
[Samba] Implementing samba3/LDAP system across several schools
I was hoping to do this without trusts - I would like to be able to grow this to incorporate more schools, and there comes a point where trusts are not enough...

I've played with a setup like this: 2 domains from the same LDAP tree:

domain SUBDOMAIN, with LDAP info drawn from ou=subdomain,o=domain
  sambaDomainName=SUBDOMAIN,ou=subdomain,o=domain
  users kept in ou=subdomain,o=domain

domain SUPERDOMAIN, with LDAP info drawn from o=domain
  sambaDomainName=SUPERDOMAIN,o=domain
  users kept in o=domain

I've set this up with 2 PDCs, and users in ou=subdomain can log into both systems, whereas users in o=domain can only log into SUPERDOMAIN. This does work, even if the sambaSIDs of the users do not match the domain's SID (which is very useful).

What is needed is a way of qualifying the username to state which part of the tree it is drawn from. For example, if 2 users named 'fredbloggs' existed, one in ou=subdomain,o=domain and one in o=domain, then there would be confusion, and only one would work (cn=fredbloggs,o=domain, I assume).

I have Netware roots, and in an NDS system with a similar setup you could log into a system with the context set to o=domain as 'fredbloggs' to log in as cn=fredbloggs,o=domain, or you could log in as 'fredbloggs.subdomain' to log in as cn=fredbloggs,ou=subdomain,o=domain.

What would be nice in my situation is to be able to log in on a workstation in my school as 'jim', and get onto the system at the community learning centre as 'jim.myschool' or something similar (MYSCHOOL\jim ??).

I hope this makes sense and doesn't sound too much like me brainstorming. Has anyone tried anything like this?

cheers

Jim Potter
UK
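As an added illustration (not code from the thread or from Samba), here is a small Python audit of the layout Jim describes: it parses a constructed LDIF export, flags uids that appear in more than one container of the tree, and resolves an NDS-style qualified login such as 'fredbloggs.subdomain' to a single DN while refusing an ambiguous unqualified one. The qualified-login syntax and all directory entries are assumptions for demonstration only; Samba itself has no such login form.

```python
from collections import defaultdict

# Constructed LDIF (not a real export): two 'fredbloggs' accounts, one
# directly under o=domain and one under ou=subdomain, plus one 'jim'.
SAMPLE_LDIF = """\
dn: uid=fredbloggs,o=domain
uid: fredbloggs
sambaSID: S-1-5-21-1-2-3-1001

dn: uid=fredbloggs,ou=subdomain,o=domain
uid: fredbloggs
sambaSID: S-1-5-21-4-5-6-1001

dn: uid=jim,ou=myschool,o=domain
uid: jim
sambaSID: S-1-5-21-7-8-9-1002
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for a simple, unfolded LDIF export."""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():  # a blank line ends the current entry
            if current:
                entries[current["dn"][0]] = current
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    return entries

def duplicate_uids(entries):
    """Audit check: uids present in more than one container of the tree."""
    by_uid = defaultdict(list)
    for dn, attrs in entries.items():
        for uid in attrs.get("uid", []):
            by_uid[uid].append(dn)
    return {u: dns for u, dns in by_uid.items() if len(dns) > 1}

def resolve_login(entries, login, base="o=domain"):
    """Resolve 'user' or hypothetical NDS-style 'user.ou1.ou2' to one DN.
    An unqualified name must be unique under base; an ambiguous name
    raises instead of silently picking one of the colliding accounts."""
    name, _, context = login.partition(".")
    if context:
        base = ",".join("ou=" + c for c in context.split(".")) + "," + base
    matches = [dn for dn, a in entries.items()
               if name in a.get("uid", []) and dn.endswith("," + base)]
    if len(matches) != 1:
        raise ValueError("%s: %d matches under %s" % (login, len(matches), base))
    return matches[0]
```

Run `duplicate_uids(parse_ldif(...))` against a real `ldapsearch -LLL` export before merging a school's subtree into the shared tree; any uid it reports is an account that would shadow another under an unqualified login.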
Hi All,

After vampiring 1500 user accounts and 580 machine accounts on a Win NT4, every time I run "net rpc trustdom list" I've got the following error:

server-smb:~# net rpc trustdom list
Password: (WHAT PASSWORD SHOULD I PUT HERE? Anything seems to give the same output.)
Trusted domains list:
OTHER-DOM S-1-5-21-136393487-307246644-928725530
Trusting domains list:
[2004/09/27 14:32:13, 0] utils/net_rpc.c:rpc_trustdom_list(3430)
Couldn't enumerate accounts. Error was: NT_STATUS_ACCESS_DENIED

How can I solve this ACCESS_DENIED error? I removed all machine accounts and still get the same problem.

Thanks for any help.

Gustavo