On Monday 21 November 2005 19:32, David B Harris wrote:> Hey all,
>
> I'm looking to merge multiple NT4 domains into a single infrastructure
> based on Samba3 and OpenLDAP on Linux of the Debian Sarge flavour (and,
> Bob willing, Samba4 before long).
Bob is willing, but what does he have to do with Samba4?
> In order to allow some resources to be shared from a single Linux
> instance, I'm rather hoping that I can put every domain's
information
> into a single LDAP DIT. The Samba PDCs will use only portions of the
> DIT, in order to give the appearance (to users) of multiple domains.
> It'll also hopefully allow some degree of privilege delegation.
OK - that should work so long as you do not expect domain user accounts to
function within mulitple domains. You will be able to use interdomain trusts
to affect cross-domain user access capabilities.
> *nix boxes would use the entire tree to resolve every UID/GID (though
> logins would only be allowed based on some attribute values).
>
> Everything would be fine, except I'm a bit worried about the Well-known
> Windows RIDs (512, 513, 514, 550, 551, 552). Obviously the RID must be
> those particular numbers, but do the gidNumbers need to match? (Is this
> required even generally, that gid/uidNumbers match the RID?)
The well known RIDs are important, but the UID/GID can be any valid value.
> Note that winbind isn't involved. I haven't found anything in the
> documentation, which while I've read through entirely, I haven't
read
> from front-to-back, so my memory may be failing me. Documentation
> pointers very welcome.
- John T.