On Tue, Jun 17, 2008 at 07:14:28PM -0400, Charlie wrote:
> If I have explained this poorly, I apologize - interpersonal
> communications skills are not my area of speciality.
If I understood you correctly, then you have users in LDAP that are to be authenticated in more than one domain. Assuming that is right, then yes, this is an unsupported configuration and never has been. It might have worked at some point, but we deliberately moved to a much more predictable SID-based model for almost everything internally. In that way we very likely broke what you described.

The only way a central LDAP can work is using completely independent OUs per domain, in a way that no objects from one domain are seen by another domain. One thing that I could imagine, though, is to centralize ID mapping in this scenario: winbind from domain A could (read-only) look at the LDAP objects of domain B to get a unified uid space.

I know that it is hard or impossible to change your existing LDAP tree, but one account in multiple domains is just way too error-prone, fragile and confusing if not used VERY, VERY carefully.

Volker
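As an added illustration of the layout Volker describes (not code from the thread or from Samba), the script below audits an LDIF export of a central directory for accounts that appear under more than one per-domain OU, the exact situation called unsupported above. The per-domain OU layout (`ou=DOMA,dc=example,dc=com`), the sample entries, and the attribute names `uid` and `uidNumber` are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample export: each domain owns its own OU; alice is in both DOMA and DOMB.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,ou=DOMA,dc=example,dc=com
uid: alice
uidNumber: 10001

dn: uid=alice,ou=Users,ou=DOMB,dc=example,dc=com
uid: alice
uidNumber: 10001

dn: uid=bob,ou=Users,ou=DOMB,dc=example,dc=com
uid: bob
uidNumber: 10002
"""

# Layout assumption: the domain OU sits directly above the dc= components of the DN.
DOMAIN_OU = re.compile(r"ou=([^,]+),dc=", re.IGNORECASE)


def parse_ldif(text):
    """Minimal LDIF reader for single-valued attributes; entries are separated by blank lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def domain_of(dn):
    """Return the per-domain OU name of an entry (e.g. 'DOMA'), or None if it is not under one."""
    match = DOMAIN_OU.search(dn)
    return match.group(1).upper() if match else None


def find_cross_domain_accounts(ldif_text, key="uid"):
    """{account: [domains]} for every value of `key` seen in more than one domain OU.
    key='uid' flags one login defined in two domains; key='uidNumber' flags a unix ID
    shared across domains, which a centralized idmap must not produce."""
    seen = defaultdict(set)
    for entry in parse_ldif(ldif_text):
        domain = domain_of(entry.get("dn", ""))
        if domain and key in entry:
            seen[entry[key]].add(domain)
    return {acct: sorted(doms) for acct, doms in seen.items() if len(doms) > 1}
```

Run it against a real `ldapsearch -LLL` export of the tree; an empty result for both keys means every object is visible to exactly one domain.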