On Wed, Jun 18, 2008 at 2:21 AM, Volker Lendecke <[EMAIL PROTECTED]> wrote:

> If I understood you correctly then you have users in LDAP
> that are to be authenticated in more than one domain.

Correct. This is a highly desirable configuration that offers tremendous competitive advantages to commercial enterprises and increased efficiency for non-profits such as hospitals and research foundations. I believe many organizations use samba in this way, because it makes MS-Windows desktops more powerful than a pure Microsoft server architecture does.

> Assuming that is right then yes, this is not a supported
> configuration and never has been. It might have worked at
> some point, but we deliberately moved to a much more
> predictable SID-based model for almost everything
> internally. On that way we very likely broke what you
> described.

The current model does not preclude this configuration, although the software makes it very hard to do. In my previous email I made some suggestions about how the code could be tweaked to support it. (Since I'm not contributing code at this time, I am certainly willing to pay for others to do so.)

> The only way a central LDAP can work is using completely
> independent OUs per domain in a way that no objects from one
> domain are seen by another domain.

Yes and no. Yes, machine trust accounts and idmaps have to be restricted from appearing in more than one domain. No, user accounts can still be published to all domains.

Samba PDCs (running v3.0.11 or greater) that are netlogon servers behave in ways I still don't fully understand. My end-users in the past simply logged on in whichever domain they happened to be visiting, and a user SID was composed with a consistent algorithmically generated RID attached to the local server SID.

Samba hosts that are not PDCs or netlogon servers still work great with multiple domains on a single authentication backend. We have been using this capability for more than a decade to great advantage. There are thousands of sites running RHEL3 that do the same thing - if you have an application host that runs samba, you can have thousands of users from different domains using it without incurring the high licensing and hardware costs of a MS-Windows server on the back end.

> One thing that I could imagine though is to centralize ID
> mapping in this scenario, winbind from domain A could
> (read-only) look at the LDAP objects of domain B to get a
> unified uid space.

Yes, that's essentially what we're doing. We have domain-specific container objects for trusts that are restricted by OpenLDAP ACLs, but we have a single ou=People object and a single ou=Group object. I can supply more configuration information if you wish, but this email is already very long!

> I know that it is hard or impossible to change your existing
> LDAP tree, but one account in multiple domains is just way
> too error-prone, fragile and confusing if not used VERY,
> VERY carefully.

I personally am comfortable with rewriting the entire LDAP tree if necessary - I did it three times when we converted from 3.0.10 to 3.0.25 and then to 3.0.28. I generally dump the database to LDIF and rewrite it with gnu awk, then reload it and sync it out to the replicas (we have dozens). If I am forced to do major modifications with systems running - something I try to avoid - I write a bash script incorporating ldapsearch and ldapmodify from the OpenLDAP toolset. I cannot recommend this to others, because it's too easy to destroy your enterprise infrastructure with a typographical error.

In a modern, directory-based work environment, people are not limited to single desks, or even single countries or states. A person in England may be signing on to systems in Baluchistan tomorrow, and everything is expected to work seamlessly as though that person were still in England. A site is expected to continue functioning even if half the WAN links to that site break unexpectedly.

We have achieved this with samba, linux, and Windows versions 3.11 through XP. It's getting harder to do, though, and the advantages of running linux are eroding as software like MS-Windows gets more complex and difficult to integrate with standards-based architectures.

> Volker

Thank you, Volker, for taking the time to discuss this with me!

--
To unsubscribe from this list go to the following URL and read the instructions:
https://lists.samba.org/mailman/listinfo/samba
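As an added illustration (not the poster's configuration and not part of the original thread), here is a constructed OpenLDAP slapd.conf ACL fragment for the layout the message describes: one shared ou=People and ou=Group, with a private container per Samba domain holding that domain's machine trust accounts and idmap entries, visible only to that domain's Samba bind DN. The suffix dc=example,dc=com, the domain names DOMA/DOMB, the ou=DSA container and the bind DNs are assumptions.

```conf
# Constructed example, not the poster's configuration. Assumed tree:
#   dc=example,dc=com
#     ou=People            shared by every domain (smb.conf: ldap user suffix)
#     ou=Group             shared by every domain (smb.conf: ldap group suffix)
#     ou=DOMA / ou=DOMB    one container per Samba domain, holding
#        ou=Computers        that domain's machine trust accounts (ldap machine suffix)
#        ou=Idmap            that domain's idmap entries (ldap idmap suffix)
# Each PDC binds with its own "ldap admin dn" (cn=samba-doma / cn=samba-domb).

# Domain-private containers: invisible to anyone but that domain's DSA.
access to dn.subtree="ou=DOMA,dc=example,dc=com"
    by dn.exact="cn=samba-doma,ou=DSA,dc=example,dc=com" write
    by * none

access to dn.subtree="ou=DOMB,dc=example,dc=com"
    by dn.exact="cn=samba-domb,ou=DSA,dc=example,dc=com" write
    by * none

# Password hashes on the shared user objects: writable by each domain's DSA
# and by the owner, usable for simple bind, never readable by anyone else.
access to dn.subtree="ou=People,dc=example,dc=com"
        attrs=userPassword,sambaLMPassword,sambaNTPassword
    by dn.exact="cn=samba-doma,ou=DSA,dc=example,dc=com" write
    by dn.exact="cn=samba-domb,ou=DSA,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# Remaining attributes of the shared users and groups: every domain's DSA
# may write them, authenticated users may read them.
access to dn.subtree="ou=People,dc=example,dc=com"
    by dn.exact="cn=samba-doma,ou=DSA,dc=example,dc=com" write
    by dn.exact="cn=samba-domb,ou=DSA,dc=example,dc=com" write
    by users read
    by * none

access to dn.subtree="ou=Group,dc=example,dc=com"
    by dn.exact="cn=samba-doma,ou=DSA,dc=example,dc=com" write
    by dn.exact="cn=samba-domb,ou=DSA,dc=example,dc=com" write
    by users read
    by * none

# Everything else: read-only (a real deployment would additionally let each
# DSA write its own sambaDomainName entry, where the RID counters live).
access to *
    by users read
    by * none
```

Clauses are evaluated in order, so the attribute-specific rule for the password hashes has to precede the general ou=People rule or it is never reached.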