Thanks, now it's crystal clear. One more thing I'd like to ask: why will the other servers be BDCs? Not just a workstation or a DC client? Where do they back up or cache account info? Will smb.conf look different from using an NT4 PDC?

Thanks,
Soohoon.

On Fri, Aug 1, 2008 at 11:58 AM, Adam Williams <[EMAIL PROTECTED]> wrote:

> yes, to share a single set of users/groups in LDAP to multiple samba servers
> you will need LDAP and a PDC, and the other servers will be BDCs. yes, you
> will join BDCs with net rpc join -D domain -S pdc_server_name -U
> root%password
>
> read chapter 5.3 of samba 3 by example.pdf
>
> Soohoon Lee wrote:
>
> Thanks,
> 'sharing LDAP server' is to share the same set of users/groups in the LDAP
> DB, not separate sets of users/groups for each samba server.
> It looks like PDC ??? maybe what I want is more like NIS.
> So IIUC, to share a single set of users/groups in the LDAP server from
> multiple samba servers, I need LDAP and a samba DC?
> And samba servers have to join the samba DC by net rpc join?
>
> Thanks a lot.
> Soohoon.
>
> On Fri, Aug 1, 2008 at 11:22 AM, Adam Williams <[EMAIL PROTECTED]> wrote:
>
>> sure, you can have multiple domains with all the account info in LDAP. if
>> you really want it to work together well you'll have a PDC and BDCs
>> though. you may be able to try samba interdomain trust relationships, but i've
>> never used that
>>
>> Soohoon Lee wrote:
>>
>> Thanks all
>> This is my smb.conf
>>
>> [global]
>> dos charset = UTF-8
>> workgroup = DOMSMB
>> security = user
>> allow trusted domains = No
>> password server = NULL
>> passdb backend = ldapsam:ldap://10.17.124.190/
>> max log size = 50
>> load printers = No
>> stat cache = No
>> os level = 10
>> dns proxy = No
>> ldap suffix = dc=my-domain,dc=com
>> ldap user suffix = ou=Users
>> ldap group suffix = ou=Groups
>> ldap admin dn = cn=Manager,dc=my-domain,dc=com
>> ldap ssl = no
>>
>> And I'd like to make multiple samba servers share a single LDAP server
>> without using the domain controller feature.
>> I'm getting the feeling that a pure LDAP server is for a single samba server, or
>> the LDAP server should have a samba DC to serve multiple samba servers?
>>
>> Thanks,
>> Soohoon.
>>
>> On Fri, Aug 1, 2008 at 7:02 AM, Lukasz Zalewski <[EMAIL PROTECTED]> wrote:
>>
>>> Lukasz Zalewski wrote:
>>>
>>>> Adam Williams wrote:
>>>>
>>>>> are you using security = user or security = domain on your multiple
>>>>> servers?
>>>>>
>>>>> Soohoon Lee wrote:
>>>>>
>>>>>> Hi
>>>>>> Is it possible to use a single LDAP server and multiple samba servers?
>>>>>> The problem I'm having now is:
>>>>>> Each server thinks its host name is its LDAP domain name, or
>>>>>> sambaDomainName, and
>>>>>> complains that the user's SID is different, so it can't authenticate.
>>>>>> How do I make the samba servers use one domain name and SID?
>>>>>>
>>>>>> LDAP domain name is DOMSMB
>>>>>>
>>>>>> dn: sambaDomainName=DOMSMB,dc=my-domain,dc=com
>>>>>> sambaSID: S-1-5-21-2479917030-3150298425-213194246
>>>>>>
>>>>>> And the samba server created a new domain after its hostname.
>>>>>>
>>>>>> dn: sambaDomainName=SRV6,dc=my-domain,dc=com
>>>>>> sambaSID: S-1-5-21-4202146032-850913369-3381557932
>>>>>>
>>>>>> And complains the user's SID is different from its SID.
>>>>>>
>>>>>> Thanks,
>>>>>> Soohoon.
>>>>>
>>>> We have a student domain and a staff domain and one LDAP server. We wanted
>>>> staff members to log onto the student domain. So we considered two options:
>>>> 1. Interdomain trust relationship (
>>>> http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html)
>>>>
>>>> However this option was not good for us as we didn't want to open up the
>>>> firewall and we wanted staff members to get the proper student experience
>>>> (i.e. home dirs and profiles on the student server). So that brought us to
>>>> the second option:
>>>> 2. ldap translucent proxy overlay (
>>>> http://linux.die.net/man/5/slapo-translucent)
>>>> In this setting we override SIDs (i.e. the domain SID part of the staff
>>>> domain is substituted with the student domain portion of the SID) for users and
>>>> groups and point samba to the overlay. Bear in mind that all of the changes
>>>> made by samba like machine passwords, user passwords, idmap mappings etc.
>>>> will go no further than the proxy, so great care must be taken in LDAP
>>>> setups that use referrals.
>>>>
>>>> Now the most important question is: what do you use your two domains for?
>>>>
>>>> HTH
>>>>
>>>> Lukasz
>>>
>>> Ah sorry, I didn't read the Subject line properly, you do not want a PDC. As
>>> Andy pointed out, maybe you should have one of the servers as a domain member
>>> of the other domain.
>>>
>>> Lukasz

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
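A quick way to spot the symptom from the first message (each server registering its own sambaDomainName with its own SID in the shared LDAP tree) before restructuring the servers into one PDC/BDC domain. This is an added shell check, not code from the thread or from Samba; it scans LDIF text of the kind `ldapsearch -x -b dc=my-domain,dc=com '(objectClass=sambaDomain)'` returns, the sample LDIF is constructed to mirror the entries quoted above, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample LDIF mirroring the two sambaDomainName entries from the thread:
# the intended domain DOMSMB plus a stray SRV6 entry that one server created after
# its own hostname. In practice, pipe real ldapsearch output into the function instead.
SAMPLE_LDIF='dn: sambaDomainName=DOMSMB,dc=my-domain,dc=com
sambaDomainName: DOMSMB
sambaSID: S-1-5-21-2479917030-3150298425-213194246

dn: sambaDomainName=SRV6,dc=my-domain,dc=com
sambaDomainName: SRV6
sambaSID: S-1-5-21-4202146032-850913369-3381557932
'

# Read LDIF on stdin and print one "DOMAIN SID" pair per sambaDomain entry.
domain_sids() {
    awk '
        /^dn: sambaDomainName=/ { split($2, a, /[=,]/); dom = a[2] }
        /^sambaSID: /           { print dom, $2 }
    '
}

# check_single_domain EXPECTED_DOMAIN
# Returns 0 when every sambaDomain entry on stdin carries the expected name,
# otherwise prints each stray "DOMAIN SID" line and returns 1. Any stray entry
# is a server that thinks its hostname is its domain and therefore rejects
# user SIDs issued under the real domain SID.
check_single_domain() {
    expected="$1"
    strays=$(domain_sids | awk -v want="$expected" '$1 != want')
    if [ -n "$strays" ]; then
        echo "$strays"
        return 1
    fi
    return 0
}

# Usage: report stray domains; the remedy discussed in the thread is one PDC with
# the other servers joined as BDCs (net rpc join) sharing the same sambaDomainName.
printf '%s' "$SAMPLE_LDIF" | check_single_domain DOMSMB \
    || echo "stray sambaDomainName entries found (listed above): servers disagree on the domain SID"
```

Run it against live data with `ldapsearch -x -LLL -b dc=my-domain,dc=com '(objectClass=sambaDomain)' sambaSID | check_single_domain DOMSMB` after sourcing the script.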
