Novell Cool Solutions

Samba: Sharing Resources with Mulitple Domains


April 2, 2010 11:58 am






I had a task to share Unix resources between 2 Active Directory domains simultaneously.

Samba does not support multiple domains but why should it? Windows systems belong to one domain at a time. However it’s technically possible to share Unix resources between multiple domains.

This guide is designed for experienced users and requires solid Samba and Linux skills.

LDAP/Kerberos or WINBIND Integration

If you are using centralised user management on the Linux host via standard LDAP/Kerberos or WINBIND integration you only need 2 way trust between the domains. No configuration change should be needed on the Linux side although I cannot confirm this as I don’t have access to such a system.

Mapped Local Users

If you use local users on Linux and map them to certain AD users, beside 2 way trust you need special care. This is very popular and makes file sharing very easy amongst many users.

Your samba mapping file generally should look like this:

!user1 = MYDOMAIN\FirstName.LastName       MYDOMAIN.COM\FirstName.LastName
!user2 = MYDOMAIN\FirstName.LastName       MYDOMAIN.COM\FirstName.LastName

Each line of the map file may be up to 1023 characters long so we can simply add
the other DOMAIN user to the same user mapping line in the following fashion:

!user1 = OLDOMAIN\FirstName.LastName    OLDOMAIN.COM\FirstName.LastName    NEWDOMAIN\FirstName.LastName    NEWDOMAIN.COM\FirstName.LastName
!user2 = OLDOMAIN\FirstName.LastName    OLDOMAIN.COM\FirstName.LastName    NEWDOMAIN\FirstName.LastName    NEWDOMAIN.COM\FirstName.LastName

  • 2 way trust between the domains is required here too
  • the mapping file is processed line by line
  • ! instructs samba to stop processing the file if the mapping was done
  • modifying the mapping file doesn’t require samba service restart

This is one way of doing it, I found this to be the cleaner than having various mappings for the same user.


I have seen many guides on the Internet where users hardcode the AD server their Samba is supposed to connect to. This is wrong and if that server becomes unavailable you will be in trouble.

Adding * at the end of the line will give different meaning to the line. The specified server will be a preference only and if it cannot be reached Samba will do a DNS lookup to find AD controllers just as Windows systems do.

root@geeko~ # vi /etc/samba/smb.conf
password server = *

You can find your AD controllers by DNS lookup too, one way of doing it:

root@geeko~ # host -t srv _kerberos._tcp.MYDOMAIN.COM
_kerberos._tcp.MYDOMAIN.COM has SRV record 0 100 88 SERVER1.MYDOMAIN.COM.
_kerberos._tcp.MYDOMAIN.COM has SRV record 0 100 88 SERVER2.MYDOMAIN.COM.
0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this post.

Categories: Uncategorized


Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.