On 01/29/10 05:59, Thibault Vançon wrote:
Hello,

I need some help to set up a multi-site authentication architecture with
samba.

Our company is composed of 6 sites which are VPN-linked.

On each, there is a Samba 3.0.27 PDC with an LDAP backend on Debian Etch (I will
probably upgrade it to Lenny with this project, and a newer version of
Samba). We would like to permit a user of one domain to log in to another with
the same credentials.

Currently, if a user needs to connect to a share of another domain, we have to
create the user again in the other LDAP backend. So we have a lot of duplicates,
which is not very good because we store a lot of administrative information
such as email, job function, etc., and we need to use LDAP for other applications
(Intranet on Apache server, ERP, …).

My boss is not closed to that and wants to keep the multi-domain
architecture (I’m currently converting it to free software…). I know that it
would be easier to have only one domain with LDAP replication, but he still
doesn’t want that.

Is there a multi-Samba-domain schema for LDAP? What about trust
relationships? Do they work fine? Other possibilities (RADIUS, etc.)?

Thanks a lot for any answer, and sorry for my English, which is not very good.

Thibault Vançon

---------

System and Network administrator – Alsapan – France

The Samba HOWTO book documentation on www.samba.org does a pretty good job of explaining inter-domain trusts. It does allow you to let users from one domain have access to resources in another domain. The Samba domains trust each other. The LDAP server in one domain does not have to talk to the LDAP server in another domain. You do need to use winbind and set up IDMAP ranges, which can get a little tricky. So if each site has its own domain, and each domain has only one PDC, you will not have to worry about LDAP replication.

There are some benefits to a multiple-domain approach:
- if you need to designate local administrators in each domain but not for the entire company, there is a logical business division between each site (maybe one site has the Sales people and one site has the Engineering people);
- fewer problems if your VPN links are unreliable or slow.


If you want to consolidate domains, you may want to make sure that your remote sites have a Samba BDC (with LDAP replication) and a reliable VPN connection.

Either way, you want people to run their login scripts and have their home directories on a server in their site. You may also want to consider having a WINS server in each site, depending on the number of computers.
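As an added illustration of the winbind/IDMAP setup mentioned in the reply above (not from the original thread, and not a Samba project sample), here is an smb.conf fragment for the PDC of one site that trusts a second site's domain: local users stay in the site's own ldapsam backend, while accounts from the trusted domain are mapped by winbind into a separate, non-overlapping UID/GID range. The domain names SITEA/SITEB, hostnames, LDAP DNs and ID ranges are placeholders, and the idmap syntax assumed is the Samba 3.2-era one (as shipped in Debian lenny); Samba 3.0.x uses a different idmap syntax, so check `man smb.conf` for the version actually installed.

```ini
[global]
   ; This site's own domain (placeholder name).
   workgroup = SITEA
   netbios name = PDC-SITEA
   security = user
   domain master = yes
   domain logons = yes
   local master = yes
   preferred master = yes

   ; Local accounts keep living in this site's LDAP directory (placeholder DNs).
   passdb backend = ldapsam:ldap://ldap.sitea.example
   ldap suffix = dc=sitea,dc=example
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap admin dn = cn=admin,dc=sitea,dc=example
   ldap ssl = start tls

   ; Required for the inter-domain trust to be honoured at all.
   allow trusted domains = yes

   ; winbind resolves users of the trusted domain. Keeping the domain prefix
   ; means SITEA+jdoe and SITEB+jdoe remain distinct accounts on this host.
   winbind use default domain = no
   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = yes

   ; Default idmap store for IDs winbind allocates on this host. This range
   ; must not collide with the uidNumber/gidNumber values already assigned
   ; to local LDAP users (assumed here to be below 10000).
   idmap backend = tdb
   idmap uid = 10000-19999
   idmap gid = 10000-19999

   ; Trusted domain SITEB: derive UID/GID deterministically from the account's
   ; RID, inside its own range. Every trusted domain needs a distinct,
   ; non-overlapping range; overlapping ranges are the usual "tricky" part,
   ; because two different accounts can then end up with the same UID and
   ; therefore the same file-system permissions.
   idmap config SITEB:backend = rid
   idmap config SITEB:range = 20000-29999
```

Once the trust is in place (the HOWTO's `net rpc trustdom add` on the trusted PDC and `net rpc trustdom establish` on the trusting PDC), `wbinfo -m` should list SITEB and, with nss_winbind configured, `getent passwd 'SITEB+jdoe'` should return a UID inside 20000-29999; a UID outside that range or shared with a local LDAP account means the ranges need fixing before any shares are opened to the trusted domain.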

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba