[Samba] VPN+2.2.3a+LDAP

Bradley W. Langhorst brad at langhorst.com
Tue Apr 30 07:09:04 GMT 2002

On Mon, 2002-04-29 at 22:26, Philip Burrow wrote:
> Hi,
> I'm after some clarification on a concept I'm toying with, the big question
> being is it feasible to do this, and are there any things I ought to
> consider. What I'm after is domain authentication across a multi-subnet VPN.
> I figured there are three ways of doing this, based on my limited knowledge
> of Samba (version 2.2.3a):
> 1. Have a single Samba PDC to control the entire VPN (up to 10 remote sites)
> using a single LDAP server to authenticate users.
This will mean that all profiles and authentication go over the VPN.
Probably not a good idea (as you say below).
> 2. Have a Samba server at each site as some sort of pseudo-BDC, all
> authenticating with a single LDAP server.
Again - all authentication goes over the WAN.

> 3. Have a Samba PDC at each site controlling a domain of its own, but all
> using the same LDAP server.
Still the same problem.

I think you should modify idea 3 by setting up replicated LDAP on the
PDC (or another machine) at each site.  That way everybody can log in
even if the LAN is down (though the distributed LDAP DBs might diverge
if your WAN is down for a long time).


