[Samba] Domains: Pros and Cons?

Gary Algier gaa at ulticom.com
Wed Jul 7 13:52:09 GMT 2004


I have Samba running without a PDC and I have some questions
about the advantages for implementing one with Samba vs. the
problems and disadvantages.  Perhaps some kind souls can
help me determine whether I should do this or not.

We have three offices connected by a Checkpoint VPN, plus
people "on the road" using their SecureClient tool.  We
want everyone to be able to get to all the Samba servers
from wherever they are.

Here's a sample topology:
     MtLaurel (NJ,US)
         172.25.0.0/16
             corp -- a samba server running on our large Sun file server
             print -- a samba server running on a linux box with CUPS for
                 printing
     Dallas (TX,US)
         172.27.0.0/16
             derby -- a samba server on Sun for local storage and printing
     Sophia (-Antipolis,FR)
         172.26.0.0/16
             tank -- a samba server on Sun for local storage and printing

Right now each location is running in its own workgroup, no PDCs.

If we go with a PDC I see the following advantages and disadvantages:

1) Single sign-on, consistent login -- advantage
    It would all be backed by our current LDAP SAM.
2) Anyone can log into any PC -- disadvantage
    People have become used to not worrying about security on
    their own PCs as nobody else could log in.  Once "domained"
    anyone can log in.
3) Complexity
    I am concerned about keeping this whole house of cards working with
    a PDC in MtLaurel and "slave" PDCs in the other locations.   Our
    people travel a lot and they need to use resources while in non-home
    offices.  How do they join the MtLaurel PDC and then move to the Sophia
    one?  How do they use one inside the corporate network from outside?
4) Password change -- this is the thing driving (forcing) the issue.
    With a PDC, the user logs in at the Windows client with the same password
    as is used for all the other network resources.  It can be set up to
    expire passwords and the user can change their password from the login
    dialog (or with ctl-alt-del...) and it will take effect for everything.
    Is there any way to get just this capability without all the issues
    associated with a PDC?


-- 
Gary Algier, WB2FWZ          gaa at ulticom.com             +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054      Fax:+1 856 866 2033

Nielsen's First Law of Computer Manuals:
     People don't read documentation voluntarily.


