[Samba] SMB Network design guidelines

Carlos Vidal yorugua at gmail.com
Tue Jul 26 09:45:11 GMT 2005


Hi:

Can anybody point me to some guidelines about SMB network design or
give some advice? Samba HOWTOs are very detailed recipes, but I need
some general tips, like if we are serving fish or pasta tonight :-)

This is the situation: a WAN with 20 offices with 2 to 30 people in
each, plus a headquarters with 50 people, plus the databases and
central file servers. The organization grew up on an NT4 infrastructure
using trust relationships and per-office domains. The total network
size is about 300 clients.

As the servers were ageing, in the first half of 2005 we replaced most
of them with Linux FC3 + Samba (upgraded now to 3.0.14a) and kept the
old NT4 as logon servers and PDCs. Three months ago we replaced the
central PDC at the HQ with Linux+LDAP+Samba3.

So now that we have the confidence of our customer, we want to move on
and replace the remaining NT4 logon servers. We have the opportunity
to change the current architecture to get a better infrastructure.
These are the requirements:

Must have:
- People need to access shares in the HQ servers.
- People need to access shares in their local servers.
- If the WAN is down, people can still work with their local servers.

Nice to have:
- A single account per user, not one per user and domain
- No profile transmissions over the WAN
- Should be simple to move a user account from one office to another
- Scalability, the company is growing well.
- Keep the backbone in Linux

What follows are the alternatives I'm considering, but I have
difficulties foreseeing the tradeoffs:

A) A single domain with a PDC in the HQ and BDCs in each remote
office. A master LDAP server in the HQ and a slave LDAP in each remote
office.
*Pros: Simple to implement and use
*Cons: How scalable is it? What if we have 500 clients and 35 offices
in 2 years?

B) A domain per remote office (as today), plus trust relationships to
access the HQ files. A single LDAP backbone with branches for each
domain, a master LDAP in HQ and slave LDAPs in the remote offices.
*Pros: Domains follow the physical reality. Users and sysadmins are used
to this scheme.
*Cons: Administrative burden to move people around.

C) Modify the Samba LDAP schema so that the same UID can belong to several
domains at the same time (see
http://lists.samba.org/archive/samba-technical/2004-February/034203.html).
*Pros: People can have different profiles in each office and still use
the same login/password without too much administrative burden. No
trust relationships needed.
*Cons: We move away from the "standard" Samba+LDAP config

Are there other options? Which are the tradeoffs? What are people with
similar networks using?

Thanks in advance!

Carlos
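To make alternative A concrete, here is an added example of the kind of smb.conf a remote-office BDC would carry under that design; it is not part of Carlos's post and not taken from the Samba HOWTO. It enables domain logons without claiming the domain-master role, points the passdb at the office's local LDAP replica (with the HQ master listed second as failover) so that logons keep working when the WAN link is down, and uses the %L substitution so profiles and home directories stay on whichever local server answered the logon and never cross the WAN. The workgroup name, NetBIOS name, LDAP suffix, admin DN, host names and the WINS address are assumed placeholders.

```ini
# Hypothetical smb.conf for a Samba 3 BDC in one remote office (added example,
# not from the original post). Placeholders: EXAMPLEDOM, BDC-OFFICE1,
# dc=example,dc=org, ldap-master.example.org, 192.0.2.10.
[global]
    workgroup = EXAMPLEDOM
    netbios name = BDC-OFFICE1
    security = user

    # BDC role: serve logon requests for the domain, never become domain master
    domain logons = yes
    domain master = no
    local master = yes
    preferred master = yes
    os level = 65

    # Name resolution: WINS at HQ (assumed address), broadcast as fallback
    wins server = 192.0.2.10
    name resolve order = wins bcast

    # Account database: the local LDAP replica first, HQ master as failover.
    # Reads (authentication) stay in the office if the WAN drops; writes are
    # redirected to the master by the replica's referral (LDAP side, not shown).
    passdb backend = ldapsam:"ldap://127.0.0.1 ldap://ldap-master.example.org"
    ldap admin dn = cn=Manager,dc=example,dc=org
    ldap suffix = dc=example,dc=org
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    ldap ssl = start tls

    # %L expands to the NetBIOS name of the server that handled the logon, so
    # profiles and homes are served from the local BDC; the same lines work on
    # every office's BDC and on the PDC in HQ.
    logon path = \\%L\profiles\%U
    logon home = \\%L\%U
    logon drive = H:
    logon script = logon.bat

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes
    browseable = no

[profiles]
    path = /var/lib/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = no

[homes]
    comment = Home directories
    valid users = %S
    read only = no
    browseable = no
```

Two things this fragment relies on but does not show: every BDC must carry the same domain SID as the PDC (with an LDAP backend the SID lives in the shared sambaDomain object; `net rpc getsid` fetches it from the PDC), and the `ldap admin dn` password is stored in secrets.tdb with `smbpasswd -w`, so the replica should be reachable over TLS and its bind credentials kept off the wire in clear text.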
