[Samba] SMB Network design guidelines

Robert Schetterer robert at schetterer.org
Tue Jul 26 11:49:54 GMT 2005


Hi, so my answers are filled in

Carlos Vidal schrieb:

>Hi:
>
>Can anybody point me to some guidelines about SMB network design or
>give some advice? Samba HOWTOs are very detailed recipes, but I need
>some general tips, like if we are serving fish or pasta tonight :-)
>
>This is the situation: a WAN with 20 offices with 2 to 30 people in
>each, plus a headquarter with 50 people, plus the databases and
>central file servers. The organization grew up on a NT4 infrastructure
>using trust relationships and per office domains. The total network
>size is about 300 clients.
>
>As the servers were ageing, in the first half of 2005 we replaced most
>of them with Linux FC3 + Samba (upgraded now to 3.0.14a) and kept the
>old NT4 as logon servers and PDCs. Three months ago we replaced the
>central PDC at the HQ with Linux+LDAP+Samba3.
>
>So now that we have the confidence of our customer, we want to move on
>and replace the remaining NT4 logon servers. We have the opportunity
>to change the current architecture to get a better infrastructure.
>These are the requirements:
>
>Must have:
>- People need to access shares in the HQ servers.
>  
>
no problem

>- People need to access shares in their local servers.
>  
>
no problem

>- If the WAN is down, people can still work with their local servers.
>  
>
no problem with caching the profiles on the Win clients and/or using
offline file folders

>Nice to have:
>- A single account per user, not one per user and domain
>  
>
??? if you use domain style you have accounts like this: domain\username
(use NT group features for more).
I think the question is: give every office its own domain and use
trusts, or use one big one.

>- No profile transmissions over the WAN
>  
>
If you have a short-time guest from another office, his profile will be
fetched over the WAN/VPN.
Set up a policy for after what time a user's profile should move to
the BDCs.
There are many more possible layouts for this (using profile syncs,
shared filesystems over the WAN, etc.), but I wouldn't recommend them.

>- Should be simple to move a user accounts from one office to another
>  
>
it is simple, just copy them (be aware all file ACLs etc. are kept)

>- Scalability, the company is growing well.
>  
>
using slave LDAPs on the BDCs will give you no problem

>- Keep the backbone in Linux
>  
>
whatever

>What follows are the alternatives I'm considering, but I have
>difficulties foreseeing the tradeoffs:
>
>A) A single domain with a PDC in the HQ and BDCs in each remote
>office. A master LDAP server in the HQ and a slave LDAP in each remote
>office.
>*Pros: Simple to implement and use
>*Cons: How scalable is it? What if we have 500 clients and 35 offices
>in 2 years?
>  
>
I would prefer one domain with a Samba PDC (master LDAP) and BDCs (slave
LDAPs) in the VPN offices. 500 clients and 35 offices
may confuse you at the network layout, but are no problem for performance,
depending on the VPN/WAN speed.
Do proper internal name serving as a fallback to WINS.

>B) A domain per remote office (as today), plus trust relationships to
>access the HQ files. A single LDAP backbone with branches for each
>domain, a master LDAP in HQ and slave LDAPs in the remote offices.
>*Pros: Domains follow the physical reality. Users and sysadm are used
>to this scheme.
>*Cons: Administrative burden to move people around.
>  
>
trusts may have failures with WINS timeouts over WANs;
for delegating domain work, use privileges in Samba

>C) Modify Samba LDAP schema so that the same UID can belong to several
>domains at the same time (see
>http://lists.samba.org/archive/samba-technical/2004-February/034203.html).
>*Pros: People can have different profiles in each office and still use
>the same login/password without too much administrative burden. No
>trust relationships needed.
>*Cons: We move away from the "standard" Samba+LDAP config
>  
>
never done this, and I see no real win in this

>Are there other options? Which are the tradeoffs? What are people with
>similar networks using?
>
>Thanks in advance!
>
>  
>
done such setups with VPN, 4 offices and 100 users, no problem,
mostly networking questions.
The more discussed question was using Outlook/Exchange (or a Linux
derivative) and PST files etc., since the users wanted to have groupware
features like Outlook.
Your questions are more related to the general NT domain and network
layout, not special to Samba.
A last tip: only use one version of Windows in the whole company
(I recommend Win XP, because Win 2000 will get outdated soon).
This will help you using profiles and policies. Laptop-moving users and
so-called roadwarriors may give the most pain, as they need VPN
setups and other policies.

>Carlos
>  
>
I don't know when Samba 4 gets released; if you have time, this will make
your life easier in such setups.
Perhaps the gurus know more about the release and features of Samba 4.
Regards
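As an added illustration (not part of Robert's reply or of Carlos's question), this is how option A, with the tips from the reply folded in, can be written down in smb.conf for the HQ PDC and for one office BDC: a single domain, master LDAP on the PDC host and a slave LDAP on each BDC, one WINS server at HQ with DNS as fallback, Samba privileges instead of trusts for delegated administration, and profiles kept on whichever DC the client logged on to. The domain name EXAMPLE, the LDAP suffix, the host names and the address 10.1.0.5 are assumed placeholders; only Samba 3.0.x parameters are used.

```ini
# ---- File 1: /etc/samba/smb.conf on the HQ PDC (constructed example) ----
[global]
    workgroup = EXAMPLE
    netbios name = HQ-PDC
    security = user
    domain logons = yes
    domain master = yes            ; exactly one domain master in the domain
    local master = yes
    preferred master = yes
    os level = 65
    ; one central WINS server; every office DC and client points at it
    wins support = yes
    ; WINS first, internal DNS as fallback; broadcasts never cross the WAN
    name resolve order = wins host bcast
    ; master LDAP runs on the PDC host itself
    passdb backend = ldapsam:ldap://localhost
    ldap suffix = dc=example,dc=local
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=Manager,dc=example,dc=local
    ldap ssl = start tls
    ; Samba 3.0.11+ privilege model: delegate machine joins etc. without trusts
    enable privileges = yes
    ; %L = the server the client authenticated against, so a user's profile
    ; lives on the local DC and is not pulled over the WAN on a normal logon
    logon path = \\%L\profiles\%U
    logon home = \\%L\%U
    logon drive = H:
    logon script = logon.bat
    add machine script = /usr/sbin/smbldap-useradd -w "%u"

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes
    browseable = no

[profiles]
    path = /var/lib/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = no

# ---- File 2: /etc/samba/smb.conf on an office BDC (constructed example) ----
[global]
    workgroup = EXAMPLE
    netbios name = OFFICE1-BDC
    security = user
    domain logons = yes
    domain master = no             ; a BDC must never claim domain master
    local master = yes
    preferred master = yes         ; win the browser election on its own LAN
    os level = 64
    wins server = 10.1.0.5         ; the HQ PDC
    name resolve order = wins host bcast
    ; local slave LDAP first; HQ master only as fallback if the slave is down
    passdb backend = ldapsam:"ldap://localhost ldap://ldap.hq.example.local"
    ldap suffix = dc=example,dc=local
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=Manager,dc=example,dc=local
    ldap ssl = start tls
    enable privileges = yes
    logon path = \\%L\profiles\%U
    logon home = \\%L\%U
    logon drive = H:
    logon script = logon.bat

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes
    browseable = no

[profiles]
    path = /var/lib/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = no
```

Writes such as password changes still have to reach the master: the slave slapd answers them with a referral (its `updateref`) that ldapsam follows, so the WAN must be up for those, while plain logons and share access against the local BDC keep working when it is down, which is the "WAN is down" requirement from the question. Delegated administration is then granted per group with `net rpc rights grant` (for example SeMachineAccountPrivilege for an office admin group) rather than through per-office domains and trusts.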

