[Samba] Architecture VPN and Samba with ADS 2003 help needed

Henrik Zagerholm henke at mac.se
Thu Oct 12 09:13:14 GMT 2006


Well, I can't recall having seen that ADS is unstable.
If you have a Win 2003 PDC which is using Kerberos (it uses Kerberos  
by default, so if you haven't changed it you are using Kerberos),
then you can make your Samba servers members of the domain using ADS  
and Kerberos to get Single Sign On through the Kerberos tickets.

Of course it won't solve your problem with the W2003 server going down.

Regarding winbind offline mode, as I understand it, it should be  
possible for a computer which is using cached credentials to access  
the shares.

I would check with the samba developers as there is very little info  
regarding this in the docs.

Cheers
On 12 Oct 2006 at 09:31, Guillaume Riviere wrote:

> Henrik Zagerholm wrote:
>> As I remember the winbind offline mode is something different and  
>> won't be a substitute for a member server.
>> I really haven't had the time yet to look into this new mode but  
>> would be interested in any findings you make.
>>
>> You are already using kerberos correct?
>> What is your security setting in smb.conf?
>
> Dear Henrik,
> I did not use Kerberos yet, my configuration is very simple.
>
> Do you think I should use it?
> What is winbind offline mode? If I understand well, it is more a  
> client feature
> than a server feature, right?
>
> I join the domain with:
> #> net rpc join -S myserver.mydomain -U Administrator%password
>
> and my smb.conf is:
>
> [global]
>        workgroup = MYDOMAIN
>        server string = File server for Office 2
>        encrypt passwords = true
>        password server = myserver.mydomain
>        netbios name = office2_fs
>        security = DOMAIN
>        show add printer wizard = No
>        idmap uid = 15000-20000
>        idmap gid = 15000-20000
>        winbind separator = +
>        winbind use default domain = Yes
>        winbind cache time = 3600
>        use sendfile = Yes
>        printing = cups
>        printcap name = cups
>        enhanced browsing = No
>        client schannel = no
>        local master = No
>        domain master = No
>        load printers = yes
>
>
>
>>
>> Cheers
>>
>> On 12 Oct 2006 at 07:01, Guillaume Riviere wrote:
>>
>>> Henrik Zagerholm wrote:
>>>>
>>>> On 11 Oct 2006 at 07:03, Guillaume Riviere wrote:
>>>>
>>>>> Dear all Samba list,
>>>>>
>>>>> I'm currently facing some little problem with Samba, and I'm looking  
>>>>> for advice on
>>>>> our offices' architecture. This is what we have:
>>>>>
>>>>> - We have 2 offices with "unstable" ADSL connections (sometimes  
>>>>> more than 5 connection shutdowns a day)
>>>>> - We use a VPN and our 2 offices are on the following internal  
>>>>> subnets:
>>>>>    Office 1: 10.0.0.0/24
>>>>>    Office 2: 10.0.1.0/24
>>>>> There are no firewall restrictions between the 2 offices with  
>>>>> the VPN.
>>>>>
>>>>> - Office 1 has an ADS Server 2003 (ads_office1) and a  
>>>>> Debian/Sarge with Samba 3.0.23c file server (fs_office1); all  
>>>>> is OK, working very well
>>>>> - Office 2 has only a Debian/Sarge Samba 3.0.23c file  
>>>>> server (call it fs_office2) connected to the remote VPN ADS  
>>>>> 2003. This server
>>>>> is in DOMAIN security mode (because I read that the ADS  
>>>>> security mode is currently not so stable)
>>>>
>>>> Where did you read that? :)
>>>>>
>>>>> All my users (Windows XP SP2 only) must be in the same ADS  
>>>>> network (Exchange service, file sharing, internet access  
>>>>> control).
>>>>> We face multiple problems with the second office: each time  
>>>>> we get a disconnection, we have to re-join the domain and restart
>>>>> samba and winbind; also, Office 2 cannot access the file  
>>>>> server in a disconnected mode (sometimes no internet in this
>>>>> office for a whole day)
>>>>>
>>>>> So, I would like your advice on the following questions:
>>>>>
>>>>> - Do we have to change the server fs_office2 to a Microsoft  
>>>>> 2003 server? Is this the best solution?
>>>>> - Can Samba configure itself to use a cache system or a  
>>>>> domain duplication or a domain master in ADS 2003?
>>>>> Is there a solution to make Samba deliver the credentials locally  
>>>>> in case of network
>>>>> disconnection? Is it stable to go with this solution?
>>>> Pure ADS member with AD replication is not available in the  
>>>> SAMBA 3 branch yet. SAMBA 4 is supposed to handle this but is  
>>>> currently only in TP4 pre-alpha stage and should only be used for  
>>>> testing purposes.
>>>>
>>>>>
>>>>> If yes (I hope), how do I do this, what is the best architecture,  
>>>>> the best Samba configuration?
>>>> Unfortunately I think that the best solution is to have a W2003  
>>>> at the second office also until SAMBA 4 is stable, but hopefully  
>>>> some more experienced Samba users have another idea. :)
>>>>>
>>>>> Thanks in advance,
>>>>> Regards,
>>>>> Guillaume
>>>>
>>>> Cheers,
>>>> henrik
>>>>>
>>>>>
>>>>> -- 
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>>>>
>>>>
>>> Dear Henrik, Dear All,
>>>
>>> What about the new offline mode in winbind (in 3.0.23)? Can it  
>>> solve the problem?
>>> Do I need to install PAM and Kerberos for this?
>>>
>>>
>>> Regards,
>>> Guillaume
>>
>>
>
>
> -- 
>
> Guillaume RIVIERE
> IT Projects Manager, www.vsl.com <http://www.vsl.com>
> Phone: +84 8 8 10 68 17
> Mobile: +84 90 95 38 9 00
> Fax: +84 8 8 10 68 18
> Email: guillaume.riviere at vslitc.com
>
> VSL IT Center
> R-212, E-town building, 364 Cong Hoa Street, Ward 13, Tan Binh District
> Hochiminh City - Vietnam
>
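For reference, this is what the ADS member setup Henrik describes looks like in smb.conf, with the 3.0.23 winbind offline logon option switched on. It is an added example, not a config from this thread or from the Samba project's documentation: the realm MYDOMAIN.EXAMPLE and the host name are placeholders, and the idmap ranges and winbind settings are carried over from Guillaume's DOMAIN-mode config above so the two can be compared line by line.

```ini
# Added example (not from the thread): smb.conf [global] section for a
# Samba 3.0.23 ADS member server with winbind offline logon.
# MYDOMAIN.EXAMPLE and office2_fs are placeholders.
# smb.conf only accepts comments on a line of their own, never after a value.
[global]
        workgroup = MYDOMAIN
        # Kerberos realm, normally the AD DNS domain in upper case (placeholder)
        realm = MYDOMAIN.EXAMPLE
        # Join as an AD member using Kerberos instead of the NT4-style DOMAIN mode
        security = ADS
        # Let winbind find DCs through DNS SRV records instead of pinning one host;
        # a single pinned "password server" is a single point of failure over a flaky VPN
        password server = *
        netbios name = office2_fs
        encrypt passwords = yes
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        winbind separator = +
        winbind use default domain = Yes
        # Seconds winbind trusts cached user/group data before asking the DC again
        winbind cache time = 3600
        # New in 3.0.23: pam_winbind may authenticate from cached credentials
        # when no DC can be reached
        winbind offline logon = yes
        # "no" weakens the link to the DC; the default "auto" is the safer choice
        client schannel = auto
        local master = No
        domain master = No
```

With this config the host is joined with `net ads join -U Administrator` rather than `net rpc join`, which needs a working /etc/krb5.conf for the realm and a clock within Kerberos' five-minute skew limit of the DC; `net ads testjoin` and `wbinfo -t` then confirm the machine account works. Two caveats: `winbind offline logon` only covers authentication that goes through pam_winbind on the Samba host itself (pam_winbind also has to be told to cache logins; I take the exact option form for 3.0.23 as an assumption), and whether an XP client can still open a share while the DC is down depends on the client already holding a valid Kerberos service ticket for the server, which Samba checks against its own machine account key without talking to a DC, whereas an NTLM logon has to be passed through to the DC and fails when it is unreachable.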
