[Samba] SSO across multiple physical subnets

Carlos Rivera-Jones carlos at sinu.com
Mon Jul 30 12:32:08 GMT 2007

I assume the remote VPNs are full tunnels, and that you can ping any of the computers in any of the networks from any of the networks.

You should create trust relationships among all of the domains, along with permissions that allow logons and file access cross-domain - an important omission in the documentation. Search google with - "trust relationship" site:samba.org -.

You will also want wins running on all servers, and that each server calls the others and allows calls from the servers. This is also documented.

The key with the laptop users is to logon first to the home domain. This caches the profile password, and as long as the password is not changed (in either side) while the home server is unavailable, everything will be OK. Assuming 2000, XP, and/or Vista clients, of course.

(You might also want to consider an LDAP backend with master/slave relationships among them, but this is highly complex and error prone if you are not an LDAP expert.)

I run similar complex setups without a problem, the key is to make sure the smb.conf has the wins and subneting info in place, that the trust relationships work, and that permissions are set correctly.

It does require some planning, and quite an amount of rote work, but all the documentation is right there in samba.org.

This is done pretty much in the same way it was done in NT4, so any docs/flowcharts you find for NT4 apply to samba.

Samba howto/docs + NT4 charts = easiest way
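
The smb.conf pieces referred to above (WINS, cross-subnet browsing, interdomain trusts, permissions for trusted-domain users) in one place, as an added example that is not part of the original post or of Samba's own documentation. Domain names (CORP, EAST, WEST, NORTH), host names, subnets and share paths are assumed for illustration. One caveat worth knowing before copying it: Samba 3's nmbd does not replicate WINS, so in practice one WINS server is authoritative and the other PDCs point at it with "wins server"; the "bcast" fallback in "name resolve order" is what keeps a remote office resolving local names when its T-1 or VPN is down.

```ini
# ---- smb.conf on the corporate PDC (domain CORP, host CORPDC, 10.0.0.10) ----
[global]
    workgroup = CORP
    netbios name = CORPDC
    security = user
    domain logons = yes
    domain master = yes
    preferred master = yes
    os level = 65

    # Single WINS server for the company (Samba 3 has no WINS replication).
    # bcast at the end keeps local resolution working if the WAN link drops.
    wins support = yes
    name resolve order = wins lmhosts hosts bcast

    # Cross-subnet browsing: announce this server into each remote office's
    # subnet/workgroup and pull their browse lists back (Samba-to-Samba only).
    remote announce = 10.1.0.255/EAST 10.2.0.255/WEST 10.3.0.255/NORTH
    remote browse sync = 10.1.0.255 10.2.0.255 10.3.0.255

    # Honor logons from domains we trust (default yes; shown for clarity).
    allow trusted domains = yes

    # winbindd must run on the PDC so users/groups of trusted domains get
    # uids/gids and can be named in share permissions below.
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind separator = +
    winbind use default domain = no

[training]
    path = /srv/samba/training
    read only = no
    # Domain-qualified groups: local CORP staff plus staff of trusted domain EAST
    valid users = @CORP+staff @EAST+staff

# ---- smb.conf on a remote PDC (domain EAST, host EASTDC, 10.1.0.10) ----
# [global]
#     workgroup = EAST
#     netbios name = EASTDC
#     security = user
#     domain logons = yes
#     domain master = yes
#     wins server = 10.0.0.10              ; the corporate WINS server above
#     name resolve order = wins lmhosts hosts bcast
#     remote announce = 10.0.0.255/CORP
#     remote browse sync = 10.0.0.255
#     allow trusted domains = yes
#     idmap uid = 10000-20000
#     idmap gid = 10000-20000
#     winbind separator = +

# ---- One-time trust setup (run as root), so CORP trusts EAST ----
# On EASTDC (trusted side): create the interdomain trust account CORP$,
# prompts for the trust password:
#     net rpc trustdom add CORP -U root
# On CORPDC (trusting side): use that account, prompts for the same password:
#     net rpc trustdom establish EAST
# For a two-way trust repeat with the roles swapped ("add EAST" on CORPDC,
# "establish CORP" on EASTDC), then check both directions on each PDC with:
#     net rpc trustdom list
```

After the trust is in place, `getent passwd` and `getent group` on CORPDC should list EAST+user and EAST+staff entries via winbind; if they do not, the "valid users" line above silently denies everyone from EAST, so check that before debugging client-side logon problems.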



-----Original Message-----
From: samba-bounces+carlos=sinu.com at lists.samba.org on behalf of Thomas Smith
Sent: Sun 7/29/2007 9:22 PM
To: samba at lists.samba.org
Subject: [Samba] SSO across multiple physical subnets

I've been reading up on SSO-based logins for the last couple of weeks. I've
found a lot of information about it, but nothing that matches my situation.
Here's the gist of my situation...

- I have a Samba 3 PDC in our corporate office as well as three remote

- Each remote office is in a different physical building and connected to
the Corporate office either via Point-to-Point T-1 or a Cisco PIX on-demand
VPN tunnel. Each office resides in a separate IP subnet.

- Each office is a separate domain. Each server has its own domain user and
group accounts.

- I have laptop users who travel between the various offices on a regular
basis. I also have some desktop users who travel to remote offices to
provide training and such.

What I'd like to do is make this a fault tolerant, SSO environment. Fault
tolerance is very important for us in case one of the VPN tunnels or T-1s
goes down--each office would still need to be able to log in to their
server(s) and work.

Another challenge has been laptop users--if they're configured for the
Corporate office domain, they cannot access the domains of remote offices
while on-site at those locations. This has always been a manual workaround
for them to get access to printers and network shares.

Can anyone suggest a direction to go in here? I know this is a lot, I'm not
looking for someone to do the work. I just need some help locating the
appropriate technology or how-tos for configuring something of this scale.

Thanks, in advance, for your help!

~ Tom
