[Samba] Samba 3 with OpenLDAP multimaster or Fedora-DS

Charlie medievalist at gmail.com
Wed Jun 18 17:16:11 GMT 2008

On Wed, Jun 18, 2008 at 10:35 AM, Carlos Eduardo Pedroza Santiviago
<carlos at santiviago.com> wrote:
> Humm, so you're not using the same domain for the entire company? In
> my situation, we have 5 remote offices, and all using the same domain,
> and if for some unknown reason our links (yes, we do have redundant
> links) go down, these offices should be able to work with minimal
> interruption (by saying this I mean, users should be able to change
> their passwords, machines also should be able to update their
> accounts, etc).

At each site, we have a separate domain, a samba PDC/WINS server, a
print server, multiple samba file servers, and multiple ethernet
segments.  If four or five WAN links go down simultaneously it's
possible that people at one site will not be able to change their
passwords until connectivity is restored, but everything will still
work fine (including network browsing).  If there was some reason
connectivity could not be restored within 24 hours, the on-site staff
would promote a local LDAP replica (the "site master") and I would
manually merge any changes after the connectivity was restored with a
little shell scripting.

All our POSIX hosts and samba servers implement LDAP failover, so that
I can take LDAP replicas in and out of service temporarily without
worrying about breaking anything.  The giant HP-UX monsters use HP's
ldap-ux, the Linux systems use PADL's nss_ldap and pam_ldap.  Samba is
compiled to use the OpenLDAP libraries (we use Red Hat packages as
much as possible, and I build custom RPMs when Red Hat's packages are
insufficient).  I have no Kerberos but we have LDAP-integrated RADIUS
in our switches and routers.

We have a lot of WAN links, to our own remote sites, and also to more
than 50 other organizations that we serve.  Our LDAP infrastructure
has been fully functional for a long time (since before syncrepl was
invented) and is pretty mature.  Now that syncrepl seems to be stable
technology, I am thinking about multi-mastering again, but I am not in
a hurry to re-architect everything.  I will probably have to set up
Kerberos eventually and I guess I will revisit all aspects of
infrastructure design at that time.

A well-integrated LDAP directory can provide single sign-on to
hundreds of applications at more than 50 sites with HIPAA-compliant
audit traces and access controls.  Samba expands what you can do with
LDAP even more, because samba allows arbitrarily defined actions to be
triggered by network logon and file access events.
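The failover arrangement the message describes (POSIX hosts and Samba servers pointed at a list of LDAP servers, each site running a syncrepl replica that can be promoted if the WAN stays down) can be sketched in configuration. The fragments below are an added example, not the poster's own files: the host names, suffix, DSA accounts and site name are made up, and the provider side is assumed to already run the syncprov overlay so the consumer has something to pull from.

```conf
# /etc/ldap.conf  (PADL nss_ldap / pam_ldap on the Linux hosts)
# Two URIs: the library tries the next one when the first fails, so a
# replica can be taken out of service without logins breaking.
uri ldap://ldap1.example.com/ ldap://ldap2.example.com/
base dc=example,dc=com
ldap_version 3
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ca.pem
# Fail over quickly instead of retrying the dead server forever.
bind_policy soft
bind_timelimit 5
timelimit 5
nss_reconnect_tries 2

# /etc/samba/smb.conf  (Samba 3 PDC for one site, ldapsam backend)
# The quoted, space-separated URI list gives Samba the same failover.
[global]
   workgroup = SITE1
   domain logons = yes
   domain master = yes
   wins support = yes
   passdb backend = ldapsam:"ldap://ldap1.example.com ldap://ldap2.example.com"
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Group
   ldap machine suffix = ou=Computers
   ldap admin dn = cn=samba,ou=DSA,dc=example,dc=com
   ldap ssl = start tls
   ldap timeout = 5

# /etc/openldap/slapd.conf on the site replica ("site master")
# syncrepl consumer; writes are referred back to the provider while
# the WAN is up.  To promote the replica, comment out the syncrepl
# and updateref directives and restart slapd, then point the site's
# clients at it.  Changes made locally have to be merged back by hand.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap
syncrepl rid=001
        provider=ldap://ldap1.example.com
        type=refreshAndPersist
        retry="60 10 300 +"
        searchbase="dc=example,dc=com"
        bindmethod=simple
        binddn="cn=replicator,ou=DSA,dc=example,dc=com"
        credentials=secret
        starttls=critical
updateref       ldap://ldap1.example.com
```

The point of `bind_policy soft` and the short time limits is that a host whose first listed server is unreachable should move to the second within seconds; with the default hard policy, lookups can hang long enough to stall logins. On the replica, `updateref` is what makes a write attempted during normal operation land on the provider rather than silently succeeding locally, which is exactly the divergence that has to be merged by hand after a promotion.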
