[Samba] Multi samba domain in one LDAP Backend with multi-site authentication
gaiseric.vandal at gmail.com
Fri Jan 29 08:50:18 MST 2010
On 01/29/10 05:59, Thibault Vançon wrote:
> I need some help to set up a multi-site authentication architecture with
> Our company is composed of 6 sites which are VPN-linked.
> On each, there is a Samba 3.0.27 PDC with LDAP backend on Debian Etch (I will
> probably upgrade it to lenny with this project, and a newer version of
> Samba). We would like to permit a user of one domain to log in to another with
> the same credentials.
> Actually, if a user needs to connect to a share of another domain, we have to
> create it again in the other LDAP backend. So we have a lot of duplicates,
> which is not very good because we store a lot of administrative information
> such as email, function, etc., and we need to use LDAP for other applications
> (Intranet on Apache server, ERP, …).
> My boss is not closed with that and wants to keep the multi-domain
> architecture (I'm actually converting it to free software…). I know that it
> would be easier to have only one domain with LDAP replication, but he still
> doesn't want that.
> Is there a multi-Samba-domain schema for LDAP? What about trust
> relationships? Do they work fine? Other possibilities (RADIUS, etc.)?
> Thanks a lot for answering, and sorry for my English, which is not very good.
> Thibault Vançon
> System and Network administrator – Alsapan – France
The Samba HOWTO book documentation on www.samba.org does a pretty good
job of explaining inter-domain trusts. They do allow users from one
domain to have access to resources in another domain. The Samba
domains trust each other; the LDAP server in one domain does not have
to talk to the LDAP server in another domain. You do need to use
winbind and set up IDMAP ranges, which can get a little tricky. So if
each site has its own domain, and each domain has only one PDC, you
will not have to worry about LDAP replication.
There are some benefits to a multiple domain approach:
- if you need to designate local administrators in each domain but
not for the entire company
- there is a logical business division between each site (maybe one
site has the Sales people and one site has the Engineering people.)
- fewer problems if your VPN links are unreliable or slow.
If you want to consolidate domains, you may want to make sure that
your remote site has a Samba BDC (with LDAP replication) and a
reliable VPN connection.
Either way you want people to run their login scripts and have their
home directories on a server in their site. You also may want to
consider having a WINS server in each site, depending on the number of
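As an added example (not from this thread or from Samba itself), a small script that reads the `idmap config ... : range` lines of an smb.conf and checks that no winbind range overlaps another or the uid range the local LDAP backend assigns, since overlapping ranges let two different identities map to the same Unix uid on a share. The Samba 3.6-style `idmap config` syntax, the domain names SITEA/SITEB and all ranges are assumptions.

```python
import re
from collections import namedtuple

# Constructed smb.conf fragment for a PDC (SITEA) that trusts a second
# site's domain (SITEB). Names and ranges are illustrative assumptions.
SMB_CONF = """
[global]
   workgroup = SITEA
   security = user
   domain logons = yes
   passdb backend = ldapsam:ldap://ldap.sitea.example
   # local LDAP users keep uids 1000-9999; winbind ranges must stay clear of them
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
   idmap config SITEB : backend = rid
   idmap config SITEB : range = 20000-29999
   winbind use default domain = no
"""

# Assumed uid range handed out by the local LDAP backend.
LOCAL_LDAP_UID_RANGE = (1000, 9999)

Range = namedtuple("Range", "name low high")


def parse_idmap_ranges(conf):
    """Return one Range per 'idmap config <domain> : range = low-high' line."""
    pat = re.compile(
        r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)",
        re.IGNORECASE | re.MULTILINE,
    )
    return [Range(m.group(1), int(m.group(2)), int(m.group(3)))
            for m in pat.finditer(conf)]


def find_overlaps(ranges, local_range):
    """Return (name, name) pairs whose uid ranges intersect, LDAP range included."""
    all_ranges = list(ranges) + [Range("LOCAL-LDAP", *local_range)]
    clashes = []
    for i, a in enumerate(all_ranges):
        for b in all_ranges[i + 1:]:
            if a.low <= b.high and b.low <= a.high:
                clashes.append((a.name, b.name))
    return clashes


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    print(find_overlaps(ranges, LOCAL_LDAP_UID_RANGE))  # [] when ranges are disjoint
```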