[Samba] multiples domains or PDCs in samba
nicoguerrarocha at gmail.com
Tue Jul 1 06:32:34 MDT 2014
I'm Nicolás from Uruguay. I work in ASSE (public health services); the
enterprise has lots of buildings all over my country, more than 100,
with thousands of employees and PCs. Until now there is no "network
configuration" on the PCs (no network users, etc.) and I'm trying to
sort that out. I started working with Samba about one year ago (I've
been learning a lot); I started working in one building and now I have
a Samba PDC with an OpenLDAP backend. I have to make my way to a highly
scalable configuration (because of the number of users and PCs) and I
want to make it right, and that's the reason I'm asking you for help.
I have a master OpenLDAP server that stores all authentication, groups,
sudoers, automount, other applications' role data, etc. I have a
replicated OpenLDAP server that replicates some objects from the master.
I have a Samba PDC authenticating against the replicated OpenLDAP server
(that's the way I keep users from one building from logging in to PCs of
other buildings: I replicate some user accounts and some PC accounts),
and I've joined Windows XP, Windows 7 and Windows 8 into the domain, and
I'm also working with Ubuntu 10.4 (up to the newest one) and OpenSuSE
12.1 (up to the newest one), mounting users' homes using NFS and using
the replicated OpenLDAP for authentication and file system permissions.
Until now it's all OK, it works like a charm ;-)
From now on I'll call the building I configured first, which is
working nicely, 'A', and I'll call 'B' and 'C' the next buildings I need to
Well, in my first approach to configuring other PDCs in buildings 'B'
and 'C' I thought configuring individual domains for 'A', 'B' and 'C'
would be the correct way to go. Then, googling and reading, I read this
It is suggested not to run different domains for the same organization,
so I have no "clean idea" of what I need.
So, in a higly scalable configuration:
1) should I configure one domain and replicate it to all buldings?
I can restrict user login by replicating some users of the master
OpenLDAP to every building (I don't want all users of 'A' to be able to
log in to 'B' or 'C' computers; I don't want users logging in freely
everywhere).
2) should I configure lots of domains with the same sambaSID and have
lots of Domain entries with different names in LDAP? (is there a
difference between this and having just one domain?)
That would allow me to use the same groups in lots of buildings, and for
example "Domain Admins" would be the same in every domain, and again I
don't want everybody logging in everywhere, so I use replication to
3) should I configure lots of domains totally separated in the master
And in the master LDAP I'll have one subtree for each domain, but what
will happen with uids and gids?
4) what happens if different domains have different sambaSIDs? Could
users with one sambaSID use other domains' PCs?
It would be really nice to control who can log in to each domain, and
to change it dynamically if needed; for example, someone could need to
work half a day in one building and the other half in another, I need
to consider that too :-S
I think that is enough, just for now :-)
any help will be welcome,
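Added example, not from the original post and not Samba's or smbldap-tools' own code: a small Python check for the layout that question 3 raises, one subtree per domain in the master directory. It works on a constructed LDIF sample with two sambaDomain entries and a few sambaSamAccount users placed under sambaDomainName=... subtrees (a layout chosen for the example, not the standard smbldap-tools tree), and it looks for two things worth knowing before going multi-domain: user entries whose sambaSID prefix does not match the SID of the domain whose subtree they live in (the situation question 4 asks about), and uidNumber/gidNumber values reused across domain subtrees, which an NFS-mounted home directory cannot tell apart. The RIDs in the sample follow the 2*uidNumber+1000 algorithmic mapping that smbldap-tools uses by default; that is an assumption about the sample, not something the check enforces.

```python
"""Sanity checks for a Samba 3 style LDAP backend laid out with one
subtree per domain.  Added example; not code from the post or from Samba."""

# Constructed sample LDIF (not real directory data).  Layout assumed for
# the example: each sambaDomain entry is the root of its own subtree and
# its users live below it.  RIDs follow the 2*uidNumber+1000 convention
# smbldap-tools uses by default.  carol deliberately carries a SID from
# domain A although she sits under domain B, and alice/bob share a
# uidNumber across the two domains.
SAMPLE_LDIF = """\
dn: sambaDomainName=A,dc=example,dc=org
objectClass: sambaDomain
sambaDomainName: A
sambaSID: S-1-5-21-1111-2222-3333

dn: sambaDomainName=B,dc=example,dc=org
objectClass: sambaDomain
sambaDomainName: B
sambaSID: S-1-5-21-4444-5555-6666

dn: uid=alice,ou=Users,sambaDomainName=A,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 10001
gidNumber: 513
sambaSID: S-1-5-21-1111-2222-3333-21002

dn: uid=bob,ou=Users,sambaDomainName=B,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bob
uidNumber: 10001
gidNumber: 513
sambaSID: S-1-5-21-4444-5555-6666-21002

dn: uid=carol,ou=Users,sambaDomainName=B,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: carol
uidNumber: 10002
gidNumber: 513
sambaSID: S-1-5-21-1111-2222-3333-21004
"""


def parse_ldif(text):
    """Minimal LDIF parser: 'attr: value' per line, blank line ends an entry.
    Multi-valued attributes collect into a list.  Base64 values ('::') and
    folded continuation lines are not handled; the sample uses neither."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def domain_of_dn(dn):
    """Name of the domain subtree a DN sits in (its sambaDomainName RDN)."""
    for rdn in dn.split(","):
        name, _, value = rdn.strip().partition("=")
        if name.lower() == "sambadomainname":
            return value
    return None


def domain_sids(entries):
    """Map sambaDomainName -> sambaSID for every sambaDomain entry."""
    return {e["sambaDomainName"][0]: e["sambaSID"][0]
            for e in entries if "sambaDomain" in e.get("objectClass", [])}


def user_entries(entries):
    return [e for e in entries if "sambaSamAccount" in e.get("objectClass", [])]


def check_sid_domains(entries):
    """Return (uid, subtree domain, sambaSID) for each user whose SID prefix
    (the SID minus its trailing RID) is not the SID of the domain whose
    subtree the entry lives in.  Such a user belongs, as far as Windows is
    concerned, to the other domain regardless of where LDAP stores them."""
    sids = domain_sids(entries)
    bad = []
    for e in user_entries(entries):
        dom = domain_of_dn(e["dn"][0])
        sid = e["sambaSID"][0]
        if sids.get(dom) != sid.rsplit("-", 1)[0]:
            bad.append((e["uid"][0], dom, sid))
    return bad


def check_id_collisions(entries, attr="uidNumber"):
    """Return {number: [(domain, uid), ...]} for every uidNumber (or, with
    attr='gidNumber', gidNumber) used by accounts in more than one domain
    subtree.  A shared gid 513 (Domain Users) is expected; a shared uid is
    two different people owning the same files on an NFS home export."""
    seen = {}
    for e in user_entries(entries):
        seen.setdefault(e[attr][0], []).append(
            (domain_of_dn(e["dn"][0]), e["uid"][0]))
    return {n: owners for n, owners in seen.items()
            if len({d for d, _ in owners}) > 1}


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for uid, dom, sid in check_sid_domains(ENTRIES):
        print(f"{uid}: SID {sid} does not belong to domain {dom}")
    for attr in ("uidNumber", "gidNumber"):
        for number, owners in check_id_collisions(ENTRIES, attr).items():
            print(f"{attr} {number} reused across domains: {owners}")
```

To run it against a real directory, replace SAMPLE_LDIF with the output of an ldapsearch -LLL over the master base DN; note that real LDIF may contain base64-encoded values and folded lines, which this deliberately minimal parser does not unfold, so either use ldapsearch's -o ldif-wrap=no or extend parse_ldif before trusting its verdict.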