[Samba] multiples domains or PDCs in samba
gaiseric.vandal at gmail.com
Tue Jul 1 08:39:19 MDT 2014
Domains are generally an functional or administrative division. In
general, you define a domain for a group of users, workstations and
servers that logically or functionally belong together. If you have
a small organization in one location you can often have one domain.
An example of where you might have multiple domains are if you have
Manufacturing domain (for a factory environment) and a Corporate
domain, where you might have separate administrators and the users in
one domain never need to access resources in the other domain.
The domain design decisions will be partly technical and partly business
driver. In my company we have separate domains or "Research" and a
domain for "Finance." The Finance people do sometimes need access to
files on the Research servers so I had to set up domain trusts. I have
found this unreliable in Samba. (I am running Samba 3.x) As the IT
admin, I wanted a single domain. However, the company decide it was
very important to be have an extra wall around any finance data.
So the questions are:
1. Are the people in the separate buildings in separate business decisions?
2. Are the buildings connected by Ethernet or something fast enough for
file sharing or at least account replication
3. Do people in one building need access to resources in other buildings?
Are you using samba 3.x or 4.x. I have worked with Samba 3.x so I
am not as familiar with domain trusts in Samba 4.x
If you have one domain for 2 or more buildings (sites) with a good
connection you should still have a separate Samba server in each site to
function as a DC and file server. This way users will have fast logins
and fast access to the files in their site, and can still access files
in other sites if need be. And they still have functionality even if
your site link goes down. You MAY want to configure a separate TCP/IP
subnet and DHCP server for each site in case your connection between
sites goes down.
Having separate domains for each building will increase the overall
management you may have to do. But having a single domain for many
sites increases the risk that multiple sites may have downtime at once.
On 07/01/14 08:32, Nicolás wrote:
> I'm Nicolás from Uruguay, I work in ASSE (public health services), the
> enterprise has lots of buildings all over my country, more than 100,
> with thousands of employees and PCs. Until now there is no "network
> configuration" in PCs (no network users, etc) and I'm trying to solve
> that out. I started working with samba about one year ago (I've been
> learning a lot), I started working in one building and now I have a
> samba PDC with an openLDAP backend. I have to make my way into a higly
> escalable configuration (because of the amount of users and PCs) and I
> want to make it right thats the reason I'm asking you for help.
> I have a master openLDAP server thats store all authentication,
> groups, SUDOers, automount, other applications roles data, etc. I have
> a replicated openLDAP server thats replicate some objects from the
> I have a samba PDC authenticating against the replicated openLDAP
> server (that the way I can control users from one building not loggin
> in PC of other buildings I replicate some users accounts and some PC
> accounts), and I've joined WindowsXP, Windows7, Windows 8 into the
> domain and I'm working also with Ubuntu 10.4 (until the newest one),
> and OpenSuSE 12.1 (until the newest one) mounting users home using
> nfs, and using replicated openLDAP for autentication and file system
> permissions. Until now It's all ok, it works like a charm ;-)
> From now I'll call 'A' to the building I've configured first and its
> working nice, and I'll call 'B' and 'C' to the next buildings I need
> to configure.
> well, in my first aproach to configurating others PDC in buildings 'B'
> and 'C' I thought configuring individuals domains for 'A' 'B' 'C'
> would be the correct way to go. Then googling and reading I read this
> it is suggested not running diferents domains for the same
> organization so I have no "clean idea" of what I need.
> So, in a higly scalable configuration:
> 1) should I configure one domain and replicate it to all buldings?
> I can restrict users loggin replicating some users of master openLDAP
> to every building (I don't want all users of 'A' can loggin in 'B' or
> 'C' computers, I don't want to users loogin freely in everywere)
> 2) should I configure lots of domains with the same sambaSID and have
> lots of Domains entries with different names in LDAP? (is there a
> diference betwen this and having just one domain?)
> That would allow me to use the same groups in lots of buildings, and
> for example, "Domain Admins" would be the same in every domain, and
> again I don't want to everybody loggin in everywere, so I use
> replication to separate users.
> 3) should I configure lots of domains totaly separated in master
> openLDAP tree?
> And in the master LDAP I'll have one subtree for each domain, but what
> will happen with uids and gids?
> 4) what happen if different domains have diferent sambaSID? users with
> one sambaSID could use other domains PC?
> It would be really nice to control who can loggin in each domain, and
> changing dinamicaly if it's needed, for example, someone could need to
> work half day in one building and the other half in other, I need to
> consider that too :-S
> I think that is enough, just for now :-)
> any help will be wellcome,
> thank you,
More information about the samba