[Samba] multiples domains or PDCs in samba

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Jul 1 08:39:19 MDT 2014

Domains are generally a functional or administrative division. In 
general, you define a domain for a group of users, workstations and 
servers that logically or functionally belong together. If you have 
a small organization in one location you can often have one domain.

An example of where you might have multiple domains is if you have a 
Manufacturing domain (for a factory environment) and a Corporate 
domain, where you might have separate administrators and the users in 
one domain never need to access resources in the other domain.

The domain design decisions will be partly technical and partly business 
driven. In my company we have separate domains for "Research" and a 
domain for "Finance." The Finance people do sometimes need access to 
files on the Research servers, so I had to set up domain trusts. I have 
found this unreliable in Samba. (I am running Samba 3.x.) As the IT 
admin, I wanted a single domain. However, the company decided it was 
very important to have an extra wall around any finance data.

So the questions are:
1. Are the people in the separate buildings in separate business divisions?
2. Are the buildings connected by Ethernet or something fast enough for 
file sharing, or at least for account replication?
3. Do people in one building need access to resources in other buildings?

Are you using Samba 3.x or 4.x? I have worked with Samba 3.x, so I 
am not as familiar with domain trusts in Samba 4.x.

If you have one domain for 2 or more buildings (sites) with a good 
connection, you should still have a separate Samba server in each site to 
function as a DC and file server. This way users will have fast logins 
and fast access to the files in their site, and can still access files 
in other sites if need be. And they still have functionality even if 
your site link goes down. You MAY want to configure a separate TCP/IP 
subnet and DHCP server for each site in case your connection between 
sites goes down.

Having separate domains for each building will increase the overall 
management you may have to do.  But having a single domain for many 
sites increases the risk that multiple sites may have downtime at once.

On 07/01/14 08:32, Nicolás wrote:
> Hello,
> I'm Nicolás from Uruguay. I work in ASSE (public health services); the 
> enterprise has lots of buildings all over my country, more than 100, 
> with thousands of employees and PCs. Until now there is no "network 
> configuration" on the PCs (no network users, etc.) and I'm trying to solve 
> that. I started working with Samba about one year ago (I've been 
> learning a lot); I started working in one building and now I have a 
> Samba PDC with an OpenLDAP backend. I have to make my way to a highly 
> scalable configuration (because of the number of users and PCs) and I 
> want to make it right; that's the reason I'm asking you for help.
> I have a master OpenLDAP server that stores all authentication, 
> groups, sudoers, automount, other applications' role data, etc. I have 
> a replicated OpenLDAP server that replicates some objects from the 
> master.
> I have a Samba PDC authenticating against the replicated OpenLDAP 
> server (that is the way I can keep users from one building from logging 
> in on PCs of other buildings: I replicate some user accounts and some PC 
> accounts), and I've joined Windows XP, Windows 7 and Windows 8 into the 
> domain, and I'm also working with Ubuntu 10.04 (up to the newest one) 
> and openSUSE 12.1 (up to the newest one), mounting users' homes using 
> NFS, and using the replicated OpenLDAP for authentication and file system 
> permissions. Until now it's all OK, it works like a charm ;-)
> From now on I'll call 'A' the building I configured first, which is 
> working nicely, and I'll call 'B' and 'C' the next buildings I need 
> to configure.
> Well, in my first approach to configuring other PDCs in buildings 'B' 
> and 'C' I thought configuring individual domains for 'A', 'B' and 'C' 
> would be the correct way to go. Then, googling and reading, I read this:
> http://samba.2283325.n4.nabble.com/one-ldap-server-and-multiple-samba-PDC-domains-td2447669.html 
> It is suggested not to run different domains for the same 
> organization, so I have no "clean idea" of what I need.
> So, in a highly scalable configuration:
> 1) Should I configure one domain and replicate it to all buildings?
> I can restrict user logins by replicating some users of the master OpenLDAP 
> to every building (I don't want all users of 'A' to be able to log in on 'B' or 
> 'C' computers; I don't want users logging in freely everywhere).
> 2) Should I configure lots of domains with the same sambaSID and have 
> lots of domain entries with different names in LDAP? (Is there a 
> difference between this and having just one domain?)
> That would allow me to use the same groups in lots of buildings, and, 
> for example, "Domain Admins" would be the same in every domain, and 
> again I don't want everybody logging in everywhere, so I use 
> replication to separate users.
> 3) Should I configure lots of domains totally separated in the master 
> OpenLDAP tree?
> Then in the master LDAP I'll have one subtree for each domain, but what 
> will happen with uids and gids?
> 4) What happens if different domains have different sambaSIDs? Could users with 
> one sambaSID use other domains' PCs?
> It would be really nice to control who can log in in each domain, and 
> change it dynamically if needed; for example, someone could need to 
> work half a day in one building and the other half in another, and I need to 
> consider that too :-S
> I think that is enough, just for now :-)
> Any help will be welcome,
> thank you,
> Regards,
> Nicolás.
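An added example (not part of either message above) of the layout the reply recommends, combined with the filtered replication the question already uses: one domain, with a Samba 3.x domain controller and an OpenLDAP replica in each site, where the replica only carries that site's accounts. The hostnames, the `dc=asse,dc=internal` suffix, the replication DN and the convention of marking site-B user and machine entries with `l=B` are all assumptions made for the example.

```ini
; /etc/samba/smb.conf on the site-B domain controller (added example; hostnames and DNs assumed)
[global]
    workgroup = ASSE
    netbios name = DC-B
    security = user
    ; Same domain as site A: this host is an additional DC for ASSE, not a second PDC.
    domain logons = yes
    domain master = no
    local master = yes
    preferred master = yes
    os level = 65
    ; Clients on the site-B subnet locate a DC through WINS; the PDC in site A runs "wins support = yes".
    wins server = 10.1.0.5
    ; Accounts come from the local replica, so site-B logins survive a loss of the site link.
    passdb backend = ldapsam:ldap://ldap-b.asse.internal
    ldap ssl = start tls
    ldap suffix = dc=asse,dc=internal
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=samba,dc=asse,dc=internal
    ; Store the "ldap admin dn" password with:  smbpasswd -w <password>
    ; The domain SID must be the one site A uses; fetch it once with:
    ;   net rpc getsid -S DC-A -U Administrator

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes

[homes]
    comment = Home directories
    read only = no
    browseable = no

# /etc/ldap/slapd.conf on ldap-b (syncrepl consumer). The master must load "overlay syncprov".
# The filter keeps only what a site-B DC needs: the containers, the sambaDomain object,
# the groups (Domain Admins included) and the user/machine accounts tagged l=B (assumed convention).
syncrepl rid=002
    provider=ldap://ldap-master.asse.internal
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=asse,dc=internal"
    filter="(|(objectClass=organizationalUnit)(objectClass=sambaDomain)(objectClass=posixGroup)(&(objectClass=sambaSamAccount)(l=B)))"
    scope=sub
    attrs="*,+"
    starttls=critical
    bindmethod=simple
    binddn="cn=repl-site-b,dc=asse,dc=internal"
    credentials="replace-with-the-site-b-replication-secret"
```

Two caveats a practitioner should keep in mind. First, this is a filtered view, not an access control: a user whose entry is absent from ldap-b cannot be authenticated by DC-B, but a site-B workstation that can still reach DC-A over the link will be authenticated there, so the per-site restriction is only as strong as the routing and firewalling between sites; a per-account alternative that works regardless of which DC answers is Samba's own `sambaUserWorkstations` attribute, which lists the machines an account may log on from. Second, the replication bind DN must be allowed to read `sambaNTPassword` (and `sambaLMPassword`) on the master for the entries it pulls, so give each site its own DN and credentials and scope the master's `access` rules for that DN to the same `l=B` subset: a compromised site replica then exposes only that site's hashes rather than the whole organization's.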
