[Samba] Samba BDC at company branch in different subnet?

Karel Lang AFD lang at afd.cz
Thu Apr 30 02:13:37 MDT 2015


Hello guys,
I just wanted to ask about an idea, whether it is feasible (or not).

The company I work for (350 users) has 2 branches, which are 
interconnected with HQ via L2TP (encapsulated in IPsec) tunnels that 
are set up between Mikrotik routers.

current setup:

                        300 users
                | HQ 192.168.2.0/23 |
                | Samba PDC + LDAP  |
                | (389 DS) backend  |
                       /     \
                      /       \
                     /         \
       30 users     /           \     20 users
| 1st branch     |                 | 2nd branch     |
| 192.168.4.0/24 |                 | 192.168.6.0/24 |
| Samba PDC with |                 | Samba PDC with |
| tdbsam backend |                 | tdbsam backend |


So far it was OK, but the thing is, users started to (due to new projects) 
rotate/migrate between branches and HQ.
So maintaining users' passwords and credentials became difficult and 
generally a pain.

Questions:

1. Theoretically speaking - is it possible to redo/change the 2 PDCs 
located at the 2 company branches to BDCs and slave them to the HQ PDC, and 
also to make them authenticate users against the HQ LDAP server?

2. Can a BDC propagate local storage filesystems - meaning, can a BDC 
propagate different filesystems than the PDC?
I don't think I can safely propagate the storage from HQ via SMB running 
through L2TP ..


Any insights, advice highly appreciated.

Thank You

PS.
To answer questions some might ask:

1. We still run Samba 3.6, our Linux servers are RHEL 6.6, which means no 
Samba AD is available for us so far. Red Hat still doesn't support Samba 
AD in their official packages.

2. I plan to switch to Samba 4 (to get access to the newest SMB 2 and 3 
protocols), but keep the PDC <-> BDC style until Red Hat supports 
it in their own packages.



-- 
*Karel Lang*
*Unix/Linux Administration*
lang at afd.cz | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz
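One possible shape for a branch BDC's smb.conf under the Samba 3 PDC/BDC model asked about above, as an added example that is not from the post or from the Samba project; the workgroup name, host names, bind DN and LDAP base DN are assumed placeholders, and the real values for this network are not on the page:

```ini
# Samba 3.6 BDC at a branch office, using the HQ LDAP (389 DS) as its passdb.
# Assumed placeholders: workgroup AFDDOM, PDC host hq-pdc,
# LDAP host ldap.hq.example.internal, base DN dc=example,dc=internal.
[global]
    workgroup = AFDDOM
    netbios name = BRANCH1-BDC
    security = user
    domain logons = yes
    # A BDC never claims domain master; it only answers logons for its own subnet
    domain master = no
    local master = yes
    preferred master = yes
    os level = 65

    # Same directory the HQ PDC uses, reached over the L2TP/IPsec tunnel
    passdb backend = ldapsam:"ldap://ldap.hq.example.internal"
    ldap suffix = dc=example,dc=internal
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    # Dedicated bind DN for this BDC, not Directory Manager (assumed name)
    ldap admin dn = cn=samba-bdc1,ou=Services,dc=example,dc=internal
    # Still encrypt the LDAP session inside the tunnel; the bind password travels here
    ldap ssl = start tls
    idmap config * : backend = tdb
    idmap config * : range = 10000-20000

    # Profiles/home drives are not pulled from HQ over the tunnel
    logon path =
    logon home =

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes
    browseable = no

# A branch-local share: a BDC exports its own local filesystem, nothing is
# replicated from the PDC for it
[data]
    path = /srv/branch1/data
    read only = no
    valid users = @"Domain Users"

# One-time steps on the BDC before starting smbd/nmbd:
#   net rpc getsid -S hq-pdc -U root      # a BDC must carry the PDC's domain SID
#   smbpasswd -w '<bind dn password>'     # stores the ldap admin dn password in secrets.tdb
```

Cross-subnet NetBIOS name resolution over the tunnels still needs a WINS server or DNS entries for the domain controllers; that part is independent of the passdb choice.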
