[Samba] Two Samba 4 AD DC forest trust

Rowland Penny rpenny at samba.org
Fri Apr 6 15:44:11 UTC 2018


On Fri, 6 Apr 2018 08:01:50 -0700 (MST)
Lea Massiot via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> My post is about having two Samba 4 AD DC at two different
> geographical places and access resources bidirectionally through a
> VPN as summarized in the schema below.
> 
> -------------------------
> Geographical site 1
> -------------------------
> - AD DC: Samba 4.1.4
> - LAN_1 IPs: 192.168.1.0/24
> - Machines DNS names: <hostname>.company.lan
> - Some machines do not move from this site.
> - Some machines are nomads (they can move to Geographical site 2).
> - We can access some resources that are on LAN_2 machines through the
> VPN. For example, NASs get synchronized through the VPN.
> -------------------------
> |
> |
> |
> |
> VPN
> |
> |
> |
> |
> -------------------------
> Geographical site 2
> -------------------------
> - AD DC: Samba 4.8.0
> - LAN_2 IPs: 192.168.2.0/24
> - Machines DNS names: <hostname>.company.lan2
> - Some machines do not move from this site.
> - Some machines are nomads (they can move to Geographical site 1).
> - We can access some resources that are on LAN_1 machines through the
> VPN. For example, NASs get synchronized through the VPN.
> -------------------------
> 
> On Geographical site 2, I am about to (*):
> 
> "Select a DNS domain for your AD forest.
> The name will also be used as the AD Kerberos realm.
> WARNING | Make sure that you provision the AD using a DNS domain that
> will not need to be changed.
> WARNING | Samba does not support renaming the AD DNS zone and Kerberos
> realm."
> 
> I am wondering which is the good way to go as far as these domain
> names are concerned.
> Also, I have read about AD forests but I couldn't find literature
> explaining how to set up such a system with two Samba 4 AD DC.
> 
> In
> https://www.infoworld.com/article/2613171/networking/samba-4-review--no-substitute-for-active-directory----yet.html
> dating back to 2013, one can read:
> "Support for cross-forest trusts and multiple domain controllers is
> still to come."
> 
> Can you help me?
> Best regards.
> 
> (*)
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> 

As far as I am aware, trusts still do not fully work yet. This isn't
really a problem, mainly because you will probably be better off
setting up a one domain forest and using subnets and sites. Do an
internet search on 'active directory sites and services' for more info.

Rowland
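As an added illustration of the single-forest, sites-and-subnets layout suggested in the reply (example code, not from the thread or from Samba itself): how a domain controller locator maps a client address to an AD site by longest-prefix match over the subnet objects, and why a client on an unmapped network (a nomad laptop on a VPN range) silently falls back to the default site and its DC. Site names, DC hostnames and the default site are assumptions; the two LAN ranges are the ones from the question.

```python
import ipaddress

# Constructed subnet objects: one per LAN in the thread, each assigned to a site.
# In AD these live under CN=Subnets,CN=Sites,CN=Configuration,<forest DN>.
SUBNETS = {
    "192.168.1.0/24": "Site1",   # geographical site 1
    "192.168.2.0/24": "Site2",   # geographical site 2
}

# Assumed DC hostnames per site (one forest, company.lan).
SITE_DCS = {
    "Site1": ["dc1.company.lan"],
    "Site2": ["dc2.company.lan"],
}

# Clients whose address matches no subnet object are treated as being in
# the default site; assumed here to be Site1.
DEFAULT_SITE = "Site1"


def site_for_ip(ip, subnets=SUBNETS, default=DEFAULT_SITE):
    """Return the site of the most specific subnet object containing ip.

    Longest prefix wins, so an overlapping, narrower subnet object can
    override a broader one. No match means the default site, which is
    exactly the case that sends a roaming machine to a far-away DC.
    """
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site if best_site is not None else default


def preferred_dcs(ip):
    """DCs a client at ip should contact first, given the site mapping above."""
    return SITE_DCS[site_for_ip(ip)]


if __name__ == "__main__":
    # A laptop that moved from site 1 to site 2 now gets site 2's DC;
    # a client on an unmapped VPN range falls back to the default site.
    for client in ("192.168.1.10", "192.168.2.50", "10.8.0.5"):
        print(client, "->", site_for_ip(client), preferred_dcs(client))
```

Adding a subnet object for the VPN client range (or for any LAN that is missing one) is what keeps nomad machines from authenticating against the remote DC over the tunnel.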