[Samba] Two Samba 4 AD DC, a VPN

Lea Massiot lmloge at orange.fr
Thu Apr 12 08:30:31 UTC 2018


Hello, hello Rowland,

So the physical configuration is something like below:

+-------------------------------+
server_a
  Samba AD DC
  Domain: mycompany.net
  Subnet: 192.168.1.0/24
  IP    : 192.168.1.2
+-------------------------------+

+-------------------------------+
pc_a_1
  FQDN: pc_a_1.mycompany.net.
  IP:   192.168.1.33
+-------------------------------+

+-------------------------------+
pc_a_2
  FQDN: pc_a_2.mycompany.net.
  IP:   192.168.1.35
+-------------------------------+

Internet, WAN // VPN tunnel

+-------------------------------+
server_b
  Samba AD DC
  Domain: mycompany.net
  Subnet: 192.168.2.0/24
  IP    : 192.168.2.2
+-------------------------------+

+-------------------------------+
pc_b_1
  FQDN: pc_b_1.mycompany.net.
  IP:   192.168.2.33
+-------------------------------+

+-------------------------------+
pc_b_2
  FQDN: pc_b_2.mycompany.net.
  IP:   192.168.2.35
+-------------------------------+

rowland> you will probably be better off setting up a one domain forest and
using subnets and sites.

This is indeed what I would like to do.
- one forest
- one domain "mycompany.net"
- one site
- two subnets 192.168.1.0/24 and 192.168.2.0/24 separated by a VPN.

On the LAN 192.168.1.0/24, I have a Windows Server with "Active Directory
Sites and Services".
I can see:
------------------------------------------------------------
Active Directory Sites and Services [server_a.mycompany.net]
Sites
-- Inter-Site Transports
-- Subnets
-- Default-First-Site-Name
---- Servers
------ SERVER_A
-------- NTDS Settings
------------------------------------------------------------

So, we can say we have:
- one forest
- one site (Default-First-Site-Name)
- Nothing about subnets
- The notion of domain "mycompany.net" on the first line

I can ping "server_b" which is on the other side of the VPN.
I would like its Samba AD DC to belong to this site.
My problem is that it is on the other side of the VPN and I don't know how
to reach it.

Please help. Thank you.
-- 
Lea




=====================================================
=====================================================
On 06/04/2018 5:44 PM, Rowland Penny wrote:
> On Fri, 6 Apr 2018 08:01:50 -0700 (MST)
> Lea Massiot via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> My post is about having two Samba 4 AD DCs at two different
>> geographical places and accessing resources bidirectionally through a
>> VPN as summarized in the schema below.
>>
>> -------------------------
>> Geographical site 1
>> -------------------------
>> - AD DC: Samba 4.1.4
>> - LAN_1 IPs: 192.168.1.0/24
>> - Machines DNS names: <hostname>.company.lan
>> - Some machines do not move from this site.
>> - Some machines are nomads (they can move to Geographical site 2).
>> - We can access some resources that are on LAN_2 machines through the
>> VPN. For example, NASs get synchronized through the VPN.
>> -------------------------
>> |
>> |
>> |
>> |
>> VPN
>> |
>> |
>> |
>> |
>> -------------------------
>> Geographical site 2
>> -------------------------
>> - AD DC: Samba 4.8.0
>> - LAN_2 IPs: 192.168.2.0/24
>> - Machines DNS names: <hostname>.company.lan2
>> - Some machines do not move from this site.
>> - Some machines are nomads (they can move to Geographical site 1).
>> - We can access some resources that are on LAN_1 machines through the
>> VPN. For example, NASs get synchronized through the VPN.
>> -------------------------
>>
>> On Geographical site 2, I am about to (*):
>>
>> "Select a DNS domain for your AD forest.
>> The name will also be used as the AD Kerberos realm.
>> WARNING | Make sure that you provision the AD using a DNS domain that
>> will not need to be changed.
>> WARNING | Samba does not support renaming the AD DNS zone and Kerberos
>> realm."
>>
>> I am wondering which is the good way to go as far as these domain
>> names are concerned.
>> Also, I have read about AD forests but I couldn't find literature
>> explaining how to set up such a system with two Samba 4 AD DC.
>>
>> In
>> https://www.infoworld.com/article/2613171/networking/samba-4-review--no-substitute-for-active-directory----yet.html
>> dating back to 2013, one can read:
>> "Support for cross-forest trusts and multiple domain controllers is
>> still to come."
>>
>> Can you help me?
>> Best regards.
>>
>> (*)
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>>
>>
>>
=====================================================
=====================================================
> As far as I am aware, trusts still do not fully work yet. This isn't
> really a problem, mainly because you will probably be better off
> setting up a one domain forest and using subnets and sites. Do an
> internet search on 'active directory sites and services' for more info.
>
> Rowland





--
Sent from: http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html
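The following is an added example, not code from the thread, from Samba or from either poster. It models the mechanism Rowland is pointing at: in a single-domain forest, AD subnet objects (created in the "Active Directory Sites and Services" MMC Lea already has, or with Samba's `samba-tool sites` subcommands) map a client's IP address to a site, and the DC locator then prefers DCs in that site. The DC names and addresses are those from the thread; the one-site layout is Lea's stated plan, and the two-site layout with the site names Site-A and Site-B is an assumption added to show the alternative. The consistency check at the end flags the situation visible in Lea's MMC screenshot, where no subnet objects exist at all.

```python
"""Model of AD site/subnet resolution for the topology in this thread.

Constructed example: hosts and subnets come from the thread, the site
layouts below are assumptions made for illustration.
"""
import ipaddress

# Option 1 (Lea's plan): one site, both VPN-joined subnets mapped to it.
ONE_SITE = {
    "192.168.1.0/24": "Default-First-Site-Name",
    "192.168.2.0/24": "Default-First-Site-Name",
}

# Option 2 (assumed site names): one site per LAN, so clients prefer the
# DC on their own side of the VPN and only fall back across it.
TWO_SITES = {
    "192.168.1.0/24": "Site-A",
    "192.168.2.0/24": "Site-B",
}

# Domain controllers from the thread.
DCS = {
    "server_a": "192.168.1.2",
    "server_b": "192.168.2.2",
}


def site_for_ip(ip, subnet_map):
    """Site name for an address, by the subnet object covering it.

    With nested subnet objects the most specific (longest prefix) wins.
    None means no subnet object covers the address: the client then has
    no site and may end up authenticating against any DC in the domain.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnet_map.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def dc_sites(dcs, subnet_map):
    """Site each DC sits in, derived from its own address."""
    return {name: site_for_ip(ip, subnet_map) for name, ip in dcs.items()}


def preferred_dcs(client_ip, dcs, subnet_map):
    """DCs the locator prefers for a client: those in the client's site,
    or every DC when the client's address is in no known subnet."""
    site = site_for_ip(client_ip, subnet_map)
    if site is None:
        return sorted(dcs)
    return sorted(name for name, s in dc_sites(dcs, subnet_map).items() if s == site)


def check_layout(dcs, subnet_map):
    """Checks worth running after defining subnet objects.

    - every DC address must be covered by a subnet object
    - every site that has subnets should also have a DC, otherwise its
      clients are served from elsewhere (here: across the VPN)
    Returns a list of problem strings; an empty list means the layout
    is consistent.
    """
    problems = []
    for name, ip in dcs.items():
        if site_for_ip(ip, subnet_map) is None:
            problems.append(f"DC {name} ({ip}) is in no subnet object")
    sites_with_dc = set(dc_sites(dcs, subnet_map).values())
    for site in sorted(set(subnet_map.values())):
        if site not in sites_with_dc:
            problems.append(f"site {site} has no DC; its clients will use DCs elsewhere")
    return problems


if __name__ == "__main__":
    for label, layout in (("one site", ONE_SITE), ("two sites", TWO_SITES)):
        print(f"[{label}] pc_b_1 (192.168.2.33) prefers:",
              preferred_dcs("192.168.2.33", DCS, layout))
        print(f"[{label}] problems:", check_layout(DCS, layout) or "none")
    # Lea's current state: a site exists but no subnet objects at all.
    print("[no subnets] problems:", check_layout(DCS, {}))
```

With both subnets in one site, pc_b_1 is offered both DCs and may authenticate over the VPN even though server_b is next to it; with one site per LAN it is steered to server_b first. With no subnet objects defined, neither DC is placed in a site by its address and clients are located without any site affinity, which is the state Lea's MMC view shows.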



More information about the samba mailing list