[Samba] Planning infrastructure - request for advice

Luis Peromarta lperoma at icloud.com
Sat Mar 8 10:35:07 UTC 2025


I would follow this guide exactly:

http://samba.bigbird.es/doku.php?id=samba:start

Do not use --use-rfc2307, not even during provisioning. If you’re unsure whether you need it (and you really don’t), then you don’t need it.

I strongly recommend using KVM VMs for domain controllers (DCs), even if they must reside on your member servers. You’ll appreciate the ability to create full backups before upgrading.

For your organization’s size, 5GB of disk space and 512MB of RAM are more than sufficient for your DCs.

Use RID for your file servers.

Don’t use roaming profiles. They’ll hog your network.

Regards.
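As an added illustration (not part of Luis's reply, and not configuration taken from the Samba project or the linked guide), this is the shape of an smb.conf [global] section for a Unix domain member file server that follows the advice above: the domain's IDs are mapped with the rid backend rather than rfc2307 attributes, and the winbind enum options from the provisioning command are left out. The realm and NetBIOS domain name (DOM.LAN / DOM) come from the quoted question; the ID ranges are assumed values. With the rid backend the DOM range must be identical on every member server so that a given user gets the same UID everywhere, and the default "*" range must not overlap it.

```ini
# Assumed example smb.conf for a Unix domain member (file server), not a DC.
[global]
   workgroup = DOM
   realm = DOM.LAN
   security = ADS

   # Default backend for BUILTIN and any other domain: tdb, assumed range
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Our AD domain: rid backend, assumed range. Keep this range identical
   # on all member servers and never overlapping the "*" range above.
   idmap config DOM : backend = rid
   idmap config DOM : range = 10000-999999

   # Users do not need a Unix shell/home from AD attributes
   template shell = /bin/false
   template homedir = /home/%D/%U

   winbind use default domain = yes
   winbind refresh tickets = yes
   # No "winbind enum users/groups": enumeration is slow and not needed

   # Store Windows ACLs in extended attributes on the shares
   vfs objects = acl_xattr
   map acl inherit = yes

[data]
   path = /srv/samba/data
   read only = no
```

After joining with `net ads join -U administrator`, `testparm` checks the file for syntax and range problems, `wbinfo --ping-dc` confirms winbind can reach a DC, and `getent passwd DOM\\someuser` shows the UID computed from the rid range (the same value on every member server that uses the same range).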


On 7 Mar 2025 at 14:22 +0000, Piotr Adamcio via samba <samba at lists.samba.org>, wrote:

> I need to plan this solution properly. I have 3 entities in 3 different
> locations, with approximately 50 computers in each entity. Each entity
> currently uses its own files on its own server. However, there are
> people who travel between entities and need to have access to all files
> regardless of the entity. The entities are connected by VPN, and access
> is available. The point is that I have set up a Domain Controller for
> testing and I would like to have a central database of users and groups
> that the company uses. However, the infrastructure must be resistant to
> internet problems. So, in my plan, I set up 1 PDC (for the main list,
> which I provisioned with the command: |samba-tool domain provision
> --use-rfc2307 --option="ad dc functional level = 2016"
> --function-level=2016 --interactive --option="dns forwarder =
> 192.168.xx.xx" --option="winbind enum groups = Yes" --option="winbind
> enum users = Yes"|) and 3 BDCs (which I added with this command:
> |samba-tool domain join dom.lan DC -U administrator --realm=DOM.LAN -W
> DOM --option="ad dc functional level = 2016" --function-level=2016
> --use-rfc2307 --option="winbind enum groups = Yes" --option="winbind
> enum users = Yes"|) on which I was sharing files.
>
> From what I understand from other posts, should I also add 3 Unix domain
> members on which I share files? Is that correct? File shares should NOT
> be created on BDCs, right? And then, should I keep profiles and network
> shares on these file servers? So, should I use |idmap| with |autorid| on
> these Unix domain members? The goal is that internet outages (which
> happen) do not block access to network shares, so in each entity I must
> ensure a BDC?
>
>
> Entity 1 ------------ VPN ------------ Entity 2 ------------ VPN ------------ Entity 3
>     |                                      |                                      |
>     +--- PDC (Domain Controller)           +--- BDC (Domain Controller)           +--- BDC (Domain Controller)
>     |                                      |                                      |
>     +--- File Server (Unix Domain Member)  +--- File Server (Unix Domain Member)  +--- File Server (Unix Domain Member)
>     |                                      |                                      |
>     +--- ~50 Computers                     +--- ~50 Computers                     +--- ~50 Computers
>
>
> Is this a good direction, or is it overcomplicating things?
>
> Then, between the DC servers, I must synchronize sysvol and idmap.ldb,
> and Unix domain members (file servers) must use idmap rid or autorid?
>
> Any other suggestions? ideas?

