Michael Tokarev
2022-Nov-17 14:24 UTC
[Samba] several offices: home dirs, local resources, ...
Hello!

This is not exactly a samba question, but maybe someone here has some input.

Historically, we had several geographically spread offices, with local servers in each location, and local resources. All had their own DNS domain (a subdomain of the main domain), and local short names like "fs" (for file server), "mail" etc. So far so good. (We even had DFS working once when the load to one file server was too high).

Home directories for the users are kept on local servers, including the roaming profiles. When they log in to a machine in another office, their home dir in that office is used. So effectively, these aren't exactly roaming, in the sense that they're not being copied between the offices automatically - it's done on demand only.

The local LAN is fast obviously, inter-office connectivity is dramatically slower and isn't always available, so keeping local resources is vital.

This has always worked with NT4-style domains, worked quite well. For over 20 years.

Now, I'm trying to switch to a Samba-based AD. One office has been switched, but an attempt to include another office immediately got stuck with quite some issues which I don't know how to solve.

First, the home server for the users. I want their home dirs to be stored in the *local* site (local for the computer they're logging in at). I can't seem to find a way to make it work - I can configure a home server for each user in the AD, but I can't make it *different* servers depending on the location. I can force a machine to grab roaming profiles from a fixed server (this overrides the per-user setting), but this way a local user (e.g., a local administrator account used for rescue purposes) does not work well anymore; it too tries to store its home dir on that server.

Second, the short names like "fs" - it should be a different "fs" for each location. I forced windows clients to use the local DNS suffix before the main domain suffix. But when this is about a file server, the main domain suffix is always used despite this name existing in the local subdomain too, which should be searched before.

Users have been used to the short names for many years, they have lots of shortcuts/links to these names, and I can't seem to find a way to make the same name point to a different server in each location.

How is it usually done?

Thanks!

/mjt
Norbert Hanke
2022-Nov-17 23:25 UTC
[Samba] several offices: home dirs, local resources, ...
Hi Michael,

Location-specific DFS might help you: a UNC path looks the same across all offices from the Windows client side, but it resolves specifically for the office it is being accessed from. The concept is explained in Microsoft terms here: https://learn.microsoft.com/en-us/windows-server/storage/dfs-namespaces/dfs-overview

Concluding from a different mail thread, you are working on AD sites reflecting different offices. Once you have that working - site-specific AD-DCs in the various offices of your company - it will not be a big step to get site-specific "Folder Targets" (in Microsoft terms) implemented. E.g. \\your.domain.fqdn\profiles\userA will point to a share hosted in the office of that user, or even \\your.domain.fqdn\profiles could be site-specific.

Technically on the samba DC it's just a matter of a few entries in smb.conf plus symbolic links in the file system of the DC.

I tried to get DFS running with Samba DCs a few years ago. I was not successful, and because it was not important for my use case I did not try for long and gave up. In theory it should work, and maybe one or the other bug might have been resolved in the meantime.

Maybe that helps?

And BTW, thank you for all your hard work for the Debian samba packages! You're doing a big favour to the samba community.

Regards,
Norbert
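Added example, not part of the message above and not Samba project code: the "few entries in smb.conf plus symbolic links" for an MSDFS root, run once on each site's DC with that site's own file server as the target. The host names, the /srv/dfsroot path, the share names and both function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-site MSDFS root on a Samba DC.
# Host names, paths and share names are placeholders (assumptions),
# not values from the thread.

# make_dfs_root ROOT LOCAL_SERVER
# Creates ROOT and one msdfs symlink per published folder, each pointing at
# the same-named share on LOCAL_SERVER (the file server of this DC's site).
make_dfs_root() {
    root=$1
    server=$2
    mkdir -p "$root" || return 1
    # Only the administrator may create or change referral links; a
    # user-writable DFS root lets anyone redirect clients to another server.
    chmod 755 "$root" || return 1
    for share in profiles home; do
        # Samba stores a referral as a symlink whose target has the form
        # "msdfs:server\share"; -n replaces an existing link in place.
        ln -sfn "msdfs:${server}\\${share}" "$root/$share" || return 1
    done
}

# smb_conf_fragment ROOT
# Prints the smb.conf entries that publish ROOT as a DFS namespace share.
smb_conf_fragment() {
    cat <<EOF
[global]
    host msdfs = yes

[dfs]
    path = $1
    msdfs root = yes
    read only = yes
EOF
}

# Typical use on the DC of site A (as root):
#   make_dfs_root /srv/dfsroot fs.sitea.example.com
#   smb_conf_fragment /srv/dfsroot    # merge the output into smb.conf
```

Clients then open \\dc\dfs\profiles on whichever DC they locate and are referred to the file server named in that DC's link.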
Stefan Kania
2022-Nov-27 10:03 UTC
[Samba] several offices: home dirs, local resources, ...
The easiest way would be: create sites and subnets and use GPOs to connect to the shares, and configure the GPO so that the share will only be used if a user connects from his site. So you can have different GPOs for each site.
Marco Gaiarin
2022-Dec-24 15:38 UTC
[Samba] several offices: home dirs, local resources, ...
Hello! Michael Tokarev via samba
  On that day was saying...

I was in exactly your situation. But with only 4 sites.

> This has always worked with NT4-style domains, worked quite well.
> For over 20 years.

Forget NT4. Forget the flat domain you are (ab)used to.

AD is effectively hierarchical, and the namespace is unique across the whole domain. So FS in site A and FS in site B cannot coexist. As you have understood, FSA and FSB can exist, if needed.

But now you have 'Sites and Services', so you can design the hierarchy of your domain, and define policy for every domain (so, users in site A effectively get shares in site A).

Still, profiles (and homes) are bound to users, so now they effectively 'roam', but clearly you can stop that simply by adding an ACL to the file server in site A, limiting access only to IPs in site A (if needed).