Hi,

I'm after some clarification on a concept I'm toying with, the big question being whether it is feasible to do this, and whether there are any things I ought to consider. What I'm after is domain authentication across a multi-subnet VPN. I figured there are three ways of doing this, based on my limited knowledge of Samba (version 2.2.3a):

1. Have a single Samba PDC to control the entire VPN (up to 10 remote sites) using a single LDAP server to authenticate users.

2. Have a Samba server at each site as some sort of pseudo-BDC, all authenticating with a single LDAP server.

3. Have a Samba PDC at each site controlling a domain of its own, but all using the same LDAP server.

One requirement I have is that I don't want WAN bandwidth saturating with home directories and user profiles needing to be transmitted across the WAN, so I want them stored local to each site, and I think this is possible with Samba and LDAP (is it?).

Is this 'shared password server' concept possible with Samba and LDAP? Any URLs or other resources would be great, and I appreciate any help or comments.

Please don't tell me to create a trust relationship with Mr Gates. :-)

Regards,
Phil
On Mon, 2002-04-29 at 22:26, Philip Burrow wrote:
> Hi,
>
> I'm after some clarification on a concept I'm toying with, the big question
> being is it feasible to do this, and are there any things I ought to
> consider. What I'm after is domain authentication across a multi-subnet VPN.
> I figured there are three ways of doing this, based on my limited knowledge
> of Samba (version 2.2.3a):
>
> 1. Have a single Samba PDC to control the entire VPN (up to 10 remote sites)
> using a single LDAP server to authenticate users.

This will mean that all profiles and authentication go over the VPN. Probably not a good idea (as you say below).

> 2. Have a Samba server at each site as some sort of pseudo-BDC, all
> authenticating with a single LDAP server.

Again, all authentication goes over the WAN.

> 3. Have a Samba PDC at each site controlling a domain of its own, but all
> using the same LDAP server.

Still the same problem.

I think you should modify idea 3 by setting up replicated LDAP on the PDC (or another machine) at each site. That way everybody can log in even if the LAN is down (though the distributed LDAP DBs might diverge if your WAN is down for a long time).

brad
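One concrete shape for the design Brad suggests (a per-site Samba 2.2 PDC that keeps profiles and home directories on the local LAN and authenticates against a local LDAP replica fed by slurpd from a central master), written here as an added example and not taken from the thread or from the Samba/OpenLDAP projects; the hostnames, domain name, base DN, paths and replicator credentials are assumed, and the `replica`/`updatedn` syntax is the OpenLDAP 2.1 slapd.conf style.

```ini
# ---- /etc/samba/smb.conf on the site-1 PDC (assumed hostname pdc-site1) ----
[global]
   workgroup = SITE1                # assumed per-site domain name (idea 3)
   security = user
   encrypt passwords = yes
   domain logons = yes
   domain master = yes
   os level = 65
   wins support = yes
   # passdb via LDAP (Samba 2.2 built with --with-ldapsam); point at the
   # LOCAL replica so logons keep working when the WAN link is down
   ldap server = ldap-site1.example.com
   ldap port = 636
   ldap ssl = on
   ldap suffix = ou=People,dc=example,dc=com
   ldap admin dn = cn=samba,dc=example,dc=com
   # the admin dn password is NOT stored here: run `smbpasswd -w <password>`
   # once so it lives in secrets.tdb, and keep that file root-only (0600)
   # profiles and home directories stay on this site's LAN, not on the WAN
   logon path = \\pdc-site1\profiles\%U
   logon home = \\pdc-site1\%U
   logon drive = H:

[homes]
   path = /srv/samba/homes/%U
   browseable = no
   writable = yes
   valid users = %S

[profiles]
   path = /srv/samba/profiles
   browseable = no
   writable = yes
   create mask = 0600
   directory mask = 0700

# ---- /etc/openldap/slapd.conf on the central master (assumed ldap-master) ----
# push changes to each site's replica with slurpd; replicas are read-only
# copies, so writes (password changes) must reach the master, and a long
# WAN outage leaves a replica stale until slurpd catches it up
replogfile /var/lib/ldap/replog
replica host=ldap-site1.example.com:636 tls=yes
        binddn="cn=replicator,dc=example,dc=com"
        bindmethod=simple credentials=REPLACE_WITH_REPLICATOR_PASSWORD

# ---- slapd.conf on each site replica (e.g. ldap-site1) ----
# accept updates only from the replicator identity and refer writes back
updatedn "cn=replicator,dc=example,dc=com"
updateref ldap://ldap-master.example.com
```

Because each site's PDC binds only to its own replica, a user whose password was changed during a WAN outage will keep authenticating with the old hash at that site until the master's replog is delivered, which is the divergence Brad warns about.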