I have Samba running without a PDC and I have some questions
about the advantages for implementing one with Samba vs. the
problems and disadvantages. Perhaps some kind souls can
help me determine whether I should do this or not.

We have three offices connected by a Checkpoint VPN, plus
people "on the road" using their SecureClient tool. We
want everyone to be able to get to all the Samba servers
from wherever they are.

Here's a sample topology:

MtLaurel (NJ,US)
    172.25.0.0/16
    corp -- a Samba server running on our large Sun file server
    print -- a Samba server running on a Linux box with CUPS for
             printing

Dallas (TX,US)
    172.27.0.0/16
    derby -- a Samba server on Sun for local storage and printing

Sophia (-Antipolis,FR)
    172.26.0.0/16
    tank -- a Samba server on Sun for local storage and printing

Right now each location is running in its own workgroup, no PDCs.

If we go with a PDC I see the following advantages and disadvantages:

1) Single sign-on, consistent login -- advantage
   It would all be backed by our current LDAP SAM.

2) Anyone can log into any PC -- disadvantage
   People have become used to not worrying about security on
   their own PCs as nobody else could log in. Once "domained"
   anyone can log in.

3) Complexity
   I am concerned about keeping this whole house of cards working with
   a PDC in MtLaurel and "slave" PDCs in the other locations. Our
   people travel a lot and they need to use resources while in non-home
   offices. How do they join the MtLaurel PDC and then move to the Sophia
   one? How do they use one inside the corporate network from outside?

4) Password change -- this is the thing driving (forcing) the issue.
   With a PDC, the user logs in at the Windows client with the same password
   as is used for all the other network resources. It can be set up to
   expire passwords and the user can change their password from the login
   dialog (or with Ctrl-Alt-Del...) and it will take effect for everything.

Is there any way to get just this capability without all the issues
associated with a PDC?

--
Gary Algier, WB2FWZ gaa at ulticom.com +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054 Fax:+1 856 866 2033
Nielsen's First Law of Computer Manuals:
People don't read documentation voluntarily.