Hi,

I've been reading up on SSO-based logins for the last couple of weeks. I've found a lot of information about it, but nothing that matches my situation. Here's the gist of my situation...

- I have a Samba 3 PDC in our corporate office as well as three remote offices.

- Each remote office is in a different physical building and connected to the Corporate office either via Point-to-Point T-1 or a Cisco PIX on-demand VPN tunnel. Each office resides in a separate IP subnet.

- Each office is a separate domain. Each server has its own domain user and group accounts.

- I have laptop users who travel between the various offices on a regular basis. I also have some desktop users who travel to remote offices to provide training and such.

What I'd like to do is make this a fault-tolerant SSO environment. Fault tolerance is very important for us in case one of the VPN tunnels or T-1s goes down--each office would still need to be able to log in to their server(s) and work.

Another challenge has been laptop users--if they're configured for the Corporate office domain, they cannot access the domains of remote offices while on-site at those locations. This has always been a manual workaround for them to get access to printers and network shares.

Can anyone suggest a direction to go in here? I know this is a lot; I'm not looking for someone to do the work. I just need some help locating the appropriate technology or how-tos for configuring something of this scale.

Thanks, in advance, for your help!

~ Tom
I assume the remote VPNs are full tunnels, and that you can ping any of the computers in any of the networks from any of the networks.

You should create trust relationships among all of the domains, along with permissions that allow logons and file access cross-domain - an important omission in the documentation. Search Google with "trust relationship" site:samba.org.

You will also want WINS running on all servers, with each server calling the others and accepting calls from the other servers. This is also documented.

The key with the laptop users is to log on first to the home domain. This caches the profile password, and as long as the password is not changed (on either side) while the home server is unavailable, everything will be OK. Assuming 2000, XP, and/or Vista clients, of course.

(You might also want to consider an LDAP backend with master/slave relationships among them, but this is highly complex and error-prone if you are not an LDAP expert.)

I run similar complex setups without a problem; the key is to make sure the smb.conf has the WINS and subnetting info in place, that the trust relationships work, and that permissions are set correctly. It does require some planning, and quite an amount of rote work, but all the documentation is right there on samba.org.

This is done pretty much the same way it was done in NT4, so any docs/flowcharts you find for NT4 apply to Samba. Samba HOWTO/docs + NT4 charts = easiest way.

Thanks,
Carlos

-----Original Message-----
From: samba-bounces+carlos=sinu.com@lists.samba.org on behalf of Thomas Smith
Sent: Sun 7/29/2007 9:22 PM
To: samba@lists.samba.org
Subject: [Samba] SSO across multiple physical subnets
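Carlos's reply describes the pieces (WINS and cross-subnet browsing settings in smb.conf, plus NT4-style trust relationships between the domains) without showing them. The script below is an added example written for this page; it is not code from the thread or from the Samba project. It renders the [global] section of smb.conf for one Samba 3 PDC in Tom's four-domain layout and prints the one-time "net rpc trustdom" commands that set up the trusts. The domain names, NetBIOS names, subnets, addresses and idmap ranges are constructed assumptions. It departs from the reply in one respect: it runs a single WINS server (on the corporate PDC) and points the other PDCs at it with "wins server", because Samba 3 does not replicate the WINS database between servers, so one independent WINS server per site would leave each site with a different name table. The trust commands follow the Samba HOWTO's interdomain-trust procedure: the trusted domain creates the interdomain trust account, the trusting domain then establishes the trust, and each direction is a separate one-way trust.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): render the
# [global] section of smb.conf for one Samba 3 PDC in a multi-site,
# multi-domain layout, and list the one-time 'net rpc trustdom' commands
# that make every domain trust every other domain.  Domain names, NetBIOS
# names, subnets and addresses below are constructed assumptions.

# Site table: DOMAIN  NETBIOS_NAME  SUBNET_BROADCAST  PDC_IP
SITES="CORP   CORP-PDC   192.168.1.255  192.168.1.10
EAST   EAST-PDC   192.168.2.255  192.168.2.10
WEST   WEST-PDC   192.168.3.255  192.168.3.10
NORTH  NORTH-PDC  192.168.4.255  192.168.4.10"

# One WINS server for the whole WAN: Samba 3 does not replicate WINS
# databases, so the other PDCs point at this one with 'wins server'.
WINS_SERVER=192.168.1.10

# other_sites DOMAIN: table rows for every site except DOMAIN
other_sites() {
    printf '%s\n' "$SITES" | awk -v me="$1" '$1 != me'
}

# render_smb_conf DOMAIN: [global] section for that domain's PDC
render_smb_conf() {
    dom=$1
    row=$(printf '%s\n' "$SITES" | awk -v me="$dom" '$1 == me')
    [ -n "$row" ] || { echo "unknown domain: $dom" >&2; return 1; }
    set -- $row
    nb=$2
    ip=$4
    # 'remote announce' makes this server appear in the browse lists of the
    # other subnets; 'remote browse sync' exchanges browse lists with the
    # master browsers there.  Both are sent to the directed broadcast
    # address of each remote subnet, so they cross the T-1/VPN links.
    peers=""
    for bc in $(other_sites "$dom" | awk '{ print $3 }'); do
        peers="$peers $bc"
    done
    cat <<EOF
[global]
    workgroup = $dom
    netbios name = $nb
    security = user
    domain logons = yes
    domain master = yes
    preferred master = yes
    os level = 65
    name resolve order = wins lmhosts hosts bcast
    remote announce =$peers
    remote browse sync =$peers
EOF
    if [ "$ip" = "$WINS_SERVER" ]; then
        echo "    wins support = yes"
    else
        echo "    wins server = $WINS_SERVER"
    fi
    # winbindd maps users of trusted domains onto local uids/gids so that
    # share and printer permissions can name them; the ranges are assumed.
    cat <<EOF
    allow trusted domains = yes
    idmap uid = 10000-19999
    idmap gid = 10000-19999
EOF
}

# trust_commands DOMAIN: commands for two one-way NT4-style trusts between
# DOMAIN and each other domain.  The trusted side creates the interdomain
# trust account (named after the trusting domain); the trusting side then
# establishes the trust with the same password.  Use a separate, strong
# password per direction (shown as <pw>) and do not leave it in scripts.
trust_commands() {
    dom=$1
    mynb=$(printf '%s\n' "$SITES" | awk -v me="$dom" '$1 == me { print $2 }')
    other_sites "$dom" | while read -r other onb obc oip; do
        echo "# $other trusts $dom (users of $dom may use $other's shares)"
        echo "[$mynb]  net rpc trustdom add $other '<pw>' -Uroot"
        echo "[$onb]   net rpc trustdom establish $dom"
        echo "# $dom trusts $other"
        echo "[$onb]   net rpc trustdom add $dom '<pw>' -Uroot"
        echo "[$mynb]  net rpc trustdom establish $other"
    done
    echo "# verify on any PDC:  net rpc trustdom list"
}

# Demo: the corporate PDC's config and the trust setup for EAST.
if [ "${1:-}" = "demo" ]; then
    render_smb_conf CORP
    trust_commands EAST
fi
```

Run it as "sh sites.sh demo" to print the corporate PDC's [global] section followed by the six trust commands for EAST; "testparm" on the resulting smb.conf checks the syntax before smbd is restarted. What this does and does not give Tom: a laptop user logged on to CORP can reach EAST's shares and printers through the trust while the link is up, but because each domain's accounts still live on its own PDC, EAST's server has to pass that user's authentication through to CORP's PDC, so cross-domain access stops when a tunnel or T-1 drops while logons within each office keep working. A BDC per site or the LDAP backend Carlos mentions is what would remove that dependency.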
Hi Tom,

Sounds like a "chapter 6 samba 3 by example" scenario.
http://us1.samba.org/samba/docs/man/Samba-Guide/2000users.html

Cheers,
Adrian Sender

>From: Thomas Smith <tom71713-misc@inqone.com>
>To: <samba@lists.samba.org>
>Subject: [Samba] SSO across multiple physical subnets
>Date: Sun, 29 Jul 2007 18:22:04 -0700