Thibault Vançon
2010-Jan-29 10:59 UTC
[Samba] Multi samba domain in one LDAP Backend with multi-site authentication
Hello,

I need some help to set up a multi-site authentication architecture with Samba.

Our company is composed of 6 sites which are VPN-linked. On each, there is a Samba 3.0.27 PDC with an LDAP backend on Debian Etch (I will probably upgrade it to Lenny with this project, and to a newer version of Samba). We would like to permit a user of one domain to log in to another with the same credentials.

Actually, if a user needs to connect to a share of another domain, we have to create the user again in the other LDAP backend. So we have a lot of duplicates, which is not very good because we store a lot of administrative information such as email, function, etc., and we need to use LDAP for other applications (Intranet on Apache server, ERP, ...).

My boss is not closed to that and wants to keep the multi-domain architecture (I'm actually converting it to free software...). I know that it would be easier to have only one domain with LDAP replication, but he still doesn't want that.

Is there a multi-Samba-domain schema for LDAP? What about trust relationships? Do they work fine? Other possibilities (RADIUS, etc.)?

Thanks a lot for your answer, and sorry for my English, which is not very good.

Thibault Vançon
---------
System and Network administrator - Alsapan - France
Gaiseric Vandal
2010-Jan-29 15:50 UTC
[Samba] Multi samba domain in one LDAP Backend with multi-site authentication
On 01/29/10 05:59, Thibault Vançon wrote:
> Hello,
>
> I need some help to set up a multi-site authentication architecture with Samba.
>
> Our company is composed of 6 sites which are VPN-linked. On each, there is a Samba 3.0.27 PDC with an LDAP backend on Debian Etch (I will probably upgrade it to Lenny with this project, and to a newer version of Samba). We would like to permit a user of one domain to log in to another with the same credentials.
>
> Actually, if a user needs to connect to a share of another domain, we have to create the user again in the other LDAP backend. So we have a lot of duplicates, which is not very good because we store a lot of administrative information such as email, function, etc., and we need to use LDAP for other applications (Intranet on Apache server, ERP, ...).
>
> My boss is not closed to that and wants to keep the multi-domain architecture (I'm actually converting it to free software...). I know that it would be easier to have only one domain with LDAP replication, but he still doesn't want that.
>
> Is there a multi-Samba-domain schema for LDAP? What about trust relationships? Do they work fine? Other possibilities (RADIUS, etc.)?
>
> Thanks a lot for your answer, and sorry for my English, which is not very good.
>
> Thibault Vançon
> ---------
> System and Network administrator - Alsapan - France

The Samba HOWTO book documentation on www.samba.org does a pretty good job of explaining inter-domain trusts. It does allow users from one domain to have access to resources in another domain. The Samba domains are trusting each other. The LDAP server in one domain does not have to talk to the LDAP server in another domain. You do need to use winbind and set up IDMAP ranges, which can get a little tricky. So if each site has its own domain, and each domain has only one PDC, you will not have to worry about LDAP replication.
There are some benefits to a multiple-domain approach:
- if you need to designate local administrators in each domain but not for the entire company;
- there is a logical business division between each site (maybe one site has the Sales people and one site has the Engineering people);
- fewer problems if your VPN links are unreliable or slow.

If you want to consolidate domains, you may want to make sure that each remote site has a Samba BDC (with LDAP replication) and a reliable VPN connection. Either way you want people to run their login scripts and have their home directories on a server in their site. You also may want to consider having a WINS server in each site, depending on the number of computers.
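The IDMAP ranges mentioned above are where multi-domain Samba setups commonly go wrong: if a trusted domain's range overlaps the uid range of the accounts in the local LDAP tree, two different SIDs can end up mapped to the same uid and file ownership and permission checks become ambiguous. As an added example (not code from the thread or from the Samba project), this Python script parses the idmap ranges out of a constructed Samba 3.x smb.conf fragment and reports every overlapping pair; the domain names, hostname and ranges are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed Samba 3.x smb.conf fragment (not from the thread): an ldapsam PDC
# trusting two other site domains. SITEB's range deliberately overlaps the
# local LDAP uid range so the check below has something to report.
SAMPLE_SMB_CONF = """
[global]
    workgroup = SITEA
    passdb backend = ldapsam:ldap://ldap.sitea.example
    allow trusted domains = yes
    # uids of the accounts stored in the local LDAP tree
    idmap uid = 10000-19999
    idmap config SITEB : backend = rid
    idmap config SITEB : range = 15000-24999
    idmap config SITEC : backend = rid
    idmap config SITEC : range = 30000-39999
"""

RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
DOMAIN_RANGE_RE = re.compile(r"^idmap config (\S+) ?: ?range$", re.I)

def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """'LOCAL' (from 'idmap uid') and each 'idmap config DOMAIN : range' -> (low, high)."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:   # comments, section headers
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\s+", " ", key.strip())
        m = DOMAIN_RANGE_RE.match(key)
        name = m.group(1).upper() if m else ("LOCAL" if key.lower() == "idmap uid" else None)
        if name is None:
            continue
        r = RANGE_RE.match(value.strip())
        if not r or int(r.group(1)) > int(r.group(2)):
            raise ValueError(f"bad idmap range for {name}: {value.strip()!r}")
        ranges[name] = (int(r.group(1)), int(r.group(2)))
    return ranges

def find_overlaps(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of names whose uid ranges intersect, i.e. two SIDs could share one uid."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

if __name__ == "__main__":
    for a, b in find_overlaps(parse_idmap_ranges(SAMPLE_SMB_CONF)):
        print(f"OVERLAP: {a} and {b} share uids; fix before enabling the trust")
```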
Thibault Vançon
2010-Feb-01 09:02 UTC
[Samba] Multi samba domain in one LDAP Backend with multi-site authentication
Thanks Gaiseric for your answer.

I know these things about trust relationships, even if I still haven't set one up, but we need to have only one LDAP backend, to allow other applications to authenticate users with LDAP. We can't specify more than one backend in our applications.

I've thought that I could create a different OU for each domain, and configure smbldap-tools and PAM to work with this OU, with a base like dc=DOMAIN, dc=company, dc=com, and replicate this LDAP to the other sites. But is it possible to use a trust relationship with this kind of LDAP structure? Will I need IDMAP?

Thanks,
Thibault