From: tms3 on
> On Friday 09/07/2010 at 4:36 am, Tamás Pisch wrote:
>> Hello,
>>
>> I have a PDC with master ldap backend and a BDC with slave ldap backend
>> (both are SaMBa 3.2 on Debian Lenny). I want to install an additional SaMBa
>> server on another site (on Debian Squeeze). The two sites are connected
>> with VPN (on not so reliable ADSL lines). I read an interesting network
>> scenario in the Samba Guide chapter 6: theoretically it is possible to
>> install one PDC on both sites, with the same domain, server name, and SID.
>> I like this idea, but: is there anyone who has tried that and has experience
>> with it?
>
> No, but your best option is to simply use LDAP replication and install
> an LDAP server on the remote location server. This way, auth traffic
> on the remote is always local (saving bandwidth) and is available
> regardless of the link being up or down. Do the same with DNS, and
> you'll be quite happy with the results as will your users.
>> Thank you, in advance.
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
From: Scott Grizzard on
I think the multi-master replication sort-of defeats the purpose of
the PDC in the remote office - multi-master replication means the
information must be sent to both servers anyway. If I recall
correctly, I think Chapter 6 refers to running BDC's in each remote
office, and only one PDC...

I played with this once, and I got it working by setting up a PDC and
BDC in the main office, a BDC (not PDC) in the remote office, and
using LDAP's new multi-master replication to keep everything in sync.
Throw in your DNS database, and it works, it's cool, but I think it
was so not worth the effort (unless you have nothing better to do with
your 20% time). I spent a whole lot of time making sure the configs
were perfect for the multi-master replication.

The thing that threw the monkey-wrench is DNS and DHCP... I ended up
putting all the DHCP information into the LDAP as well, with defined
IP addresses for every MAC, because DHCPd updates the DNS when a new
user requests an IP address. Since I put a DHCP server on both sides
of the VPN, I needed multi-master replication for the DNS information
so the computers could find each other. In the end, I dumped the MAC
addresses from my hardware catalog into the LDAP, and preassigned all
the IPs to reduce the number of writes to the LDAP server.

I found it is much easier to set up two separate domains and have them
trust each other, using different branches of the same LDAP tree.
Then, let one server write to one branch, the other server write to
the other branch, and do multi-master replication between them. That
way, there is no worrying about simultaneous updates or any of that
jazz. Not as cool...or as elegant, but it made my life easier by
isolating problems. I did the same for the DNS information, setting
up separate zones for each physical office. Since the information was
in the same tree, it was much easier to configure mail servers and
other services needing directory information, and since I did not
delegate the branches, the mail server (only in the main office) did
not need to read off my remote directories over VPN.

Of course, my users only visited each others' offices "occasionally".
If you have tons of movement between the offices, a one-domain
solution may be forced upon you...

On Fri, Jul 9, 2010 at 8:58 AM, <tms3(a)tms3.com> wrote:
>> On Friday 09/07/2010 at 4:36 am, Tamás Pisch wrote:
>>> Hello,
>>>
>>> I have a PDC with master ldap backend and a BDC with slave ldap backend
>>> (both are SaMBa 3.2 on Debian Lenny). I want to install an additional SaMBa
>>> server on another site (on Debian Squeeze). The two sites are connected
>>> with VPN (on not so reliable ADSL lines). I read an interesting network
>>> scenario in the Samba Guide chapter 6: theoretically it is possible to
>>> install one PDC on both sites, with the same domain, server name, and SID.
>>> I like this idea, but: is there anyone who has tried that and has experience
>>> with it?
>>
>> No, but your best option is to simply use LDAP replication and install an
>> LDAP server on the remote location server.  This way, auth traffic on the
>> remote is always local (saving bandwidth) and is available regardless of the
>> link being up or down.  Do the same with DNS, and you'll be quite happy with
>> the results as will your users.
>>> Thank you, in advance.

--
----
Scott Grizzard
Scott(a)ScottGrizzard.com
http://www.ScottGrizzard.com
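As an added illustration of the two designs discussed in this thread (tms3's local LDAP replica at each site, and Scott's split of write authority per branch under one multi-master tree), here is an OpenLDAP 2.4 slapd.conf fragment for the main-office server; it is example configuration written for this thread, not anything posted by the participants. The suffix, branch names, peer hostname, replication account and Samba bind DN are assumed placeholders; the remote site runs the mirror image with serverID 2 and the two branch names swapped.

```conf
# Main-office slapd.conf (OpenLDAP 2.4). Added example for this thread, not
# from any participant. Assumed: suffix dc=example,dc=com, branches ou=main
# and ou=remote, peer ldap-remote.example.com, accounts cn=replicator and
# cn=samba. The remote site uses serverID 2 and swaps the two branch names.
# Schema includes (core, cosine, nis, inetorgperson, samba) are omitted.
# serverID must differ on each mirror-mode provider.
serverID        1
database        hdb
suffix          "dc=example,dc=com"
# rootdn is required: the syncrepl consumer applies remote updates as rootdn.
rootdn          "cn=admin,dc=example,dc=com"
rootpw          {SSHA}PLACEHOLDER-hash-from-slappasswd
directory       /var/lib/ldap
index           objectClass,entryCSN,entryUUID,uid,sambaSID eq
limits dn.exact="cn=replicator,dc=example,dc=com" time=unlimited size=unlimited
# Provider side: the remote site pulls from here.
overlay         syncprov
syncprov-checkpoint 100 10
# Consumer side: pull the whole tree from the remote site; retry forever
# because the ADSL VPN will drop and must not leave replication dead.
syncrepl        rid=002
                provider=ldap://ldap-remote.example.com
                type=refreshAndPersist
                retry="30 10 300 +"
                searchbase="dc=example,dc=com"
                bindmethod=simple
                binddn="cn=replicator,dc=example,dc=com"
                credentials=PLACEHOLDER-secret
                starttls=critical
# Accept local writes although this database is also a consumer.
mirrormode      on
# Write authority is split by branch: clients may only change ou=main here.
# Replicated changes bypass these ACLs, so the remote branch still updates.
access to dn.subtree="ou=remote,dc=example,dc=com" attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by anonymous auth
        by * none
access to dn.subtree="ou=main,dc=example,dc=com" attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by dn.exact="cn=samba,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none
access to dn.subtree="ou=remote,dc=example,dc=com" by * read
access to dn.subtree="ou=main,dc=example,dc=com"
        by dn.exact="cn=samba,dc=example,dc=com" write
        by * read
access to * by * read
```

With this layout the BDC at each site binds to its own local slapd for reads and for the password changes of its own branch, so a dead VPN only delays replication rather than blocking authentication.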
From: tms3 on
> SNIP
>
> I think the multi-master replication sort-of defeats the purpose of
> the PDC in the remote office - multi-master replication means the
> information must be sent to both servers anyway. If I recall
> correctly, I think Chapter 6 refers to running BDC's in each remote
> office, and only one PDC...
>
> I played with this once, and I got it working by setting up a PDC and
> BDC in the main office, a BDC (not PDC) in the remote office, and
> using LDAP's new multi-master replication to keep everything in sync.
> Throw in your DNS database, and it works, it's cool, but I think it
> was so not worth the effort (unless you have nothing better to do with
> your 20% time). I spent a whole lot of time making sure the configs
> were perfect for the multi-master replication.

I found it quite simple. But I had a rather extensive use of NTLM auth
stuff going on as well.
> The thing that threw the monkey-wrench is DNS and DHCP... I ended up
> putting all the DHCP information into the LDAP as well, with defined
> IP addresses for every MAC, because DHCPd updates the DNS when a new
> user requests an IP address. Since I put a DHCP server on both sides
> of the VPN, I needed multi-master replication for the DNS information
> so the computers could find each other. In the end, I dumped the MAC
> addresses from my hardware catalog into the LDAP, and preassigned all
> the IPs to reduce the number of writes to the LDAP server.

Well, I'll just say there are many ways to skin a cat, and leave it at
that.
> I found it is much easier to set up two separate domains and have them
> trust each other, using different branches of the same LDAP tree.
> Then, let one server write to one branch, the other server write to
> the other branch, and do multi-master replication between them. That
> way, there is no worrying about simultaneous updates or any of that
> jazz. Not as cool...or as elegant, but it made my life easier by
> isolating problems. I did the same for the DNS information, setting
> up separate zones for each physical office. Since the information was
> in the same tree, it was much easier to configure mail servers and
> other services needing directory information, and since I did not
> delegate the branches, the mail server (only in the main office) did
> not need to read off my remote directories over VPN.
>
> Of course, my users only visited each others' offices "occasionally".
> If you have tons of movement between the offices, a one-domain
> solution may be forced upon you...
> On Fri, Jul 9, 2010 at 8:58 AM, <tms3(a)tms3.com> wrote:
>>> On Friday 09/07/2010 at 4:36 am, Tamás Pisch wrote:
>>>> Hello,
>>>>
>>>> I have a PDC with master ldap backend and a BDC with slave ldap backend
>>>> (both are SaMBa 3.2 on Debian Lenny). I want to install an additional SaMBa
>>>> server on another site (on Debian Squeeze). The two sites are connected
>>>> with VPN (on not so reliable ADSL lines). I read an interesting network
>>>> scenario in the Samba Guide chapter 6: theoretically it is possible to
>>>> install one PDC on both sites, with the same domain, server name, and SID.
>>>> I like this idea, but: is there anyone who has tried that and has experience
>>>> with it?
>>>
>>> No, but your best option is to simply use LDAP replication and install
>>> an LDAP server on the remote location server. This way, auth traffic on
>>> the remote is always local (saving bandwidth) and is available regardless
>>> of the link being up or down. Do the same with DNS, and you'll be quite
>>> happy with the results as will your users.
>>>> Thank you, in advance.

From: Scott Grizzard on
How did you get it working like that so quickly? Did you get it
working with two primary domain controllers? (As opposed to one PDC
and two BDC's?)

How did you manage to resolve the DNS update issue?

On Fri, Jul 9, 2010 at 12:58 PM, <tms3(a)tms3.com> wrote:
>> SNIP
>>
>> I think the multi-master replication sort-of defeats the purpose of
>> the PDC in the remote office - multi-master replication means the
>> information must be sent to both servers anyway.  If I recall
>> correctly, I think Chapter 6 refers to running BDC's in each remote
>> office, and only one PDC...
>>
>> I played with this once, and I got it working by setting up a PDC and
>> BDC in the main office, a BDC (not PDC) in the remote office, and
>> using LDAP's new multi-master replication to keep everything in sync.
>> Throw in your DNS database, and it works, it's cool, but I think it
>> was so not worth the effort (unless you have nothing better to do with
>> your 20% time). I spent a whole lot of time making sure the configs
>> were perfect for the multi-master replication.
>
> I found it quite simple. But I had a rather extensive use of NTLM auth stuff
> going on as well.
>> The thing that threw the monkey-wrench is DNS and DHCP... I ended up
>> putting all the DHCP information into the LDAP as well, with defined
>> IP addresses for every MAC, because DHCPd updates the DNS when a new
>> user requests an IP address. Since I put a DHCP server on both sides
>> of the VPN, I needed multi-master replication for the DNS information
>> so the computers could find each other. In the end, I dumped the MAC
>> addresses from my hardware catalog into the LDAP, and preassigned all
>> the IPs to reduce the number of writes to the LDAP server.
>
> Well, I'll just say there are many ways to skin a cat, and leave it at that.
>> I found it is much easier to set up two separate domains and have them
>> trust each other, using different branches of the same LDAP tree.
>> Then, let one server write to one branch, the other server write to
>> the other branch, and do multi-master replication between them.  That
>> way, there is no worrying about simultaneous updates or any of that
>> jazz.  Not as cool...or as elegant, but it made my life easier by
>> isolating problems.  I did the same for the DNS information, setting
>> up separate zones for each physical office.  Since the information was
>> in the same tree, it was much easier to configure mail servers and
>> other services needing directory information, and since I did not
>> delegate the branches, the mail server (only in the main office) did
>> not need to read off my remote directories over VPN.
>>
>> Of course, my users only visited each others' offices "occasionally".
>> If you have tons of movement between the offices, a one-domain
>> solution may be forced upon you...
>> On Fri, Jul 9, 2010 at 8:58 AM,  <tms3(a)tms3.com> wrote:
>>>> On Friday 09/07/2010 at 4:36 am, Tamás Pisch  wrote:
>>>>> Hello,
>>>>>
>>>>> I have a PDC with master ldap backend and a BDC with slave ldap backend
>>>>> (both are SaMBa 3.2 on Debian Lenny). I want to install an additional SaMBa
>>>>> server on another site (on Debian Squeeze). The two sites are connected
>>>>> with VPN (on not so reliable ADSL lines). I read an interesting network
>>>>> scenario in the Samba Guide chapter 6: theoretically it is possible to
>>>>> install one PDC on both sites, with the same domain, server name, and SID.
>>>>> I like this idea, but: is there anyone who has tried that and has experience
>>>>> with it?
>>>>
>>>> No, but your best option is to simply use LDAP replication and install
>>>> an LDAP server on the remote location server. This way, auth traffic on
>>>> the remote is always local (saving bandwidth) and is available regardless
>>>> of the link being up or down. Do the same with DNS, and you'll be quite
>>>> happy with the results as will your users.
>>>>> Thank you, in advance.

From: Tamás Pisch on
> I have a PDC with master ldap backend and a BDC with slave ldap backend
> (both are SaMBa 3.2 on Debian Lenny). I want to install an additional SaMBa
> server on another site (on Debian Squeeze). The two sites are connected
> with VPN (on not so reliable ADSL lines). I read an interesting network
> scenario in the Samba Guide chapter 6: theoretically it is possible to
> install one PDC on both sites, with the same domain, server name, and SID.
> I like this idea, but: is there anyone who has tried that and has experience
> with it?
>
> No, but your best option is to simply use LDAP replication and install an
> LDAP server on the remote location server. This way, auth traffic on the
> remote is always local (saving bandwidth) and is available regardless of the
> link being up or down. Do the same with DNS, and you'll be quite happy with
> the results as will your users.

Thanks. Of course, local LDAP and DNS are fundamental. My problem is the
modifications (user and machine account passwords). They are written to the
master LDAP server. As Scott wrote me, I could set up multi-master
replication, but it is very hard.