Koozali.org: home of the SME Server

How to couple two SMEs across two network segments?

Offline turandot

How to couple two SMEs across two network segments?
« on: July 17, 2008, 04:21:38 PM »
Hi,

I am using SME now for quite a while: good stuff  8) However I am now stuck with quite a challenge... Consider the following setup with SMEs acting in "Server only" configuration.


Network setup

SME-Server1 (IP address 192.168.1.2) <-(LAN)-> Gateway1 (IP address 192.168.1.1) <-(VPN/WAN)-+
                                                                                             |
SME-Server2 (IP address 192.168.2.2) <-(LAN)-> Gateway2 (IP address 192.168.2.1) <-(VPN/WAN)-+

Goal:

  • Setup a unique Windows Domain across both network segments with SME-Server1 acting as Domain controller. All Windows clients on both subnets as well as SME-Server2 should authenticate against SME-Server1.

Achieved so far

  • IP and DNS across both network segments work perfectly. Ping by IP address and by DNS name works; the same applies to accessing the web server of SME-Server1 from the network segment 192.168.2.0 (and vice versa).
  • Both SME-Servers work perfectly on their own in their network segment.

To be done

  • How to setup e.g. SME-Server2 to act as "slave" to SME-Server1?
  • How to enable Windows clients on network segment 192.168.2.0 to authenticate against Domain controller in different subnet?

Background

Currently I am working with two Windows domains, one in each network segment, but I would like to merge them into a single domain... I know that a domain across multiple network segments is quite tricky, and I have also read "Using Samba". However I would like to get some advice whether my idea is feasible with SME or whether it is too hard manual work to be achieved. So if someone has some ideas or advice....

Thx, turandot

Offline turandot

Re: How to couple two SMEs across two network segments?
« Reply #1 on: July 19, 2008, 12:20:23 PM »
May be I need to refine my thoughts / requirements a little bit further...

My only requirement for SME-Server2 is providing local disk space in that network segment because the bandwidth between both network segments is limited. Otherwise I would just rely on a single SME: SME-Server1.

With regard to the configuration of SME-Server2, I am now thinking that the two network segments are of secondary relevance. The principle questions are:
  • Is it possible to couple SME-Server2 to SME-Server1 in such a way that there is a common user database, i.e. that of SME-Server1? Can the user database of SME-Server2 be "synced" to that of SME-Server1? Is it possible to use SME-Server2 as a domain member server of SME-Server1?
  • Is it possible to setup SME-Server2 as WINS proxy to SME-Server1?

Having read "Using Samba" once again, I would use the following options for a "naked" Samba installation (instead of SME-Server2) in the [global] section of smb.conf for the second bullet point above:
Code:
# section to configure NetBIOS browsing
domain master = no
local master = yes
preferred master = yes
os level = 65
# section for WINS support
wins server = <DNS or IP of SME-Server1>
wins proxy = yes
name resolve order = wins lmhosts bcast host

Does it make sense at all to use the SME distro for a domain member server? Any ideas / considerations / suggestions?

Thanks a lot!

Offline arne

Re: How to couple two SMEs across two network segments?
« Reply #2 on: July 19, 2008, 07:42:31 PM »
I am not very updated on "everything", but as it used to be, it is not possible to run a Samba domain over two subnets. Reason: Samba uses non-routable protocols. I would believe this is still the answer: no, it cannot be done, as a Samba domain always has to be used from one subnet because of the non-routable nature of the Samba protocol(s).

Any other point of views on this item ?
......

Offline turandot

Re: How to couple two SMEs across two network segments?
« Reply #3 on: July 19, 2008, 08:41:31 PM »
Hi arne,

although browsing across subnets is complicated, it is still supported, see e.g. http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html#id371479 . There is only a single difference between a workgroup and a domain: the latter uses a single common user database, whereas the former uses two or more decoupled ones.

You are correct that NetBIOS broadcasts are not routed, but with the support of a WINS server (part of Samba) it should work because there is no need for broadcasts anymore.

Thx, turandot

Offline arne

Re: How to couple two SMEs across two network segments?
« Reply #4 on: July 21, 2008, 02:51:47 PM »
My only knowledge about this theme is from setting up and modifying diverse firewalls for SME server, and related to this doing packet dumping, traffic monitoring etc.

It is my impression from looking into the data traffic that the sme server does the Samba in the old style with broadcasts, etc. For the sme server and as a result of how the Samba implementation for the sme server is done, I would guess it can not do samba over more than one subnet.

I would guess it would require some more heavy modifications for the Samba part of it to make it do things completely different.

Thanks for updated info about the Samba development.

Anybody from the development team that can say something more reasonable about this item ?
......

Offline turandot

Re: How to couple two SMEs across two network segments?
« Reply #5 on: July 21, 2008, 03:14:08 PM »
Hi arne,

interestingly this thread in German language was started two days after this one: http://forums.contribs.org/index.php?topic=41630.0 Actually it covers exactly the same topic, at least from my perspective. This thread is referring to this enhancement request: http://bugs.contribs.org/show_bug.cgi?id=4172 "ServerRole=DM: SME will perform as a Windows Domain Member" is exactly what I was looking for.

Conclusion: the requested feature is under development now and will be probably added later. I need to evaluate the enhancement made by Greg Zartman. I will post the results, but this may take quite a few weeks.

Thanks a lot to this great forum!

turandot

Offline turandot

Re: How to couple two SMEs across two network segments?
« Reply #6 on: July 22, 2008, 07:45:03 PM »
Success!

Although I did not achieve an entirely clean solution, I figured out how to use customized templates to achieve what I was after. Have a look here: http://forums.contribs.org/index.php?topic=41630.15 . I will translate the solution and post it here on request.

Many thanks, turandot

Offline jptechnical

Re: How to couple two SMEs across two network segments?
« Reply #7 on: September 04, 2008, 05:31:27 AM »
Please translate. I am trying to figure out how to make an sme server a member server... I am trying to keep a single ldap but multiple servers.

Thanks.

Offline janet

Re: How to couple two SMEs across two network segments?
« Reply #8 on: September 04, 2008, 06:00:17 AM »
turandot

Please translate & also create a wiki article howto and share your work with others.

Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline the-heck

Re: How to couple two SMEs across two network segments?
« Reply #9 on: September 05, 2008, 02:11:22 PM »
Please translate.  Thank you very much in advance.

Offline psdata

Re: How to couple two SMEs across two network segments?
« Reply #10 on: September 09, 2008, 11:40:30 AM »
Hello

I have done this once before with the howto from Swerts-Knudsen

http://sme.swerts-knudsen.dk/index.html?frame=http%3A//sme.swerts-knudsen.dk/howtos/howto_6.htm

Some header topic info:
Quote
NIS, or Network Information Service, is a service that provides information that has to be known throughout the network to all machines on the network. NIS is a system that becomes very useful when you have more than one SME server in your network and you want to be able to log into all of them with the same username. First we need to install the NIS Master Server and secondly the NIS Client.


Maybe you can use this info

Regards

John

Offline EnglishRob

Re: How to couple two SMEs across two network segments?
« Reply #11 on: September 10, 2008, 10:25:21 PM »
I too have been looking for details on how to do this sort of thing with an SME Server acting as a master server at one site, and having a secondary SME server at another site.

Quote from: psdata on September 09, 2008
I have done this once before with the howto from Swerts-Knudsen

http://sme.swerts-knudsen.dk/index.html?frame=http%3A//sme.swerts-knudsen.dk/howtos/howto_6.htm

Maybe you can use this info


Does this mean using NIS, if I was to create a user on the master server at the main site, they would be able to login to the slave server at the remote site too?

Does the user have to be configured on both servers or can the slave server just be installed without any users? (Assuming it won't have any iBays or home shares for the users themselves).

I do wonder too, is it possible to add a user via the command line, i.e. run the command that are run through the web interface to add a new user?

What I'm thinking is that when a new user is added/deleted they can be created on the master server and then this could ssh into the secondary server and run the scripts on there, does this sound feasible?

Rob

Offline turandot

Re: How to couple two SMEs across two network segments?
« Reply #12 on: September 19, 2008, 11:39:57 PM »
@all

first of all please excuse my long absence. I have seen your requests for translation, but I am currently changing my job, and in fact I am working on two contracts in parallel... So here is my translation  8-)

First of all I have to admit that I don't have an entirely clean solution: it is sort of botched together. So use this approach with care. Today I have seen an update in this other German thread, and I hope that I will be able to drive it a little further.

So what does the approach provide? The second, slave SME "integrates" into the domain in such a way that it provides WINS services for the local network segment. However, there are still two separate user databases which need to be updated in parallel (the first SME being the domain controller with option "DomainController: Yes" and the second SME with option "DomainController: No"). This is not too much of a problem for me because I have a VERY limited number of users in the second network segment.

This is the concept:
  • Configure first SME through web-GUI to become domain controller
  • Configure second SME through web-GUI to be NOT a domain controller
  • Create customized templates on second SME with necessary Samba options
The use of custom templates will keep applied tweaks even though the SME distro might be updated or changes of the Samba configuration are applied through the web-GUI.

All following steps should be performed in a root shell.

Create /etc/e-smith/templates-custom/etc/smb.conf/11winsLocalMaster containing:
Code:
local master = yes
Create /etc/e-smith/templates-custom/etc/smb.conf/11winsOsLevel containing:
Code:
os level = 65
Create /etc/e-smith/templates-custom/etc/smb.conf/11winsPreferredMaster containing:
Code:
preferred master = yes
Create /etc/e-smith/templates-custom/etc/smb.conf/11winsProxy containing:
Code:
wins proxy = yes
Create /etc/e-smith/templates-custom/etc/smb.conf/11winsServer containing:
Code:
wins server = <IP address or DNS name of first SME-Server>
Then expand the template, i.e. run (the following command is currently based on best guess, sorry!)
Code:
/sbin/e-smith/expand-template /etc/samba/smb.conf
Now restart the Samba daemon:
Code:
/etc/init.d/smb restart
Alternatively reboot the SME server.

That's it. Be aware of the fact that I achieved NetBIOS name resolution just in the slave network: the NetBIOS names of those machines are replicated up to the SME domain controller, but not vice versa. I did not figure out why this is the case.

So folks: good luck now. Please post further thoughts, results, suggestions.

Thanks to all in this forum, turandot.
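Putting the smb.conf options from Reply #1 and the template fragments from Reply #12 together, here is an added example script. It is not from this thread and not SME Server's own code; the helper names, the fragment names, the sample "default" fragments used in the dry run and the assumption that the second SME is a plain SysV box with /etc/init.d/smb are all mine. It writes the five fragments as literal smb.conf lines, previews how expand-template merges a templates-custom directory with the stock fragments (a same-named custom fragment replaces the default one, then everything is concatenated in lexical order, which is why the 11wins* fragments land after the stock 10global), and checks the effective [global] values before Samba is restarted. The check matters because nmbd refuses to start when "wins support = yes" and "wins server" are both set, so if the stock template already makes the box a WINS server the mistake is caught before the restart rather than after.

```shell
#!/bin/sh
# Added example (not from the thread or from SME Server itself).
# Builds the templates-custom fragments from Reply #12 as literal smb.conf
# lines, previews how expand-template merges them, and checks the effective
# [global] options before nmbd is restarted. The fragment names, the sample
# default fragments in the dry run and the helper names are assumptions.

# 1. Write the five fragments. Text outside { } in an e-smith template
#    fragment is copied verbatim, so plain smb.conf lines are enough.
write_wins_fragments() {   # $1 = custom smb.conf template dir, $2 = WINS server (SME-Server1)
    dir=$1 wins=$2
    mkdir -p "$dir" || return 1
    printf 'local master = yes\n'       > "$dir/11winsLocalMaster"
    printf 'os level = 65\n'            > "$dir/11winsOsLevel"
    printf 'preferred master = yes\n'   > "$dir/11winsPreferredMaster"
    printf 'wins proxy = yes\n'         > "$dir/11winsProxy"
    printf 'wins server = %s\n' "$wins" > "$dir/11winsServer"
}

# 2. Dry-run merge: a custom fragment replaces the default fragment of the same
#    name, then all fragments are concatenated in lexical order (so the
#    11wins* fragments come after 10global and override its values).
render_fragments() {       # $1 = default fragment dir, $2 = custom fragment dir
    { ls "$1" 2>/dev/null; ls "$2" 2>/dev/null; } | sort -u | while read -r frag; do
        if [ -f "$2/$frag" ]; then cat "$2/$frag"; else cat "$1/$frag"; fi
    done
}

# 3. Effective value of one [global] parameter: Samba keeps the last
#    occurrence, so later fragments win; other sections are ignored.
effective_value() {        # $1 = rendered smb.conf, $2 = parameter name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*\[/ { inglobal = (tolower($0) ~ /^[[:space:]]*\[global\][[:space:]]*$/); next }
        inglobal && /[=]/ && !/^[[:space:]]*[#;]/ {
            k = $0; sub(/[=].*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            v = $0; sub(/^[^=]*[=][[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
            if (tolower(k) == key) val = v
        }
        END { print val }' "$1"
}

is_yes() { case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in yes|true|1) return 0;; *) return 1;; esac; }

# 4. Consistency check for the second (non-PDC) SME. nmbd refuses to start when
#    "wins support = yes" and "wins server" are both set; a non-PDC must also
#    not claim "domain master = yes"; and the whole point is "wins proxy = yes".
check_wins_config() {      # $1 = rendered smb.conf; returns 0 when consistent
    rc=0
    if is_yes "$(effective_value "$1" 'wins support')" && [ -n "$(effective_value "$1" 'wins server')" ]; then
        echo "wins support = yes and wins server are both set; nmbd will abort" >&2; rc=1
    fi
    if is_yes "$(effective_value "$1" 'domain master')"; then
        echo "domain master = yes on the non-PDC would fight SME-Server1 for the domain master role" >&2; rc=1
    fi
    is_yes "$(effective_value "$1" 'wins proxy')" || { echo "wins proxy is not enabled" >&2; rc=1; }
    return $rc
}

# 5. The real thing, as root on SME-Server2. Skipped when the e-smith tools are
#    absent so steps 1-4 can still be exercised on any machine.
apply_on_sme() {           # $1 = address or name of SME-Server1 (the WINS server)
    [ -x /sbin/e-smith/expand-template ] || { echo "not an SME server; nothing applied" >&2; return 2; }
    write_wins_fragments /etc/e-smith/templates-custom/etc/smb.conf "$1" || return 1
    /sbin/e-smith/expand-template /etc/samba/smb.conf || return 1
    check_wins_config /etc/samba/smb.conf || return 1
    testparm -s /etc/samba/smb.conf >/dev/null || return 1   # syntax check before restarting
    /etc/init.d/smb restart
}
```

Source the file and call `apply_on_sme 192.168.1.2` on the second SME; on any other machine the first four functions can be exercised against a scratch copy of the fragment directories, which is what the dry-run merge is for. `effective_value` is the piece worth keeping around: it answers "which of two conflicting fragments won" without restarting anything.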