Jérôme Tournier
2004-Feb-08 20:36 UTC
[Samba] samba PDC and BDC with ldap master and slave backend
Hi all!

In the samba-Howto, I was looking for information on how to set up both a Samba PDC and a Samba BDC with an LDAP backend. I can read:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Do not install a Samba PDC on a OpenLDAP slave server...
Possible PDC/BDC plus LDAP configurations include:
. PDC -> LDAP master server, BDC -> LDAP slave server.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

And now I am wondering about these questions:

. If the Samba BDC contains the following configuration
  => passdb backend = ldapsam:"ldap://slave.quenya.org ldap://master.quenya.org"
  will Samba store information in the master LDAP server or will it fail?
  Or is it necessary to put the master LDAP server first, like this:
  => passdb backend = ldapsam:"ldap://master.quenya.org ldap://slave.quenya.org"
. Can I install a Samba BDC with an LDAP slave server? Yes, you will answer me, but in the case where the master LDAP server is unreachable, where will the Samba BDC store new information (Machine Trust Account passwords, for example, which are periodically changed)?

Thanks for any precision :)

--
Jérôme
Andrew Bartlett
2004-Feb-08 21:36 UTC
[Samba] samba PDC and BDC with ldap master and slave backend
On Mon, 2004-02-09 at 07:35, Jérôme Tournier wrote:
> Hi all!
> In the samba-Howto, I was looking for information on how to set up
> both a Samba PDC and a Samba BDC with an LDAP backend.
> I can read:
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Do not install a Samba PDC on a OpenLDAP slave server...
> Possible PDC/BDC plus LDAP configurations include:
> . PDC -> LDAP master server, BDC -> LDAP slave server.

I have removed this comment. With the addition of the 'ldap replication sleep' parameter, this can be made to work quite well.

> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> And now I am wondering about these questions:
> . If the Samba BDC contains the following configuration
> => passdb backend = ldapsam:"ldap://slave.quenya.org ldap://master.quenya.org"
> will Samba store information in the master LDAP server or will it fail?

This will work fine. Samba will talk to the master for updates. Set 'ldap replication sleep' to the amount of time you expect the slave to take to catch up to reality. (Oh, and I know that's dodgy, but better ideas haven't yet been implemented).

> Or is it necessary to put the master LDAP server first, like this:
> => passdb backend = ldapsam:"ldap://master.quenya.org ldap://slave.quenya.org"
> . Can I install a Samba BDC with an LDAP slave server? Yes, you will answer me,
> but in the case where the master LDAP server is unreachable, where will
> the Samba BDC store new information (Machine Trust Account passwords,
> for example, which are periodically changed)?

In the configuration, if the master cannot be reached, the slave will be contacted as a read-only backup. Updates will fail.
Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
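
Added example, not part of the original thread and not Samba code: a simulated-clock model of the behaviour described in the reply above (updates are accepted only by the master, the slave is a lagging read-only copy, and 'ldap replication sleep' is the wait before reading back from the slave). The class and function names, the 800 ms lag and the `pc1$` entry are constructed assumptions.

```python
class Directory:
    """Constructed model: one master plus a read-only slave lagging by lag_ms."""
    def __init__(self, lag_ms):
        self.lag_ms = lag_ms
        self.now = 0            # simulated clock in milliseconds
        self.master_up = True
        self.master = {}
        self.slave = {}
        self.pending = []       # (visible_at_ms, key, value) not yet replicated

    def advance(self, ms):
        """Advance the clock and apply replication entries that are now due."""
        self.now += ms
        for entry in [p for p in self.pending if p[0] <= self.now]:
            self.slave[entry[1]] = entry[2]
        self.pending = [p for p in self.pending if p[0] > self.now]

    def write(self, key, value):
        if not self.master_up:  # only the master accepts updates
            raise ConnectionError("master unreachable: update fails")
        self.master[key] = value
        self.pending.append((self.now + self.lag_ms, key, value))

    def read_from_slave(self, key):
        return self.slave.get(key)

def change_then_read(directory, key, value, replication_sleep_ms):
    """Update on the master, wait replication_sleep_ms, read back from the slave."""
    directory.write(key, value)
    directory.advance(replication_sleep_ms)
    return directory.read_from_slave(key)

def demo():
    d = Directory(lag_ms=800)            # assumed replication lag
    d.write("pc1$", "old")               # constructed machine account entry
    d.advance(1000)
    results = {"sleep_too_short": change_then_read(d, "pc1$", "new1", 100)}
    d.advance(1000)
    results["sleep_covers_lag"] = change_then_read(d, "pc1$", "new2", 1000)
    d.master_up = False                  # e.g. the link to the master is down
    try:
        d.write("pc1$", "new3")
        results["update_with_master_down"] = "accepted"
    except ConnectionError:
        results["update_with_master_down"] = "failed"
    results["read_with_master_down"] = d.read_from_slave("pc1$")
    return results

if __name__ == "__main__":
    print(demo())
```

In this model a sleep shorter than the lag returns the stale value from the slave, and with the master down reads still succeed while the update is rejected.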
Hi @ll,

I changed my VPN as recommended to ethertap ( tap0 ); now the trusts work as described in the how-to. So I did a few tests with usrmgr, but the simple try to admin my VPN domain failed with "domain was not found". ( After all, the trust is established )

robowarp:/ # net rpc trustdom list
MUSI S-1-5-21-3861108627-588665743-2869584934
Trusting domains list:
MUSI S-1-5-21-3861108627-588665743-2869584934

this is vice versa

files:/ # net rpc trustdom list
ROBOWARP S-1-5-21-4039322326-1194518759-4008328055
Trusting domains list:
ROBOWARP S-1-5-21-4039322326-1194518759-4008328055

The same occurs if I try to add some user from the advanced properties button of user permissions; there is no way to browse the users of the VPN domain.

Someone knows some tricks?

Best Regards
Andrew Bartlett
2004-Feb-09 20:41 UTC
[Samba] samba PDC and BDC with ldap master and slave backend
On Tue, 2004-02-10 at 01:02, Jérôme Tournier wrote:
> On Mon, Feb 09, 2004 at 07:34:38PM +0700, Beast wrote:
> > Problem if master ldap is over wan and link is down. Nobody will be able to change any attributes on that site. I know it's not Samba's fault, but any advice on that setup?
>
> and if the link is down, as computers periodically changed their trust
> account password, what will happen if they can't do that ? They'll keep
> their current password, but can they keep it a long time without problem
> in user authentication or anything else ?

Not only will they just keep changing it, I have found that they keep changing it to the same value. I'll commit a patch shortly that avoids touching ldap if they 'change but don't change' their passwords...

Andrew Bartlett