You should only have one PDC for a domain. You can have multiple
"Domain Controllers." But you can have only one "Primary Domain
Controller." Any other domain controllers must be "Backup Domain
Controllers."
All domain controllers provide logon functionality to clients. All DCs
use the same account backend. Only a PDC can change the account
database (e.g. when accounts are added, or passwords are changed.)
With true Windows "NT4" domain controllers, a read-only copy of the account
database is replicated to the BDCs from the PDC.
With Samba DCs, you have a common LDAP backend (this can be a single
LDAP server or multiple LDAP servers configured for replication.)
The samba BDC should have "domain logons=yes" but other masters
should be no.
In terms of master browsers etc, the PDC should be the master browser.
I would also configure the PDC as a WINS server- that makes a lot of
those issues go away.
By default, XP clients will prefer to logon to a BDC over a PDC. In
most cases this is fine.
On 09/03/2010 09:20 AM, Marc Franquesa wrote:
> First, excuse me because I don't speak English very well (perhaps this
> is the reason that I mess up something when reading the documentation).
> I have read the Howto, some Examples and the book and I have some doubts
> which I like to solve. Excuse me for the big post, too ;)
>
> My starting point:
> - 3 Debian Linux Samba Servers
> - 1 Windows XP SP3 Professional
> - 1 OpenLDAP Server (on another Debian Linux Server)
> - All hosts in the same network
>
> Software that I'm using:
> - Debian Stable (Lenny) 5.0
> - Samba 3.2.5
> - OpenLDAP 2.4
> - Samba LDAP tools from IDEALX
> - PAM-LDAP
> - NSS-LDAP
>
> I verified it all and with a simple configuration for Samba (Simple
> Workgroup), the LDAP backend works well for all uses (authentication,
> authorization, NSS resolving, etc.) meaning that all LDAP packages are
> well configured. (But this question is more about Samba than Samba
> +LDAP).
>
> WHAT I AM TRYING TO DO:
>
> - Configure *ALL* 3 Linux Samba Servers as PDC for a NT4 Domain (for
> redundancy/fault tolerance).
> - Use the same LDAP backend for all Samba servers (centralized authn
> +authz)
> - Include the Windows XP SP3 as a Domain Member.
>
> I want that if one of the Samba Servers goes down (any of them) the
> Domain will not be affected.
>
> MY DOUBTS:
>
> - Following the documentation I must configure all Samba Servers with at
> least:
>
> [global]
> workgroup = MYWORKGROUP
> passdb backend = ldapsam:ldap://my.ldap.server
> os level = 33
> preferred master = yes
> domain master = yes
> local master = yes
> security = user
> domain logons = yes
>
> My big doubts appear when I read 'Security Mode and Master Browsers'
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html#id2564901
>
>> Configuring a Samba box as a domain controller for a domain that
>> already by definition has a PDC is asking for trouble.
>
> I understand that probably the problem gets fixed by the fact that all
> PDCs will use the same backend (LDAP), but I want to be sure that I
> don't have problems in the network nor broadcasts storms.
>
> If the problem is related to the Master Browser election can I solve it
> simply configuring different values for os level on each server?
>
> Please, if I don't explain well or you have any questions, don't
> hesitate to ask me again.
>
>
> Thanks for the help and for this killapp
>
>
>
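
The one-PDC rule from the reply can be checked mechanically across the servers' smb.conf files. The following is an added example, not part of either message: the host names smb1 to smb3 are hypothetical, the sample configuration is constructed from the [global] section in the question, and an unset "domain master" is treated as following "domain logons".

```python
# Constructed sample: the [global] section from the question as it would sit
# on each server, plus a BDC variant with only "domain master" changed.
QUESTION = """[global]
    workgroup = MYWORKGROUP
    passdb backend = ldapsam:ldap://my.ldap.server
    domain master = yes
    domain logons = yes
"""
BDC = QUESTION.replace("domain master = yes", "domain master = no")
YES = {"yes", "true", "1"}  # boolean spellings accepted by this check

def global_params(text):
    """Return the [global] parameters of an smb.conf text as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are compared without case or whitespace.
            params["".join(key.lower().split())] = value.strip()
    return params

def role(params):
    """Classify a server as 'PDC', 'BDC' or 'not a DC'."""
    logons = params.get("domainlogons", "no").lower() in YES
    master = params.get("domainmaster", "auto").lower()
    # Assumption: unset/auto "domain master" follows "domain logons".
    master_on = logons if master == "auto" else master in YES
    if not logons:
        return "not a DC"
    return "PDC" if master_on else "BDC"

def audit(configs):
    """Return {workgroup: [PDC hosts]} for workgroups without exactly one PDC."""
    pdcs = {}
    for host, text in configs.items():
        params = global_params(text)
        workgroup = params.get("workgroup", "WORKGROUP").upper()
        pdcs.setdefault(workgroup, [])
        if role(params) == "PDC":
            pdcs[workgroup].append(host)
    return {wg: sorted(h) for wg, h in pdcs.items() if len(h) != 1}

if __name__ == "__main__":
    print(audit({"smb1": QUESTION, "smb2": QUESTION, "smb3": QUESTION}))
    print(audit({"smb1": QUESTION, "smb2": BDC, "smb3": BDC}))
```
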