Hi all,

We are trying to set up a global domain for NT users, where the actual shares are stored on the backend with AFS (that part is done and works fine), and where multiple branch locations have access to this system. We are using Samba to serve the files to the desktops.

To ensure that we can have a single big domain so anyone can log in at any location as oneself (and see the same profile, etc.), the PDC is located in the same central location as the AFS cell. Each branch is being set up with a BDC so that local authentication can be done against the domain and files can be served from the local Samba server, while still being able to maintain a global domain concept by the fact that all account management is done by the PDC anyway (since the BDCs are read-only SAM instances).

In theory this seems to be a sound concept, but it does not seem to work, and we are not sure why.

Say the domain is DOMAIN. The PDC is located at IP 10.0.0.5, while two BDCs are 192.168.10.1 and 192.168.10.2. The PDC has os level 72, while the two BDCs have os level 67 and 66 respectively. The smbpasswd files are being rsync'd from the PDC to the BDCs, and the Unix users are stored in NIS, with the BDCs configured as NIS slave servers.

What we are seeing is that when a machine is joining the domain, the trust account is being created on one of the BDCs rather than on the PDC. That seems to violate the concept that the BDC has a read-only version of the SAM information.

So, the main questions are:

- Is the setup that I describe here possible with Samba 2.2.3a (that is the version we are currently using), or with the most recent alpha version, or with the CVS version?
- If it is possible, what is possibly wrong with our setup, causing NT workstations to cause trust accounts to be created directly on the BDC rather than on the PDC?

Any help is very welcome!

Kris

PS: The BDCs are configured as 'wins support = no', 'wins proxy = yes', and 'wins server = 10.0.0.1'. The PDC has 'wins support = yes'. The BDCs are 'domain master = no', 'local master = no', 'preferred master = no', while the PDC has yes for those three settings.