We're about to start migrating from Windows NT 4.0 to a Samba controlled setup. I've got a question about the functionality of the Samba PDCs and BDCs.

In my Windows setup I have three domains that are defined by geographic locations. Each of these domains "trusts" the other. In Samba 2.2.7, I can't have the trusts, so I'm looking at creating one giant domain that will be comprised of one Samba PDC and two Samba BDCs. These domains are/will be separated with IP subnets, WAN lines and routers.

My question is, in one of the remote locations (which will house a BDC) will the local BDC be the main authentication source? Or will the request get forwarded to the PDC?

I know in Windows the request would be kept local, but I want to make sure that they will remain so in the Samba world too. These offices are connected only by 128k Frame Relay lines and I'd hate for every authentication request to be sent down those slow lines.

Thanks,

Kevin L. Collins, MCSE
Systems Manager
Nesbitt Engineering, Inc.
(859) 233-3111 x24

On Mon, 5 May 2003, Collins, Kevin wrote:

> We're about to start migrating from Windows NT 4.0 to a Samba controlled
> setup. I've got a question about the functionality of the Samba PDCs and
> BDCs.
>
> In my Windows setup I have three domains that are defined by geographic
> locations. Each of these domains "trusts" the other. In Samba 2.2.7, I
> can't have the trusts, so I'm looking at creating one giant domain that will
> be comprised of one Samba PDC and two Samba BDCs. These domains are/will be
> separated with IP subnets, WAN lines and routers.
>
> My question is, in one of the remote locations (which will house a BDC) will
> the local BDC be the main authentication source? Or will the request get
> forwarded to the PDC?

That depends on how you configure the BDC setup. You can keep all authentication local. You can use LDAP and let LDAP do the replication of the user accounts database.

> I know in Windows the request would be kept local, but I want to make sure
> that they will remain so in the Samba world too. These offices are
> connected only by 128k Frame Relay lines and I'd hate for every
> authentication request to be sent down those slow lines.

- John T.
--
John H Terpstra
Email: jht@samba.org

It depends on how you define your smb.conf. There are several parameters that define how it will happen:

security = server/domain/user
local master = yes/no
domain master = yes/no
domain logins = yes/no

Check this howto out: http://www.skippy.net/linux/smb-howto.html

> -----Original Message-----
> From: Collins, Kevin [mailto:KCollins@nesbittengineering.com]
> Sent: Monday, May 05, 2003 2:10 PM
> To: samba@lists.samba.org
> Subject: [Samba] PDC/BDC Domain Logins Samba 2.2.7
>
> We're about to start migrating from Windows NT 4.0 to a Samba controlled
> setup. I've got a question about the functionality of the Samba PDCs and
> BDCs.
>
> In my Windows setup I have three domains that are defined by geographic
> locations. Each of these domains "trusts" the other. In Samba 2.2.7, I
> can't have the trusts, so I'm looking at creating one giant domain that will
> be comprised of one Samba PDC and two Samba BDCs. These domains are/will be
> separated with IP subnets, WAN lines and routers.
>
> My question is, in one of the remote locations (which will house a BDC) will
> the local BDC be the main authentication source? Or will the request get
> forwarded to the PDC?
>
> I know in Windows the request would be kept local, but I want to make sure
> that they will remain so in the Samba world too. These offices are
> connected only by 128k Frame Relay lines and I'd hate for every
> authentication request to be sent down those slow lines.
>
> Thanks,
>
> Kevin L. Collins, MCSE
> Systems Manager
> Nesbitt Engineering, Inc.
> (859) 233-3111 x24

> Date: Mon, 5 May 2003 19:26:41 +0000 (GMT)
> From: John H Terpstra <jht@samba.org>
> To: "Collins, Kevin" <KCollins@nesbittengineering.com>
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] PDC/BDC Domain Logins Samba 2.2.7
>
> On Mon, 5 May 2003, Collins, Kevin wrote:
>
>>> We're about to start migrating from Windows NT 4.0 to a Samba controlled
>>> setup. I've got a question about the functionality of the Samba PDCs and
>>> BDCs.
>>>
>>> In my Windows setup I have three domains that are defined by geographic
>>> locations. Each of these domains "trusts" the other. In Samba 2.2.7, I
>>> can't have the trusts, so I'm looking at creating one giant domain that will
>>> be comprised of one Samba PDC and two Samba BDCs. These domains are/will be
>>> separated with IP subnets, WAN lines and routers.
>>>
>>> My question is, in one of the remote locations (which will house a BDC) will
>>> the local BDC be the main authentication source? Or will the request get
>>> forwarded to the PDC?
>
> That depends on how you configure the BDC setup. You can keep all
> authentication local. You can use LDAP and let LDAP do the replication of
> the user accounts database.

This is one aspect that isn't really covered in sufficient detail in any of the currently available documentation, so I have covered it in this article (which is not quite finished and not in its final location):

http://ranger.dnsalias.com/samba-ldap-advanced.html

The content of this document is complete, I am currently fixing up the wording etc, cleaning sample config files and finalising references, so it should be accurate enough to use. Feedback welcome.

(JHT, I don't think I will have time to cover samba3, but the replication setup, which constitutes a large part of the document, and is not covered anywhere else, may be of value for the samba3 docs, and I think it is complete. Let me know if you want sample configs also).

>>> I know in Windows the request would be kept local, but I want to make sure
>>> that they will remain so in the Samba world too. These offices are
>>> connected only by 128k Frame Relay lines and I'd hate for every
>>> authentication request to be sent down those slow lines.

If you run samba against a slave LDAP server, you will only have replication traffic from the master to the slave, and password changes.

BTW, you will want samba-2.2.8a for this, since 2.2.8 was the first release to have working LDAP referrals (allowing password changing when the local LDAP is a slave, by rebinding to the server returned by the referral), without which BDCs don't really work.

Regards,
Buchan

--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne
Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
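
A check for the setup discussed in this thread, as an added example that is not part of any of the posts: it reads the [global] section of an smb.conf, reports whether the host would act as PDC or BDC, and whether its LDAP server is on the same machine, so that account lookups stay off the WAN link. The sample configuration, its domain name and suffix are constructed, and the function names are hypothetical; smb.conf spells the logon parameter "domain logons".

```python
import ipaddress

# Constructed sample: [global] section of a BDC at a remote office, using the
# Samba 2.2 ldapsam parameters and pointing at an LDAP slave on the same host.
SAMPLE_BDC = """
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   domain master = no
   ; local slave replica, so account lookups never cross the WAN
   ldap server = 127.0.0.1
   ldap suffix = dc=example,dc=com
"""

def parse_global(text):
    """Return [global] parameters; names are lower-cased with whitespace removed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or smb.conf comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)  # values such as a DN contain '='
            params["".join(key.lower().split())] = value.strip()
    return params

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def describe(text, local_names=("localhost",)):
    """Classify the DC role and say whether the LDAP backend is on this host."""
    p = parse_global(text)
    master = p.get("domainmaster", "auto").lower()  # Samba default is auto
    if not is_yes(p.get("domainlogons", "no")):
        role = "not a domain controller"
    elif master == "auto" or is_yes(master):
        role = "PDC"   # logons enabled and claiming domain master
    else:
        role = "BDC"   # logons enabled, domain master explicitly off
    server = p.get("ldapserver", "localhost")  # assumed default: localhost
    try:
        local = ipaddress.ip_address(server).is_loopback
    except ValueError:  # a hostname rather than an IP literal
        local = server.lower() in local_names
    return {"role": role, "ldap_server": server, "lookups_local": local}
```

Pass the office's own hostname in local_names if the slave is addressed by name rather than by loopback address.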