Yeri Swamy
2003-May-28 14:35 UTC
[Samba] WINT-NT is working as PDC and Redhat Linux Samba BDC and how to use rsync?
Can anybody give me a hint how to set up Samba BDC(RedHat 9.0) with rsync-ing WIN-NT PDC so that if WIN-NT PDC is down all the clients can still get Authentication service from Samba BDC(RedHat 9.0). i have seen in Samba documentation that it can be done using rsync but nowhere it is clearly explained howto do it.. I ran out of gas by looking through google also... :-(

With Best Regards
YS
John H Terpstra
2003-May-28 15:49 UTC
[Samba] WINT-NT is working as PDC and Redhat Linux Samba BDC and how to use rsync?
Yeri,

The dogma to use rsync to replicate the password database is bad karma. "It's a bit like your karma runs over your dogma."

MS Windows NT Domain member machines change their password at certain intervals. If they do so on a local copy of the database and it gets over-written by the rsync'd copy then your local workstation trusts get broken.

A better solution is to use LDAP, and follow the guidelines available from several sources on how to set up a PDC/BDC using an LDAP backend.

The following reference might help you:

http://samba.org/~jht/NT4migration/Samba-HOWTO-Collection.pdf

- John T.

--
John H Terpstra
Email: jht@samba.org
Yeri Swamy
2003-May-28 18:27 UTC
[Samba] WINT-NT is working as PDC and Redhat Linux Samba BDC and how to use rsync?
Yeri Swamy wrote:

> Thanks a lot! for ur speedy reply...
> The link u sent i looked at it very closely... i am still confused
> what to do...
>
> It is not explained anywhere howto setup LDAP for Linux Samba BDC..
> that means do i have to setup Linux Samba BDC as LDAP server or client
> or ???
> I believe if i setup Linux Samba BDC as a LDAP server then do i have
> to setup WIN-NT PDC as LDAP client and how to transfer all the machine
> accounts, users, groups and passwords from NT to Linux..
> So that when WIN-NT PDC fails then Linux SAMBA BDC can takeover the
> network...
>
> with Best Regards
> YS
John H Terpstra
2003-May-28 18:33 UTC
[Samba] WINT-NT is working as PDC and Redhat Linux Samba BDC and how to use rsync?
On Wed, 28 May 2003, Yeri Swamy wrote:

> Thanks a lot! for ur speedy reply...
> The link u sent i looked at it very closely... i am still confused what
> to do...
>
> It is not explained anywhere howto setup LDAP for Linux Samba BDC..

If you implement a Samba based solution you need a Samba SAM (Security Account Management) database. The soon to be released Samba-3 fully supports two SAM solutions that will store the extended security information needed to implement a true replacement for MS Windows NT. These are tdbsam and ldapsam.

See chapter on "Account Information Database", sub-section on LDAP back end.

Samba-3 ldapsam is the only passdb backend that allows scalability across Samba PDC/BDC configurations. See Chapter on "Backup Domain Control" for information about how this works.

> that means do i have to setup Linux Samba BDC as LDAP server or client
> or ???
> I believe if i setup Linux Samba BDC as a LDAP server then do i have to
> setup WIN-NT PDC as LDAP client and how to transfer all the machine
> accounts, users, groups and passwords from NT to Linux..
> So that when WIN-NT PDC fails then Linux SAMBA BDC can takeover the
> network...

Ok. I looked at your original question more closely. Sad to say, but Samba can NOT be a true BDC to an MS Windows PDC. There is NO facility for using rsync to replicate an MS Windows NT PDC SAM to a Samba server (not with Samba-2 nor with soon to be released Samba-3).

Samba-3 has a facility to suck MS Windows NT4 SAM accounts into its own tdbsam or into an ldapsam database. This is a new facility that is not available with Samba-2.2.x.

In the strict definition of the terms:

  1. Samba can not be a BDC to an NT PDC
  2. Samba can not do what you have described

You can replace your Windows NT PDC with a Samba server, in which case you CAN run a Samba BDC (so long as you use an LDAP accounts database backend).

The old solution involved using a flat text based file called smbpasswd in which Samba stored the Microsoft encrypted passwords. This file could be replicated using rsync. The problem with that method is that domain member workstations do change their trust account password periodically. This will happen locally with the old method - this breaks machine trusts.

That is what I was referring to.

- John T.

--
John H Terpstra
Email: jht@samba.org
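Added example, not part of the original thread and not Samba project code: a check for the smbpasswd rollback described in the reply above. It compares a master and a replica smbpasswd file and lists workstation trust accounts whose password was changed on the replica after the master's record, which a plain rsync from the master would overwrite. The function names and the sample records are constructed for illustration.

```python
import re

# smbpasswd record: name:uid:LM hash:NT hash:[flags]:LCT-<hex time of last change>:
RECORD = re.compile(
    r"^([^:]+):(\d+):([^:]{32}):([^:]{32}):\[([^\]]*)\]:LCT-([0-9A-Fa-f]{8}):")

def parse_smbpasswd(text):
    """Map account name -> (nt_hash, flags, last_change); skip comments and junk."""
    accounts = {}
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            name, _uid, _lm, nt_hash, flags, lct = m.groups()
            accounts[name] = (nt_hash, flags.strip(), int(lct, 16))
    return accounts

def trusts_broken_by_sync(master_text, replica_text):
    """Workstation trust accounts ([W] flag) whose password was changed on the
    replica after the master's record. Copying the master file over the replica
    rolls them back to a password the workstation no longer uses."""
    master = parse_smbpasswd(master_text)
    at_risk = []
    for name, (nt_hash, flags, lct) in sorted(parse_smbpasswd(replica_text).items()):
        if "W" not in flags or name not in master:
            continue
        master_hash, _flags, master_lct = master[name]
        if nt_hash != master_hash and lct > master_lct:
            at_risk.append(name)
    return at_risk

def sample_line(name, uid, fill, flags, lct):
    # Constructed record: the hash fields are filler characters, not real hashes.
    return "%s:%d:%s:%s:[%-11s]:LCT-%08X:" % (name, uid, "X" * 32, fill * 32, flags, lct)

# Constructed sample files: WS01$ changed its password on the replica only.
MASTER = "\n".join([
    "# constructed sample",
    sample_line("alice", 1001, "A", "U", 0x3ED4B000),
    sample_line("WS01$", 2001, "1", "W", 0x3ECB0000),
    sample_line("WS02$", 2002, "2", "W", 0x3ECB0000),
])
REPLICA = "\n".join([
    sample_line("alice", 1001, "B", "U", 0x3ED4C000),
    sample_line("WS01$", 2001, "3", "W", 0x3ED4C100),
    sample_line("WS02$", 2002, "2", "W", 0x3ECB0000),
])

if __name__ == "__main__":
    print(trusts_broken_by_sync(MASTER, REPLICA))
```

A non-empty result means a one-way copy would break those machine trusts, which is the situation a shared ldapsam backend avoids.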
John H Terpstra
2003-May-28 19:19 UTC
[Samba] WINT-NT is working as PDC and Redhat Linux Samba BDC and how to use rsync?
On Wed, 28 May 2003, Yeri Swamy wrote:

> Thanks a ton...
>
> Please bear with me coz before coming to you i did search tons of
> links with no proper clear cut details...
>
> This means NT PDC and Samba BDC to work like(NT PDC & NT BDC i.e if
> PDC fails BDC will take over)

No, read my reply carefully: Samba CAN NOT be a BDC to an NT PDC!

> we have to wait till we get a tool/utility tdbsam which will
> gather all the machine account. users and groups info from NT will
> convert into meaningful format that Samba BDC can understand then Samba
> BDC will work like a horse as BDC when NT PDC fails...

No. You can migrate your NT PDC SAM account information to a Samba PDC using the "vampire" tool. Then you will need to replace your NT PDC with a Samba PDC, if you want a Samba BDC to work correctly.

You should NOT use tdbsam for ANY Samba PDC/BDC combination. The tdbsam is only intended for sites that do NOT need a BDC.

> And with ldapsam we can only have Samba PDC and Samba BDC and this case
> if Samba PDC fails then Samba BDC will take over

With Samba-3 using ldapsam you can have a Samba PDC and as many Samba BDCs as you like. The real benefit of this is that machine account password changes will be stored in a common LDAP backend.

- John T.

--
John H Terpstra
Email: jht@samba.org