samba - Oct 2004 - Samba PDC in many branch offices + one LDAP database - how to change passwords?

Hello,

I just configured Samba 3 PDC + LDAP.

The aim is to have a Samba 3 PDC + LDAP in each branch office; and there 
should be one user/password database.

There are about 20 branch offices in different locations and users 
travel a lot between them with laptops.

Each branch office has a below configuration:

- Samba 3 PDC
- slave OpenLDAP server

There is also one central user/password OpenLDAP (master) - changes in 
it (added users etc.) are replicated to the slaves.

As it is relatively easy to have one LDAP database across all office 
branches, I don't know how to make Samba 3 to read/retrieve 
usernames/passwords from local OpenLDAP slave, but to write added 
machines/changed passwords to the master OpenLDAP server (which would 
then replicate the changes to all its slaves).

Any ideas?


Tomek

> As it is relatively easy to have one LDAP database across all office 
> branches, I don't know how to make Samba 3 to read/retrieve 
> usernames/passwords from local OpenLDAP slave, but to write added 
> machines/changed passwords to the master OpenLDAP server (which would 
> then replicate the changes to all its slaves).
If you have the smbldap-tools configured properly with the right master 
and slave set, then adding machines is not a problem.  Changing 
passwords is also not a problem provided you have LDAP referrals set up 
properly.  Setting up referrals is really more of a question for the 
openldap folks, and probably covered in the setup guide at openldap.

-- 
--
Paul Gienger                    Office: 701-281-1884
Applied Engineering Inc.
Systems Architect               Fax:    701-281-1322
URL: www.ae-solutions.com       mailto: pgienger@ae-solutions.com

On Thu, Oct 28, 2004 at 03:51:07PM +0200, Tomasz Chmielewski
wrote:
> Hello,
> 
> I just configured Samba 3 PDC + LDAP.
> 
> The aim is to have a Samba 3 PDC + LDAP in each branch office; and there 
> should be one user/password database.
> 
> There are about 20 branch offices in different locations and users 
> travel a lot between them with laptops.
> 
> Each branch office has a below configuration:
> 
> - Samba 3 PDC
> - slave OpenLDAP server
What about having each branch office with a samba 3 BDC instead of PDC?
It seems you are already replicating the whole ldap tree to every office.
Having a PDC there will cause unnecessary delays since it will always try
to write to the local ldap server and get a referral to the master ldap
server anyway.

Andreas wrote:

 > On Thu, Oct 28, 2004 at 03:51:07PM +0200, Tomasz Chmielewski wrote:
 >
 >> Hello,
 >>
 >> I just configured Samba 3 PDC + LDAP.
 >>
 >> The aim is to have a Samba 3 PDC + LDAP in each branch office; and 
there should be one user/password database.
 >>
 >> There are about 20 branch offices in different locations and users 
travel a lot between them with laptops.
 >>
 >> Each branch office has a below configuration:
 >>
 >> - Samba 3 PDC
 >> - slave OpenLDAP server
 >
 >
 >
 > What about having each branch office with a samba 3 BDC instead of PDC?


These offices are divided by WAN (which means loss of connectivity, 
slowness etc.) - isn't that a problem?
Users should be able to log in even when the link is down; the only 
thing impossible then should be password change / adding new accounts.


Tomek

Andreas schrieb:
> On Thu, Oct 28, 2004 at 03:51:07PM +0200, Tomasz Chmielewski wrote:
> 
>>Hello,
>>
>>I just configured Samba 3 PDC + LDAP.
>>
>>The aim is to have a Samba 3 PDC + LDAP in each branch office; and there
>>should be one user/password database.
>>
>>There are about 20 branch offices in different locations and users 
>>travel a lot between them with laptops.
>>
>>Each branch office has a below configuration:
>>
>>- Samba 3 PDC
>>- slave OpenLDAP server
> 
> 
> What about having each branch office with a samba 3 BDC instead of PDC?
> It seems you are already replicating the whole ldap tree to every office.
> Having a PDC there will cause unnecessary delays since it will always try
> to write to the local ldap server and get a referral to the master ldap
> server anyway.
> 
Hi,
there should be no problem with having smb bdc in the offices
but you have to look about the profiles and homes if you have a lot of 
laptop users.
Regards