Dmitry Melekhov
2005-May-03 08:58 UTC
[Samba] BDC, documentation, Machine Accounts Keep Expiring
Hello!

I want to create BDC with smbpasswd backend, just because I run ldap master on the same machine as PDC and I don't think that using ldap backend will be far better for me.
Only thing I don't understand:
I read in howto:
<quote>

Machine Accounts Keep Expiring

This problem will occur when the passdb (SAM) files are copied from a central server but the local Backup Domain Controller is acting as a PDC. This results in the application of Local Machine Trust Account password updates to the local SAM. Such updates are not copied back to the central server.
</quote>

But I looked into change_trust_pw.c and see

/* if this next call fails, then give up. We can't do
   password changes on BDC's --jerry */

I.e., looks like machines will not change their password when working with BDC (i.e. when PDC is down).

Do I understand this right?

Thank you!
Michael Joyner
2005-May-03 12:46 UTC
[Samba] BDC, documentation, Machine Accounts Keep Expiring
You could always use gpedit.msc and set the machine password change to "NO"

Dmitry Melekhov wrote:
> Hello!
>
> I want to create BDC with smbpasswd backend, just because I run ldap
> master on the same machine as PDC and I don't think that using ldap
> backend will be far better for me.
> Only thing I don't understand:
> I read in howto:
> <quote>
>
> Machine Accounts Keep Expiring
>
> This problem will occur when the passdb (SAM) files are copied from a
> central server but the local Backup Domain Controller is acting as a
> PDC. This results in the application of Local Machine Trust Account
> password updates to the local SAM. Such updates are not copied back to
> the central server.
> </quote>
>
> But I looked into change_trust_pw.c
> and see
> /* if this next call fails, then give up. We can't do
> password changes on BDC's --jerry */
>
> I.e., looks like machines will not change their password when working
> with BDC (i.e. when PDC is down).
>
> Do I understand this right?
>
> Thank you!
Paul Gienger
2005-May-03 12:53 UTC
[Samba] BDC, documentation, Machine Accounts Keep Expiring
> I want to create BDC with smbpasswd backend, just because I run ldap
> master on the same machine as PDC and I don't think that using ldap
> backend will be far better for me.
>
> <snip>
>
> I.e., looks like machines will not change their password when working
> with BDC (i.e. when PDC is down).
>
> Do I understand this right?

That would appear to be the case. I guess you've found one good reason (of the many) to use an LDAP backend where multiple servers are involved.

--
Paul Gienger
Office: 701-281-1884
Applied Engineering Inc.
Systems Architect
Fax: 701-281-1322
URL: www.ae-solutions.com
mailto: pgienger@ae-solutions.com
marksarria@socal.rr.com
2005-May-03 17:55 UTC
[Samba] BDC, documentation, Machine Accounts Keep Expiring
What is your setup? Can you post your BDC configurations?

mark

----- Original Message -----
From: Dmitry Melekhov <dm@belkam.com>
Date: Tuesday, May 3, 2005 1:57 am
Subject: [Samba] BDC, documentation, Machine Accounts Keep Expiring

> Hello!
>
> I want to create BDC with smbpasswd backend, just because I run ldap
> master on the same machine as PDC and I don't think that using ldap
> backend will be far better for me.
> Only thing I don't understand:
> I read in howto:
> <quote>
>
> Machine Accounts Keep Expiring
>
> This problem will occur when the passdb (SAM) files are copied from a
> central server but the local Backup Domain Controller is acting as a
> PDC. This results in the application of Local Machine Trust Account
> password updates to the local SAM. Such updates are not copied back to
> the central server.
> </quote>
>
> But I looked into change_trust_pw.c
> and see
> /* if this next call fails, then give up. We can't do
> password changes on BDC's --jerry */
>
> I.e., looks like machines will not change their password when working
> with BDC (i.e. when PDC is down).
>
> Do I understand this right?
>
> Thank you!
Dmitry Melekhov
2005-May-04 01:48 UTC
[Samba] BDC, documentation, Machine Accounts Keep Expiring
----- Original Message -----
From: <marksarria@socal.rr.com>
To: "Dmitry Melekhov" <dm@belkam.com>
Cc: <samba@lists.samba.org>
Sent: Tuesday, May 03, 2005 9:55 PM
Subject: Re: [Samba] BDC, documentation, Machine Accounts Keep Expiring

> What is your setup can you post your BDC configurations

I have no BDC, yet.
Dmitry Melekhov
2005-May-04 09:11 UTC
[Samba] BDC, documentation, Machine Accounts Keep Expiring
> Samba-3 does not at this time have this infrastructure. Samba-3 BDCs try to
> contact the LDAP server directly. So long as the master LDAP server can be
> contacted by the BDC the machine password change can be written, but if it is
> down, or can not be contacted the change will fail.
>
> In other words, in the absence of the PDC, the BDC can deal with machine
> account password changes so long as it can contact the master LDAP server.

If my PDC will fail, this means that master ldap is down too ;-)
And master ldap is single point of failure ......

IMHO, main question is does Samba BDC allow password change for domain machines.
AFAIK, this is not fatal for domain machines to not change their passwords, i.e. it is possible to have SAM (or smbpasswd ;-) ) on BDC read-only.

I just want to know does following comment

/* if this next call fails, then give up. We can't do
   password changes on BDC's --jerry */

in change_trust_pw.c mean that machine password will not be changed on BDC?

Does somebody know answer to this, imho, simple question?

Certainly, it is easy enough to add configuration parameter to smb.conf, something like bdc=yes/no and return NT_STATUS_UNSUCCESSFUL in this function, but should I? :-)
Adam Tauno Williams
2005-May-04 12:47 UTC
[Samba] BDC, documentation, Machine Accounts Keep Expiring
On Tue, 2005-05-03 at 10:55 -0700, marksarria@socal.rr.com wrote:
> What is your setup can you post your BDC configurations

The Samba guide contains specific examples of setting up a BDC.