samba - Nov 2005 - Understanding Documentation about BDC in HowTo Collection

hi list&john,

i read in the documention about BDCs:
The domain SID has to be the same on the PDC and the BDC. In Samba 
versions pre-2.2.5, the domain SID was stored in the file 
|private/MACHINE.SID|. For all versions of Samba released since 2.2.5 
the domain SID is stored in the file |private/secrets.tdb|. This file is 
unique to each server and cannot be copied from a PDC to a BDC; the BDC 
will generate a new SID at startup. It will overwrite the PDC domain SID 
with the newly created BDC SID. There is a procedure that will allow the 
BDC to aquire the domain SID. This is described here.

To retrieve the domain SID from the PDC or an existing BDC and store it 
in the |secrets.tdb|, execute:

|root# |*|net rpc getsid

is this enough, because net getlocalsid gives
SID of DOMAIN MYDOMBDC is s-1-5-21-.... which is not the same like the SID of
MYDOM.
net getlocalsid MYDOM gives the right SID on BDC.

on PDC "net getlocalsid" and "net getlocalsid MYDOM"
produces the same SID

so should i also do "net setlocalsid <SID_OF_MYDOM> on BDC" or
is it not wise to have 2 machines with the same SID
on the network although they're linux???


btw:|*
i have a samba v3 setup like:

PDC -> LDAP master, with secondary slave LDAP server.
BDC -> LDAP slave server, with secondary master LDAP server.

i think this is fine but i'm thinking about migrating to:
PDC -> LDAP master, with secondary slave LDAP server.
BDC -> LDAP master, with secondary slave LDAP server.

what's zour opinion about switching the BDC to point its first ldap 
server to ldapmaster? both are in the same subnet.
i'm just afraid of LDAP master failing and time outs on BDC side because 
it tries to connect to LDAP master....well if BDC LDAP fails then i have 
timeout, too...right...so what's zour opinion?

thx as usual :)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael Gasch escreveu:
> hi list&john,
	Hi. :)

> i read in the documention about BDCs:
[...]
> To retrieve the domain SID from the PDC or an existing BDC and store it
> in the |secrets.tdb|, execute:
> 
> |root# |*|net rpc getsid
> 
> is this enough, because net getlocalsid gives
> SID of DOMAIN MYDOMBDC is s-1-5-21-.... which is not the same like the
> SID of MYDOM.
> net getlocalsid MYDOM gives the right SID on BDC.
> 
> on PDC "net getlocalsid" and "net getlocalsid MYDOM"
produces the same SID
> 
> so should i also do "net setlocalsid <SID_OF_MYDOM> on BDC"
or is it not
> wise to have 2 machines with the same SID on the network although
> they're linux???
	PDC and BDC should have the same SID to work properly. The
getlocalsid and setlocalsid is tricky. :-)  After useing the 'net rpc
getsid', I usually stop the samba server, run the net setlocalsid
with the right SID and then start the samba server again. It works
when the net rpc fails. =)

> btw:|*
> i have a samba v3 setup like:
> 
> PDC -> LDAP master, with secondary slave LDAP server.
> BDC -> LDAP slave server, with secondary master LDAP server.
> 
> i think this is fine but i'm thinking about migrating to:
> PDC -> LDAP master, with secondary slave LDAP server.
> BDC -> LDAP master, with secondary slave LDAP server.
> 
> what's zour opinion about switching the BDC to point its first ldap
> server to ldapmaster? both are in the same subnet.
> i'm just afraid of LDAP master failing and time outs on BDC side
because
> it tries to connect to LDAP master....well if BDC LDAP fails then i have
> timeout, too...right...so what's zour opinion?
> 
> thx as usual :)
	From Samba docs looks like that the best option is setup
the PDC with LDAP Master and BDC with LDAP Slave, if master fails,
slave could attend requests, the point of being a BDC is that you
can only read (no write), which is good for a LDAP slave. :)

	But remember to test you setup, which means, turn off the
master to check if the slave (BDC) will work fine.

	Kind regards,

- --
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informa??o (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFDb05zCj65ZxU4gPQRAnpAAKDEiS8gp6Q1dMB0TBaOGfiGYTjDmQCeKTEA
kD9jn/gctnV9UoMOPyZSmxg=7WkQ
-----END PGP SIGNATURE-----