Michael Gasch
2005-Nov-05 14:37 UTC
[Samba] Understanding Documentation about BDC in HowTo Collection
hi list&john,

i read in the documentation about BDCs:

The domain SID has to be the same on the PDC and the BDC. In Samba
versions pre-2.2.5, the domain SID was stored in the file
private/MACHINE.SID. For all versions of Samba released since 2.2.5
the domain SID is stored in the file private/secrets.tdb. This file is
unique to each server and cannot be copied from a PDC to a BDC; the
BDC will generate a new SID at startup. It will overwrite the PDC
domain SID with the newly created BDC SID. There is a procedure that
will allow the BDC to acquire the domain SID. This is described here.

To retrieve the domain SID from the PDC or an existing BDC and store it
in the secrets.tdb, execute:

root# net rpc getsid

is this enough, because net getlocalsid gives
SID of DOMAIN MYDOMBDC is s-1-5-21-.... which is not the same as the
SID of MYDOM.
net getlocalsid MYDOM gives the right SID on BDC.

on PDC "net getlocalsid" and "net getlocalsid MYDOM" produce the same SID

so should i also do "net setlocalsid <SID_OF_MYDOM>" on BDC or is it not
wise to have 2 machines with the same SID on the network although
they're linux???

btw:
i have a samba v3 setup like:

PDC -> LDAP master, with secondary slave LDAP server.
BDC -> LDAP slave server, with secondary master LDAP server.

i think this is fine but i'm thinking about migrating to:
PDC -> LDAP master, with secondary slave LDAP server.
BDC -> LDAP master, with secondary slave LDAP server.

what's your opinion about switching the BDC to point its first ldap
server to ldapmaster? both are in the same subnet.
i'm just afraid of LDAP master failing and time outs on BDC side because
it tries to connect to LDAP master....well if BDC LDAP fails then i have
timeout, too...right...so what's your opinion?

thx as usual :)
Felipe Augusto van de Wiel
2005-Nov-07 12:53 UTC
[Samba] Understanding Documentation about BDC in HowTo Collection
Michael Gasch wrote:
> hi list&john,

Hi. :)

> i read in the documentation about BDCs:
[...]
> To retrieve the domain SID from the PDC or an existing BDC and store it
> in the secrets.tdb, execute:
>
> root# net rpc getsid
>
> is this enough, because net getlocalsid gives
> SID of DOMAIN MYDOMBDC is s-1-5-21-.... which is not the same as the
> SID of MYDOM.
> net getlocalsid MYDOM gives the right SID on BDC.
>
> on PDC "net getlocalsid" and "net getlocalsid MYDOM" produce the same SID
>
> so should i also do "net setlocalsid <SID_OF_MYDOM>" on BDC or is it not
> wise to have 2 machines with the same SID on the network although
> they're linux???

PDC and BDC should have the same SID to work properly. The getlocalsid
and setlocalsid are tricky. :-) After using the 'net rpc getsid', I
usually stop the samba server, run the net setlocalsid with the right
SID and then start the samba server again. It works when the net rpc
fails. =)

> btw:
> i have a samba v3 setup like:
>
> PDC -> LDAP master, with secondary slave LDAP server.
> BDC -> LDAP slave server, with secondary master LDAP server.
>
> i think this is fine but i'm thinking about migrating to:
> PDC -> LDAP master, with secondary slave LDAP server.
> BDC -> LDAP master, with secondary slave LDAP server.
>
> what's your opinion about switching the BDC to point its first ldap
> server to ldapmaster? both are in the same subnet.
> i'm just afraid of LDAP master failing and time outs on BDC side because
> it tries to connect to LDAP master....well if BDC LDAP fails then i have
> timeout, too...right...so what's your opinion?
>
> thx as usual :)

From the Samba docs it looks like the best option is to set up the PDC
with LDAP Master and BDC with LDAP Slave; if master fails, slave could
attend requests. The point of being a BDC is that you can only read (no
write), which is good for a LDAP slave. :)

But remember to test your setup, which means, turn off the master to
check if the slave (BDC) will work fine.

Kind regards,
-- 
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/
Phone: (+55 41 3350 3300)