Hi All,

Has anyone got an idea of how to make clients automatically find the BDC when the PDC is stopped? Both PDC and BDC are run by Samba authenticating against an LDAPSAM backend replicated on both, the PDC with the master LDAP database and the BDC with the replicated LDAP database. But when I stop the PDC the clients are not detecting the BDC broadcast. I can see that the replication of the OpenLDAP data is perfect.

Any idea of where I may be wrong?

Thanks in advance.

pavan.
Hello Pavan,

Firstly, have you been following the Samba guide - Samba 3 by Example by John Terpstra?

Chapter 5.

You must now set the LDAP administrative password into the Samba-3 secrets.tdb file by executing this command:

    root# smbpasswd -w not24get
    Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb

Now you must obtain the domain SID from the PDC and store it into the secrets.tdb file also. This step is not necessary with an LDAP passdb backend because Samba-3 obtains the domain SID from the sambaDomain object it automatically stores in the LDAP backend. It does not hurt to add the SID to the secrets.tdb, and if you wish to do so, this command can achieve that:

    root# net rpc getsid MEGANET2
    Storing SID S-1-5-21-3504140859-1010554828-2431957765 \
         for Domain MEGANET2 in secrets.tdb

Regards,

Adrian Sender.
Hi Adrian,

Thank you for your reply. Yeah, I have done what you have described already, but the problem is that my client machine is not able to detect the BDC, though my testparm on the BDC shows me no errors. And yes, the LDAP administrative password is stored in secrets.tdb, else I cannot join my client machine to the domain and cannot even make changes to the ldapsam database with the admindn user.

Do you think I need to add something else to the Samba BDC file? Following are my configuration settings for the BDC using the replicated ldapsam database.

    [global]
        workgroup = testdom
        interfaces = 127.0.0.1/255.255.255.0 192.168.9.238
        printing = cups
        printcap name = cups
        printer admin = @ntadmin, root, administrator
        map to guest = Bad User
        security = user
        encrypt passwords = yes
        allow trusted domains = yes
        server string = Samba Server
        add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
        domain master = no
        admin users = root
        hosts allow=192.168.9. 255.255.255. localhost
        remote announce=192.168.9.255
        domain logons = yes
        preferred master=no
        enhanced browsing=yes
        local master = yes
        unix password sync = no
        passwd program = /bin/passwd %u
        ldap passwd sync = yes
        ldap delete dn = no
        pam password change = yes
        preferred master = yes
        os level = 65
        ldap suffix = dc=dart,dc=com
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
        passdb backend = ldapsam:ldap://localhost
        netbios name = dartlinux
        username map = /etc/samba/smbusers
        logon home = \\%L\%U\.profile
        logon drive = H:
        logon path = \\%L\profiles\%U
        logon script = netlogon.bat
        wins support = yes
        log file = /var/log/samba/log.%m
        log level = 5
        ldap admin dn = uid=root,ou=People,dc=dart,dc=com
        idmap backend = ldap:ldap://localhost
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Computers

thanks,
pavan.

--
Pavan Krishna L
Systems Administrator
Diversity Arrays Technology Pty Ltd
Ph: +61 2 6281 8512
Fax: +61 2 6281 8533
Mob: +61 423 411 281
Pavan,

Assuming you can id username; pdbedit -Lv username, slapcat, getent passwd, getent group etc. on the BDC, then we can assume that all information has been replicated and ldap is working.

There is a command used to query what domain controllers are on your network, nmblookup. I have not used this in a while and cannot remember the exact command; but because you have a pdc & bdc they register the same netbios name under 1b & 1c. I'll try to find this out as it's very useful; from it you can tell how many domain controllers are on a network.

Also remember that you cannot join a machine to a domain when the pdc is down; you can however log in.

Here is my working bdc smb.conf without the shares; it is a copy of the one from Samba 3 by Example (Chapter 6).

--------------------------------------------------------------------
[global]
    unix charset = LOCALE
    workgroup = DDESIGN
    netbios name = node2
    passdb backend = ldapsam:ldap://127.0.0.1
    username map = /etc/samba/smbusers
    log level = 1
    syslog = 0
    log file = /var/log/samba/%m
    max log size = 50
    smb ports = 139
    name resolve order = wins bcast hosts
    printcap name = CUPS
    show add printer wizard = No
    logon script = %U.bat
    logon path = \\%L\profiles\%U
    logon drive = H:
    domain logons = Yes
    os level = 63
    domain master = No
    wins server = 192.168.0.2
    ldap suffix = dc=ddesign,dc=com
    ldap machine suffix = ou=People
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    #ldap admin dn = cn=sambaadmin,dc=ddesign,dc=com
    ldap admin dn = cn=Manager,dc=ddesign,dc=com
    utmp = Yes
    idmap backend = ldap://192.168.0.2
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    printing = cups
-----------------------------------------------------

I have idmap backend pointing to the pdc.
Regards,

Adrian Sender.

>From: Pavan krishna <p.krishna@diversityarrays.com>
>To: adrian sender <adrian_au1@hotmail.com>
>CC: samba@lists.samba.org
>Subject: Re: [Samba] Promoting Samba BDC to PDC
>Date: Fri, 18 Nov 2005 09:49:39 +1100
Hello Pavan,

try nmblookup domainname#1C

Multiple netbios names can be registered under 1C; this shows the PDC & BDC.

    [root@node1 ~]# nmblookup DDESIGN#1C
    WARNING: The "printer admin" option is deprecated
    querying DDESIGN on 192.168.0.255
    192.168.0.4 DDESIGN<1c>
    192.168.0.3 DDESIGN<1c>

Only one netbios name can be registered as 1B; this is the PDC.

    [root@node1 ~]# nmblookup DDESIGN#1B
    WARNING: The "printer admin" option is deprecated
    querying DDESIGN on 192.168.0.255
    192.168.0.4 DDESIGN<1b>
    [root@node1 ~]#

Regards,

Adrian Sender
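
The 1B/1C check described in the last reply, as an added example that is not part of the original thread: a script that labels each host answering for the workgroup's <1c> name as PDC (it also holds <1b>) or BDC, and returns status 1 when no BDC is registered. The function names are hypothetical; the sample text is the nmblookup output quoted above.

```shell
#!/bin/sh
# Added example: classify domain controllers from nmblookup output.
# The sample text is copied from the output quoted in this thread; on a
# live network feed in: nmblookup "$WG#1B" and nmblookup "$WG#1C".

# Print the IPs that answered for NAME<type> in nmblookup output on stdin.
registered_ips() {  # $1 = workgroup, $2 = NetBIOS name type (1b or 1c)
    awk -v tag="$(printf '%s<%s>' "$1" "$2" | tr 'A-Z' 'a-z')" '
        tolower($2) == tag && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }'
}

# Label every <1c> holder as PDC (also holds <1b>) or BDC.
# Exit status 1 means no BDC answered, so no other controller is
# registered to serve logons if the PDC is stopped.
classify_dcs() {  # $1 = workgroup, $2 = 1B query output, $3 = 1C query output
    pdc=$(printf '%s\n' "$2" | registered_ips "$1" 1b | head -n 1)
    bdcs=0
    for ip in $(printf '%s\n' "$3" | registered_ips "$1" 1c | sort -u); do
        if [ "$ip" = "$pdc" ]; then
            echo "PDC $ip"
        else
            echo "BDC $ip"
            bdcs=$((bdcs + 1))
        fi
    done
    [ -n "$pdc" ] || echo "NO-PDC $1<1b> unanswered"
    [ "$bdcs" -gt 0 ]
}

SAMPLE_1B='WARNING: The "printer admin" option is deprecated
querying DDESIGN on 192.168.0.255
192.168.0.4 DDESIGN<1b>'

SAMPLE_1C='WARNING: The "printer admin" option is deprecated
querying DDESIGN on 192.168.0.255
192.168.0.4 DDESIGN<1c>
192.168.0.3 DDESIGN<1c>'

classify_dcs DDESIGN "$SAMPLE_1B" "$SAMPLE_1C"
```

Running the same check while the PDC is stopped shows whether the BDC still answers for <1c>, which is the name clients query to locate a logon server.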