Juan Pablo Michelino
2009-Mar-26 14:42 UTC
[Samba] PDC / BDC in a Samba Domain Controller.
Hello, I am making a Domain Controller with Samba (v3.0.33) and LDAP (v2.4). I will install a PDC in the headquarters and a BDC in the subsidiary of the company that I work for. The PDC and the BDC will each have their own LDAP database. I just installed the PDC without problems and my next step is to install the BDC. I configured the LDAP to work in multi-master mode. I made some tests and the LDAP works well. I need to know if the BDC can write in its local database. On the other side: can the BDC act as PDC when the connection between both servers is broken? I need the users that work in the subsidiary to be able to log in and make changes in their profiles (e.g. change their password and so on) even when the connection with the headquarters is lost. Below I copy the BDC's smb.conf. Can anyone help me? Thanks.

# --------------------------------------------------------------------
admin users = manager @"Domain Admins" @administradores
ntlm auth = yes
netbios name = PDC_Rosario
workgroup = SECCO
lanman auth = no
winbind trusted domains only = yes
encrypt passwords = yes
winbind use default domain = yes
server string = BDC
domain logons = yes

# ----------------------- Network Related Options -----------------
hosts allow = 10.20.0.0/16 10.18.0.0/16 localhost

# --------------------------- Logging Options ---------------------
max log size = 500
log file = /var/log/samba/%m.log

# ----------------------------- LDAP Options ----------------------
ldap passwd sync = yes
ldap admin dn = cn=manager,dc=secco,dc=com,dc=ar
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=secco,dc=com,dc=ar

# ----------------------- Standalone Server Options ---------------
security = user
passdb backend = ldapsam:ldap://127.0.0.1

# ----------------------- Domain Members Options -------------------
# ----------------------- Domain Controller Options ---------------
logon script = login.bat
add machine script = /usr/sbin/smbldap-useradd -w "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user script = /usr/sbin/smbldap-useradd -m "%u"

# ----------------------- Browser Control Options -----------------
local master = yes
os level = 65
domain master = no
preferred master = yes

#----------------------------- Name Resolution --------------------
wins support = yes
name resolve order = wins lmhosts bcast

# --------------------------- Printing Options --------------------
# --------------------------- Filesystem Options ------------------

#====================== Share Definitions ========================
[homes]
comment = Home Directories
browseable = no
writable = no
root preexec = /etc/samba/mk_sambadir "/home/%u" "%u" "%g"
write list = %S manager
valid users = SECCO\%S SECCO\manager
inherit permissions = yes
force user = %S
force group = @administradores
directory mask = 0700
create mask = 0700

[netlogon]
comment = Network Logon Service
browseable = yes
path = /home/netlogon
guest ok = yes
writable = no
valid users = SECCO\manager %U
write list = llattan

[shares]
comment = Carpeta del grupo Sistemas
path = /home2/sistemas
valid users = @shares @administradores
browseable = yes
writable = no
write list = @shares_w @administradores
inherit permissions = yes
force user = %U
force group = share
# --------------------------------------------------------------------

--
Juan Pablo Michelino
Your PDC and BDC must have the same SID. Your BDC's LDAP database should be a copy of your PDC's. Also the BDC should be a slave to the PDC's LDAP, so every change in your PDC's database should change on your BDC. This is quite simple with slurpd. If the PDC now stops, the BDC will take over. The users are able to log in, but to have their shares accessible you should have the same shares on PDC and BDC. Write a script when you log on or off to rsync the files of the users.

Greetings
Daniel

On Thu, 26 Mar 2009 11:15:34 -0300, Juan Pablo Michelino <jpmichelino@jfsecco.com.ar> wrote:
> Hello,
> I am making a Domain Controller with Samba (v3.0.33) and LDAP (v2.4).
> I will install a PDC in the headquarters and a BDC in the subsidiary of
> the company that I work for.
> The PDC and the BDC will each have their own LDAP database.
> I just installed the PDC without problems and my next step is to install
> the BDC.
> I configured the LDAP to work in multi-master mode. I made some tests
> and the LDAP works well.
> I need to know if the BDC can write in its local database.
> On the other side: can the BDC act as PDC when the connection between both
> servers is broken? I need the users that work in the subsidiary to be able
> to log in and make changes in their profiles (e.g. change their password
> and so on) even when the connection with the headquarters is lost.
> Below I copy the BDC's smb.conf.
> Can anyone help me? Thanks.
On Fri, Mar 27, 2009 at 5:24 AM, Daniel Müller <mueller@tropenklinik.de> wrote:
> Your PDC and BDC must have the same SID.
> Your BDC's LDAP database should be a copy of your PDC's. Also the BDC should
> be a slave to the PDC's LDAP, so every change in your
> PDC's database should change on your BDC. This is quite simple with slurpd.
> If the PDC now stops, the BDC will take over. The users are able to log in,
> but to have their shares accessible you should have the same shares
> on PDC and BDC. Write a script when you log on or off to rsync the files of
> the users.

I thought slurpd was deprecated years ago when openldap-2.3 came out.

http://www.openldap.org/doc/admin24/replication.html

John
Juan Pablo Michelino
2009-Mar-27 14:21 UTC
[Samba] PDC / BDC in a Samba Domain Controller.
Thanks Daniel and John. I am not using slurpd. I am using rsync to synchronize the whole database. I need to know if the BDC can write to its local LDAP database. If it is OK, I think that the domain will work well, regardless of whether the connection between PDC and BDC is broken or not. Can you help me? Thanks.

Juan Pablo Michelino

John Drescher wrote:
> On Fri, Mar 27, 2009 at 5:24 AM, Daniel Müller <mueller@tropenklinik.de> wrote:
>
>> Your PDC and BDC must have the same SID.
>> Your BDC's LDAP database should be a copy of your PDC's. Also the BDC should
>> be a slave to the PDC's LDAP, so every change in your
>> PDC's database should change on your BDC. This is quite simple with slurpd.
>> If the PDC now stops, the BDC will take over. The users are able to log in,
>> but to have their shares accessible you should have the same shares
>> on PDC and BDC. Write a script when you log on or off to rsync the files of
>> the users.
>
> I thought slurpd was deprecated years ago when openldap-2.3 came out.
>
> http://www.openldap.org/doc/admin24/replication.html
>
> John
> I am not using slurpd. I am using rsync to synchronize the whole database.
> I need to know if the BDC can write to its local LDAP database. If it is OK, I
> think that the domain will work well, regardless of whether the connection between
> PDC and BDC is broken or not.
> Can you help me?
> Thanks.

I would use syncrepl instead. With openldap 2.4 both ldap servers can be masters in multimaster mode.

http://www.openldap.org/doc/admin24/replication.html

John
---------- Forwarded message ----------

Sorry John, I made a mistake. I am not using rsync. I am using syncrepl. It works very well in multimaster mode. Do you know if it is possible for the BDC to write in the LDAP database?

Juan Pablo Michelino
>> but to have their shares accessible you should have the same shares
>> on PDC and BDC. Write a script when you log on or off to rsync the files of
>> the users.

How do you reliably capture logoff events?

> I thought slurpd was deprecated years ago when openldap-2.3 came out.

It is (was). Current setups use syncrepl, and recent versions support multimaster and mirror-mode.

> http://www.openldap.org/doc/admin24/replication.html
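As an added illustration of the syncrepl multimaster setup the thread converges on (not configuration posted by anyone in the thread), here is a slapd.conf fragment for OpenLDAP 2.4 N-way multimaster between the PDC and BDC; it is `mirrormode on` that makes each server accept local writes, which is what the question about the BDC writing to its own LDAP comes down to. The suffix and manager DN come from the posted smb.conf; the hostnames pdc.secco.com.ar and bdc.secco.com.ar, the cn=replicator identity and the passwords are assumed placeholders.

```conf
# Identical fragment for both servers: each slapd takes the serverID whose
# URL matches its own listener (slapd -h), so one file serves PDC and BDC.
serverID 1 ldap://pdc.secco.com.ar        # assumed hostname
serverID 2 ldap://bdc.secco.com.ar        # assumed hostname

database        hdb
suffix          "dc=secco,dc=com,dc=ar"
rootdn          "cn=manager,dc=secco,dc=com,dc=ar"   # Samba's "ldap admin dn"
rootpw          {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT
directory       /var/lib/ldap
index           entryCSN,entryUUID eq     # required for efficient syncprov

# Dedicated read-only replication identity (assumed name) instead of
# replicating as the manager DN that Samba uses for writes.
access to *
        by dn.exact="cn=replicator,dc=secco,dc=com,dc=ar" read
        by * break
limits dn.exact="cn=replicator,dc=secco,dc=com,dc=ar"
        time.soft=unlimited time.hard=unlimited
        size.soft=unlimited size.hard=unlimited

# One consumer entry per peer; a server ignores the entry pointing at itself.
syncrepl rid=001
        provider=ldap://pdc.secco.com.ar
        bindmethod=simple
        binddn="cn=replicator,dc=secco,dc=com,dc=ar"
        credentials=REPLACE_WITH_REPLICATOR_PASSWORD
        searchbase="dc=secco,dc=com,dc=ar"
        type=refreshAndPersist
        retry="5 5 300 +"
        starttls=critical       # sambaNTPassword hashes cross the WAN: require TLS
        tls_reqcert=demand
syncrepl rid=002
        provider=ldap://bdc.secco.com.ar
        bindmethod=simple
        binddn="cn=replicator,dc=secco,dc=com,dc=ar"
        credentials=REPLACE_WITH_REPLICATOR_PASSWORD
        searchbase="dc=secco,dc=com,dc=ar"
        type=refreshAndPersist
        retry="5 5 300 +"
        starttls=critical
        tls_reqcert=demand

# Without this a syncrepl consumer is a read-only shadow and refuses local
# writes; with it each server accepts writes (e.g. a password change made
# through the BDC while the WAN is down) and pushes them to the peer on reconnect.
mirrormode on

overlay syncprov
syncprov-checkpoint 100 10
```

Both Samba instances keep `passdb backend = ldapsam:ldap://127.0.0.1` and bind as the manager DN to their own server, so the BDC's writes land locally and are replicated to the PDC; the two slapd instances must still be deployed from one copy of the database (including the sambaDomain entry carrying the domain SID) so that the directories share a common history.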