Hi,

I want to set up SaMBa PDC and BDC with LDAP. I read the TOSHARG2, but don't understand something:

> Samba-3 cannot participate in true SAM replication and is therefore not able to employ
> precisely the same protocols used by MS Windows NT4. A Samba-3 BDC will not create
> SAM update delta files.

Ok, I understand up to that point, but:

> It will not interoperate with a PDC (NT4 or Samba) to synchronize
> the SAM from delta files that are held by BDCs.
> The BDC is said to hold a read-only of the SAM from which it is able to process network
> logon requests and authenticate users. The BDC can continue to provide this service,
> particularly while, for example, the wide-area network link to the PDC is down.

So, when I have SaMBa PDC (with master LDAP) and BDC (with slave LDAP), can the BDC update machine and/or user information or not? As I understood, only the LDAP solution is suitable for a PDC-BDC setup, because "domain member servers and workstations periodically change the Machine Trust Account password", so the BDC has to update some data. As I understood, the BDC can change at least Machine Trust Account passwords.

Additional question: can a user change his/her login password when he/she is connected to the BDC (in case the PDC is available, and in case the PDC is temporarily unavailable)? I read in TOSHARG2 too that in the BDC's smb.conf I don't need user/group modification scripts, so I guess I cannot add/modify them from the BDC.

Thanks.
Tamás Pisch wrote:

> Hi,
>
> I want to set up SaMBa PDC and BDC with LDAP. I read the TOSHARG2, but don't understand something:
>
>> Samba-3 cannot participate in true SAM replication and is therefore not able to employ
>> precisely the same protocols used by MS Windows NT4. A Samba-3 BDC will not create
>> SAM update delta files.
>
> Ok, I understand up to that point, but:
>
>> It will not interoperate with a PDC (NT4 or Samba) to synchronize
>> the SAM from delta files that are held by BDCs.
>> The BDC is said to hold a read-only of the SAM from which it is able to process network
>> logon requests and authenticate users. The BDC can continue to provide this service,
>> particularly while, for example, the wide-area network link to the PDC is down.
>
> So, when I have SaMBa PDC (with master LDAP) and BDC (with slave LDAP), can the BDC update machine and/or user information or not? As I understood, only the LDAP solution is suitable for a PDC-BDC setup, because "domain member servers and workstations periodically change the Machine Trust Account password", so the BDC has to update some data. As I understood, the BDC can change at least Machine Trust Account passwords.
>
> Additional question: can a user change his/her login password when he/she is connected to the BDC (in case the PDC is available, and in case the PDC is temporarily unavailable)? I read in TOSHARG2 too that in the BDC's smb.conf I don't need user/group modification scripts, so I guess I cannot add/modify them from the BDC.
>
> Thanks.

I have the exact same questions. I had a PDC using a master LDAP server and a few BDCs using slave LDAP servers. Now, I upgraded LDAP to replicate in multi-master mode and set the PDC and BDCs to point to these LDAP servers. In my current setup, what is the difference between the PDC and a BDC? When an administrator adds a computer or user to the domain from a Windows machine, how does the Windows machine decide which DC to contact?

I have read the Samba-How-To many times but have never understood this part. Thanks for clarifying...

John
> I have the exact same questions.
> I had a PDC using a master LDAP server and a few BDCs using slave LDAP servers.
> Now, I upgraded LDAP to replicate in multi-master mode and set the PDC and BDCs to point to these LDAP servers. In my current setup, what is the difference between the PDC and a BDC?

Nothing has changed as far as Samba is concerned. The rules for updating the LDAP databases are now governed by the standard rules governing multi-master replication for the LDAP software.

> When an administrator adds a computer or user to the domain from a Windows machine, how does the Windows machine decide which DC to contact?

The machine will contact the PDC, and the PDC will contact the LDAP server specified in its smb.conf file. The LDAP software will take it from that point.

Take a look at chapter 5 in the Official Samba Howto. Pay special attention to the section entitled "LDAP Configuration Notes".
> So, when I have SaMBa PDC (with master LDAP) and BDC (with slave LDAP), can the BDC update machine and/or user information or not? As I understood, only the LDAP solution is suitable for a PDC-BDC setup, because "domain member servers and workstations periodically change the Machine Trust Account password", so the BDC has to update some data.
> As I understood, the BDC can change at least Machine Trust Account passwords.

Here is my understanding of the situation. Samba does not manage replication. Replication is managed by the LDAP software that is used with Samba. The rules governing replication are the same rules that apply to any other LDAP database. If you set up master/slave replication on OpenLDAP, requests sent to the BDC to update records will be redirected to the master LDAP server. When the master server has been updated, the changes will be propagated to the slave LDAP server. The process is no different from any other OpenLDAP database.

> Additional question: can a user change his/her login password when he/she is connected to the BDC (in case the PDC is available, and in case the PDC is temporarily unavailable)? I read in TOSHARG2 too that in the BDC's smb.conf I don't need user/group modification scripts, so I guess I cannot add/modify them from the BDC.

You do not need the user/group modification scripts on a BDC because the slave LDAP server does not update the database. The rules governing multi-master replication will depend on the rules governing multi-master replication for the LDAP software you implement.
Hi,

>>> It will not interoperate with a PDC (NT4 or Samba) to synchronize
>>> the SAM from delta files that are held by BDCs.
>
> Samba3 BDCs can not do SAM sync with a Windows NT4 PDC. Samba3 BDCs pass update requests to the Samba3 PDC - and the PDC will then apply the update to the LDAP directory. It is possible to configure a Samba3 BDC to update LDAP directly - the choice is yours.
>
>> So, when I have SaMBa PDC (with master LDAP) and BDC (with slave LDAP), can the BDC update machine and/or user information or not?
>
> Yes, when a BDC receives an update request it will pass it to the PDC.
>
>> As I understood, only the LDAP solution is suitable for a PDC-BDC setup, because "domain member servers and workstations periodically change the Machine Trust Account password", so the BDC has to update some data.
>> As I understood, the BDC can change at least Machine Trust Account passwords.
>> Additional question: can a user change his/her login password when he/she is connected to the BDC (in case the PDC is available, and in case the PDC is temporarily unavailable)?
>
> It depends on how the BDC is configured to integrate with LDAP. It is possible to configure a Samba3 BDC to directly write to the LDAP master. This may not be an optimum solution, but it does work.

I would like to realize a configuration where the BDC can serve the network even when the PDC (with its master LDAP database) is temporarily unavailable. Serving means at least password changes, but ideally the other user and computer management tasks too. How can I do this? It is not good when the BDC writes to the PDC's master LDAP, because the master LDAP will be on the PDC, so when the SaMBa 3 PDC is out, the master LDAP is out too. Is a multi-master LDAP configuration the solution for this?

>> I read in TOSHARG2 too that in the BDC's smb.conf I don't need user/group modification scripts, so I guess I cannot add/modify them from the BDC.
>
> You can - IF the BDC is given direct write access to the LDAP directory.
>
> - John T.

To the master LDAP, so this is why I'm thinking about a multi-master setup, if this scenario ensures the availability and consistency too.

Thanks in advance,
Tamas.
> Hi,
>
> I want to set up SaMBa PDC and BDC with LDAP. I read the TOSHARG2, but don't understand something:
>
>> Samba-3 cannot participate in true SAM replication and is therefore not able to employ
>> precisely the same protocols used by MS Windows NT4. A Samba-3 BDC will not create
>> SAM update delta files.
>
> Ok, I understand up to that point, but:
>
>> It will not interoperate with a PDC (NT4 or Samba) to synchronize
>> the SAM from delta files that are held by BDCs.

Samba3 BDCs can not do SAM sync with a Windows NT4 PDC. Samba3 BDCs pass update requests to the Samba3 PDC - and the PDC will then apply the update to the LDAP directory. It is possible to configure a Samba3 BDC to update LDAP directly - the choice is yours.

>> The BDC is said to hold a read-only of the SAM from which it is able to process network
>> logon requests and authenticate users. The BDC can continue to provide this service,
>> particularly while, for example, the wide-area network link to the PDC is down.
>
> So, when I have SaMBa PDC (with master LDAP) and BDC (with slave LDAP), can the BDC update machine and/or user information or not?

Yes, when a BDC receives an update request it will pass it to the PDC.

> As I understood, only the LDAP solution is suitable for a PDC-BDC setup, because "domain member servers and workstations periodically change the Machine Trust Account password", so the BDC has to update some data.
> As I understood, the BDC can change at least Machine Trust Account passwords.
> Additional question: can a user change his/her login password when he/she is connected to the BDC (in case the PDC is available, and in case the PDC is temporarily unavailable)?

It depends on how the BDC is configured to integrate with LDAP. It is possible to configure a Samba3 BDC to directly write to the LDAP master. This may not be an optimum solution, but it does work.

> I read in TOSHARG2 too that in the BDC's smb.conf I don't need user/group modification scripts, so I guess I cannot add/modify them from the BDC.

You can - IF the BDC is given direct write access to the LDAP directory.

- John T.
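To make the two answers above concrete (the PDC/BDC difference being only `domain master` plus the account-creation scripts, and the BDC's writes being referred from the slave to the master LDAP server), here is an added configuration example. It is not from this thread or from the Samba documentation; the hostnames, suffix, admin DN, replication DN and the use of smbldap-tools for the add scripts are assumptions, and everything else uses smb.conf and slapd.conf directives that exist in Samba 3 and slurpd-era OpenLDAP.

```ini
# Added example, not from the thread. Placeholder names are assumed.

# ---- PDC: /etc/samba/smb.conf (excerpt) ----
[global]
    workgroup = EXAMPLEDOM
    netbios name = PDC1
    security = user
    domain logons = yes
    domain master = yes          ; only the PDC claims the domain master role
    preferred master = yes
    os level = 65
    passdb backend = ldapsam:ldap://ldap-master.example.internal
    ldap suffix = dc=example,dc=internal
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=Manager,dc=example,dc=internal
    ; account-creation hooks live on the PDC only (smbldap-tools assumed)
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"

# ---- BDC: /etc/samba/smb.conf (excerpt) ----
[global]
    workgroup = EXAMPLEDOM
    netbios name = BDC1
    security = user
    domain logons = yes
    domain master = no           ; never claim the PDC role
    preferred master = no
    os level = 64                ; must stay below the PDC's os level
    ; reads go to the local slave; a write (e.g. a machine trust-account
    ; password change) gets an LDAP referral to the master, which Samba
    ; follows, so the BDC needs the same admin DN and the same secret
    ; stored with "smbpasswd -w" as the PDC
    passdb backend = ldapsam:ldap://ldap-slave.example.internal
    ldap suffix = dc=example,dc=internal
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=Manager,dc=example,dc=internal
    ; pause (milliseconds) after a referred write so the slave can receive
    ; the change before the next read of the same entry
    ldap replication sleep = 1000
    ; no add user/machine/group scripts here: account creation is the PDC's job

# ---- slave slapd.conf (OpenLDAP slurpd-style replication, excerpt) ----
# write requests from anyone except the replication identity are answered
# with a referral to the master instead of being applied locally
updatedn  "cn=replicator,dc=example,dc=internal"
updateref ldap://ldap-master.example.internal
```

The consequence for the availability question in the thread is visible in the BDC fragment: logons and other reads keep working against the local slave while the master is unreachable, but every referred write (password changes and machine trust-account updates included) fails until the master returns, so there is no consistency risk, only a loss of write service. Moving to multi-master replication changes the slapd side and the referral behaviour only; as the reply above says, the Samba side stays as shown.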