sven.ehret at comdok.de
2009-Aug-20 12:24 UTC
[Samba] central PDC + remote BDCs: LDAP strategy, my lack of comprehension
Hello,

I am trying to figure out how to implement a Samba domain in a number of remote offices around the world with partly bad and often interrupted WAN connections/VPNs. The goal is to administer the directory from the central data center.

My obvious choice would be to set up a central server with SAMBA+OpenLDAP+smbldap-tools and in each remote office a SAMBA server with OpenLDAP as a read-only slave of the central master.

Although I seem to make progress, it seems that the more time I invest in this project, the more questions emerge. My latest issue made me create this mailman account.

My question is: When the remote SAMBA server only talks to its own local, read-only LDAP slave, how is it going to change user/machine passwords or add machine accounts (when joining the domain)?

In my test setup an XP client insisted on trying to join the BDC, failing because a) smbldap-tools is not installed or b) it could not write to the slave LDAP directory.

I surely could configure the remote SAMBA to talk to the central OpenLDAP service, but then I would not need LDAP replication and would not have a failover in case the WAN link goes down.

There was the SAMBA option to have multiple tdbsam backends, but this is not supported anymore.

I hope that my explanation enables somebody to give me a hint towards understanding what can/should/must be done.

Kind regards
Sven Ehret
Michal Dobroczynski
2009-Aug-20 12:50 UTC
[Samba] central PDC + remote BDCs: LDAP strategy, my lack of comprehension
Hello Sven,

I have the following structure here:
- one PDC talking to RW OpenLDAP
- three BDCs talking to RO OpenLDAP replica

Basically I am using additional BDCs as file servers - and so far it works fine.

Please take a look at "password server" and "passdb backend" (here you specify the RO replica). Think also about "ldapsam:trusted = yes" (large performance gain).

One of the BDCs is located 500km from where I am right now - and there is also a replica out there (accessed by Samba running out there to get all user/group info - but "password server" is located here).

According to a much older e-mail (when I had a question about BDCs) - a copy-paste from Volker's reply:

--- copy paste ---
On Fri, Oct 05, 2007 at 10:15:02PM +0200, Michal Dobroczynski wrote:
> Well - what I have discovered is that setting
>
> domain logons = Yes
> domain master = No
>
> seems to solve the problem....

because this *is* the only way to tell Samba to be a BDC. This must be somewhere in the docs.

Volker
--- copy paste ---

I hope this helps a bit.

Regards,
Michal
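As an added illustration (not code from the thread, and not Samba's own tooling): the POSIX sh helper below writes out two constructed smb.conf files in the layout Michal describes (the PDC bound to the writable OpenLDAP master, a BDC bound to its local read-only replica, both with "ldapsam:trusted = yes") and then classifies each file as PDC, BDC or member from the two settings Volker names, "domain logons" and "domain master". Samba matches parameter names case- and whitespace-insensitively and treats "domain master = auto" (its default) as following "domain logons", so the check mirrors that. The hostnames, LDAP suffix and admin DN are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: read an smb.conf and
# report the server role (PDC/BDC/member) plus the passdb backend it uses.
# Hostnames, suffix and DN below are constructed for illustration only.

# Print the [global] value of KEY from FILE, or nothing if unset.
# Samba ignores case and whitespace in parameter names, so "Domain Master"
# and "domainmaster" are the same key; the last occurrence wins.
smb_global_value() {
    file=$1
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' \t')
    awk -v want="$want" '
        /^[ \t]*[#;]/ { next }                                  # comment line
        /^[ \t]*\[/   { s = tolower($0); gsub(/\[|\]|[ \t]/, "", s); next }
        s == "global" && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)     # normalised key
            v = $0; sub(/^[^=]*=/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", v)                      # trimmed value
            if (tolower(k) == want) val = v
        }
        END { if (val != "") print val }
    ' "$file"
}

# Normalise a Samba boolean (yes/true/1 -> yes, anything else -> no).
smb_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1) echo yes ;;
        *)          echo no ;;
    esac
}

# Classify FILE:
#   domain logons = yes, domain master = yes  -> PDC
#   domain logons = yes, domain master = no   -> BDC (Volker's recipe)
#   domain logons = no                        -> member (or standalone)
# An unset or "auto" domain master follows domain logons, as in Samba.
samba_role() {
    logons=$(smb_bool "$(smb_global_value "$1" 'domain logons')")
    master=$(smb_global_value "$1" 'domain master')
    case "$(printf '%s' "$master" | tr 'A-Z' 'a-z')" in
        ''|auto) master=$logons ;;
        *)       master=$(smb_bool "$master") ;;
    esac
    if   [ "$logons" = yes ] && [ "$master" = yes ]; then echo PDC
    elif [ "$logons" = yes ];                        then echo BDC
    else                                                  echo member
    fi
}

# Write a constructed smb.conf for ROLE (pdc|bdc) to FILE: the PDC talks to
# the writable OpenLDAP master, a BDC to its local read-only replica.
write_sample_conf() {
    file=$1; role=$2
    if [ "$role" = pdc ]; then
        master=yes; name=PDC0; ldap_url='ldap://ldap-master.example.com'
    else
        master=no;  name=BDC1; ldap_url='ldap://localhost'
    fi
    cat >"$file" <<EOF
[global]
    workgroup = EXAMPLE
    netbios name = $name
    security = user
    domain logons = yes
    domain master = $master
    passdb backend = ldapsam:$ldap_url
    ldap suffix = dc=example,dc=com
    ldap admin dn = cn=samba,dc=example,dc=com
    ldapsam:trusted = yes
EOF
}

# Stand-alone run: report both constructed configurations.
for role in pdc bdc; do
    tmp=$(mktemp)
    write_sample_conf "$tmp" "$role"
    printf '%s: role=%s backend=%s trusted=%s\n' "$role" \
        "$(samba_role "$tmp")" \
        "$(smb_global_value "$tmp" 'passdb backend')" \
        "$(smb_global_value "$tmp" 'ldapsam:trusted')"
    rm -f "$tmp"
done
```

Pointing the check at a real file (samba_role /etc/samba/smb.conf) is a quick way to confirm that a remote office server really is configured as a BDC and that its "passdb backend" names the local replica rather than the central master.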