Hello,

at the moment we use Samba 4 in an NT4-style domain with approx. 20 clients.

With the problem of Windows 10 joining an NT4-style domain (https://wiki.samba.org/index.php/Required_Settings_for_Samba_NT4_Domains#Windows_10:_There_Are_Currently_No_Logon_Servers_Available_to_Service_the_Logon_Request) we plan to migrate to Samba AD.

At the moment there is the following scheme:

samba PDC (Fileserver) -> OpenLDAP syncrepl to Mailserver (to receive mails if PDC is down)

As I can read, Samba LDAP can't sync to OpenLDAP and it's not recommended to run the PDC on the fileserver.

What is the best way?

samba PDC (kvm vm/ host1) <- drs -> Samba BDC (kvm vm/ host2)

Fileserver, get users via pam_ldap from PDC.
Mailserver, get users via pam_ldap from PDC.

How does the mailserver know to ask the BDC if the PDC is down?

Or should I place the BDC on the mailserver?

Best Regards,
Basti
On Wed, 25 Jan 2017 15:55:16 +0100 basti via samba <samba at lists.samba.org> wrote:

> Hello,
>
> at the Moment we use and Samba 4 in NT4-style Domain with approx. 20
> Clients.
>
> With the Problem of Windows 10 to join to NT4-style
> (https://wiki.samba.org/index.php/Required_Settings_for_Samba_NT4_Domains#Windows_10:_There_Are_Currently_No_Logon_Servers_Available_to_Service_the_Logon_Request)
> we plan to migrate to Samba AD.
>
> At the Moment there is the following scheme:
>
> samba PDC (Fileserver) -> Openldap syncrepl to Mailserver (to receive
> mails if PDC is down)
>
> As I can read Samba LDAP can't sync to OpenLDAP and it's not recomment
> to run PDC on Fileserver.

I think you mean, it is not recommended to use a Samba AD DC as a fileserver.

Two things: whilst it is not recommended, you can use a Samba AD DC as a fileserver, you just have to be aware of the limitations, see here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server

Secondly, please stop referring to an AD DC as a PDC or BDC, this is what you have now. All AD DCs are equal except for the FSMO roles and these can be on any DC; there is no concept of a PDC or BDC in AD.

> What is the best way?
>
> samba PDC (kvm vm/ host1) <- drs -> Samba BDC (kvm vm/ host2)
>
> Fileserver, get users via pam_ldap from PDC.

Fileserver, get users & groups via winbind from AD.

> Mailserver, get users via pam_ldap from PDC.

Depends on your mailserver, if it can use kerberos, then use kerberos.

> How does the mailserver know to ask the bdc if pdc is down?

Seeing as there is neither a PDC nor a BDC, it shouldn't matter.

Rowland
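As an added example (not from any poster in this thread) of the "users & groups via winbind" setup Rowland suggests for the file server: a domain-member smb.conf using the rid idmap backend. Domain, realm, share path and ranges are placeholders; winbind finds the DCs itself through DNS, so no DC hostname is configured here and a DC going down does not need any client-side handling.

```ini
# /etc/samba/smb.conf on the file server, joined as a domain member
# (SAMDOM / samdom.example.com / /srv/data are placeholder values)
[global]
   security = ADS
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   log file = /var/log/samba/%m.log
   log level = 1

   # Winbind maps AD SIDs to Unix UIDs/GIDs, replacing pam_ldap/nss_ldap.
   # Default backend for BUILTIN and any trusted domain
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   # rid backend: deterministic mapping, so every member server computes
   # the same UID/GID for a given AD account without a shared database
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999

   # Let users log in as "basti" instead of "SAMDOM\basti"
   winbind use default domain = yes
   # Keep Kerberos tickets fresh for long-running sessions
   winbind refresh tickets = yes
   template shell = /bin/bash
   template homedir = /home/%U

[data]
   path = /srv/data
   read only = no
   # Restrict to an AD group; rights inside the share are still governed by ACLs
   valid users = @"Domain Users"

# Also needed outside smb.conf (not shown): "passwd: files winbind" and
# "group: files winbind" in /etc/nsswitch.conf, then check with
#   wbinfo -u ; getent passwd <ad-user> ; getent group "Domain Users"
```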
And to get a strong platform with servers which can go down without breaking whatever services depend on your AD, just build several domain controllers. As all DCs (for normal use) do the same job, your mail server will be able to talk to DCx or DCy when DCz is down.

2017-01-25 16:37 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Wed, 25 Jan 2017 15:55:16 +0100
> basti via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > at the Moment we use and Samba 4 in NT4-style Domain with approx. 20
> > Clients.
> >
> > With the Problem of Windows 10 to join to NT4-style
> > (https://wiki.samba.org/index.php/Required_Settings_for_Samba_NT4_Domains#Windows_10:_There_Are_Currently_No_Logon_Servers_Available_to_Service_the_Logon_Request)
> > we plan to migrate to Samba AD.
> >
> > At the Moment there is the following scheme:
> >
> > samba PDC (Fileserver) -> Openldap syncrepl to Mailserver (to receive
> > mails if PDC is down)
> >
> > As I can read Samba LDAP can't sync to OpenLDAP and it's not recomment
> > to run PDC on Fileserver.
>
> I think you mean, it is not recommended to use a Samba AD DC as a
> fileserver.
> Two things, whilst it is not recommended, you can use a Samba AD DC as
> a fileserver, you just have to be aware of the limitations, see here:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server
>
> Secondly, please stop referring to an AD DC as a PDC or BDC, this is
> what you have now. All AD DCs are equal except for the FSMO roles and
> these can be on any DC, there is no concept of a PDC or BDC in AD.
>
> >
> > What is the best way?
> >
> > samba PDC (kvm vm/ host1) <- drs -> Samba BDC (kvm vm/ host2)
> >
> > Fileserver, get users via pam_ldap from PDC.
>
> Fileserver, get users & groups via winbind from AD
>
> > Mailserver, get users via pam_ldap from PDC.
>
> Depends on your mailserver, if it can use kerberos, then use kerneros.
>
> >
> > How does the mailserver know to ask the bdc if pdc is down?
>
> Seeing as there is neither a PDC or BDC, it shouldn't matter.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 25/01/17 14:55, basti via samba wrote:

> Hello,
>
> at the Moment we use and Samba 4 in NT4-style Domain with approx. 20
> Clients.
>
> With the Problem of Windows 10 to join to NT4-style
> (https://wiki.samba.org/index.php/Required_Settings_for_Samba_NT4_Domains#Windows_10:_There_Are_Currently_No_Logon_Servers_Available_to_Service_the_Logon_Request)
> we plan to migrate to Samba AD.
>
> At the Moment there is the following scheme:
>
> samba PDC (Fileserver) -> Openldap syncrepl to Mailserver (to receive
> mails if PDC is down)
>
> As I can read Samba LDAP can't sync to OpenLDAP and it's not recomment
> to run PDC on Fileserver.
> What is the best way?
>
> samba PDC (kvm vm/ host1) <- drs -> Samba BDC (kvm vm/ host2)
>
> Fileserver, get users via pam_ldap from PDC.
> Mailserver, get users via pam_ldap from PDC.
>
> How does the mailserver know to ask the bdc if pdc is down?
>
> Or should I place the bdc on mailserver?
>
>
> Best Regards,
> Basti
>

Hi,

You can't replicate between AD and OpenLDAP. There are two ways to go (and you should avoid using a DC as a fileserver, it may work for you but it's less painful to just set up new DCs):

1) Change your mail server to talk to AD, preferably set up multiple AD DCs and have them fail over. Dovecot and Postfix make this very easy.

2) Set up a caching OpenLDAP proxy to AD, point the backend LDAP DB to all your DCs. OpenLDAP has docs on a proxy cache, it's quite easy to get it working. You may need to tune your queries and timeouts.

Cheers
Alex

-- 
This message is intended only for the addressee and may contain confidential information. Unless you are that person, you may not disclose its contents or use it in any way and are requested to delete the message along with any attachments and notify us immediately. This email is not intended to, nor should it be taken to, constitute advice.
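As an added example (not from any poster in this thread) of Alex's option 1 combined with Rowland's "use Kerberos if the mail server can" remark: Dovecot and Postfix LDAP configuration that lists several DCs, so lookups and logins fail over when one DC is unreachable, which is the answer to the original "how does the mailserver know" question. File paths, hostnames, DNs, the vmail layout and the passwords are placeholders.

```ini
# --- /etc/dovecot/dovecot-ldap.conf.ext (path and values are placeholders) ---
# Several DC URIs: libldap/Dovecot connect to the first one that answers,
# so a single DC being down does not stop logins.
uris = ldaps://dc1.samdom.example.com ldaps://dc2.samdom.example.com
tls_require_cert = hard
ldap_version = 3
base = DC=samdom,DC=example,DC=com
scope = subtree
# Low-privilege lookup account; only needed for the searches below.
dn = CN=dovecot-lookup,CN=Users,DC=samdom,DC=example,DC=com
dnpass = PLACEHOLDER_LOOKUP_PASSWORD
# Kerberos alternative to dn/dnpass (keytab readable by the dovecot auth user):
#   sasl_bind = yes
#   sasl_mech = GSSAPI
# Verify the password by binding as the user: AD checks it, no hashes are read.
auth_bind = yes
# Match on sAMAccountName and exclude disabled accounts
# (userAccountControl bit 2, tested with the LDAP_MATCHING_RULE_BIT_AND OID).
pass_filter = (&(objectClass=user)(sAMAccountName=%n)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
user_filter = (&(objectClass=user)(sAMAccountName=%n))
# Fixed vmail UID/GID and a mailbox path derived from the login name
user_attrs = =uid=vmail,=gid=vmail,=home=/var/mail/%d/%n

# --- /etc/postfix/ad_users.cf (path is a placeholder) ---
# Used as e.g.  virtual_mailbox_maps = ldap:/etc/postfix/ad_users.cf
# Postfix tries the listed servers in order and fails over on connect errors.
server_host = ldaps://dc1.samdom.example.com ldaps://dc2.samdom.example.com
tls_require_cert = yes
version = 3
bind = yes
bind_dn = CN=postfix-lookup,CN=Users,DC=samdom,DC=example,DC=com
bind_pw = PLACEHOLDER_LOOKUP_PASSWORD
# Kerberos alternative:  bind = sasl  and  sasl_mechs = GSSAPI
search_base = DC=samdom,DC=example,DC=com
scope = sub
# Short timeout so a hung DC makes Postfix move on instead of stalling delivery
timeout = 5
# Only accept recipients in our own mail domain
domain = samdom.example.com
# Match the primary address or any proxyAddresses "smtp:" alias
query_filter = (&(objectClass=user)(|(mail=%s)(proxyAddresses=smtp:%s)))
result_attribute = sAMAccountName
```

Test the failover explicitly before relying on it: stop one DC and check that `doveadm auth test <user>` and `postmap -q user@samdom.example.com ldap:/etc/postfix/ad_users.cf` still succeed.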