[Samba] PDC/BDC Domain Logins Samba 2.2.7

Buchan Milne bgmilne at cae.co.za
Tue May 6 11:15:41 GMT 2003


> Date: Mon, 5 May 2003 19:26:41 +0000 (GMT)
> From: John H Terpstra <jht at samba.org>
> To: "Collins, Kevin" <KCollins at nesbittengineering.com>
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] PDC/BDC Domain Logins Samba 2.2.7
> On Mon, 5 May 2003, Collins, Kevin wrote:
>
>>> We're about to start migrating from Windows NT 4.0 to a Samba controlled
>>> setup.  I've got a question about the functionality of the Samba PDCs and
>>> BDCs.
>>>
>>> In my Windows setup I have three domains that are defined by geographic
>>> locations.  Each of these domains "trusts" the other.  In Samba 2.2.7, I
>>> can't have the trusts, so I'm looking at creating one giant domain that will
>>> be comprised of one Samba PDC and two Samba BDCs.  These domains are/will be
>>> separated with IP subnets, WAN lines and routers.
>>>
>>> My question is, in one of the remote locations (which will house a BDC) will
>>> the local BDC be the main authentication source?  Or will the request get
>>> forwarded to the PDC?
>
>
> That depends on how you configure the BDC setup. You can keep all
> authentication local. You can use LDAP and let LDAP do the replication of
> the user accounts database.
>

This is one aspect that isn't really covered in sufficient detail in any
of the currently available documentation, so I have covered it in this
article (which is not quite finished and not in its final location):

http://ranger.dnsalias.com/samba-ldap-advanced.html

The content of this document is complete; I am currently fixing up the
wording etc, cleaning sample config files and finalising references, so
it should be accurate enough to use. Feedback welcome.

(JHT, I don't think I will have time to cover samba3, but the
replication setup, which constitutes a large part of the document, and
is not covered anywhere else, may be of value for the samba3 docs, and I
think it is complete. Let me know if you want sample configs also).

>
>>>
>>> I know in Windows the request would be kept local, but I want to make sure
>>> that they will remain so in the Samba world too.  These offices are
>>> connected only by 128k Frame Relay lines and I'd hate for every
>>> authentication request to be sent down those slow lines.
>

If you run samba against a slave LDAP server, you will only have
replication traffic from the master to the slave, and password changes.

BTW, you will want samba-2.2.8a for this, since 2.2.8 was the first
release to have working LDAP referrals (allowing password changing when
the local LDAP is a slave, by rebinding to the server returned by the
referral), without which BDCs don't really work.

Regards,
Buchan

--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
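
A configuration sketch of the layout described in the message above: a slave LDAP server beside each BDC, with writes referred back to the master. This is an added example, not taken from the post or from the linked article; every hostname, DN, path and password in it is a placeholder, and it assumes OpenLDAP with slurpd replication and a Samba 2.2.8a build with LDAP support.

```conf
# ---- slapd.conf on the master LDAP server (PDC site) ----
# Placeholder values throughout; substitute your own.
replogfile  /var/lib/ldap/replog
replica     host=ldap-branch.example.com:389
            binddn="cn=replicator,dc=example,dc=com"
            bindmethod=simple credentials=REPLACE_ME

# ---- slapd.conf on the slave LDAP server (BDC site) ----
# Only the replication identity may write to the slave; any other
# write request is answered with a referral to the master.
updatedn    "cn=replicator,dc=example,dc=com"
updateref   ldap://ldap-master.example.com

# ---- smb.conf on the BDC ----
[global]
   workgroup     = EXAMPLE
   domain logons = yes
   domain master = no
   # Logon lookups are answered by the local slave, so they do not
   # cross the WAN. A password change is referred to the master and
   # Samba rebinds there (needs 2.2.8 or later, as the post notes).
   ldap server   = localhost
   ldap suffix   = dc=example,dc=com
   # The password for this DN is stored locally with: smbpasswd -w
   ldap admin dn = cn=samba,dc=example,dc=com
```

The replication bind and the referral rebind both present credentials to the master across the WAN link, so those connections should run over TLS or a tunnel rather than in the clear.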


