[Samba] two PDCs
Tamás Pisch
pischta at gmail.com
Wed Jul 14 07:09:41 MDT 2010
As I see, when I send a reply and leave [samba] in the subject, the SaMBa
archive gets confused. My topic is in several threads. Sorry.
> Look, I'm not sure if my emails are getting through or not, but drop this
> multi PDC thing. It's just more complexity.
>
> Dropped :)
> You need some sort of LDAP replication because you want authentication done
> locally. Multi-master is more difficult to set up, but more flexible. There
> are other schemes. I had some 16 servers setup this way and had very few
> difficulties. It is quite resilient and reliable. Here is a good primer:
>
> http://www.zytrax.com/books/ldap/ch7/
>
Thank you. It is important to me that people who have more experience than
me answer. Last year, when I set up my present system, I used zytrax.com, and
I found it very useful. At that time, I read about all the LDAP replication
versions, and I finally chose a master-slave configuration with the
refreshAndPersist replication method.
>
> a. Master LDAP server in the HQ, and slave in the branch site,
>    according to the SaMBa guide.
> b. Branch site uses master LDAP server too. It looks tempting, but
>    difficult/dangerous to me.
> 2. PDC on the HQ, BDC on the branch site
> a. branch site uses slave LDAP server.
> b. Branch site uses master LDAP server too.
> In 1/a and 2/a, the VPN outage could be problem. Am I right?
>
> No, the b's are the problem if the VPN is down. They're calling the
> "master" which is at the other end of the VPN. The a's have a slave copy.
> All is good, unless they need to write to LDAP. How much LDAP writing goes
> on in the branch?
>
Very few. I think users change their passwords very rarely. I manage users
with my own scripts, which call smbldap-tools scripts. One important thing
remains: machine account passwords. It is automatic, and is repeated
periodically. A longer-than-some-minutes outage could be a serious problem.
Fortunately, it can be controlled:
http://support.microsoft.com/kb/175468/
I'm going to disable the machine account password change for the clients in
the branch office.
> As I know, only
> PDC writes to the LDAP database. Is that true?
>
> No. If you're using smbldap-tools, the ldap calls are made via
> smbldap_bind.conf. So with multi-master this whole dual PDC thing is fairly
> useless. See, Multi-master...all are writable.
>
Now, I don't use smbldap-passwd for password change. I use pam-ldap for it.
> Because in case of VPN
> outage, this situation has the same drawback.
> So, my main problem is the unreliable ADSL line. Can we live with slave
> server in the branch office?
>
>
> Yes, using Replication refreshOnly or Replication refreshAndPersist. You
> can truly go apeshit with this stuff, making only pieces of the DIT
> available to branches. Very nifty once you get it down.
>
So, I'm going to set up a slave LDAP server in the branch site. It won't be
flexible, but I don't want troubles. If I had more time, I would make a
test system first, with multi-master replication.
Thanks all for your help, and if you have additional thoughts, they are
welcome.
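Added here as a worked example (not part of the thread or of the SaMBa guide): a slapd.conf fragment for the branch-office consumer described above, using the refreshAndPersist method chosen in this thread, with slapo-chain so that the rare writes mentioned earlier (user password changes, machine trust-account password rotation) are forwarded to the HQ master instead of coming back as referrals, which Samba does not chase. The host names, suffix, replication DN, paths and passwords are constructed placeholders.

```conf
# slapd.conf fragment for the branch-office consumer ("slave") server.
# Constructed example; assumed names: master ldap-hq.example.com,
# suffix dc=example,dc=com, replication DN cn=replicator,dc=example,dc=com.
# Schema includes (core, cosine, inetorgperson, nis, samba) as on the master.
moduleload      back_hdb
# back_ldap is what slapo-chain uses to reach the master
moduleload      back_ldap

# Samba does not chase referrals, so writes arriving here (password
# changes, machine trust-account password rotation) are chained to the
# master instead of failing. mode="self" asserts the client's own DN,
# which needs authz-policy/authzTo for the replicator DN on the master.
overlay         chain
chain-uri       "ldap://ldap-hq.example.com"
chain-idassert-bind bindmethod="simple"
                binddn="cn=replicator,dc=example,dc=com"
                credentials="REPLACE-replicator-password"
                mode="self"
chain-tls       start
chain-return-error TRUE

database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
# hashed with slappasswd, never a cleartext password
rootpw          "REPLACE-WITH-slappasswd-HASH"
directory       /var/lib/ldap
index           objectClass,uid,uidNumber,gidNumber,sambaSID   eq

# refreshAndPersist keeps a persistent search open to the master so changes
# arrive as they happen. retry="60 10 300 +": after a VPN drop, 10 attempts
# every 60 s, then every 300 s indefinitely. starttls=critical refuses to
# replicate in the clear (the stream carries the Samba password hashes).
syncrepl        rid=001
                provider=ldap://ldap-hq.example.com
                type=refreshAndPersist
                retry="60 10 300 +"
                searchbase="dc=example,dc=com"
                filter="(objectClass=*)"
                scope=sub
                attrs="*,+"
                schemachecking=off
                bindmethod=simple
                binddn="cn=replicator,dc=example,dc=com"
                credentials="REPLACE-replicator-password"
                starttls=critical
                tls_reqcert=demand
                tls_cacert=/etc/ldap/ca.pem
# referral target for clients that do chase referrals on write
updateref       ldap://ldap-hq.example.com
```

On the branch Samba server, list the local consumer first and the master second in smb.conf, e.g. `passdb backend = ldapsam:"ldap://ldap-branch.example.com ldap://ldap-hq.example.com"`, so lookups stay local during a VPN outage and fail over otherwise. Check that a replicator bind from the branch is refused without TLS and that a test password change made at the branch appears on the master before relying on the setup.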