[Samba] two PDCs

Tamás Pisch pischta at gmail.com
Wed Jul 14 07:09:41 MDT 2010


As I see, when I send a reply, and I leave [samba] in the subject, the SaMBa
archive get confused. My topic is in several threads. Sorry.

> Look, I'm not sure if my emails are getting through or not, but drop this
> multi PDC thing.  It's just more complexity.
>
> Dropped :)


> You need some sort of LDAP replication because you want authentication done
> locally.  Multi-master is more difficult to set up, but more flexible. There
> are other schemes.  I had some 16 servers setup this way and had very few
> difficulties.  It is quite resilient and reliable.  Here is a good primer:
>
> http://www.zytrax.com/books/ldap/ch7/
>
Thank you. It is important to me, if people answer me who have more
experience than me. Last year, when I set up my present system, I used
zytrax.com, and I found it very useful. At that time, I read all ldap
replication versions, and I finally chose master-slave configuration with
refreshAndPersist replication method.

>
>     a. Master LDAP server in the HQ, and slave in the branch site, according
> to the SaMBa guide.
>     b. Branch site uses master LDAP server too. It looks tempting, but
> difficult/dangerous to me.
> 2. PDC on the HQ, BDC on the branch site
>     a. branch site uses slave LDAP server.
>     b. Branch site uses master LDAP server too.
> In 1/a and 2/a, the VPN outage could be problem. Am I right?
>
> No, the b's are the problem if the VPN is down.  They're calling the
> "master" which is at the other end of the VPN.  The a's have a slave copy.
> All is good, unless they need to write to LDAP.  How much LDAP writing goes
> on in the branch?
>
Very few. I think, users change their passwords very rarely. I manage users
with my own scripts, which call smbldap-tools scripts. One important thing
remains: machine account passwords. It is automatic, and is repeated
periodically. A longer-than-some-minutes outage could be a serious problem.
Fortunately, it can be ruled:
http://support.microsoft.com/kb/175468/
I'm going to disable the machine account password change for the clients in
the branch office.

> As I know, only
> PDC writes to the LDAP database. Is that true?
>
> No.  If you're using smbldap-tools, the ldap calls are made via
> smbldap_bind.conf.  So with multi-master this whole dual PDC thing is fairly
> useless.  See, Multi-master...all are writable.
>

Now, I don't use smbldap-passwd for password change. I use pam-ldap for it.

> Because in case of VPN
> outage, this situation has the same drawback.
> So, my main problem is the unreliable ADSL line. Can we live with slave
> server in the branch office?
>
>
> Yes, using Replication refreshOnly or Replication refreshAndPersist.  You
> can truly go apeshit with this stuff, making only pieces of the DIT
> available to branches.  Very nifty once you get it down.
>

So, I'm going to set up a slave LDAP server in the branch site. It won't be
flexible, but I don't want troubles. If I had more time, I would have made a
test system first, with multi-master replication.
Thanks all for your help, and if you have additional thoughts, they are
welcome.
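As an added example (not part of this thread), a check that tells you when the branch slave has fallen behind the master, which is the failure mode to watch for with a slave over an unreliable ADSL/VPN link: compare the contextCSN attribute of the suffix entry on both servers, which a syncrepl consumer keeps in step with its provider. The base DN, the sample ldapsearch output and the lag threshold are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample output of
#   ldapsearch -LLL -b dc=example,dc=com -s base contextCSN
# run against the HQ master and the branch slave (base DN is an assumption).
MASTER_LDIF = """dn: dc=example,dc=com
contextCSN: 20100714130941.123456Z#000000#000#000000
"""
SLAVE_LDIF = """dn: dc=example,dc=com
contextCSN: 20100714125530.654321Z#000000#000#000000
"""

# CSN layout: YYYYmmddHHMMSS.uuuuuuZ#count#sid#mod (count and mod are hex).
CSN_RE = re.compile(
    r"^contextCSN:\s*(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})",
    re.M | re.I,
)


def parse_csn(ldif):
    """Return (utc_timestamp, count, sid, mod) from the first contextCSN in LDIF text.

    A single-master setup has one contextCSN; with multi-master each server id
    (sid) carries its own, so in that case compare per sid instead of the first hit.
    """
    m = CSN_RE.search(ldif)
    if not m:
        raise ValueError("no contextCSN attribute in ldapsearch output")
    ts = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(
        tzinfo=timezone.utc, microsecond=int(m.group(2)))
    return ts, int(m.group(3), 16), int(m.group(4), 16), int(m.group(5), 16)


def replication_lag(master_ldif, slave_ldif):
    """Seconds the slave's contextCSN trails the master's (0.0 if in sync)."""
    master_ts = parse_csn(master_ldif)[0]
    slave_ts = parse_csn(slave_ldif)[0]
    return max(0.0, (master_ts - slave_ts).total_seconds())


def slave_is_stale(master_ldif, slave_ldif, max_lag_seconds=300):
    """True when the slave is further behind than the tolerated window."""
    return replication_lag(master_ldif, slave_ldif) > max_lag_seconds


if __name__ == "__main__":
    lag = replication_lag(MASTER_LDIF, SLAVE_LDIF)
    print("branch slave lags %.0f s, stale=%s" % (lag, slave_is_stale(MASTER_LDIF, SLAVE_LDIF)))
```

Run it from cron on the branch server with the real ldapsearch output substituted for the constructed strings; a persistent non-zero lag means the refreshAndPersist session was lost during a VPN outage and the consumer has not yet resynchronised.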
