Help setting up Samba BDC of Samba PDC

Ignacio Coupeau icoupeau at unav.es
Mon Aug 23 15:00:49 GMT 1999



Charles Owens wrote:
> 
> Ignacio Coupeau wrote:
> 
> > Charles Owens wrote:
> >>
...
> > for me, the LDAP runs with a very decent degree of fault tolerance...
...
> If I'm reading you correctly, with an LDAP-based PDC we can achieve two
> benefits:
> 
>    * BDC-functionality (PDC failover)
>    * PDC scalability via a "cluster" approach (multiple _active_
>      Samba-PDC nodes serving the same domain)
> 
> Is this what you're saying, Ignacio, when you say you're serving 50
> workstations with 3 PDCs?  Is anything special required to get all three
> nodes to actively share the burden of workstation authentication?

...is quite different to a BDC. 
Now we share the "smbpasswd" between all the domains: the LDAP is a
"common and centric smbpasswd database" for all the domains. "All the
domains" means all the NT-WS and "all the users".
So, in each PDC we have a list of the WS in the /etc/passwd, and with
the bin/smbpasswd (with ldap) from a PDC we can add a NT-WS to a domain:
only the ldap database keeps the WS record: 
	...
	lmpassword: CAEF8D32BEC47FDE41FE21646AC40B0C
	ntpassword: CAEF8D32BEC47FDE41FE21646AC40B0C
	pwdlastset: 37C13C3E
	...
We maintain only the WS in each PDC's /etc/passwd because with the LDAP
I can manage a WS account with bin/smbpasswd from any PDC: this is
practical but also may be a disaster...

If an LDAP server is down, we need a Backup (for example, upgraded via
slurpd) and the PDC finds the new ldap via a DNS record. I haven't tested if
"ldap server" can allow several ldap servers, but it may be very useful..

If a PDC is down, perhaps -with the secondary WINS server- the NT can
find another PDC, but you need a tuning of the "preferred master = yes"
and "os level = <x>" parameters. If you remember, the NT allows a second
wins server: I hope this'll be a way.

I think that an advantage of the ldap is the common database, because
any Samba server with the appropriate smb.conf/SID can act as PDC.

But this is my opinion: at this time, I haven't tested the competition
between two PDCs with different "os level" for the same domain with LDAP.
In a few days I can write something.

> 
> When a true BDC (by Microsoft's definition) is set up, there is a trust
> relationship between it and the PDC.  In your scenario, there are no
> trust relationships, right?  In fact, there isn't really a single node
> identifiable as _the_ PDC.  All 3 nodes are "collectively" the PDC.  All
> nodes must share a common <domain_name>.SID file, right?

They are not "collectively PDC": we have several domains (PDCs). Our plan is
that the pseudo-BDC will be pointed via WINS...
> 
> The role of domain browse master (as set by the "domain master"
> parameter), however, can only be handled by a single node at a time,
> right?  So, if all 3 nodes have the setting "domain master = auto"
> they'll settle by election which one is the domain browse master.  

... that is my plan more or less but playing with "os level", "domain
master = yes", and so.

Regards,
Ignacio
____________________________________________________
Ignacio Coupeau, Ph.D.     e-mail: icoupeau at unav.es
CTI, Director              fax:    948 425619
University of Navarra      voice:  948 425600
Pamplona, SPAIN            http://www.unav.es/cti/
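The attribute lines quoted in the message above suggest a small hygiene check an admin would want once the smbpasswd data lives in a shared LDAP database that any PDC can write to. The following Python is an added example, not code from this thread or from Samba. It assumes the attribute names exactly as quoted (lmpassword, ntpassword, pwdlastset), treats pwdlastset as seconds since the Unix epoch written in hex (the smbpasswd "LCT" convention; the quoted value decodes to 1999-08-23 12:19:10 UTC, the day of this message), and uses an assumed 30-day staleness threshold. The hash values are the ones quoted in the message, reused here as constructed sample input.

```python
"""Audit helper for smbpasswd-style attributes stored in LDAP (added example)."""
from datetime import datetime, timezone

# Constructed sample: the attribute lines quoted in the message, including
# the "..." elision markers, in the "name: value" form they appear there.
SAMPLE_ENTRY = """\
\t...
\tlmpassword: CAEF8D32BEC47FDE41FE21646AC40B0C
\tntpassword: CAEF8D32BEC47FDE41FE21646AC40B0C
\tpwdlastset: 37C13C3E
\t...
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")

# Date on this message (Mon Aug 23 15:00:49 GMT 1999), as epoch seconds.
MESSAGE_EPOCH = int(datetime(1999, 8, 23, 15, 0, 49, tzinfo=timezone.utc).timestamp())


def parse_entry(text):
    """Parse 'attribute: value' lines into a dict of lists (attributes may repeat)."""
    entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":      # blank line or elision marker
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed attribute line: {raw!r}")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def pwdlastset_epoch(hexval):
    """pwdlastset is seconds since the Unix epoch, written as hex (assumed LCT format)."""
    return int(hexval, 16)


def pwdlastset_to_datetime(hexval):
    """Same value as an aware UTC datetime, for display."""
    return datetime.fromtimestamp(pwdlastset_epoch(hexval), tz=timezone.utc)


def is_hash(value):
    """A stored LM or NT hash is 16 bytes, i.e. exactly 32 hex digits."""
    return len(value) == 32 and all(c in HEX_DIGITS for c in value)


def audit_entry(entry, now_epoch, max_age_seconds=30 * 86400):
    """Return a sorted list of finding tags for one account entry.

    lm-hash-present       an LM hash is stored; LM is the weak, case-folding
                          hash and is worth disabling where no client needs it
    nt-hash-missing /     the NT hash is absent, or is not 32 hex digits
    nt-hash-malformed
    pwdlastset-missing /  no usable last-set timestamp
    pwdlastset-malformed
    password-stale        last set more than max_age_seconds before now_epoch
                          (30 days is an assumed threshold, not a Samba default)
    """
    findings = set()
    if entry.get("lmpassword"):
        findings.add("lm-hash-present")
    nt = entry.get("ntpassword")
    if not nt:
        findings.add("nt-hash-missing")
    elif not all(is_hash(v) for v in nt):
        findings.add("nt-hash-malformed")
    lastset = entry.get("pwdlastset")
    if not lastset:
        findings.add("pwdlastset-missing")
    else:
        try:
            lastset_epoch = pwdlastset_epoch(lastset[0])
        except ValueError:
            findings.add("pwdlastset-malformed")
        else:
            if now_epoch - lastset_epoch > max_age_seconds:
                findings.add("password-stale")
    return sorted(findings)


if __name__ == "__main__":
    entry = parse_entry(SAMPLE_ENTRY)
    print("pwdlastset =", pwdlastset_to_datetime(entry["pwdlastset"][0]).isoformat())
    # Audited as of the date on this message: only the stored LM hash is flagged.
    print(audit_entry(entry, MESSAGE_EPOCH))
    # Audited a year later, the same entry is also reported as stale.
    print(audit_entry(entry, MESSAGE_EPOCH + 365 * 86400))
```

Run it on an LDIF export of the account subtree (one call to parse_entry per entry) to get a quick list of workstation and user records that still carry LM hashes or have not changed their password since the last audit; because every PDC can write the shared database, such a report is the cheapest way to notice an account that was added from a PDC nobody expected.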