domain controller promotion

Steve Langasek vorlon at
Tue Sep 12 17:04:13 GMT 2000

On Tue, 12 Sep 2000, Akop Pogosian wrote:

> > > This option is not used to designate a machine as PDC.
> > > >From smb.conf man page:

> > >      preferred master (G)

> > >           This boolean parameter controls if nmbd is a  preferred
> > >           master browser for its workgroup.

> > >           If this is set to true, on startup, nmbd will force  an
> > >           election,  and  it will have a slight advantage in win-
> > >           ning the election.  It is recommended that this parame-
> > >           ter  is used in conjunction with "domain master = yes",
> > >           so that nmbd can guarantee becoming a domain master.
> > >                   ...

> > > If you don't want your Samba box to be a PDC, make sure you do not
> > > set "domain logons" in smb.conf or use "domain logons = no"
> > > in smb.conf file.

> > "domain logons = yes" is needed to retrieve the passwords from the PDC.
> > to avoid beeing PDC you should set "domain master = no".

> Not true. "domain master = no" tells nmbd not to become a domain
> master browser. A machine can be a PDC without being a domain master
> browser.

> If "domain logons = yes" then samba becomes a PDC and authentication
> is done on the samba server. If you want samba to authenticate users
> from some other PDC then you certainly can't have "domain logons =
> yes" option on the samba server because that promotes it into a PDC as
> well.  (you need to use "password server = *" , and "security  =
> domain" options for that.)

'domain master = yes' is the option that causes nmbd to become a domain master
browser, *BUT* NT uses the same netbios name type for 'domain master browser'
as it does for 'primary domain controller'.  If 'domain master = yes' and
'domain logons = yes', then Samba will act as a PDC (at least, as well as it
can) and all NT workstations in that workgroup will also treat it as such.

If 'domain master = no' and 'domain logons = yes', then Samba appears to be a
BDC on the network.  If using Samba-TNG and a proper trust relationship has
been established with the PDC, then Samba will even act as a BDC.

If you set 'domain master = yes' and 'domain logons = no', then all the other
machines on the network will look at you askance because you're a DMB, but
you're not a logon server (and therefore not a domain controller).  But
because you're registered as the DMB, no other server can become the PDC for
that domain, either.

OTOH, if there's no NT domain to speak of on your network (in which case this
is hardly the appropriate forum), then by all means, set 'domain master' and
'domain logons' to whatever settings you think work best for you.

Steve Langasek
postmodern programmer

More information about the samba-ntdom mailing list