Samba as BDC in windows domain?

David Lee t.d.lee at
Tue Jun 11 09:13:02 GMT 2002

On Tue, 11 Jun 2002, Paul Reilly wrote:

> I've been reading about setting up Samba as a PDC with LDAP storage.
> However if I am to do this it needs to co-exist with the exisitng windows
> NT domain using windows NT PDC's. Everything I've read so far says you
> can't have a Samba BDC unless it's in a Samba PDC controlled domain. Is this
> correct? Is there *any_possible_way* of having a Samba BDC get SAM updates
> from a windows NT PDC ?
> If not, is there any other way to sync an OpenLDAP server against a NT PDC ?

Might be possible, but first the disclaimer...

Disclaimer:  I have absolutely zero knowledge of PDC/BDC/NT internals.
Zero, zilch, rein, nothing, nil, nowt, ...


At our site, we have just started dabbling with a thing called "Microsoft
Services for UNIX" (hereinafter called "SFU") that our PC folk obtained.

Until now, our service has been basically UNIX.  Although most of the
user-visible front-end (i.e. desktop machines) is a variant of W2K, the
"real work" has hitherto been UNIX: the identifier and password the user
gives is actually a UNIX pair, used to authenticate their Samba drive from
UNIX.  (Behind the scenes on W2K, there was simply a blanket guest-type
login just before this.)

Now...  we are contemplating a migration to Active Directory ("AD") of
these accounts: some 20,000 or them.  (Gives me, as a UNIX person, the
shudders, but that's another story...!)  One reason is so that the id/pw
pair can be a real Windows authentication, so they can do real Windozy
things.  We are very keen to preserve the "single authentication" model.

Our plan is to set up accounts for all users in AD.  We would then use
UNIX password-aging mechanisms to "persuade" all users to change their
password "at leisure, in their own time".  But behind the scenes we would
be using the UNIX PAM module from Microsoft's SFU to copy (synchronise)
these password changes out from UNIX into AD.  (We'll also be using SFU's
corresponding "ssod" daemon for a small number of real-AD folk who might
want to maintain synchronisation from AD towards UNIX.)

Our initial, very small, tests look promising.

I've no real idea whether that can map to your environment, but it might
be worth looking at.

Hope that helps.


:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:            South Road            :
:                                           Durham                :
:  Phone: +44 191 374 2882                  U.K.                  :

More information about the samba-technical mailing list