Samba 3.0 alpha and LDAP: some questions

Andrew Bartlett abartlet at samba.org
Wed Oct 2 12:06:00 GMT 2002


PINTO ELIA wrote:
> 
> Hi all
> 
> We are migrating from an AS/U (Advanced Server for Unix)/NT environment to
> Samba/NT, using the Samba 3.0 alpha19.
> We have implemented a domain with Samba acting as both PDC and BDC. Also we
> use OpenLDAP as Samba backend in multimaster replication to realize the
> SAM synchronization between PDC and BDC. At the moment not all our
> requirements are satisfied. We'd like to have your help to overcome the
> obstacles. Following are the questions raised during our implementation:
> 
>         1)      Samba schema does not include the Domain groups and the
> domain SID. Is it scheduled to include these in the Samba schema? I think
> that is useful (no local secrets.tdb and group_mapping.tdb to replicate
> via rsync).

We are actively looking at these issues, and the best way to solve them
in both the long and short term.

>         2)      About BDC, could I update the user accounts when the PDC is
> down? Is the BDC read-only like NT for the SAM?

Yes, the BDC is considered read-only.  If you really have a multimaster
replication scheme, then you could 'flip' the BDC up to a PDC for that
period, but Windows clients won't attempt to send updates to a BDC.
pdbedit/smbpasswd etc. don't actually know about this, so would attempt
to update regardless.

>         3)      We have dumped the SAM database from the AS/U server to
> fully migrate our environment to Samba. We've seen that some machine
> accounts and interdomain trust accounts have the lanman password length = 0,
> LM password null and NT password not null.

This is correct.  Samba only sets both for historical reasons.  It sets
them to the same value too...

>         How would Samba interpret that behavior? Does that mean we
> should put "NO PASSWORDxxx..." or "disabled" for those accounts? I have
> also found that after removing lmPassword from the Samba LDAP interdomain
> trust account (with ldapmodify) the trust seems to work, but is this the
> right thing to do?

In Samba 3.0, this should be fine.  I put a bit of work into ensuring
that 'magic' tests on the value on the LM password no longer apply.

>         4)      What does the acctFlag for "MNS logon account" mean?

No idea...

> We hope you could kindly give us some suggestions. At the end of our project
> we'd like to publish our experiences if they could contribute to the Samba
> community.

I look forward to hearing how you go.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
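A small audit of the lmPassword/ntPassword/acctFlags pattern raised in question 3, added here as an example (it is not code from the thread or from Samba): it reads a constructed LDIF dump of sambaAccount entries, decodes the bracketed acctFlags letters, and reports which accounts are trust accounts and which hashes are genuinely set, treating an absent value, the all-X null hash and a "NO PASSWORD..." value alike as "no hash". The attribute names are those of the Samba 3.0-alpha sambaAccount schema; the entries, hashes and DNs are constructed sample data.

```python
import re
# Constructed LDIF dump of Samba 3.0-alpha sambaAccount entries (not real data).
# acctFlags letters: U user, W workstation trust, S server trust,
# I interdomain trust, M MNS logon, N no password, D disabled.
SAMPLE_LDIF = """\
dn: uid=OTHERDOM$,ou=Trusts,dc=example,dc=org
objectClass: sambaAccount
uid: OTHERDOM$
acctFlags: [I          ]
lmPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
ntPassword: FEDCBA9876543210FEDCBA9876543210

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: sambaAccount
uid: alice
acctFlags: [UD         ]
lmPassword: 0123456789ABCDEF0123456789ABCDEF
ntPassword: 0123456789ABCDEF0123456789ABCDEF
"""
NULL_HASH = "X" * 32  # smbpasswd convention for "no hash stored"

def parse_ldif(text):
    # Minimal LDIF reader (no base64 '::' values): one dict per blank-line-separated entry.
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        e = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            e.setdefault(attr.strip(), []).append(val.strip())
        entries.append(e)
    return entries

def acct_flags(entry):
    # Decode '[UD         ]' into {'U', 'D'}; missing or malformed -> empty set.
    m = re.fullmatch(r"\[([A-Z ]*)\]", entry.get("acctFlags", [""])[0].strip())
    return set(m.group(1).replace(" ", "")) if m else set()

def hash_present(entry, attr):
    # Absent, all-X, or "NO PASSWORD..." values all mean "no usable hash".
    v = entry.get(attr, [""])[0]
    return bool(v) and v != NULL_HASH and not v.startswith("NO PASSWORD")

def audit(text):
    # Per sambaAccount: account type from acctFlags plus which hashes are really set.
    out = []
    for e in [x for x in parse_ldif(text) if "sambaAccount" in x.get("objectClass", [])]:
        flags = acct_flags(e)
        out.append({"uid": e["uid"][0], "kind": "trust" if flags & {"W", "S", "I"} else "user",
                    "lm": hash_present(e, "lmPassword"), "nt": hash_present(e, "ntPassword")})
    return out
```

Run `audit` over a real `ldapsearch -LLL` dump of the Samba suffix to list which trust and machine accounts carry only an NT hash before deciding how to treat them.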