Samba 3.0 alpha and LDAP: some questions

Andrew Bartlett abartlet at
Wed Oct 2 12:06:00 GMT 2002

> Hi all
> We are migrating from an AS/U (Advanced Server for Unix)/NT environment to
> Samba/NT, using Samba 3.0 alpha19.
> We have implemented a domain with Samba acting as both PDC and BDC. Also we
> use OpenLDAP as the Samba backend in multimaster replication to realize the
> SAM synchronization between PDC and BDC. At the moment not all our
> requirements are satisfied. We'd like to have your help to overcome the
> obstacles. Following are the questions raised during our implementation:
>         1)       Samba schema does not include the Domain groups and the
> domain SID. Is it scheduled to include these in the Samba schema? I think
> that is useful (no local
>                 Secrets.tdb and group_mapping.tdb to replicate via rsync)

We are actively looking at these issues, and the best way to solve them
in both the long and short term.

>         2)      About BDC, could I update the user accounts when the PDC is
> down? Is the BDC read-only like NT for the SAM?

Yes, the BDC is considered read-only.  If you really have a multimaster
replication scheme, then you could 'flip' the BDC up to a PDC for that
period, but windows clients won't attempt to send updates to a BDC.
pdbedit/smbpasswd etc don't actually know about this, so would attempt
to update regardless.

>         3)      We have dumped the SAM database from the AS/U server to
> fully migrate our environment to Samba.  We've seen that some machine
> accounts and interdomain trust accounts have the lanman password length = 0,
> lm password null and ntpasswd not null.

This is correct.  Samba only sets both for historical reasons.  It sets
them to the same value too...

>          How would Samba interpret that behavior?  That means we
> should put "NO PASSWORDxxx...", or "disabled" for those accounts? I have
> also found that after removing lmPassword from the SAMBA LDAP interdomain
> trust account (with ldapmodify) the trust seems to work, but is this the
> right thing to do?

In Samba 3.0, this should be fine.  I put a bit of work into ensuring
that 'magic' tests on the value on the LM password no longer apply.  

>         4)      What does the acctFlag for "MNS logon account" mean?

No idea...

> We hope you could kindly give us some suggestions. At the end of our project
> we'd like to publish our experiences if they could contribute to the Samba
> community.

I look forward to hearing how you go.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
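Questions 3 and 4 above concern how a migrated SAM dump looks in the Samba LDAP schema: accounts with an NT hash but no LM hash, the smbpasswd "NO PASSWORD"/disabled markers, and the acctFlags letters. The following audit script is an added example and is not code from this thread or from the Samba project. It assumes the Samba 2.2/3.0-alpha attribute names used in the message (lmPassword, ntPassword, acctFlags, objectClass sambaAccount); the flag-letter table follows the letters Samba's smbpasswd format uses; the LDIF input and all hash values are constructed placeholders, and the minimal LDIF reader does not handle base64 or folded lines.

```python
"""Audit a Samba-style LDAP dump (LDIF) for password-hash and acctFlags
consistency: which accounts carry only an NT hash, which use the smbpasswd
"NO PASSWORD" / disabled markers, and what the acctFlags letters mean."""
import re
from typing import Dict, List

# acctFlags letters as written by Samba's smbpasswd format ("[UX         ]").
ACCT_FLAGS = {
    "U": "normal user",
    "W": "workstation trust",
    "S": "server trust",
    "I": "interdomain trust",
    "D": "disabled",
    "N": "no password required",
    "H": "home dir required",
    "T": "temp duplicate",
    "M": "MNS logon user account",
    "L": "auto-locked",
    "X": "password does not expire",
}

# 32-character markers used in place of a hex hash.
NO_PASSWORD_MARKER = ("NO PASSWORD" + "X" * 32)[:32]
DISABLED_MARKER = "X" * 32
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")


def parse_acct_flags(value: str) -> List[str]:
    """Decode "[UX         ]" into flag descriptions; unknown letters are reported."""
    body = value.strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    return [ACCT_FLAGS.get(ch, f"unknown flag {ch!r}") for ch in body if ch != " "]


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def classify_hash(values: List[str]) -> str:
    """Classify an lmPassword/ntPassword attribute: absent, hash, marker or invalid."""
    if not values:
        return "absent"
    v = values[0]
    if v == NO_PASSWORD_MARKER:
        return "no-password marker"
    if v == DISABLED_MARKER:
        return "disabled marker"
    if HEX32.match(v):
        return "hash"
    return "invalid"


def audit(text: str) -> Dict[str, Dict[str, object]]:
    """Return per-uid hash state, decoded flags and findings for sambaAccount entries."""
    report: Dict[str, Dict[str, object]] = {}
    for e in parse_ldif(text):
        if "sambaAccount" not in e.get("objectClass", []):
            continue
        uid = e["uid"][0]
        flags = parse_acct_flags(e.get("acctFlags", ["[U          ]"])[0])
        lm = classify_hash(e.get("lmPassword", []))
        nt = classify_hash(e.get("ntPassword", []))
        findings: List[str] = []
        is_trust = any(f.endswith("trust") for f in flags)  # W, S or I flag
        if lm == "absent" and nt == "hash":
            # Machine and trust accounts with only an NT hash are expected.
            findings.append("NT hash only" + (" (normal for trust/machine accounts)" if is_trust else ""))
        if nt != "hash" and "disabled" not in flags and "no password required" not in flags:
            findings.append("no usable NT hash on an enabled account")
        if "no password required" in flags:
            findings.append("N flag: logon permitted without a password")
        report[uid] = {"flags": flags, "lmPassword": lm, "ntPassword": nt, "findings": findings}
    return report


# Constructed sample dump (placeholder hashes, not a real directory).
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: sambaAccount
uid: alice
acctFlags: [UX         ]
lmPassword: 0123456789ABCDEF0123456789ABCDEF
ntPassword: FEDCBA9876543210FEDCBA9876543210

dn: uid=ws01$,ou=Computers,dc=example,dc=com
objectClass: sambaAccount
uid: ws01$
acctFlags: [W          ]
ntPassword: 00112233445566778899AABBCCDDEEFF

dn: uid=OTHERDOM$,ou=Trusts,dc=example,dc=com
objectClass: sambaAccount
uid: OTHERDOM$
acctFlags: [I          ]
ntPassword: 0F1E2D3C4B5A69788796A5B4C3D2E1F0

dn: uid=guest,ou=People,dc=example,dc=com
objectClass: sambaAccount
uid: guest
acctFlags: [UN         ]
lmPassword: {NO_PASSWORD_MARKER}
ntPassword: {NO_PASSWORD_MARKER}

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: sambaAccount
uid: bob
acctFlags: [UD         ]
lmPassword: {DISABLED_MARKER}
ntPassword: {DISABLED_MARKER}
"""

if __name__ == "__main__":
    for uid, info in audit(SAMPLE_LDIF).items():
        print(uid, info["lmPassword"], info["ntPassword"], info["flags"], info["findings"])
```

Run against a real `slapcat` or `ldapsearch -LLL` dump after removing the lmPassword attribute from trust accounts, the report shows which entries are in the "NT hash only" state that the reply says Samba 3.0 accepts, and separately flags accounts whose N flag allows logon without a password.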
