Samba 3.0 alpha and LDAP: some questions
abartlet at samba.org
Wed Oct 2 12:06:00 GMT 2002
PINTO ELIA wrote:
> Hi all
> We are migrating from an AS/U(Advanced Server for Unix)/NT environment to
> Samba/NT, using the Samba 3.0 alpha19.
> We have implemented a domain with Samba acting as both PDC and BDC. Also we
> use OpenLDAP as Samba backend in multimaster replication to realize the
> sam syncronization between PDC and BDC. At the moment not all our
> requirement are satisfied. We'd like to have your help to overcome the
> obstacles. Following are the questions raised during our implementation:
> 1) Samba schema does not include the Domain groups and the
> domain SID. Is it scheduled to include these in the Samba schema? I think
> that is useful (no local
> Secrets.tdb and group_mapping.tdb to replicate via rsync)
We are activly looking at these issues, and the best way to solve them
in both the long and short term.
> 2) About BDC, could I update the user accounts when the PDC is
> down? Is the BDC read-only like NT for the SAM?
Yes, the BDC is considerd read-only. If you really have a mulimaster
replication scheme, then you could 'flip' the BDC up to a PDC for that
period, but windows clients won't attempt to send updates to a BDC.
pdbedit/smbpasswd etc don't actually know about this, so would attempt
to update regardless.
> 3) We have dumped the Sam database from the AS/U server to
> fully migrate our environment to Samba. We've seen that some machine
> accounts and interdomain trust account have the lanman password length = 0,
> lm password null and ntpasswd not null.
This is correct. Samba only sets both for historical reasons. It sets
them to the same value too...
> How the Samba would interpret that behaviors? That means we
> should put "NO PASSWORDxxx...", or "disabled" for those accounts? I have
> also found that after removing lmPassword from the SAMBA LDAP interdomain
> trust account (with ldapmodify ) the trust seems to work but is this the
> right thing to do ?
In Samba 3.0, this should be fine. I put a bit of work into ensuring
that 'magic' tests on the value on the LM password no longer apply.
> 4) What does mean the acctFlag for "MNS logon account" ?
> We hope you could kindly give us some suggestion. At the end of our project
> we'll like to public our experiences if could be contribute to the Samba
I look forward to hearing how you go.
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
More information about the samba-technical