notes on HOWTO-Collection

Paul Kölle pkoelle at
Wed May 25 12:47:32 GMT 2005

First, are documentation suggestions better discussed at the users ml?

Just rereading chapter 5 of the HOWTO-Collection (backup domain
control). I'm referring to "Features and Benefits", second paragraph, and
would rephrase it as follows (for reasons see the end of this message):

Samba-3 is capable of acting as a Backup Domain Controller (BDC) to
another Samba Primary Domain Controller (PDC). As Samba-3 does not
implement the proprietary synchronization protocols Microsoft uses for
synchronizing the SAM between domain controllers, it has to use external
mechanisms. The most prominent solution today is using an LDAP server to
store account information using Samba's ldapsam passdb backend.
Replication is a built-in feature of most modern LDAP servers and this
feature can be used to keep the account information in sync.
Unfortunately, there is still a limitation because many/some LDAP
servers can only do "one way" replication, that is, they replicate from
the master to slaves but not the other way. That means writing to the
slaves is not possible; instead they return a pointer to their master
the client should write to (this is called "referrals" in LDAP speak and
the client is responsible for handling them). <here it would be nice to
have a definite answer whether clients can logon if the master is down>

While it is possible to run a Samba-3 BDC with a non-LDAP backend, that
backend must allow some form of 'two way' propagation of changes from
the BDC to the master. As we have seen, LDAP is capable of doing this to
at least some degree.

Problems I see with the current version:

After the first sentence, it jumps into LDAP without introducing why
LDAP at all (replication). It points out that when using a slave LDAP
server, clients *may* still be able to logon. So are they? AFAIK if
Samba needs to write to the SAM during logon it will fail, since the
slave will return a referral to the master and boom! (unless there is
some background magic Samba does to cache updates). Then a slave is just
load balancing, not redundancy. This is actually stated at the end of the
paragraph, but "if the slave find it's master down at the wrong time you
will have stability and operational problems" doesn't sound very
promising, and not stating what those problems might be makes it even
worse. How is one supposed to read "clients may still be able to logon"
after that sentence? And the reader has probably no clear understanding
of LDAP replication. Later on the text is interspersed with comments
about the (impossible) interop of Samba and NT4 PDCs/BDCs, which I think
should all go into "Features and Benefits". I see the "Features and
Benefits" section as "this is what you (don't) get": if one finds a
showstopper here one would probably not read further, which saves a lot
of time ;)

comments? (Of course I'd be willing to refine this if useful)


More information about the samba-technical mailing list
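The setup the message discusses, written out as an added configuration example (editor's addition, not part of Paul's message, the Samba HOWTO, or the Samba project's own files): an OpenLDAP master replicating one way to a slave via slurpd, the slave answering writes with a referral, and the Samba BDC pointed at both servers through ldapsam. Hostnames, suffix, DNs and the replicator password are placeholders; the directives themselves (`replogfile`, `replica`, `updatedn`, `updateref`, `passdb backend = ldapsam:"..."` with more than one URI, `ldap replication sleep`) are the real OpenLDAP 2.x slapd.conf and Samba 3 smb.conf parameters.

```conf
# Added example, not from the original message or the Samba HOWTO.
# Hostnames, DNs and the password are placeholders.

### slapd.conf on the master (master.example.com) ###
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# slurpd reads every change from this log and pushes it to the slave
replogfile      /var/lib/ldap/replog
replica         uri=ldap://slave.example.com
                binddn="cn=replicator,dc=example,dc=com"
                bindmethod=simple credentials=secret

### slapd.conf on the slave (slave.example.com) ###
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# only the replicator identity may write here; that is how slurpd's
# updates get in
updatedn        "cn=replicator,dc=example,dc=com"
# every other write is not applied but answered with a referral to the
# master (this is the "one way" replication the message talks about)
updateref       ldap://master.example.com

### smb.conf on the Samba BDC ###
[global]
   workgroup = EXAMPLE
   domain logons = yes
   domain master = no
   # local slave first, master second: reads are served by the slave,
   # writes are referred to the master and fail if the master is down
   passdb backend = ldapsam:"ldap://slave.example.com ldap://master.example.com"
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=Manager,dc=example,dc=com
   # milliseconds Samba waits after a referred write so that slurpd can
   # copy the change back to the slave before Samba reads it again
   ldap replication sleep = 1000
```

The `ldap admin dn` password is not in smb.conf; it is stored with `smbpasswd -w <password>`. To see what the slave does with a write, run an `ldapmodify` against `ldap://slave.example.com` as a non-replicator identity: without referral chasing the server answers with a referral (LDAP result code 10) carrying the `updateref` URL, and with the master stopped the same modification cannot complete anywhere, which is the "load balancing, not redundancy" situation the message describes. Whether a particular logon needs such a write at all is exactly the question left open in the message and is not answered by this example.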