notes on HOWTO-Collection
John H Terpstra
jht at PrimaStasys.Com
Wed May 25 15:55:04 GMT 2005
On Wednesday 25 May 2005 06:47, Paul Kölle wrote:
> First, are documentation suggestions better discussed at the users ml?
Yes. But for now, you can just email me directly since I maintain this
documentation and I am currently working on pre-print preparations for the
second edition of this book.
> Just rereading chapter 5 of the HOWTO-Collection (backup domain
> control). I'm referring to "Features and Benefits" second paragraph and
> would rephrase it as follows (for reasons see at the end of this message):
I will respond further to this within 2 weeks. Right now I am working on
getting the book "Samba-3 by Example" completed through copy edit.
Thank you for this suggestion and for the input.
> Samba-3 is capable of acting as a Backup Domain Controller (BDC) to
> another Samba Primary Domain Controller (PDC). As Samba-3 does not
> implement the proprietary synchronization protocols Microsoft uses for
> synchronizing the SAM between domain controllers it has to use external
> mechanisms. The most prominent solution today is using an LDAP server to
> store account information using Samba's ldapsam passdb backend.
> Replication is a built-in feature of most modern LDAP servers and this
> feature can be used to keep the account information in sync.
> Unfortunately, there is still a limitation because many/some LDAP
> servers can only do "one way" replication, that is, they replicate from
> the master to slaves but not the other way. That means writing to the
> slaves is not possible, instead they return a pointer to their master
> the client should write to (this is called "referrals" in LDAP speak and
> the client is responsible for handling them). <here it would be nice to
> have a definite answer whether clients can logon if the master is down>
> While it is possible to run a Samba-3 BDC with non-LDAP backend, that
> backend must allow some form of 'two way' propagation of changes from
> the BDC to the master. As we have seen LDAP is capable of doing this to
> at least some degree.
> Problems I see with the current version:
> After the first sentence, it jumps into LDAP without introducing why
> LDAP at all (replication). It points out that when using a slave LDAP
> server, clients *may* still be able to logon. So are they? AFAIK if
> Samba needs to write to the SAM during logon it will fail since the
> slave will return a referral to the master and boom! (unless there is
> some background magic samba does to cache updates). Then a slave is just
> load balancing, not redundancy. This is actually stated at the end of the
> paragraph but "if the slave finds its master down at the wrong time you
> will have stability and operational problems" doesn't sound very
> promising, and not stating what those problems might be makes it even
> worse. How is one supposed to read "clients may still be able to logon"
> after that sentence? And the reader has probably no clear understanding
> about LDAP replication. Later on the text is interspersed with comments
> about the (impossible) interop of Samba and NT4 PDCs/BDCs which I think
> should all go into the "Features and Benefits". I see the "Features and
> Benefits" section as "this is what you (don't) get"; if one finds a
> showstopper here one would probably not read further, which saves a lot
> of time ;)
> comments? (Of course I'd be willing to refine this if useful)
John H Terpstra, CTO
Phone: +1 (650) 580-8668
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
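An added illustration of the referral question raised in the thread (my own constructed simulation, not code from the HOWTO or from Samba; the server names, the in-memory directory and the sambaLogonTime write are stand-ins for real LDAP traffic). It shows why a BDC backed by a one-way LDAP slave gives load balancing for read-only logons but no redundancy once a logon needs a SAM write and the master is down.

```python
# Constructed simulation of the one-way LDAP replication and referral behaviour
# discussed above; no real LDAP library, names and attributes are stand-ins.

class LdapServer:
    def __init__(self, name, master=None):
        self.name, self.master, self.up = name, master, True   # master None: is master
        self.entries = {}                                       # dn -> attrs (the SAM)

    def search(self, dn):
        if not self.up:
            raise ConnectionError(self.name)
        return self.entries.get(dn)

    def modify(self, dn, attrs):
        if not self.up:
            raise ConnectionError(self.name)
        if self.master is not None:           # slave: refuse write, point at master
            return {"referral": "ldap://" + self.master.name}
        self.entries.setdefault(dn, {}).update(attrs)
        return {"ok": True}


def bdc_logon(servers, bdc, user_dn, needs_sam_write, max_hops=3):
    """Logon via the BDC's local LDAP slave, chasing referrals for any SAM write."""
    try:
        if servers[bdc].search(user_dn) is None:
            return False                      # account unknown
        if not needs_sam_write:
            return True                       # read-only logon: the slave suffices
        target = bdc
        for _ in range(max_hops):             # client-side referral handling
            result = servers[target].modify(user_dn, {"sambaLogonTime": "1"})
            if "ok" in result:
                return True
            target = result["referral"].split("://", 1)[1]
        return False
    except ConnectionError:
        return False                          # slave or referred-to master unreachable


def demo():
    master = LdapServer("master")
    slave = LdapServer("slave", master=master)
    servers = {"master": master, "slave": slave}
    master.modify("uid=alice", {"sambaAcctFlags": "[U]"})
    slave.entries = {dn: dict(a) for dn, a in master.entries.items()}   # one-way sync
    with_master = bdc_logon(servers, "slave", "uid=alice", True)
    master.up = False
    return (with_master,                                                # master up: write ok
            bdc_logon(servers, "slave", "uid=alice", False),            # master down, read-only
            bdc_logon(servers, "slave", "uid=alice", True))             # master down, write fails
```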