[Samba] Re: Transferring Machine Accounts / MACHINE.SID

Andrew Bartlett abartlet at samba.org
Mon Dec 29 10:52:20 GMT 2003


On Mon, Dec 29, 2003 at 04:34:02PM +0700, Beast wrote:
> Saturday, December 27, 2003, 1:45:33 PM, Andrew wrote:
> 
> > On Sat, 2003-12-27 at 15:51, Beast wrote:
> >> Saturday, December 27, 2003, 5:41:37 AM, Andrew wrote:
> 
> >> If I put PDC in slave ldap, does this mean that it will update the
> >> slave (because samba will bind as ldap-root which has authority of
> >> updating this replica)?
> >> No way to prevent samba from using other ldap account to update the
> >> directory?
> 
> > You should never list the Manager account as the replicator.  Instead,
> > create a new account, and use it only for the replication.  That way,
> > everybody who is not the replicator account will be forced to talk to
> > the master.
> 
> This is expected behaviour :-)
> as long as openldap does not support multimaster or samba cannot
> chase update referrals, I have to live with un-synced sambapassword
> attributes in ldap :-(

Have you actually tried this?  Really, we are not in the business of
creating solutions that simply don't work.  Many production sites
(mine included) rely on our LDAP code, including the behaviour that
allows DCs to bind to slave ldap servers, rebinding to the master when
required.  Indeed, we recently integrated the 'ldap replication
sleep' parameter to assist in this process.

Andrew Bartlett
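
Added example, not part of the original message or of Samba/OpenLDAP: a small audit of a slave's slapd.conf for the mistake discussed above, where the replicator (updatedn) is the Manager/rootdn or the DN Samba binds with. It assumes slurpd-style slapd.conf directives (rootdn, updatedn, updateref); the sample configs, DNs and host name are constructed.

```python
import re
import shlex

def norm_dn(dn):
    """Case-fold a DN and drop spaces around ',' and '=' (simplified comparison)."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip().lower())

def parse_databases(text):
    """Return one {directive: value} dict per 'database' section of slapd.conf text."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:   # leading whitespace continues the previous line
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    sections, section = [], None
    for line in logical:
        tokens = shlex.split(line)
        key, args = tokens[0].lower(), tokens[1:]
        if key == "database":
            section = {}
            sections.append(section)
        elif section is not None and args and key in ("suffix", "rootdn", "updatedn", "updateref"):
            section[key] = args[0]
    return sections

def audit_slave(slapd_text, samba_admin_dn):
    """Flag replica databases where non-replicator writers would not be sent to the master."""
    findings = []
    for db in parse_databases(slapd_text):
        upd = db.get("updatedn")
        if upd is None:
            continue                       # no updatedn: not configured as a replica
        suffix = db.get("suffix", "?")
        if "rootdn" in db and norm_dn(upd) == norm_dn(db["rootdn"]):
            findings.append((suffix, "updatedn is the rootdn (Manager account)"))
        if norm_dn(upd) == norm_dn(samba_admin_dn):
            findings.append((suffix, "Samba binds as updatedn, so its writes land on the slave"))
        if "updateref" not in db:
            findings.append((suffix, "no updateref, so writers get no referral to the master"))
    return findings

# Constructed sample input: the same slave database, misconfigured and corrected.
ADMIN = "cn=Manager,dc=example,dc=com"     # constructed DN that Samba binds with
WEAK = ('database bdb\nsuffix "dc=example,dc=com"\nrootdn "cn=Manager,dc=example,dc=com"\n'
        'updatedn "cn=Manager, dc=example, dc=com"\nupdateref ldap://master.example.com\n')
FIXED = WEAK.replace('updatedn "cn=Manager, dc=example, dc=com"',
                     'updatedn "cn=replicator,dc=example,dc=com"')
```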

