[Samba] [found something] Problems making use of 2K PDC
John H Terpstra
jht at samba.org
Fri Jan 31 15:01:30 GMT 2003
On Fri, 31 Jan 2003, Andreas Hasenack wrote:
> On Thu, Jan 30, 2003 at 10:14:47PM +0000, John H Terpstra wrote:
> > If your Win2K DC is your authentication server for your domain, then DO
> > NOT set "domain logons = Yes" on samba - it can cripple your Win2K DC!
> > Instead, in your smb.conf [globals] you want:
> > security = domain
> > password server = *
> > Then join the domain by:
> > smbpasswd -r 'PDC_name' -j 'Domain_Name'
> > This way your MS Windows clients should be domain members and will log
> > onto the Win2K DC and will be able to seamlessly access your samba server.
> The win2k machine is on the other side of a WAN link, a different
> subnet, but the windows clients will be accessing shares on the local samba server.
> Users will be created and managed in the win2k machine, that's why I need the
> samba server to check passwords against the remote win2k machine.
I would try to NOT use Samba for logon services at this time. There are not
big issues with doing this over a WAN link so long as there are not too
many clients _and_ you have sufficient bandwidth.
> And, since the w2k server is on a different subnet, I don't think I can make it
> the logon server for my clients, or can I? I mean, broadcasts mean a lot in a
> MS network...
You must use WINS to avoid broadcast traffic. With WINS the important UDP
traffic will be unicast. WINS can reduce UDP broadcast traffic by up to
95%. Using WINS, your clients will readily locate the logon server. I
would recommend not using file and print shares over the WAN link though.
> Should I then just make the clients authenticate against the remote w2k machine
> anyway? I know, in both scenarios, the w2k server will be contacted anyway, either
> by the samba server or by the linux client.
Correct. That's my recommendation.
- John T.
John H Terpstra
Email: jht at samba.org
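
The settings discussed in this message can be checked mechanically. The following is an added example, not part of the original post and not Samba project code: a small linter that reads the `[global]` section of an smb.conf and reports the conditions the advice above warns about. The function names, the sample configs, the `dc_is_remote` flag and the expectation that the Samba member itself has `wins server` set are assumptions made for illustration.

```python
import re

TRUE_VALUES = {"yes", "true", "1"}

# Constructed sample configs (192.0.2.10 is a documentation address).
CONFLICTING = "[global]\n  Domain Logons = Yes\n  security = user\n"
MEMBER = ("[global]\n  security = domain\n  password server = *\n"
          "  wins server = 192.0.2.10\n")

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    # Join lines ending in a backslash (smb.conf line continuation).
    text = re.sub(r"\\\r?\n", "", text)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = re.sub(r"\s+", "", line[1:-1]).lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def check_member_config(text, dc_is_remote=False):
    """List findings for a Samba server meant to be a domain member."""
    p = parse_global(text)
    findings = []
    if p.get("domainlogons", "no").lower() in TRUE_VALUES:
        findings.append("domain logons is enabled alongside the Win2K DC")
    if p.get("security", "").lower() != "domain":
        findings.append("security is not 'domain'")
    if "passwordserver" not in p:
        findings.append("password server is not set")
    # Assumption: with the DC on another subnet, the member needs WINS.
    if dc_is_remote and "winsserver" not in p:
        findings.append("no wins server set: lookups fall back to broadcast")
    return findings

if __name__ == "__main__":
    for name, conf in (("conflicting", CONFLICTING), ("member", MEMBER)):
        print(name, check_member_config(conf, dc_is_remote=True))
```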