[Samba] Replacing WinNT 4 PDC with Samba PDC

John H Terpstra jht at samba.org
Thu May 8 01:46:11 GMT 2003


On Wed, 7 May 2003, tech mail wrote:

> bit baffled as to your statement about:
> Samba-2.2.x and Samba-3.0.0 can not act as a BDC to an NT4 PDC
>
> maybe we are just on a different page, but with winbind, aren't you able to
> grab the user database from a remote NT4 PDC?? and then authenticate off
> that?  which would then be a BDC (for authentication purposes at least)

Apparently we are on a different page!

You really will need to read the new Samba-HOWTO-Collection some time (not
released yet). This document is a work in progress.

> please correct me where I am wrong, or where there may be miscommunication

Wrong. Winbind does not do SAM replication! If it does then point me to
the code that makes that happen. :)

Full BDC functionality requires that the BDC will NOT ONLY authenticate
domain logons, but also that it will partake fully in replication of the
MS Windows NT4 domain security files (these are the files located on NT4
in C:\WinNT\System32\config), the files that partake in Domain Security
are SAM and Security. Trust me, Samba does NOT have a Windows NT4 style
Registry, even though Samba-3 does emulate some parts of it.

But replication of all this data and the protocols needed to make that
happen is NOT supported in Samba. This means Samba also does NOT have the
protocols that trigger Domain Security account synchronisation.

One more feature that the BDC/PDC code functionality permits is for BDCs
to be promoted to PDCs which will cause a PDC to be demoted to BDC. Again,
Samba does NOT support this functionality.

In effect therefore we can not and must not claim that Samba CAN be a BDC
to an NT4 PDC. That type of claim will cause trouble and disenchanted
users.

What should be noted though, is that Samba can do distributed
authentication. There are a number of ways that can be done. Winbind is
just one of them. But with winbind, if the PDC goes down, your BDC is out
of operation (if that is what you are dependent on in your "BDC" design).

I hope my answer is totally clear now. More so, I hope this brings us all
onto the one page again. :)

Cheers,
John T.

>
> > -----Original Message-----
> > From: John H Terpstra [mailto:jht at samba.org]
> > Sent: Wednesday, May 07, 2003 4:22 PM
> > To: David Chait
> > Cc: samba at lists.samba.org; Dan Gapinski; Collins, Kevin
> > Subject: Re: [Samba] Replacing WinNT 4 PDC with Samba PDC
> >
> >
> > On Wed, 7 May 2003, David Chait wrote:
> >
> > > Samba cannot act as a BDC, at least it couldn't last I checked.
> >
> > Samba-2.2.x CAN act as a BDC to a Samba PDC. Samba-2.2.x and Samba-3.0.0
> > can not act as a BDC to an NT4 PDC.
> >
> > Samba-3.0.0 will offer a facility to migrate all accounts off an NT4
> > Domain to a Samba Domain. You CAN with Samba-3.0.0 transparently replace
> > your PDC without having to reconfigure all workstations. Samba-3.0.0 is
> > nearing going into Beta (and out of Alpha) soon. We are working hard to
> > document this release VERY thoroughly.
> >
> > - John T.
> >
> > >
> > > ----- Original Message -----
> > > From: "Dan Gapinski" <DanGapinski at qsi-r2.com>
> > > To: "Collins, Kevin" <KCollins at nesbittengineering.com>;
> > > <samba at lists.samba.org>
> > > Sent: Wednesday, May 07, 2003 2:00 PM
> > > Subject: Re: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > >
> > >
> > > > BTW,
> > > >
> > > > were you looking for a drop-in replacement for your current PDC? That
> > > > might require some doing. Like making it slave as a BDC before
> > > > promoting it to a PDC, and I have not tried that, & don't know if it's
> > > > possible. The docs might though.
> > > >
> > > > Dan
> > > >
> > > > ----- Original Message -----
> > > > From: "Collins, Kevin" <KCollins at nesbittengineering.com>
> > > > To: <samba at lists.samba.org>
> > > > Sent: Wednesday, May 07, 2003 3:33 PM
> > > > Subject: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > >
> > > >
> > > > > Hi All!
> > > > >
> > > > > Thanks to all of you that responded to my previous posts.  I've
> > > > > gotten a lot more info now than I used to have!
> > > > >
> > > > > But I still have questions.  The biggest right now is: Is there a
> > > > > way to build up a Samba PDC as a direct replacement for an existing
> > > > > Windows NT 4.0 PDC?
> > > > >
> > > > > All the material I've found to date is written from a standpoint of
> > > > > creating a new domain as you create the Samba machine.  This may be
> > > > > what I have to do in the end, but I would like to avoid it if
> > > > > possible.
> > > > >
> > > > > If there is a way, can someone point me to the right place for the
> > > > > HOWTO/Documentation?  As of right now, I'm not looking for an LDAP
> > > > > solution, but if that's what it takes, then that's where I'll go.
> > > > > For what it's worth, the setup will be on Red Hat's "ES" Server
> > > > > (which I think is RH 7.3 based) and Samba 2.2.8.
> > > > >
> > > > > Why do I need this?  Because I have an existing Exchange Server with
> > > > > a 4GB Information Store that I would have to rebuild as well - not a
> > > > > pretty picture.  If I can build the Samba PDC as a replacement for
> > > > > the existing PDC, that's what I'd like to do.
> > > > >
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Kevin L. Collins, MCSE
> > > > > Systems Manager
> > > > > Nesbitt Engineering, Inc.
> > > > >
> > > > > (859) 233-3111 x24
> > > > > --
> > > > > To unsubscribe from this list go to the following URL and read the
> > > > > instructions:  http://lists.samba.org/mailman/listinfo/samba
> > > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> >
> > --
> > John H Terpstra
> > Email: jht at samba.org
> >
>

-- 
John H Terpstra
Email: jht at samba.org

