[Samba] Replacing WinNT 4 PDC with Samba PDC

tech mail tech-mail at prupref.com
Thu May 8 01:57:37 GMT 2003


Hey John..thanks for that..I think many of us (probably wrongfully) term BDC
as authentication, and then just leave it at that...which samba, as you
stated,  does do.

I guess the way I look at it is, if you have an NT PDC, then you probably
have at least one other NT BDC...the SAMBA machine is used for a remote site
and authenticating..

If the PDC poo-poo's out, you have that other BDC which you can promote.  I
couldn't imagine having an NT PDC with a bunch of samba machines
authenticating, because then, why not just take the plunge fully and go a
full samba controlled backend?

So, as you said..it doesn't do all the bells and whistles that define an NT
BDC...but it does do the important part and lets you log on!

;)

> -----Original Message-----
> From: John H Terpstra [mailto:jht at samba.org]
> Sent: Wednesday, May 07, 2003 8:46 PM
> To: tech mail
> Cc: David Chait; samba at lists.samba.org; Dan Gapinski; Collins, Kevin
> Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> 
> 
> On Wed, 7 May 2003, tech mail wrote:
> 
> > bit baffled as to your statement about:
> > Samba-2.2.x and Samba-3.0.0 can not act as a BDC to an NT4 PDC
> >
> > maybe we are just on a different page, but with winbind, aren't you able to
> > grab the user database from a remote NT4 PDC?? and then authenticate off
> > that?  which would then be a BDC (for authentication purposes at least)
> 
> Apparently we are on a different page!
> 
> You really will need to read the new Samba-HOWTO-Collection some time (not
> released yet). This document is a work in progress.
> 
> > please correct me where I am wrong, or where there may be miscommunication
> 
> Wrong. Winbind does not do SAM replication! If it does then point me to
> the code that makes that happen. :)
> 
> Full BDC functionality requires that the BDC will NOT ONLY authenticate
> domain logons, but also that it will partake fully in replication of the
> MS Windows NT4 domain security files (these are the files located on NT4
> in C:\WinNT\System32\config), the files that partake in Domain Security
> are SAM and Security. Trust me, Samba does NOT have a Windows NT4 style
> Registry, even though Samba-3 does emulate some parts of it.
> 
> But replication of all this data and the protocols needed to make that
> happen is NOT supported in Samba. This means Samba also does NOT have the
> protocols that trigger Domain Security account synchronisation.
> 
> One more feature that the BDC/PDC code functionality permits is for BDCs
> to be promoted to PDCs which will cause a PDC to be demoted to BDC. Again,
> Samba does NOT support this functionality.
> 
> In effect therefore we can not and must not claim that Samba CAN be a BDC
> to an NT4 PDC. That type of claim will cause trouble and disenchanted
> users.
> 
> What should be noted though, is that Samba can do distributed
> authentication. There are a number of ways that can be done. Winbind is
> just one of them. But with winbind, if the PDC goes down, your BDC is out
> of operation (if that is what you are dependent on in your "BDC" design).
> 
> I hope my answer is totally clear now. More so, I hope this brings us all
> onto the one page again. :)
> 
> Cheers,
> John T.
> 
> >
> > > -----Original Message-----
> > > From: John H Terpstra [mailto:jht at samba.org]
> > > Sent: Wednesday, May 07, 2003 4:22 PM
> > > To: David Chait
> > > Cc: samba at lists.samba.org; Dan Gapinski; Collins, Kevin
> > > Subject: Re: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > >
> > >
> > > On Wed, 7 May 2003, David Chait wrote:
> > >
> > > > Samba cannot act as a BDC, at least it couldn't last I checked.
> > >
> > > Samba-2.2.x CAN act as a BDC to a Samba PDC. Samba-2.2.x and Samba-3.0.0
> > > can not act as a BDC to an NT4 PDC.
> > >
> > > Samba-3.0.0 will offer a facility to migrate all accounts off an NT4
> > > Domain to a Samba Domain. You CAN with Samba-3.0.0 transparently replace
> > > your PDC without having to reconfigure all workstations. Samba-3.0.0 is
> > > nearing going into Beta (and out of Alpha) soon. We are working hard to
> > > document this release VERY thoroughly.
> > >
> > > - John T.
> > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Dan Gapinski" <DanGapinski at qsi-r2.com>
> > > > To: "Collins, Kevin" <KCollins at nesbittengineering.com>;
> > > > <samba at lists.samba.org>
> > > > Sent: Wednesday, May 07, 2003 2:00 PM
> > > > Subject: Re: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > >
> > > >
> > > > > BTW,
> > > > >
> > > > > > were you looking for a drop-in replacement for your current PDC? That might
> > > > > > require some doing. Like making it slave as a BDC before promoting it to a
> > > > > > PDC, and I have not tried that, & don't know if it's possible. The docs might
> > > > > > though.
> > > > >
> > > > > Dan
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Collins, Kevin" <KCollins at nesbittengineering.com>
> > > > > To: <samba at lists.samba.org>
> > > > > Sent: Wednesday, May 07, 2003 3:33 PM
> > > > > Subject: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > > >
> > > > >
> > > > > > Hi All!
> > > > > >
> > > > > > > Thanks to all of you that responded to my previous posts.  I've gotten a lot
> > > > > > > more info now than I used to have!
> > > > > > >
> > > > > > > But I still have questions.  The biggest right now is: Is there a way to build
> > > > > > > up a Samba PDC as a direct replacement for an existing Windows NT 4.0 PDC?
> > > > > > >
> > > > > > > All the material I've found to date is written from a standpoint of creating
> > > > > > > a new domain as you create the Samba machine.  This may be what I have to do
> > > > > > > in the end, but I would like to avoid it if possible.
> > > > > > >
> > > > > > > If there is a way, can someone point me to the right place for the
> > > > > > > HOWTO/Documentation?  As of right now, I'm not looking for an LDAP solution,
> > > > > > > but if that's what it takes, then that's where I'll go.  For what it's
> > > > > > > worth, the setup will be on Red Hat's "ES" Server (which I think is RH 7.3
> > > > > > > based) and Samba 2.2.8.
> > > > > > >
> > > > > > > Why do I need this?  Because I have an existing Exchange Server with a 4GB
> > > > > > > Information Store that I would have to rebuild as well - not a pretty
> > > > > > > picture.  If I can build the Samba PDC as a replacement for the existing
> > > > > > > PDC, that's what I'd like to do.
> > > > > >
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Kevin L. Collins, MCSE
> > > > > > Systems Manager
> > > > > > Nesbitt Engineering, Inc.
> > > > > >
> > > > > > (859) 233-3111 x24
> > > > > > --
> > > > > > > To unsubscribe from this list go to the following URL and read the
> > > > > > > instructions:  http://lists.samba.org/mailman/listinfo/samba
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > To unsubscribe from this list go to the following URL 
> and read the
> > > > > instructions:  http://lists.samba.org/mailman/listinfo/samba
> > > > >
> > > > >
> > > >
> > > >
> > >
> > > --
> > > John H Terpstra
> > > Email: jht at samba.org
> > >
> >
> 
> -- 
> John H Terpstra
> Email: jht at samba.org
> 

