[Samba] Replacing WinNT 4 PDC with Samba PDC

John H Terpstra jht at samba.org
Thu May 8 02:18:40 GMT 2003


On Wed, 7 May 2003, tech mail wrote:

> Hey John..thanks for that..I think many of us (probably wrongfully) term BDC
> as authentication, and then just leave it at that...which samba, as you
> stated,  does do.

Samba-3 does MUCH more than that - it allows you to build an NT4 style
domain controller that has the robustness and scalability of Active
Directory. But the design implementation will be VERY different from the
way that ADS does it.

I firmly believe that we have an alternative solution that for some people
(many) will be a better solution than ADS. It has its own unique features
and benefits. BUT, it is NOT NT4 PDC/BDC! It is NOT ADS! To say otherwise
will earn us a scorn we will deserve.

We need to get the message out that Samba offers an alternative that may
be better, may be no better, and may not suit every site. But for those it
does suit it is a sweet and dandy solution.

- John T.

>
> I guess the way I look at it is, if you have a NT PDC, then you probably
> have at least one other NT BDC...the SAMBA machine is used for a remote site
> and authenticating..
>
> If the PDC poo-poo's out, you have that other BDC which you can promote.  I
> couldn't imagine having a NT PDC with a bunch of samba machines
> authenticating, because then, why not just take the plunge fully and go a
> full samba controlled backend?
>
> So, as you said..it doesn't do all the bells and whistles that define an NT
> BDC...but it does do the important part and lets you logon!
>
> ;)
>
> > -----Original Message-----
> > From: John H Terpstra [mailto:jht at samba.org]
> > Sent: Wednesday, May 07, 2003 8:46 PM
> > To: tech mail
> > Cc: David Chait; samba at lists.samba.org; Dan Gapinski; Collins, Kevin
> > Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> >
> >
> > On Wed, 7 May 2003, tech mail wrote:
> >
> > > bit baffled as to your statement about:
> > > Samba-2.2.x and Samba-3.0.0 can not act as a BDC to an NT4 PDC
> > >
> > > maybe we are just on a different page, but with winbind, aren't you
> > > able to grab the user database from a remote NT4 PDC?? and then
> > > authenticate off that?  which would then be a BDC (for authentication
> > > purposes at least)
> >
> > Apparently we are on a different page!
> >
> > You really will need to read the new Samba-HOWTO-Collection some time
> > (not released yet). This document is a work in progress.
> >
> > > please correct me where I am wrong, or where there may be
> > > miscommunication
> >
> > Wrong. Winbind does not do SAM replication! If it does then point me to
> > the code that makes that happen. :)
> >
> > Full BDC functionality requires that the BDC will NOT ONLY authenticate
> > domain logons, but also that it will partake fully in replication of the
> > MS Windows NT4 domain security files (these are the files located on NT4
> > in C:\WinNT\System32\config), the files that partake in Domain Security
> > are SAM and Security. Trust me, Samba does NOT have a Windows NT4 style
> > Registry, even though Samba-3 does emulate some parts of it.
> >
> > But replication of all this data and the protocols needed to make that
> > happen is NOT supported in Samba. This means Samba also does NOT have the
> > protocols that trigger Domain Security account synchronisation.
> >
> > One more feature that the BDC/PDC code functionality permits is for BDCs
> > to be promoted to PDCs which will cause a PDC to be demoted to BDC. Again,
> > Samba does NOT support this functionality.
> >
> > In effect therefore we can not and must not claim that Samba CAN be a BDC
> > to an NT4 PDC. That type of claim will cause trouble and disenchanted
> > users.
> >
> > What should be noted though, is that Samba can do distributed
> > authentication. There are a number of ways that can be done. Winbind is
> > just one of them. But with winbind, if the PDC goes down, your BDC is out
> > of operation (if that is what you are dependent on in your "BDC" design).
> >
> > I hope my answer is totally clear now. More so, I hope this brings us all
> > onto the one page again. :)
> >
> > Cheers,
> > John T.
> >
> > >
> > > > -----Original Message-----
> > > > From: John H Terpstra [mailto:jht at samba.org]
> > > > Sent: Wednesday, May 07, 2003 4:22 PM
> > > > To: David Chait
> > > > Cc: samba at lists.samba.org; Dan Gapinski; Collins, Kevin
> > > > Subject: Re: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > >
> > > >
> > > > On Wed, 7 May 2003, David Chait wrote:
> > > >
> > > > > Samba cannot act as a BDC, at least it couldn't last I checked.
> > > >
> > > > Samba-2.2.x CAN act as a BDC to a Samba PDC. Samba-2.2.x and
> > > > Samba-3.0.0 can not act as a BDC to an NT4 PDC.
> > > >
> > > > Samba-3.0.0 will offer a facility to migrate all accounts off an NT4
> > > > Domain to a Samba Domain. You CAN with Samba-3.0.0 transparently
> > > > replace your PDC without having to reconfigure all workstations.
> > > > Samba-3.0.0 is nearing going into Beta (and out of Alpha) soon. We
> > > > are working hard to document this release VERY thoroughly.
> > > >
> > > > - John T.
> > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Dan Gapinski" <DanGapinski at qsi-r2.com>
> > > > > To: "Collins, Kevin" <KCollins at nesbittengineering.com>;
> > > > > <samba at lists.samba.org>
> > > > > Sent: Wednesday, May 07, 2003 2:00 PM
> > > > > Subject: Re: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > > >
> > > > >
> > > > > > BTW,
> > > > > >
> > > > > > > were you looking for a drop-in replacement for your current PDC? That
> > > > > > > might require some doing. Like making it slave as a BDC before
> > > > > > > promoting it to a PDC, and I have not tried that, & don't know if it's
> > > > > > > possible. The docs might though.
> > > > > >
> > > > > > Dan
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Collins, Kevin" <KCollins at nesbittengineering.com>
> > > > > > To: <samba at lists.samba.org>
> > > > > > Sent: Wednesday, May 07, 2003 3:33 PM
> > > > > > Subject: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > > > >
> > > > > >
> > > > > > > Hi All!
> > > > > > >
> > > > > > > > Thanks to all of you that responded to my previous posts.  I've gotten a
> > > > > > > > lot more info now than I used to have!
> > > > > > > >
> > > > > > > > But I still have questions.  The biggest right now is: Is there a way to
> > > > > > > > build up a Samba PDC as a direct replacement for an existing Windows NT 4.0
> > > > > > > > PDC?
> > > > > > > >
> > > > > > > > All the material I've found to date is written from a standpoint of
> > > > > > > > creating a new domain as you create the Samba machine.  This may be what
> > > > > > > > I have to do in the end, but I would like to avoid it if possible.
> > > > > > > >
> > > > > > > > If there is a way, can someone point me to the right place for the
> > > > > > > > HOWTO/Documentation?  As of right now, I'm not looking for an LDAP
> > > > > > > > solution, but if that's what it takes, then that's where I'll go.  For
> > > > > > > > what it's worth, the setup will be on Red Hat's "ES" Server (which I think
> > > > > > > > is RH 7.3 based) and Samba 2.2.8.
> > > > > > > >
> > > > > > > > Why do I need this?  Because I have an existing Exchange Server with a 4GB
> > > > > > > > Information Store that I would have to rebuild as well - not a pretty
> > > > > > > > picture.  If I can build the Samba PDC as a replacement for the existing
> > > > > > > > PDC, that's what I'd like to do.
> > > > > > >
> > > > > > >
> > > > > > > Thanks,
> > > > > > >
> > > > > > > Kevin L. Collins, MCSE
> > > > > > > Systems Manager
> > > > > > > Nesbitt Engineering, Inc.
> > > > > > >
> > > > > > > (859) 233-3111 x24
> > > > > > > --
> > > > > > > > To unsubscribe from this list go to the following URL and read the
> > > > > > > > instructions:  http://lists.samba.org/mailman/listinfo/samba
> > > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > To unsubscribe from this list go to the following URL
> > and read the
> > > > > > instructions:  http://lists.samba.org/mailman/listinfo/samba
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > > --
> > > > John H Terpstra
> > > > Email: jht at samba.org
> > > >
> > >
> >
> > --
> > John H Terpstra
> > Email: jht at samba.org
> >
>

-- 
John H Terpstra
Email: jht at samba.org

