[Samba] Replacing WinNT 4 PDC with Samba PDC

John H Terpstra jht at samba.org
Thu May 8 15:14:45 GMT 2003


On Thu, 8 May 2003, Collins, Kevin wrote:

> OK, just so we're all on the same page.... :)
>
> As it stands right now, using Samba 2.2.x I can not do a "drop-in"
> replacement for my WinNT PDC, I need to build a new domain with the Samba
> PDC at the core.  As I don't have the time to wait on Samba 3.x, I must move
> on knowing the limitations and requirements of doing so.

As a matter of fact, Samba-2.2.x can be a drop-in replacement for NT4
PDC but you need to jump through hoops to migrate the SAM to LDAP (only
back end that will approach your needs).

Your best choice at this time is to work with Samba-3 (it should be in
official Beta soon and your feedback might actually help accelerate its
maturation). I would still use LDAP, but note that there will be a schema
change for samba-3, which is why I'd put myself through the pain barrier
once - not twice (NT4 -> Samba-2.2.x -> Samba-3).

> I understand the problem with Exchange 2000 requiring Active Directory.  I
> have no intention of moving to Exchange 2000, so that's a non-issue.  I'm
> *seriously* looking for an open source solution to completely replace
> Exchange anyway.  But that's another fish for another day.

Ok.

> My current domain design has three independent domains with established
> two-way trusts.  I understand that Samba 2.2.x doesn't do trusts either, so
> while I'm designing the new Samba domain, I'm probably going to be building
> *one* domain with at least two BDCs to replace the PDCs in the other domains
> I have now.

I'd shoot for one single domain. It is administratively more manageable.

> Because this is a three-site setup that is connected by 128k Frame-Relay
> lines to form the WAN (hence the three NT domains), I probably need the
> robustness of an LDAP backend.  This (I think) will allow me to create
> "replicated" copies of the LDAP database in each of the three sites (on the
> Samba BDCs), so that they each can function independently of each other if
> the WAN goes down.  It also should allow me to keep authentication traffic
> isolated to each site as well.

Yep.

> Because I'm maintaining an NT style setup with Samba 2.2.x, I should be able
> to have my existing Exchange 5.5 server authenticate against the Samba
> PDC/BDCs.  I haven't tested this, but from David Chait's comments I'm
> assuming this is the case.  I was planning on building a Samba PDC in my lab
> today to test this, but if anyone can give me a definite answer....

Should be Ok.

> Do those with greater Samba experience than I agree with the statements
> above?

Experts are experts because they never agree with each other! :-)

> BTW John T.:  I appreciate the offer to call you if I need help.  Before
> it's all over, I'm certain I'll do just that!  Does 3:00 am on Saturday work
> for you?  :-)

3:00am my time or yours? If mine, can you afford the fee? :-)

>
> Again thanks to all,  I'm off to do more reading...now where is that LDAP
> HOWTO?

Cheers,
John T.

>
> --
> Kevin L. Collins, MCSE
> Systems Manager
> Nesbitt Engineering, Inc.
>
>
>
> > -----Original Message-----
> > From: John H Terpstra [mailto:jht at samba.org]
> > Sent: Wednesday, May 07, 2003 10:19 PM
> > To: tech mail
> > Cc: samba at lists.samba.org; Dan Gapinski; Collins, Kevin
> > Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> >
> >
> > On Wed, 7 May 2003, tech mail wrote:
> >
> > > Hey John..thanks for that..I think many of us (probably wrongfully) term
> > > BDC as authentication, and then just leave it at that...which samba, as
> > > you stated, does do.
> >
> > Samba-3 does MUCH more than that - it allows you to build an NT4 style
> > domain controller that has the robustness and scalability of Active
> > Directory. But the design implementation will be VERY different from the
> > way that ADS does it.
> >
> > I firmly believe that we have an alternative solution that for some people
> > (many) will be a better solution than ADS. It has its own unique features
> > and benefits. BUT, it is NOT NT4 PDC/BDC! It is NOT ADS! To say otherwise
> > will earn us a scorn we will deserve.
> >
> > We need to get the message out that Samba offers an alternative that may
> > be better, may be no better, and may not suit every site. But for those it
> > does suit it is a sweet and dandy solution.
> >
> > - John T.
> >
> > >
> > > I guess the way I look at it is, if you have a NT PDC, then you probably
> > > have at least one other NT BDC...the SAMBA machine is used for a remote
> > > site and authenticating..
> > >
> > > If the PDC poo-poo's out, you have that other BDC which you can promote.
> > > I couldn't imagine having a NT PDC with a bunch of samba machines
> > > authenticating, because then, why not just take the plunge fully and go a
> > > full samba controlled backend?
> > >
> > > So, as you said..it doesn't do all the bells and whistles that define an
> > > NT BDC...but it does do the important part and lets you logon!
> > >
> > > ;)
> > >
> > > > -----Original Message-----
> > > > From: John H Terpstra [mailto:jht at samba.org]
> > > > Sent: Wednesday, May 07, 2003 8:46 PM
> > > > To: tech mail
> > > > Cc: David Chait; samba at lists.samba.org; Dan Gapinski; Collins, Kevin
> > > > Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > >
> > > >
> > > > On Wed, 7 May 2003, tech mail wrote:
> > > >
> > > > > bit baffled as to your statement about:
> > > > > Samba-2.2.x and Samba-3.0.0 can not act as a BDC to an NT4 PDC
> > > > >
> > > > > maybe we are just on a different page, but with winbind, aren't you
> > > > > able to grab the user database from a remote NT4 PDC?? and then
> > > > > authenticate off that?  which would then be a BDC (for authentication
> > > > > purposes at least)
> > > >
> > > > Apparently we are on a different page!
> > > >
> > > > You really will need to read the new Samba-HOWTO-Collection some time
> > > > (not released yet). This document is a work in progress.
> > > >
> > > > > please correct me where I am wrong, or where there may be
> > > > > miscommunication
> > > >
> > > > Wrong. Winbind does not do SAM replication! If it does then point me to
> > > > the code that makes that happen. :)
> > > >
> > > > Full BDC functionality requires that the BDC will NOT ONLY authenticate
> > > > domain logons, but also that it will partake fully in replication of the
> > > > MS Windows NT4 domain security files (these are the files located on NT4
> > > > in C:\WinNT\System32\config), the files that partake in Domain Security
> > > > are SAM and Security. Trust me, Samba does NOT have a Windows NT4 style
> > > > Registry, even though Samba-3 does emulate some parts of it.
> > > >
> > > > But replication of all this data and the protocols needed to make that
> > > > happen is NOT supported in Samba. This means Samba also does NOT have the
> > > > protocols that trigger Domain Security account synchronisation.
> > > >
> > > > One more feature that the BDC/PDC code functionality permits is for BDCs
> > > > to be promoted to PDCs which will cause a PDC to be demoted to BDC. Again,
> > > > Samba does NOT support this functionality.
> > > >
> > > > In effect therefore we can not and must not claim that Samba CAN be a BDC
> > > > to an NT4 PDC. That type of claim will cause trouble and disenchanted
> > > > users.
> > > >
> > > > What should be noted though, is that Samba can do distributed
> > > > authentication. There are a number of ways that can be done. Winbind is
> > > > just one of them. But with winbind, if the PDC goes down, your BDC is out
> > > > of operation (if that is what you are dependent on in your "BDC" design).
> > > >
> > > > I hope my answer is totally clear now. More so, I hope this brings us all
> > > > onto the one page again. :)
> > > >
> > > > Cheers,
> > > > John T.
> > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: John H Terpstra [mailto:jht at samba.org]
> > > > > > Sent: Wednesday, May 07, 2003 4:22 PM
> > > > > > To: David Chait
> > > > > > Cc: samba at lists.samba.org; Dan Gapinski; Collins, Kevin
> > > > > > Subject: Re: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > > > >
> > > > > >
> > > > > > On Wed, 7 May 2003, David Chait wrote:
> > > > > >
> > > > > > > Samba cannot act as a BDC, at least it couldn't last I checked.
> > > > > >
> > > > > > Samba-2.2.x CAN act as a BDC to a Samba PDC. Samba-2.2.x and
> > > > > > Samba-3.0.0 can not act as a BDC to an NT4 PDC.
> > > > > >
> > > > > > Samba-3.0.0 will offer a facility to migrate all accounts off an NT4
> > > > > > Domain to a Samba Domain. You CAN with Samba-3.0.0 transparently
> > > > > > replace your PDC without having to reconfigure all workstations.
> > > > > > Samba-3.0.0 is nearing going into Beta (and out of Alpha) soon. We
> > > > > > are working hard to document this release VERY thoroughly.
> > > > > >
> > > > > > - John T.
> > > > > >
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > From: "Dan Gapinski" <DanGapinski at qsi-r2.com>
> > > > > > > To: "Collins, Kevin" <KCollins at nesbittengineering.com>;
> > > > > > > <samba at lists.samba.org>
> > > > > > > Sent: Wednesday, May 07, 2003 2:00 PM
> > > > > > > Subject: Re: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > > > > >
> > > > > > >
> > > > > > > > BTW,
> > > > > > > >
> > > > > > > > were you looking for a drop-in replacement for your current PDC?
> > > > > > > > That might require some doing. Like making it slave as a BDC
> > > > > > > > before promoting it to a PDC, and I have not tried that, & don't
> > > > > > > > know if it's possible. The docs might though.
> > > > > > > >
> > > > > > > > Dan
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "Collins, Kevin" <KCollins at nesbittengineering.com>
> > > > > > > > To: <samba at lists.samba.org>
> > > > > > > > Sent: Wednesday, May 07, 2003 3:33 PM
> > > > > > > > Subject: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > > > > > >
> > > > > > > >
> > > > > > > > > Hi All!
> > > > > > > > >
> > > > > > > > > Thanks to all of you that responded to my previous posts.  I've
> > > > > > > > > gotten a lot more info now than I used to have!
> > > > > > > > >
> > > > > > > > > But I still have questions.  The biggest right now is: Is there
> > > > > > > > > a way to build up a Samba PDC as a direct replacement for an
> > > > > > > > > existing Windows NT 4.0 PDC?
> > > > > > > > >
> > > > > > > > > All the material I've found to date is written from a standpoint
> > > > > > > > > of creating a new domain as you create the Samba machine.  This
> > > > > > > > > may be what I have to do in the end, but I would like to avoid
> > > > > > > > > it if possible.
> > > > > > > > >
> > > > > > > > > If there is a way, can someone point me to the right place for
> > > > > > > > > the HOWTO/Documentation?  As of right now, I'm not looking for
> > > > > > > > > an LDAP solution, but if that's what it takes, then that's where
> > > > > > > > > I'll go.  For what it's worth, the setup will be on Red Hat's
> > > > > > > > > "ES" Server (which I think is RH 7.3 based) and Samba 2.2.8.
> > > > > > > > >
> > > > > > > > > Why do I need this?  Because I have an existing Exchange Server
> > > > > > > > > with a 4GB Information Store that I would have to rebuild as
> > > > > > > > > well - not a pretty picture.  If I can build the Samba PDC as a
> > > > > > > > > replacement for the existing PDC, that's what I'd like to do.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > >
> > > > > > > > > Kevin L. Collins, MCSE
> > > > > > > > > Systems Manager
> > > > > > > > > Nesbitt Engineering, Inc.
> > > > > > > > >
> > > > > > > > > (859) 233-3111 x24
> > > > > > > > > --
> > > > > > > > > To unsubscribe from this list go to the following URL and read
> > > > > > > > > the instructions:
> > > > > > > > > http://lists.samba.org/mailman/listinfo/samba

-- 
John H Terpstra
Email: jht at samba.org
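As an added illustration of the one-domain, three-site design Kevin sketches above (a PDC plus a BDC per site, each site reading its own replica of the LDAP SAM), the following smb.conf fragments are my own example, not configuration from the thread or from the Samba project. They use Samba-3 syntax, since that is the release John recommends; the domain name EXAMPLEDOM, the suffix dc=example,dc=com and the host names are assumed placeholders.

```ini
# Added example, not from the thread. Samba-3 style smb.conf fragments for one
# domain (EXAMPLEDOM, placeholder) spanning three sites. Each site runs its own
# LDAP server: the PDC's is the writable master, the BDCs' are read replicas
# fed from it. Logons at a remote site then need only the site-local replica,
# so they keep working while the WAN link to the PDC is down.

# ---------- /etc/samba/smb.conf on the PDC (site 1) ----------
[global]
   workgroup = EXAMPLEDOM
   netbios name = PDC1
   security = user
   encrypt passwords = yes
   domain logons = yes
   # Only the PDC may claim the domain master role.
   domain master = yes
   preferred master = yes
   os level = 65
   # The writable LDAP master runs on this host.
   passdb backend = ldapsam:ldap://localhost
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap admin dn = cn=Manager,dc=example,dc=com
   # Protect the SAM traffic between smbd and slapd.
   ldap ssl = start tls

# ---------- /etc/samba/smb.conf on a BDC (site 2; site 3 is the same) ----------
[global]
   workgroup = EXAMPLEDOM
   netbios name = BDC2
   security = user
   encrypt passwords = yes
   domain logons = yes
   # Never compete with the PDC for the domain master role ...
   domain master = no
   # ... but win the local master browser election on this subnet.
   preferred master = yes
   os level = 64
   # Site-local read replica: authentication traffic stays inside the site.
   passdb backend = ldapsam:ldap://localhost
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap admin dn = cn=Manager,dc=example,dc=com
   ldap ssl = start tls
# The [netlogon] and [profiles] shares are omitted here for brevity.
```

On each server the password for the `ldap admin dn` is stored with `smbpasswd -w` rather than in smb.conf. The replica at each BDC site must refer writes back to the master (OpenLDAP `updateref`), because a BDC still has to write occasionally, e.g. when a workstation changes its machine account password.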

