[Samba] Replacing WinNT 4 PDC with Samba PDC

Chris McKeever tech-mail at prupref.com
Thu May 8 23:44:49 GMT 2003


I had a dickens of a time with that as well, and found this link useful:

http://samba.idealx.org/samba-ldap-howto.pdf

Do a search for SPECS and it takes you right to the spot... which seems like
what you did, but there may be a missing little something that this will key
in on.



> -----Original Message-----
> From: Collins, Kevin [mailto:KCollins at nesbittengineering.com]
> Sent: Thursday, May 08, 2003 1:08 PM
> To: samba at lists.samba.org
> Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> 
> 
> OK, I've run aground on my first attempt at building my test Samba/LDAP
> PDC...surprise, surprise. ;-)
>
> I've been trying for about 3 hours to build Samba from the Source RPM that
> RedHat supplies with RedHat 8.0.  Every time I build the RPM it fails during
> the compile of SAMBA with:  "--with-ldapsam   Command not found."
>
> The process I've used to get to where I am is:
>
> Modified the "/usr/src/redhat/SPEC/samba.spec" file to include the line
> "--with-ldapsam" at the end of the configure options.  I go to build the RPM
> with the command "rpmbuild -ba /usr/src/redhat/SPEC/samba.spec", and the
> machine begins to whir.  After about 3 minutes of churning, I get the error
> I mentioned.
>
> I'm thinking this is because of the time differences between the HOWTOs I've
> looked at and the version of SAMBA that I'm using (2.2.5-10 by RedHat).
> Maybe the "--with-ldapsam" option has changed or is built in?  Can anyone
> give me a pointer?
>
> I'm using all stock RedHat 8 stuff:
> Samba 2.2.5-10
> OpenLDAP 2.0.25-xx
>
> I'm trying to build an RPM set from the Source RPM that RedHat provides.
> This way I can use the rebuilt RPM when I go to build my real server later
> on.
> 
> Thanks in advance,
> 
> Kevin L. Collins, MCSE
> Systems Manager
> Nesbitt Engineering, Inc.
> 
> 
> > -----Original Message-----
> > From: John H Terpstra [mailto:jht at samba.org]
> > Sent: Thursday, May 08, 2003 11:15 AM
> > To: Collins, Kevin
> > Cc: samba at lists.samba.org
> > Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > 
> > 
> > On Thu, 8 May 2003, Collins, Kevin wrote:
> > 
> > > OK, just so we're all on the same page.... :)
> > >
> > > As it stands right now, using Samba 2.2.x I can not do a "drop-in"
> > > replacement for my WinNT PDC, I need to build a new domain with the Samba
> > > PDC at the core.  As I don't have the time to wait on Samba 3.x, I must move
> > > on knowing the limitations and requirements of doing so.
> >
> > As a matter of fact, Samba-2.2.x can be a drop-in replacement for NT4
> > PDC but you need to jump through hoops to migrate the SAM to LDAP (only
> > back end that will approach your needs).
> >
> > Your best choice at this time is to work with Samba-3 (it should be in
> > official Beta soon and your feedback might actually help accelerate its
> > maturation). I would still use LDAP, but note that there will be a schema
> > change for samba-3, which is why I'd put myself through the pain barrier
> > once - not twice (NT4 -> Samba-2.2.x -> Samba-3).
> >
> > > I understand the problem with Exchange 2000 requiring Active Directory.  I
> > > have no intention of moving to Exchange 2000, so that's a non issue.  I'm
> > > *seriously* looking for an open source solution to completely replace
> > > Exchange anyway.  But that's another fish for another day.
> >
> > Ok.
> >
> > > My current domain design has three independent domains with established
> > > two-way trusts.  I understand that Samba 2.2.x doesn't do trusts either, so
> > > while I'm designing the new Samba domain, I'm probably going to be building
> > > *one* domain with at least two BDCs to replace the PDCs in the other domains
> > > I have now.
> >
> > I'd shoot for one single domain. It is administratively more manageable,
> >
> > > Because this is a three-site setup that is connected by 128k Frame-Relay
> > > lines to form the WAN (hence the three NT domains), I probably need the
> > > robustness of an LDAP backend.  This (I think) will allow me to create
> > > "replicated" copies of the LDAP database in each of the three sites (on the
> > > Samba BDCs), so that they each can function independently of each other if
> > > the WAN goes down.  It also should allow me to keep authentication traffic
> > > isolated to each site as well.
> >
> > Yep.
> >
> > > Because I'm maintaining an NT style setup with Samba 2.2.x, I should be able
> > > to have my existing Exchange 5.5 server authenticate against the Samba
> > > PDC/BDCs.  I haven't tested this, but from David Chait's comments I'm
> > > assuming this is the case.  I was planning on building a Samba PDC in my lab
> > > today to test this, but if anyone can give me a definite answer....
> >
> > Should be Ok.
> >
> > > Do those with greater Samba experience than I agree with the statements
> > > above?
> >
> > Experts are experts because they never agree with each other! :-)
> >
> > > BTW John T.:  I appreciate the offer to call you if I need help.  Before
> > > it's all over, I'm certain I'll do just that!  Does 3:00 am on Saturday work
> > > for you?  :-)
> >
> > 3:00am my time or yours? If mine, can you afford the fee? :-)
> >
> > >
> > > Again thanks to all,  I'm off to do more reading...now where is that LDAP
> > > HOWTO?
> > 
> > Cheers,
> > John T.
> > 
> > >
> > > --
> > > Kevin L. Collins, MCSE
> > > Systems Manager
> > > Nesbitt Engineering, Inc.
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: John H Terpstra [mailto:jht at samba.org]
> > > > Sent: Wednesday, May 07, 2003 10:19 PM
> > > > To: tech mail
> > > > Cc: samba at lists.samba.org; Dan Gapinski; Collins, Kevin
> > > > Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > >
> > > >
> > > > On Wed, 7 May 2003, tech mail wrote:
> > > >
> > > > > Hey John..thanks for that..I think many of us (probably wrongfully) term BDC
> > > > > as authentication, and then just leave it at that...which samba, as you
> > > > > stated,  does do.
> > > >
> > > > Samba-3 does MUCH more than that - it allows you to build an NT4 style
> > > > domain controller that has the robustness and scalability of Active
> > > > Directory. But the design implementation will be VERY different from the
> > > > way that ADS does it.
> > > >
> > > > I firmly believe that we have an alternative solution that for some people
> > > > (many) will be a better solution than ADS. It has its own unique features
> > > > and benefits. BUT, it is NOT NT4 PDC/BDC! It is NOT ADS! To say otherwise
> > > > will earn us a scorn we will deserve.
> > > >
> > > > We need to get the message out that Samba offers an alternative that may
> > > > be better, may be no better, and may not suit every site. But for those it
> > > > does suit it is a sweet and dandy solution.
> > > >
> > > > - John T.
> > > >
> > > > >
> > > > > I guess the way I look at it is, if you have a NT PDC, then you probably
> > > > > have at least one other NT BDC...the SAMBA machine is used for a remote site
> > > > > and authenticating..
> > > > >
> > > > > If the PDC poo-poo's out, you have that other BDC which you can promote.  I
> > > > > couldn't imagine having a NT PDC with a bunch of samba machines
> > > > > authenticating, because then, why not just take the plunge fully and go a
> > > > > full samba controlled backend?
> > > > >
> > > > > So, as you said..it doesn't do all the bells and whistles that define an NT
> > > > > BDC...but it does do the important part and lets you logon!
> > > > >
> > > > > ;)
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: John H Terpstra [mailto:jht at samba.org]
> > > > > > Sent: Wednesday, May 07, 2003 8:46 PM
> > > > > > To: tech mail
> > > > > > Cc: David Chait; samba at lists.samba.org; Dan Gapinski; Collins, Kevin
> > > > > > Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > > > >
> > > > > >
> > > > > > On Wed, 7 May 2003, tech mail wrote:
> > > > > >
> > > > > > > bit baffled as to your statement about:
> > > > > > > Samba-2.2.x and Samba-3.0.0 can not act as a BDC to an NT4 PDC
> > > > > > >
> > > > > > > maybe we are just on a different page, but with winbind, aren't you able to
> > > > > > > grab the user database from a remote NT4 PDC?? and then authenticate off
> > > > > > > that?  which would then be a BDC (for authentication purposes at least)
> > > > > >
> > > > > > Apparently we are on a different page!
> > > > > >
> > > > > > You really will need to read the new Samba-HOWTO-Collection some time (not
> > > > > > released yet). This document is a work in progress.
> > > > > >
> > > > > > > please correct me where I am wrong, or where there may be miscommunication
> > > > > >
> > > > > > Wrong. Winbind does not do SAM replication! If it does then point me to
> > > > > > the code that makes that happen. :)
> > > > > >
> > > > > > Full BDC functionality requires that the BDC will NOT ONLY authenticate
> > > > > > domain logons, but also that it will partake fully in replication of the
> > > > > > MS Windows NT4 domain security files (these are the files located on NT4
> > > > > > in C:\WinNT\System32\config), the files that partake in Domain Security
> > > > > > are SAM and Security. Trust me, Samba does NOT have a Windows NT4 style
> > > > > > Registry, even though Samba-3 does emulate some parts of it.
> > > > > >
> > > > > > But replication of all this data and the protocols needed to make that
> > > > > > happen is NOT supported in Samba. This means Samba also does NOT have the
> > > > > > protocols that trigger Domain Security account synchronisation.
> > > > > >
> > > > > > One more feature that the BDC/PDC code functionality permits is for BDCs
> > > > > > to be promoted to PDCs which will cause a PDC to be demoted to BDC. Again,
> > > > > > Samba does NOT support this functionality.
> > > > > >
> > > > > > In effect therefore we can not and must not claim that Samba CAN be a BDC
> > > > > > to an NT4 PDC. That type of claim will cause trouble and disenchanted
> > > > > > users.
> > > > > >
> > > > > > What should be noted though, is that Samba can do distributed
> > > > > > authentication. There are a number of ways that can be done. Winbind is
> > > > > > just one of them. But with winbind, if the PDC goes down, your BDC is out
> > > > > > of operation (if that is what you are dependent on in your "BDC" design).
> > > > > >
> > > > > > I hope my answer is totally clear now. More so, I hope this brings us all
> > > > > > onto the one page again. :)
> > > > > >
> > > > > > Cheers,
> > > > > > John T.
> > > > > >
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: John H Terpstra [mailto:jht at samba.org]
> > > > > > > > Sent: Wednesday, May 07, 2003 4:22 PM
> > > > > > > > To: David Chait
> > > > > > > > Cc: samba at lists.samba.org; Dan Gapinski; Collins, Kevin
> > > > > > > > Subject: Re: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > > > > > >
> > > > > > > >
> > > > > > > > On Wed, 7 May 2003, David Chait wrote:
> > > > > > > >
> > > > > > > > > Samba cannot act as a BDC, at least it couldn't last I checked.
> > > > > > > >
> > > > > > > > Samba-2.2.x CAN act as a BDC to a Samba PDC. Samba-2.2.x and Samba-3.0.0
> > > > > > > > can not act as a BDC to an NT4 PDC.
> > > > > > > >
> > > > > > > > Samba-3.0.0 will offer a facility to migrate all accounts off an NT4
> > > > > > > > Domain to a Samba Domain. You CAN with Samba-3.0.0 transparently replace
> > > > > > > > your PDC without having to reconfigure all workstations. Samba-3.0.0 is
> > > > > > > > nearing going into Beta (and out of Alpha) soon. We are working hard to
> > > > > > > > document this release VERY thoroughly.
> > > > > > > >
> > > > > > > > - John T.
> > > > > > > >
> > > > > > > > >
> > > > > > > > > ----- Original Message -----
> > > > > > > > > From: "Dan Gapinski" <DanGapinski at qsi-r2.com>
> > > > > > > > > To: "Collins, Kevin" <KCollins at nesbittengineering.com>; <samba at lists.samba.org>
> > > > > > > > > Sent: Wednesday, May 07, 2003 2:00 PM
> > > > > > > > > Subject: Re: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > BTW,
> > > > > > > > > >
> > > > > > > > > > were you looking for a drop-in replacement for your current PDC? That might
> > > > > > > > > > require some doing. Like making it slave as a BDC before promoting it to a
> > > > > > > > > > PDC, and I have not tried that, & don't know if it's possible. The docs might
> > > > > > > > > > though.
> > > > > > > > > >
> > > > > > > > > > Dan
> > > > > > > > > >
> > > > > > > > > > ----- Original Message -----
> > > > > > > > > > From: "Collins, Kevin" <KCollins at nesbittengineering.com>
> > > > > > > > > > To: <samba at lists.samba.org>
> > > > > > > > > > Sent: Wednesday, May 07, 2003 3:33 PM
> > > > > > > > > > Subject: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > > Hi All!
> > > > > > > > > > >
> > > > > > > > > > > Thanks to all of you that responded to my previous posts.  I've gotten a lot
> > > > > > > > > > > more info now than I used to have!
> > > > > > > > > > >
> > > > > > > > > > > But I still have questions.  The biggest right now is: Is there a way to build
> > > > > > > > > > > up a Samba PDC as a direct replacement for an existing Windows NT 4.0 PDC?
> > > > > > > > > > >
> > > > > > > > > > > All the material I've found to date is written from a standpoint of creating
> > > > > > > > > > > a new domain as you create the Samba machine.  This may be what I have to do
> > > > > > > > > > > in the end, but I would like to avoid it if possible.
> > > > > > > > > > >
> > > > > > > > > > > If there is a way, can someone point me to the right place for the
> > > > > > > > > > > HOWTO/Documentation?  As of right now, I'm not looking for an LDAP solution,
> > > > > > > > > > > but if that's what it takes, then that's where I'll go.  For what it's
> > > > > > > > > > > worth, the setup will be on Red Hat's "ES" Server (which I think is RH 7.3
> > > > > > > > > > > based) and Samba 2.2.8.
> > > > > > > > > > >
> > > > > > > > > > > Why do I need this?  Because I have an existing Exchange Server with a 4GB
> > > > > > > > > > > Information Store that I would have to rebuild as well - not a pretty
> > > > > > > > > > > picture.  If I can build the Samba PDC as a replacement for the existing
> > > > > > > > > > > PDC, that's what I'd like to do.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Thanks,
> > > > > > > > > > >
> > > > > > > > > > > Kevin L. Collins, MCSE
> > > > > > > > > > > Systems Manager
> > > > > > > > > > > Nesbitt Engineering, Inc.
> > > > > > > > > > >
> > > > > > > > > > > (859) 233-3111 x24
> > > > > > > > > > > --
> > > > > > > > > > > To unsubscribe from this list go to the following URL and read the
> > > > > > > > > > > instructions:  http://lists.samba.org/mailman/listinfo/samba
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > > --
> > > > > > John H Terpstra
> > > > > > Email: jht at samba.org
> > > > > >
> > > > >
> > > >
> > > > --
> > > > John H Terpstra
> > > > Email: jht at samba.org
> > > >
> > >
> >
> >
> 
> -- 
> John H Terpstra
> Email: jht at samba.org
> 
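
The "--with-ldapsam   Command not found" message quoted above is what a shell prints when a line beginning with that option is run as a command of its own, which happens when the line before it in the configure invocation does not end in a backslash. The check below is an added example, not part of the original thread or of Red Hat's samba.spec; it assumes that cause, and the function names and sample spec fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: the build error comes from
# a configure option that was appended without continuing the previous line.

# find_orphan_options SPEC
# Prints "LINE:OPTION" for each line that starts with "--" while the line
# before it does not end in a backslash; the shell runs such a line as a
# command of its own. A backslash followed by trailing spaces is flagged
# too, because it no longer continues the line.
find_orphan_options() {
    awk '
        /^[ \t]*--/ && !continued { printf "%d:%s\n", NR, $1 }
        { continued = ($0 ~ /\\$/) }
    ' "$1"
}

# Constructed spec fragments; the option names other than --with-ldapsam
# are placeholders, not the contents of Red Hat's samba.spec.
write_samples() {
    cat > "$1/broken.spec" <<'EOF'
%build
%configure \
    --with-option-a \
    --with-option-b
    --with-ldapsam
make
EOF
    cat > "$1/fixed.spec" <<'EOF'
%build
%configure \
    --with-option-a \
    --with-option-b \
    --with-ldapsam
make
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "broken.spec: $(find_orphan_options "$demo_dir/broken.spec")"
echo "fixed.spec:  $(find_orphan_options "$demo_dir/fixed.spec")"
rm -rf "$demo_dir"
```

Running the function against a modified spec file before `rpmbuild -ba` shows whether an appended option is actually part of the configure command line.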

