[Samba] Replacing WinNT 4 PDC with Samba PDC

Collins, Kevin KCollins at nesbittengineering.com
Mon May 12 14:22:32 GMT 2003


Ok, I'm confused now.....

Let me try to explain the way I see it and someone PLEASE correct me if I'm
wrong.  I'm in the early planning stages and now is the time to change
something if I need to.

The way I understand it, IF I have Samba configured to use an LDAP backend,
then I can create a Samba PDC in my local office and two Samba BDCs in my
remote offices.

For this setup to work, the PDC will have the following "[global]" config
options:
domain logons = yes
domain master = yes
security = domain
ldap suffix = dc=nesbitt,dc=local
ldap admin dn = cn=manager,dc=nesbitt,dc=local
ldap port = 389
ldap server = 127.0.0.1
ldap ssl = no

The BDCs will have these:
domain logons = yes
domain master = no
security = domain
ldap suffix = dc=nesbitt,dc=local
ldap admin dn = cn=manager,dc=nesbitt,dc=local
ldap port = 389
ldap server = 127.0.0.1
ldap ssl = no

Note:  The Samba-LDAP-PDC HOWTO (IDEALX) didn't mention the "security"
directive and when I built my PDC in the lab on Friday I didn't have it in
there, so Samba defaulted to "security = user".  If I change this as shown
above, will that have an adverse impact on my setup?

Each BDC will be an LDAP slave to the PDC which will be the LDAP master.

This (I think) will allow each of the BDCs to authenticate the logon
attempts of the local subnets and not pass the logon attempt on to the PDC
over the WAN lines.  The LDAP database will be synced via the WAN lines to
allow everyone to logon from anywhere.

If I read the information presented in the portion of the thread by Richard
correctly, then we're not really talking about the same setup.  The web link
pointed out the normal Samba method of authentication is being used (i.e.
smbpasswd, shadow and passwd files).  But this does bring up a good point:
Does Samba depend on a PDC for ALL authentication attempts, or (as I read
it) does the "domain logon" directive control whether the Samba server can
or can't authenticate by itself?

If I have to depend on a PDC (even with LDAP) then that does me no good.  I
need to keep the logon attempts on each local subnet (i.e. at the BDC)
unless something is broken.  Sending the request to the PDC should be a
"last resort" kinda thing.

Someone please straighten me out.... :-)

Kevin L. Collins, MCSE
Systems Manager
Nesbitt Engineering, Inc.

On Saturday, May 10, 2003 6:30 AM, richard wrote:
> My question was simply to make you aware of possible bottle-necks in
> your network design. Make sure you read Skippys doc carefully. I'm not
> sure his auth "trick" still works with current samba.
> 
> On Sat, 2003-05-10 at 19:51, Chris McKeever wrote:
> > when you refer to PDC, what global attributes are you referring to and
> > their value ???
> > 
> > local master ?
> > domain master  ?
> > domain logons ?
> > security ?
> > 
> > let's get on the same page and go from there...everyone defines PDC
> > slightly different with respect to their overall design.
> > 
> > from this article: http://www.skippy.net/linux/smb-howto.html
> > it mentions that his scheme falls back to user if the line goes down.
> > 
> > from my test with security=user domain logons=yes, I had an entire office
> > complain that they couldn't log in one morning .. reason: I hadn't synced
> > the databases yet .. there was an NT BDC in that subnet but for those
> > machines that found the Linux bdc, it used it for the logon authentication
> > .. these are win98 machines .. tests with XP aren't till next week
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: richard [mailto:rcoates at bigpond.net.au]
> > > Sent: Saturday, May 10, 2003 3:01 AM
> > > To: Chris McKeever
> > > Cc: samba at lists.samba.org
> > > Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > 
> > > 
> > > My question relates to your network design. With only one pdc all your
> > > logon traffic (profile stuff) will be routed across your frame relay
> > > links. (I don't believe samba can be configured as a logon server if it
> > > isn't a pdc.) I hope I'm wrong here? Which means the logon traffic for
> > > even a small no of users will probably saturate your wan links, leading
> > > to slow logon-logoff times.
> > > Richard Coates.
> > > 
> > > On Fri, 2003-05-09 at 23:31, Chris McKeever wrote:
> > > > I am using ldap for user database replication..
> > > > security=user
> > > > 
> > > > so far it seems to be working great
> > > > 
> > > > 
> > > > > -----Original Message-----
> > > > > From: richard [mailto:rcoates at bigpond.net.au]
> > > > > Sent: Friday, May 09, 2003 5:02 AM
> > > > > To: Chris McKeever
> > > > > Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > > > 
> > > > > 
> > > > > re your proposed network design....1 samba pdc linked to samba bdcs
> > > > > across wan links.
> > > > > correct me if I'm wrong here, but I didn't think samba could be a logon
> > > > > server without acting as pdc also? (didn't work in my tests).
> > > > > This means all your logon traffic routes across frame relay links, which
> > > > > is why we used local office pdcs.
> > > > > Richard Coates.
> > > > > 
> > > 
> 

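Added example, not part of the original thread and not Samba's own code: a small role-consistency lint for the Samba 2.2-style [global] fragments posted above. The point it checks is the one the question turns on: a domain controller (PDC or BDC, i.e. domain logons = yes) must run with security = user, because security = domain tells smbd to hand the logon to another domain controller over NETLOGON instead of answering it from its own passdb, which is exactly what the BDCs here are meant to avoid. It also flags a DC with no ldap server (the passdb is then a local file the other DCs cannot share unless it is copied by hand), a plaintext ldap admin dn bind to a non-loopback LDAP server, and a domain with more than one domain master. The rule set, the function names and the constructed fragments are assumptions made for illustration; the fragments reuse the poster's values with the missing "=" in the ldap server line restored.

```python
"""Role-consistency lint for Samba 2.2-style smb.conf [global] fragments.

Added example for this thread, not Samba's own code. The rule set, the
function names and the constructed fragments below are assumptions made
for illustration.
"""
import configparser

TRUE_VALUES = {"yes", "true", "1"}  # the spellings smb.conf accepts for "on"

# Constructed fragment: the PDC [global] as posted, with security = domain.
PDC_AS_POSTED = """\
[global]
domain logons = yes
domain master = yes
security = domain
ldap suffix = dc=nesbitt,dc=local
ldap admin dn = cn=manager,dc=nesbitt,dc=local
ldap port = 389
ldap server = 127.0.0.1
ldap ssl = no
"""

# Corrected PDC: a domain controller validates users itself (security = user).
PDC_FIXED = PDC_AS_POSTED.replace("security = domain", "security = user")

# A BDC differs from the PDC only in not claiming the domain master role.
BDC_FIXED = PDC_FIXED.replace("domain master = yes", "domain master = no")


def parse_global(text):
    """Return the [global] section as a dict of lowercase keys to stripped values."""
    # Only "=" is a delimiter so that values such as an LDAP DN survive intact.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {k.strip().lower(): v.strip() for k, v in cp["global"].items()}


def is_on(params, key):
    return params.get(key, "no").lower() in TRUE_VALUES


def role_of(params):
    """Classify a server the way the thread does: PDC, BDC, or not a DC at all."""
    if not is_on(params, "domain logons"):
        return "not a DC"
    return "PDC" if is_on(params, "domain master") else "BDC"


def lint_server(text):
    """Findings for one server's [global]; an empty list means nothing was found."""
    p = parse_global(text)
    role = role_of(p)
    findings = []
    if role in ("PDC", "BDC"):
        # smbd's default is security = user, so a missing key is fine here.
        if p.get("security", "user").lower() != "user":
            findings.append(
                f"{role}: security = {p['security']} makes smbd hand logons to "
                "another domain controller instead of its own passdb; use security = user")
        if "ldap server" not in p:
            findings.append(
                f"{role}: no ldap server, so the passdb is a local file that the "
                "other DCs cannot share unless it is copied by hand")
    server = p.get("ldap server", "")
    if server and server not in ("127.0.0.1", "localhost") and not is_on(p, "ldap ssl"):
        findings.append(
            "ldap ssl = no with a non-loopback ldap server sends the ldap admin dn "
            "password across the network in clear text")
    return findings


def lint_domain(fragments):
    """Cross-server check: a domain needs exactly one domain master."""
    pdcs = sum(1 for f in fragments if role_of(parse_global(f)) == "PDC")
    if pdcs == 1:
        return []
    return [f"domain has {pdcs} servers with domain master = yes; exactly one is allowed"]


if __name__ == "__main__":
    for name, frag in (("PDC as posted", PDC_AS_POSTED),
                       ("PDC fixed", PDC_FIXED),
                       ("BDC", BDC_FIXED)):
        print(name, "->", lint_server(frag) or "ok")
    print(lint_domain([PDC_FIXED, BDC_FIXED, BDC_FIXED]) or "domain ok")
```

Run as-is it reports the security = domain problem for the posted PDC and nothing for the corrected PDC and BDC; point lint_server() at a fragment whose ldap server is a remote host with ldap ssl = no to see the plaintext-bind warning.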
