[Samba] Replacing WinNT 4 PDC with Samba PDC

John H Terpstra jht at samba.org
Mon May 12 15:31:05 GMT 2003


On Mon, 12 May 2003, Collins, Kevin wrote:

> Ok, I'm confused now.....
>
> Let me try to explain the way I see it and someone PLEASE correct me if I'm
> wrong.  I'm in the early planning stages and now is the time to change
> something if I need to.

You might want to check the new HOWTO. Note that this is a work in
progress, it is being added to regularly and will be complete before
Samba-3 ships.

http://samba.org/~jht/NT4migration/Samba-HOWTO-Collection.pdf

> The way I understand it, IF I have Samba configured to use an LDAP backend,
> then I can create a Samba PDC in my local office and two Samba BDCs in my
> remote offices.

Do not set "security = domain" unless you want these servers to join a
domain that already exists (ie: You are NOT a PDC and you are NOT a BDC).
To be a domain controller you need to be in "security = user", which is
the default.


> For this setup to work, the PDC will have the following "[global]" config
> options:
> domain logons = yes
> domain master = yes
> security = domain

security = user

> ldap suffix = dc=nesbitt,dc=local
> ldap admin dn = cn=manager,dc=nesbitt,dc=local
> ldap port = 389
> ldap server 127.0.0.1
> ldap ssl = no
>
> The BDCs will have these:
> domain logons = yes
> domain master = no
> security = domain

security = user

> ldap suffix = dc=nesbitt,dc=local
> ldap admin dn = cn=manager,dc=nesbitt,dc=local
> ldap port = 389
> ldap server 127.0.0.1
> ldap ssl = no
>
> Note:  The Samba-LDAP-PDC HOWTO (IDEALX) didn't mention the "security"
> directive and when I built my PDC in the lab on Friday I didn't have it in
> there, so Samba defaulted to "security = user".  If I change this as shown
> above, will that have an adverse impact on my setup?

Do NOT change from what you had. You want user level security and not
domain membership. The default is correct.

> Each BDC will be an LDAP slave to the PDC which will be the LDAP master.

Correct. You need to configure LDAP so that the BDCs are slaves off the
LDAP master.

> This (I think) will allow each of the BDCs to authenticate the logon
> attempts of the local subnets and not pass the logon attempt on the PDC over
> the WAN lines.  The LDAP database will be synced via the WAN lines to allow
> everyone to logon from anywhere.

A BDC MUST run the netlogon service. That means it will handle all local
authentication traffic/requests.

> If I read the information presented by portion of the thread by Richard
> correctly, then we're not really talking about the same setup.  The web link
> pointed out the normal Samba method of authentication is being used (i.e.
> smbpasswd, shadow and passwd files).  But this does bring up a good point:
> Does Samba depend on a PDC for ALL authentication attempts?  or (as I read

Ultimately, YES, but you will have a local copy of the LDAP database and
you will have local network logon processing, there should be minimal WAN
traffic.

> it) Does the "domain logon" directive control whether the Samba server can
> or can't authenticate by itself?

Correct.

>
> If I have to depend on a PDC (even with LDAP) then that does me no good.  I
> need to keep the logon attempts on each local subnet (i.e. at the BDC)
> unless something is broken.  Sending the request to the PDC should be a
> "last resort" kinda thing.

Correct.

>
> Someone please straighten me out.... :-)

Is that the answer you were looking for?

- John T.

>
> Kevin L. Collins, MCSE
> Systems Manager
> Nesbitt Engineering, Inc.
>
> On Saturday, May 10, 2003 6:30 AM, richard wrote:
> > My question was simply to make you aware of possible bottle-necks in
> > your network design. Make sure you read Skippy's doc carefully. I'm not
> > sure his auth "trick" still works with current samba.
> >
> > On Sat, 2003-05-10 at 19:51, Chris McKeever wrote:
> > > when you refer to PDC, what global attributes are you
> > referring to and their
> > > value ???
> > >
> > > local master ?
> > > domain master  ?
> > > domain logons ?
> > > security ?
> > >
> > > let's get on the same page with and go from there...everyone
> > defines PDC
> > > slightly different with respect to their overall design.
> > >
> > > from this article: http://www.skippy.net/linux/smb-howto.html
> > > it mentions that his scheme falls back to user if the line
> > goes down.
> > >
> > > from my test with security=user domain logons=yes, I had an
> > entire office
> > > complain that they couldn't log in one morning .. reason:
> > I hadn't synced
> > > the databases yet .. there was an NT BDC in that subnet but
> > for those
> > > machines that found the Linux bdc, it used it for the logon
> > authentication
> > > .. these are win98 machines .. tests with XP aren't till next week
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: richard [mailto:rcoates at bigpond.net.au]
> > > > Sent: Saturday, May 10, 2003 3:01 AM
> > > > To: Chris McKeever
> > > > Cc: samba at lists.samba.org
> > > > Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > >
> > > >
> > > > My question relates to your network design. With one only
> > pdc all your
> > > > logon traffic (profile stuff) will be routed across your
> > frame relay
> > > > links.( I don't believe samba can be configured as a logon
> > > > server if it
> > > > isn't a pdc.) I hope I'm wrong here? Which means the
> > logon traffic for
> > > > even a small no of users will probably saturate your wan
> > > > links, leading
> > > > to slow logon-logoff times.
> > > > Richard Coates.
> > > >
> > > > On Fri, 2003-05-09 at 23:31, Chris McKeever wrote:
> > > > > I am using ldap for user database replication..
> > > > > security=user
> > > > >
> > > > > so far it seems to be working great
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: richard [mailto:rcoates at bigpond.net.au]
> > > > > > Sent: Friday, May 09, 2003 5:02 AM
> > > > > > To: Chris McKeever
> > > > > > Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > > > >
> > > > > >
> > > > > > re your proposed network design....1 samba pdc linked to
> > > > samba bdcs
> > > > > > across wan links.
> > > > > > correct me if I'm wrong here, but I didn't think samba could
> > > > > > be a logon
> > > > > > server without acting as pdc also? (didn't work in my tests).
> > > > > > This means all your logon traffic routes across frame relay
> > > > > > links, which
> > > > > > is why we used local office pdcs.
> > > > > > Richard Coates.
> > > > > >
> > > >
> >
>

-- 
John H Terpstra
Email: jht at samba.org
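Added example, not from this thread or from the Samba project: a POSIX sh/awk check that reads an smb.conf and flags the mistake John corrects above, a domain controller ("domain logons = yes") whose "security" is anything other than "user". It also reports [global] lines with no "=" (like the "ldap server 127.0.0.1" line in the quoted config), which Samba ignores as badly formed; the sample config at the end is constructed from the thread's PDC fragment.

```shell
# Added example (not from the thread or Samba): check_dc_security FILE reads an
# smb.conf and returns 0 when [global] is consistent, 1 when "domain logons = yes"
# is paired with a "security" other than "user" (Samba's default, and what a
# PDC/BDC needs) or when a [global] line lacks "=" (Samba ignores such lines).
check_dc_security() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    {
        line = $0
        sub(/[#;].*/, "", line)                  # strip comments
        line = trim(line)
        if (line == "") next
        if (line ~ /^\[.*\]$/) {                 # section header
            section = tolower(trim(substr(line, 2, length(line) - 2)))
            next
        }
        if (section != "global") next            # only [global] matters here
        eq = index(line, "=")
        if (eq == 0) {                           # badly formed: Samba ignores it
            print "WARNING: line ignored by Samba (no =): " line
            bad++
            next
        }
        key = tolower(trim(substr(line, 1, eq - 1)))
        conf[key] = tolower(trim(substr(line, eq + 1)))
    }
    END {
        sec = ("security" in conf) ? conf["security"] : "user"   # Samba default
        if (conf["domain logons"] !~ /^(yes|true|1)$/) {
            print "not a domain controller: domain logons is off"
        } else if (sec != "user") {
            print "MISCONFIGURED: domain logons = yes but security = " sec " (a PDC/BDC needs security = user)"
            bad++
        } else {
            print "OK: domain controller with security = user"
        }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Constructed sample: the PDC fragment from the thread, with the wrong "security".
conf=$(mktemp)
cat > "$conf" <<'EOF'
[global]
   domain logons = yes
   domain master = yes
   security = domain
   ldap server 127.0.0.1
EOF
check_dc_security "$conf" || echo "exit status $?: fix smb.conf before starting smbd"
rm -f "$conf"
```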