[Samba] Replacing WinNT 4 PDC with Samba PDC

Chris McKeever tech-mail at prupref.com
Mon May 12 16:04:27 GMT 2003


> -----Original Message-----
> From: Collins, Kevin [mailto:KCollins at nesbittengineering.com]
> Sent: Monday, May 12, 2003 9:23 AM
> To: 'samba at lists.samba.org'
> Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> 
> 
> Ok, I'm confused now.....
> 
> Let me try to explain the way I see it and someone PLEASE 
> correct me if I'm
> wrong.  I'm in the early planning stages and now is the time to change
> something if I need to.
> 
> The way I understand it, IF I have Samba configured to use an 
> LDAP backend,
> then I can create a Samba PDC in my local office and two 
> Samba BDCs in my
> remote offices.

perfect...works for me exactly as you define

> 
> For this setup to work, the PDC will have the following 
> "[global]" config
> options:
> domain logons = yes
> domain master = yes
> security = domain
> ldap suffix = dc=nesbitt,dc=local
> ldap admin dn = cn=manager,dc=nesbitt,dc=local
> ldap port = 389
> ldap server = 127.0.0.1
> ldap ssl = no
> 

I _think_ that you want user level for everything.  This allows the server
you are connecting to, to authenticate off its local user database files...in this
case LDAP.

I _think_ with domain/server security level you then point to a password server
and therefore do not keep the concept of remote authentication...but instead
make it go to the PDC to authenticate.

However, I am a bit unclear on all this, but I just set everything to user
level.

> The BDCs will have these:
> domain logons = yes
> domain master = no
> security = domain
> ldap suffix = dc=nesbitt,dc=local
> ldap admin dn = cn=manager,dc=nesbitt,dc=local
> ldap port = 389
> ldap server = 127.0.0.1
> ldap ssl = no
> 

same as above in terms of security = user

> Note:  The Samba-LDAP-PDC HOWTO (IDEALX) didn't mention the "security"
> directive and when I built my PDC in the lab on Friday I 
> didn't have it in
> there, so Samba defaulted to "security = user".  If I change 
> this as shown
> above, will that have an adverse impact on my setup?
> 
> Each BDC will be an LDAP slave to the PDC which will be the 
> LDAP master.
> 

I think you are all set with your current setup

> This (I think) will allow each of the BDCs to authenticate the logon
> attempts of the local subnets and not pass the logon attempt 
> on the PDC over
> the WAN lines.  The LDAP database will be synced via the WAN 
> lines to allow
> everyone to logon from anywhere.
> 
> If I read the information presented by portion of the thread 
> by Richard
> correctly, then we're not really talking about the same 
> setup.  The web link
> pointed out the normal Samba method of authentication is 
> being used (i.e.
> smbpasswd, shadow and passwd files).  But this does bring up 
> a good point:
> Does Samba depend on a PDC for ALL authentication attempts?  
> or (as I read
> it) Does the "domain logon" directive control whether the 
> Samba server can
> or can't authenticate by itself?
> 
> If I have to depend on a PDC (even with LDAP) then that does 
> me no good.  I
> need to keep the logon attempts on each local subnet (i.e. at the BDC)
> unless something is broken.  Sending the request to the PDC 
> should be a
> "last resort" kinda thing.
> 
> Someone please straighten me out.... :-)
> 

security=user then everything stays local, and considering that the _BDC_
has no idea where the PDC is, it can't send requests anywhere...

I may be wrong, but this is working for me...

> Kevin L. Collins, MCSE
> Systems Manager
> Nesbitt Engineering, Inc.
> 
> On Saturday, May 10, 2003 6:30 AM, richard wrote:
> > My question was simply to make you aware of possible bottle-necks in
> > your network design. Make sure you read Skippys doc 
> carefully. I'm not
> > sure his auth "trick" still works with current samba.
> > 
> > On Sat, 2003-05-10 at 19:51, Chris McKeever wrote:
> > > when you refer to PDC, what global attributes are you 
> > referring to and their
> > > value ??? 
> > > 
> > > local master ?
> > > domain master  ?
> > > domain logons ?
> > > security ?
> > > 
> > > let's get on the same page with this and go from there...everyone 
> > defines PDC
> > > slightly differently with respect to their overall design.
> > > 
> > > from this article: http://www.skippy.net/linux/smb-howto.html
> > > it mentions that his scheme falls back to user if the line 
> > goes down.
> > > 
> > > from my test with security=user domain logons=yes, I had an 
> > entire office
> > > complain that they couldn't log in one morning .. reason: 
> > I hadn't synced
> > > the databases yet .. there was an NT BDC in that subnet but 
> > for those
> > > machines that found the Linux bdc, it used it for the logon 
> > authentication
> > > .. these are win98 machines .. tests with XP aren't till next week
> > > 
> > > 
> > > 
> > > > -----Original Message-----
> > > > From: richard [mailto:rcoates at bigpond.net.au]
> > > > Sent: Saturday, May 10, 2003 3:01 AM
> > > > To: Chris McKeever
> > > > Cc: samba at lists.samba.org
> > > > Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > > 
> > > > 
> > > > My question relates to your network design. With only one 
> > PDC all your
> > > > logon traffic (profile stuff) will be routed across your 
> > frame relay
> > > > links.( I don't believe samba can be configured as a logon 
> > > > server if it
> > > > isn't a PDC.) I hope I'm wrong here? Which means the 
> > logon traffic for
> > > > even a small no of users will probably saturate your wan 
> > > > links, leading
> > > > to slow logon-logoff times.
> > > > Richard Coates.
> > > > 
> > > > On Fri, 2003-05-09 at 23:31, Chris McKeever wrote:
> > > > > I am using ldap for user database replication..
> > > > > security=user
> > > > > 
> > > > > so far it seems to be working great
> > > > > 
> > > > > 
> > > > > > -----Original Message-----
> > > > > > From: richard [mailto:rcoates at bigpond.net.au]
> > > > > > Sent: Friday, May 09, 2003 5:02 AM
> > > > > > To: Chris McKeever
> > > > > > Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > > > > 
> > > > > > 
> > > > > > re your proposed network design....1 samba pdc linked to 
> > > > samba bdcs
> > > > > > across wan links.
> > > > > > correct me if I'm wrong here, but I didn't think 
> samba could 
> > > > > > be a logon
> > > > > > server without acting as pdc also? (didn't work in 
> my tests).
> > > > > > This means all your logon traffic routes across frame relay 
> > > > > > links, which
> > > > > > is why we used local office pdcs.
> > > > > > Richard Coates.
> > > > > > 
> > > > 
> > 
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  http://lists.samba.org/mailman/listinfo/samba
> > 
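As an added example, not part of the thread or of Samba itself: a small lint script for the [global] fragments being discussed. It encodes the point Chris is making (a Samba PDC or BDC must run with security = user so it validates logons from its own passdb, here the local LDAP replica; security = domain/server would hand them off to a password server), plus the domain master check and one caveat a practitioner would want: "ldap admin dn" with "ldap ssl = no" against a non-loopback "ldap server" puts the directory admin password on the WAN in cleartext. The sample smb.conf blocks are constructed from the quoted fragments (the workgroup name NESBITT and the 10.1.2.3 address are assumptions), and the parser is a minimal one that only reads a hand-written [global] section (no "include", no variable substitution).

```python
import re
from typing import Dict, List

# Constructed sample [global] sections, modelled on the fragments quoted in
# the thread. The workgroup name is an assumption.

# Kevin's proposed PDC, as posted: security = domain on a domain controller.
PDC_PROPOSED = """
[global]
   workgroup = NESBITT
   domain logons = yes
   domain master = yes
   security = domain
   ldap suffix = dc=nesbitt,dc=local
   ldap admin dn = cn=manager,dc=nesbitt,dc=local
   ldap port = 389
   ldap server = 127.0.0.1
   ldap ssl = no
"""

# The same PDC with security = user, which is what Chris runs.
PDC_FIXED = PDC_PROPOSED.replace("security = domain", "security = user")

# A BDC using its local LDAP replica, also with security = user.
BDC_FIXED = (PDC_FIXED.replace("domain master = yes", "domain master = no"))

# A BDC binding as the admin DN to a remote replica (hypothetical address)
# without TLS: the LDAP admin password crosses the WAN in cleartext.
BDC_REMOTE_CLEAR = BDC_FIXED.replace("ldap server = 127.0.0.1",
                                     "ldap server = 10.1.2.3")


def parse_global(text: str) -> Dict[str, str]:
    """Return the [global] parameters of an smb.conf as a lower-cased dict.

    Minimal parser: one 'key = value' per line, '#' or ';' comment lines,
    no 'include' handling. Enough for linting a hand-written [global].
    """
    section = None
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip().lower()] = value.strip()
    return params


def _yes(params: Dict[str, str], key: str, default: str = "no") -> bool:
    return params.get(key, default).lower() in ("yes", "true", "1")


def lint_dc(params: Dict[str, str], role: str) -> List[str]:
    """Check a [global] block for role 'pdc' or 'bdc'; return findings."""
    findings: List[str] = []

    if not _yes(params, "domain logons"):
        findings.append("domain logons = no: this server will not serve "
                        "NT domain logons at all")

    # The point of the thread: a DC validates logons against its own passdb
    # (here LDAP). security = domain/server forwards them to a password server.
    security = params.get("security", "user").lower()
    if security != "user":
        findings.append(f"security = {security}: a DC must use security = user "
                        "so logons are validated locally, not forwarded")

    is_master = _yes(params, "domain master")
    if role == "pdc" and not is_master:
        findings.append("PDC needs domain master = yes")
    if role == "bdc" and is_master:
        findings.append("BDC must have domain master = no; two domain masters "
                        "contend for the DOMAIN<1B> name")

    # Admin DN bind without TLS to a non-loopback LDAP server leaks the
    # directory password on the wire.
    if "ldap admin dn" in params:
        server = params.get("ldap server", "localhost").lower()
        ssl = params.get("ldap ssl", "").lower()
        if server not in ("127.0.0.1", "localhost", "::1") and \
                ssl in ("no", "off", "false"):
            findings.append(f"ldap ssl = {ssl} with ldap server = {server}: "
                            "admin dn password crosses the network in cleartext")
    return findings


if __name__ == "__main__":
    for name, text, role in (("PDC as proposed", PDC_PROPOSED, "pdc"),
                             ("PDC fixed", PDC_FIXED, "pdc"),
                             ("BDC fixed", BDC_FIXED, "bdc"),
                             ("BDC, remote LDAP in clear", BDC_REMOTE_CLEAR, "bdc")):
        print(f"{name}: {lint_dc(parse_global(text), role) or ['ok']}")
```

Run it as-is to see the four verdicts; to lint a real file, read it into `parse_global` and pass the role the host is meant to play. The loopback exemption is deliberate: the quoted configs point "ldap server" at 127.0.0.1, so the cleartext caveat only fires when someone later points a BDC at a replica across the WAN.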

