[Samba] Replacing WinNT 4 PDC with Samba PDC

richard rcoates at bigpond.net.au
Tue May 13 10:32:03 GMT 2003


Kevin, I can see some flaws in your setup below.....
Your "Pdc" must have "security = user".

Be aware if you set your "bdcs" with "security = domain" then ALL auth
will be referred to the "pdc". Not what you want. Remember samba2 cannot
at this time be a true Windows-like Bdc. You are emulating certain
behaviour to get what you want. Don't know if samba3 can/will?

Sorry I cannot help you with ldap; last time I tried it was too much
trouble with conflicting docs, but others reply here announcing good
success. However please ask the samba group for config guidelines...or
perhaps the new docs with samba3 or Buchan Milne's site?

I was in your position a while back and opted for pdcs in each site,
mainly because of logon and/or profile traffic across vpns.
To repeat: I don't believe samba2 can be a logon server
   ie: domain logons = yes
without also pdc config ...
   ie: security = user
Unless samba3 can do this or I'm wrong, you may have to rethink your
layout.
SOMEONE PLEASE CORRECT ME IF I'M WRONG here because this is crucial to
your network design and traffic across your vpns.

There was discussion on samba a while back on setting up ldap as you
require...read only auth on all slave samba/ldap servers, pass change
only to master ldap server, slave ldap servers sync with master ldap
occasionally. try samba3 docs again or search the list archives.

I hope I have been some help, though many questions remain unanswered.
I cc this to the list so others may jump in too.
regards,
Richard Coates.


On Mon, 2003-05-12 at 23:38, Collins, Kevin wrote:
> Ok, I'm confused now.....
> 
> Let me try to explain the way I see it and someone PLEASE correct me if I'm
> wrong.  I'm in the early planning stages and now is the time to change
> something if I need to.
> 
> The way I understand it, IF I have Samba configured to use an LDAP backend,
> then I can create a Samba PDC in my local office and two Samba BDCs in my
> remote offices.
> 
> For this setup to work, the PDC will have the following "[global]" config
> options:
> domain logons = yes
> domain master = yes
> security = domain
> ldap suffix = dc=nesbitt,dc=local
> ldap admin dn = cn=manager,dc=nesbitt,dc=local
> ldap port = 389
> ldap server = 127.0.0.1
> ldap ssl = no
> 
> The BDCs will have these:
> domain logons = yes
> domain master = no
> security = domain
> ldap suffix = dc=nesbitt,dc=local
> ldap admin dn = cn=manager,dc=nesbitt,dc=local
> ldap port = 389
> ldap server = 127.0.0.1
> ldap ssl = no
> 
> Note:  The Samba-LDAP-PDC HOWTO (IDEALX) didn't mention the "security"
> directive and when I built my PDC in the lab on Friday I didn't have it in
> there, so Samba defaulted to "security = user".  If I change this as shown
> above, will that have an adverse impact on my setup?
> 
> Each BDC will be an LDAP slave to the PDC which will be the LDAP master.
> 
> This (I think) will allow each of the BDCs to authenticate the logon
> attempts of the local subnets and not pass the logon attempt on the PDC over
> the WAN lines.  The LDAP database will be synced via the WAN lines to allow
> everyone to logon from anywhere.
> 
> If I read the information presented in Richard's portion of the thread
> correctly, then we're not really talking about the same setup.  The web link
> pointed out that the normal Samba method of authentication is being used (i.e.
> smbpasswd, shadow and passwd files).  But this does bring up a good point:
> Does Samba depend on a PDC for ALL authentication attempts?  or (as I read
> it) Does the "domain logon" directive control whether the Samba server can
> or can't authenticate by itself?
> 
> If I have to depend on a PDC (even with LDAP) then that does me no good.  I
> need to keep the logon attempts on each local subnet (i.e. at the BDC)
> unless something is broken.  Sending the request to the PDC should be a
> "last resort" kinda thing.
> 
> Someone please straighten me out.... :-)
> 
> Kevin L. Collins, MCSE
> Systems Manager
> Nesbitt Engineering, Inc.
> 
> On Saturday, May 10, 2003 6:30 AM, richard wrote:
> > My question was simply to make you aware of possible bottle-necks in
> > your network design. Make sure you read Skippy's doc carefully. I'm not
> > sure his auth "trick" still works with current samba.
> > 
> > On Sat, 2003-05-10 at 19:51, Chris McKeever wrote:
> > > when you refer to PDC, what global attributes are you referring to and their
> > > value ???
> > > 
> > > local master ?
> > > domain master  ?
> > > domain logons ?
> > > security ?
> > > 
> > > let's get on the same page and go from there...everyone defines PDC
> > > slightly differently with respect to their overall design.
> > > 
> > > from this article: http://www.skippy.net/linux/smb-howto.html
> > > it mentions that his scheme falls back to user if the line goes down.
> > > 
> > > from my test with security=user domain logons=yes, I had an entire office
> > > complain that they couldn't log in one morning .. reason: I hadn't synced
> > > the databases yet .. there was an NT BDC in that subnet but for those
> > > machines that found the Linux bdc, it used it for the logon authentication
> > > .. these are win98 machines .. tests with XP aren't till next week
> > > 
> > > 
> > > 
> > > > -----Original Message-----
> > > > From: richard [mailto:rcoates at bigpond.net.au]
> > > > Sent: Saturday, May 10, 2003 3:01 AM
> > > > To: Chris McKeever
> > > > Cc: samba at lists.samba.org
> > > > Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > > 
> > > > 
> > > > My question relates to your network design. With one only pdc all your
> > > > logon traffic (profile stuff) will be routed across your frame relay
> > > > links. (I don't believe samba can be configured as a logon server if it
> > > > isn't a pdc.) I hope I'm wrong here? Which means the logon traffic for
> > > > even a small number of users will probably saturate your wan links, leading
> > > > to slow logon-logoff times.
> > > > Richard Coates.
> > > > 
> > > > On Fri, 2003-05-09 at 23:31, Chris McKeever wrote:
> > > > > I am using ldap for user database replication..
> > > > > security=user
> > > > > 
> > > > > so far it seems to be working great
> > > > > 
> > > > > 
> > > > > > -----Original Message-----
> > > > > > From: richard [mailto:rcoates at bigpond.net.au]
> > > > > > Sent: Friday, May 09, 2003 5:02 AM
> > > > > > To: Chris McKeever
> > > > > > Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > > > > 
> > > > > > 
> > > > > > re your proposed network design....1 samba pdc linked to samba bdcs
> > > > > > across wan links.
> > > > > > correct me if I'm wrong here, but I didn't think samba could be a logon
> > > > > > server without acting as pdc also? (didn't work in my tests).
> > > > > > This means all your logon traffic routes across frame relay links, which
> > > > > > is why we used local office pdcs.
> > > > > > Richard Coates.
> > > > > > 
> > > > 
> > 
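Richard's point above (a box that serves domain logons must run "security = user", because "security = domain" hands every authentication to another domain controller, so a "BDC" configured that way only adds a WAN hop to the PDC) and the two "[global]" fragments Kevin quoted lend themselves to a small configuration check. The script below is an added example, not code from the Samba project or from anyone in this thread. It parses the [global] section of smb.conf text the way testparm reads it (parameter names are case-insensitive and ignore internal whitespace) and reports three things: a "domain logons = yes" host whose "security" is not "user", "domain master = yes" without "domain logons = yes", and an explicit "ldap ssl = no" against an LDAP server that is not on the loopback, since the "ldap admin dn" bind carries a password. The embedded fragments are constructed for the example, modelled on Kevin's; PDC_BAD deliberately keeps "security = domain" and an "ldap server" line with the "=" missing, and the "ldap server"/"ldap port"/"ldap ssl" names are the Samba 2.2 ldapsam parameters used in the thread (Samba 3 folds the server into "passdb backend = ldapsam:ldap://...").

```python
import re

# Samba treats yes/true/1 as true and no/false/0/off as false.
_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0", "off"}
_LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_global(text):
    """Parse the [global] section of smb.conf text.

    Returns (params, malformed): params maps a normalised parameter name
    (lower-case, internal whitespace removed, as Samba matches names) to
    its lower-cased value; malformed lists lines carrying no '=' that
    testparm would complain about."""
    params, malformed = {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # both smb.conf comment styles
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global":
            continue
        if "=" not in line:
            malformed.append(line)
            continue
        key, value = line.split("=", 1)
        params[re.sub(r"\s+", "", key).lower()] = value.strip().lower()
    return params, malformed


def _is_true(params, key, default="no"):
    return params.get(key, default) in _TRUE


def lint(text):
    """Return a list of findings for one smb.conf fragment; [] means clean."""
    params, malformed = parse_global(text)
    findings = [f"malformed line (no '='), testparm would reject it: {l}"
                for l in malformed]

    # Rule 1: a domain logon server answers logons from its own passdb.
    # security = domain forwards every authentication to another DC.
    security = params.get("security", "user")   # Samba's default
    if _is_true(params, "domainlogons") and security != "user":
        findings.append(
            f"domain logons = yes requires security = user, got "
            f"security = {security}: logons would be forwarded to another DC")

    # Rule 2: domain master = yes only wins the domain master browser
    # election; without domain logons = yes the host is not a PDC.
    if _is_true(params, "domainmaster") and not _is_true(params, "domainlogons"):
        findings.append("domain master = yes without domain logons = yes")

    # Rule 3: the ldap admin dn bind carries a password, so tolerate an
    # explicit 'ldap ssl = no' only when the directory is on the loopback.
    server = params.get("ldapserver", "localhost")
    if params.get("ldapssl") in _FALSE and server not in _LOOPBACK:
        findings.append(
            f"ldap ssl = no with remote ldap server {server}: admin dn bind in the clear")
    return findings


# Constructed fragments modelled on the ones posted in the thread (the
# LDAP values are placeholders).  PDC_BAD keeps two mistakes on purpose:
# security = domain on a logon server, and an 'ldap server' line that
# lacks its '='.
PDC_BAD = """\
[global]
   domain logons = yes
   domain master = yes
   security = domain
   ldap suffix = dc=nesbitt,dc=local
   ldap admin dn = cn=manager,dc=nesbitt,dc=local
   ldap port = 389
   ldap server 127.0.0.1
   ldap ssl = no
"""

PDC_OK = PDC_BAD.replace("security = domain", "security = user") \
                .replace("ldap server 127.0.0.1", "ldap server = 127.0.0.1")

# A BDC in the Samba sense: same passdb (an LDAP replica), answers logons
# locally, and does not contest the domain master election.
BDC_OK = PDC_OK.replace("domain master = yes", "domain master = no")

if __name__ == "__main__":
    for name, cfg in (("PDC_BAD", PDC_BAD), ("PDC_OK", PDC_OK), ("BDC_OK", BDC_OK)):
        print(name, lint(cfg) or "clean")
```

Run against the three fragments, PDC_BAD yields the malformed-line and security findings, PDC_OK and BDC_OK come back clean, and pointing BDC_OK's "ldap server" at a remote host while leaving "ldap ssl = no" triggers the cleartext-bind finding. The rules only encode what the Samba documentation states about these parameters; they say nothing about whether a given Samba release replicates the SAM, which is the separate question the thread leaves open.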