[Samba] WINT-NT is working as PDC and Redhat Linux Samba BDC and how to use rsync?

John H Terpstra jht at samba.org
Wed May 28 18:33:31 GMT 2003

On Wed, 28 May 2003, Yeri Swamy wrote:

> Thanks a lot! for ur speedy reply...
> The link u sent i looked at it very closely... i am still confused what
> to do...
> It is not explained anywhere howto setup LDAP for Linux Samba BDC..

If you implement a Samba based solution you need a Samba SAM (Security
Account Managment) database. The soon to be released Samba-3 fully
supports two SAM solutions that will store the extended security
information needed to implement a true replacement for MS Windows NT.
These are tdbsam and ldapsam.

See chapter on "Account Information Database", sub-section on LDAP back

Samba-3 ldapsam is the only passdb backend that allows scalability across
Samba PDC/BDC configurations. See Chapter on "Backup Domain Control" for
information about how this works.

> that means do i have to setup Linux Samba BDC as LDAP server or client
> or ???
> I believe if i setup Linux Samba BDC as a LDAP server then do i have to
> setup WIN-NT PDC as LDAP client and how to transfer all the machine
> accounts, users, groups and passwords from NT to Linux..
> So that when WIN-NT PDC fails then Linux SAMBA BDC can takeover the
> network...

Ok. I looked at your original question more closely. Sad to say, but Samba
can NOT be a true BDC to an MS Windows PDC. There is NO facility for using
rsync to replicate an MS Windows NT PDC SAM to a Samba server (not with
Samba-2 nor with soon to be released Samba-3).

Samba-3 has a facility to suck MS Windows NT4 SAM accounts into it's own
tdbsam or into an ldapsam database. This is a new facility that is not
available with Samba-2.2.x.

In the strict definition of the terms:

	1. Samba can not be a BDC to an NT PDC
	2. Samba can not do what you have described

You can replace your Windows NT PDC with a Samba server, in which case you
CAN run a Samba BDC (so long as you use an LDAP accounts database

The old solution involved using a flat text based file called smbpasswd in
which Samba stored the Microsoft encrypted passwords. This file could be
replicated using rsync. The problem with that method is that domain member
workstations do change their trust account password periodically. This
will happen locally with the old method - this breaks machine trusts.

That is what I was referring to.

- John T.

> with Best Regards
> YS
> John H Terpstra wrote:
> >Yeri,
> >
> >The dogma to use rsync to replicate the password database is bad karma.
> >	"It's a bit like your karma runs over your dogma."
> >
> >MS Windows NT Domain member machines change their password at certain
> >intervals. If they do so on a local copy of the database nad it gets
> >over-written by the rsync'd copy then your local workstation trusts get
> >broken.
> >
> >A better solution is to use LDAP, and follow the guidelines available from
> >several sources on how to set up a PDC/BDC using an LDAP backend.
> >
> >The following reference might help you:
> >
> >	http://samba.org/~jht/NT4migration/Samba-HOWTO-Collection.pdf
> >
> >- John T.
> >
> >On Wed, 28 May 2003, Yeri Swamy wrote:
> >
> >
> >
> >>Can anybody give me a hint how to set up Samba BDC(RedHat 9.0) with
> >>rsync-ing WIN-NT PDC so that if WIN-NT PDC is down all the clients can
> >>still get Authentication service from Samba BDC(RedHat 9.0). i have seen
> >>in Samba documentation that it can be done using rsync but nowhwere it
> >>is clearly explained howto do it.. I ran out of gas by looking through
> >>google also... :-(
> >>
> >>
> >>With Best Regards
> >>YS
> >>
> >>
> >>
> >>
> >
> >
> >

John H Terpstra
Email: jht at samba.org

More information about the samba mailing list