[Samba] WINT-NT is working as PDC and Redhat Linux Samba BDC and how to use rsync?

John H Terpstra jht at samba.org
Wed May 28 19:19:50 GMT 2003


On Wed, 28 May 2003, Yeri Swamy wrote:

> John H Terpstra wrote:
>
> >On Wed, 28 May 2003, Yeri Swamy wrote:
> >
> >>Thanks a lot for your speedy reply...
> >>The link you sent I looked at very closely... I am still confused what
> >>to do...
> >>
> >>It is not explained anywhere howto setup LDAP for Linux Samba BDC..
> >
> >If you implement a Samba based solution you need a Samba SAM (Security
> >Account Management) database. The soon to be released Samba-3 fully
> >supports two SAM solutions that will store the extended security
> >information needed to implement a true replacement for MS Windows NT.
> >These are tdbsam and ldapsam.
> >
> >See chapter on "Account Information Database", sub-section on LDAP back
> >end.
> >
> >Samba-3 ldapsam is the only passdb backend that allows scalability across
> >Samba PDC/BDC configurations. See Chapter on "Backup Domain Control" for
> >information about how this works.
> >
>      Thanks a ton...
>
>     Please bear with me because before coming to you I did search tons of
> links with no proper clear-cut details...
>
>      This means NT PDC and Samba BDC to work like (NT PDC & NT BDC, i.e. if
> PDC fails BDC will take over)

No. Read my reply carefully:

	Samba CAN NOT be a BDC to an NT PDC!

>      we have to wait till we get a tool/utility tdbsam which will
> gather all the machine account, users and groups info from NT and
> convert it into a meaningful format that Samba BDC can understand; then Samba
> BDC will work like a horse as BDC when NT PDC fails...

No. You can migrate your NT PDC SAM account information to a Samba PDC
using the "vampire" tool. Then you will need to replace your NT PDC with a
Samba PDC, if you want a Samba BDC to work correctly.

You should NOT use tdbsam for ANY Samba PDC/BDC combination. The tdbsam is
only intended for sites that do NOT need a BDC.

>  And with ldapsam we can only have Samba PDC and Samba BDC and this case
> if Samba PDC fails then Samba BDC will take over

With Samba-3 using ldapsam you can have a Samba PDC and as many Samba BDCs
as you like. The real benefit of this is that machine account password
changes will be stored in a common LDAP backend.


- John T.


> >
> >>that means do i have to setup Linux Samba BDC as LDAP server or client
> >>or ???
> >>I believe if i setup Linux Samba BDC as a LDAP server then do i have to
> >>setup WIN-NT PDC as LDAP client and how to transfer all the machine
> >>accounts, users, groups and passwords from NT to Linux..
> >>So that when WIN-NT PDC fails then Linux SAMBA BDC can takeover the
> >>network...
> >
> >Ok. I looked at your original question more closely. Sad to say, but Samba
> >can NOT be a true BDC to an MS Windows PDC. There is NO facility for using
> >rsync to replicate an MS Windows NT PDC SAM to a Samba server (not with
> >Samba-2 nor with soon to be released Samba-3).
> >
> >Samba-3 has a facility to suck MS Windows NT4 SAM accounts into its own
> >tdbsam or into an ldapsam database. This is a new facility that is not
> >available with Samba-2.2.x.
> >
> >In the strict definition of the terms:
> >
> >	1. Samba can not be a BDC to an NT PDC
> >	2. Samba can not do what you have described
> >
> >You can replace your Windows NT PDC with a Samba server, in which case you
> >CAN run a Samba BDC (so long as you use an LDAP accounts database
> >backend).
> >
> >The old solution involved using a flat text based file called smbpasswd in
> >which Samba stored the Microsoft encrypted passwords. This file could be
> >replicated using rsync. The problem with that method is that domain member
> >workstations do change their trust account password periodically. This
> >will happen locally with the old method - this breaks machine trusts.
> >
> >That is what I was referring to.
> >
> >- John T.
> >
> >>with Best Regards
> >>YS
> >>
> >>John H Terpstra wrote:
> >>
> >>>Yeri,
> >>>
> >>>The dogma to use rsync to replicate the password database is bad karma.
> >>>	"It's a bit like your karma runs over your dogma."
> >>>
> >>>MS Windows NT Domain member machines change their password at certain
> >>>intervals. If they do so on a local copy of the database and it gets
> >>>over-written by the rsync'd copy then your local workstation trusts get
> >>>broken.
> >>>
> >>>A better solution is to use LDAP, and follow the guidelines available from
> >>>several sources on how to set up a PDC/BDC using an LDAP backend.
> >>>
> >>>The following reference might help you:
> >>>
> >>>	http://samba.org/~jht/NT4migration/Samba-HOWTO-Collection.pdf
> >>>
> >>>- John T.
> >>>
> >>>On Wed, 28 May 2003, Yeri Swamy wrote:
> >>>
> >>>>Can anybody give me a hint how to set up Samba BDC (RedHat 9.0) with
> >>>>rsync-ing WIN-NT PDC so that if WIN-NT PDC is down all the clients can
> >>>>still get Authentication service from Samba BDC (RedHat 9.0). I have seen
> >>>>in Samba documentation that it can be done using rsync but nowhere is it
> >>>>clearly explained how to do it.. I ran out of gas by looking through
> >>>>Google also... :-(
> >>>>
> >>>>
> >>>>With Best Regards
> >>>>YS

-- 
John H Terpstra
Email: jht at samba.org
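An added example, not part of John's message or the Samba project's own documentation: smb.conf fragments for a Samba-3 PDC and a Samba-3 BDC that share one ldapsam backend, as the reply recommends, with the tdbsam setting the reply warns against shown commented out for contrast. A single LDAP server, the EXAMPLE workgroup, the host names and the directory suffixes are all assumed placeholders.

```ini
# --- smb.conf on the Samba PDC (added example; names and suffixes are placeholders) ---
[global]
    workgroup = EXAMPLE
    netbios name = PDC01
    security = user
    domain logons = yes
    domain master = yes
    preferred master = yes
    os level = 65
    # Shared SAM: one LDAP directory that the PDC and every BDC read and write.
    # A workstation's periodic trust-account password change lands there,
    # instead of in a local file that a later rsync could overwrite.
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=Manager,dc=example,dc=com
    ldap ssl = start tls

# --- smb.conf on each Samba BDC: same backend, only the browser/master flags differ ---
[global]
    workgroup = EXAMPLE
    netbios name = BDC01
    security = user
    domain logons = yes
    domain master = no
    local master = yes
    os level = 65
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=Manager,dc=example,dc=com
    ldap ssl = start tls

# --- What NOT to use on any PDC/BDC pair: tdbsam is a per-server local file,
#     so each domain controller would hold its own diverging copy of the
#     machine trust accounts (the same failure mode as rsync'd smbpasswd) ---
#   passdb backend = tdbsam
```

The password for the ldap admin dn is kept in secrets.tdb on each server via `smbpasswd -w`, not in smb.conf; the NT4 SAM is migrated once with `net rpc vampire` into the Samba PDC before the NT PDC is retired, as the reply describes.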