[Samba] Questions on Backup Domain Control

Larry Liu larry.liu at Sun.COM
Thu Oct 30 01:58:39 GMT 2003

John, and the Samba community,

Thanks for all your previous help.

We are writing to clarify a couple of questions that arose from our
reading of Samba 3 Official Documentation - Chapter 6: Backup
Domain Control (see the quoted paragraphs below).

Question 1 / Scenario 1:
Trust Domain Account Relationships

PDC (functioning as centralized domain SAM)
Trust Domain Account Relationship
BDC (acting as PDC for local SAM)
CLIENTS (periodically updating machine account information to local SAM)

In this scenario, we interpret the documentation to be stating that since
the local SAM in Denver isn't sending its update information to the Houston PDC;
the Houston PDC rsyncs with the Denver BDC, the Denver BDC's SAM will
be overwritten with old machine account data and the result will be a
trust. The suggested improvement is to use a LDAP database rather than

Is this a correct interpretation?

Question 2 / Scenario 2:
PDC-BDC Fail Over

Our local network domain has no Trust Domain Relationships configured.
However, the above scenario does raise the question of the best way to
our domain in the event of a  fail over:

San Jose:
PDC (acting as PDC for local SAM)
rsync (PDC SAM rsyncs to BDC SAM)
BDC (acting as fail over BDC for the local domain)

We have been running various fail-over scenarios in our lab for the last
month. Our only password backend option is tdbsam (no LDAP backend
When we disconnected the PDC from the network, the BDC continued to
authenticate users, allow logons, run logon scripts, etc.

We were pleased to discover that tests to create/update/add/delete
user and machine accounts produced an error message and didn't allow
on the BDC's (read only) SAM (no rsync overwrite issues).

The remaining questions: are client systems also locked out of the BDC's
for updating their own machine account information until there is a PDC
on the domain again?

Worst Case Scenario:
Since rsync goes PDC->BDC, if there was a major hardware failure on the
and the BDC's role was changed to PDC until the original failed system
repaired, would the new PDC's SAM then allow account updates?
- and -
would it be a best practice to configure the old PDC to a BDC after it is
then bring it back online and rsync with the current PDC?

From Samba 3 Official Documentation - Chapter 6: Backup Domain Control

Features and Benefits

The use of a non-LDAP backend SAM database is particularly
problematic because Domain Member servers and workstations
periodically change the Machine Trust Account password. The
new password is then stored only locally. This means that in the absence
of a centrally stored accounts database (such as that provided
with an LDAP-based solution) if Samba-3 is running as a BDC, the BDC
instance of the Domain Member trust account password will not
reach the PDC (master) copy of the SAM. If the PDC SAM is then
replicated to BDCs, this results in overwriting the SAM that
contains the updated (changed) trust account password with resulting
breakage of the domain trust.

Machine Accounts Keep Expiring

This problem will occur when the passdb (SAM) files are copied
from a central server but the local Backup Domain Controller is acting as
a PDC. This results in the application of Local Machine Trust
Account password updates to the local SAM. Such updates are not copied
back to the central server. The newer machine account password
is then overwritten when the SAM is re-copied from the PDC. The
result is that the Domain Member machine on start up will find
that its passwords do not match the one now in the database and since
startup security check will now fail, this machine will not
allow logon attempts to proceed and the account expiry error will be

The solution is to use a more robust passdb backend, such as
the ldapsam backend, setting up a slave LDAP server for each BDC, and a
master LDAP server for the PDC.


Larry Liu
Robert Inerbickler
Sun Microsystems
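The two layouts discussed in the message above, as an added illustration (not part of the original post or of the Samba documentation): the tdbsam-plus-rsync arrangement whose overwrite problem the quoted chapter describes, beside the ldapsam arrangement the chapter recommends. Host names, the domain name, the LDAP suffix and the rsync path are constructed placeholders.

```ini
; --- Weak layout: tdbsam on both DCs, one-way copy PDC -> BDC ---
; PDC smb.conf (constructed example)
[global]
    workgroup = EXAMPLEDOM
    security = user
    domain logons = yes
    domain master = yes
    passdb backend = tdbsam
; The private dir (passdb.tdb, secrets.tdb, group_mapping.tdb) is then
; pushed with something like:
;   rsync -a /var/lib/samba/private/ bdc.example.com:/var/lib/samba/private/
; A machine trust account password changed against the BDC never flows
; back, so the next copy silently reverts it (the "expiring" accounts).

; BDC smb.conf (constructed example)
[global]
    workgroup = EXAMPLEDOM
    security = user
    domain logons = yes
    domain master = no
    passdb backend = tdbsam

; --- Recommended layout: ldapsam, master LDAP at the PDC, slave per BDC ---
; PDC smb.conf
[global]
    workgroup = EXAMPLEDOM
    security = user
    domain logons = yes
    domain master = yes
    passdb backend = ldapsam:ldap://ldap-master.example.com
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups
    ldap admin dn = cn=Manager,dc=example,dc=com

; BDC smb.conf (reads from its local replica; assumes the slave slapd
; refers writes to the master, so machine password changes land in one
; place and are replicated outward instead of being overwritten)
[global]
    workgroup = EXAMPLEDOM
    security = user
    domain logons = yes
    domain master = no
    passdb backend = ldapsam:ldap://ldap-slave-denver.example.com
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups
    ldap admin dn = cn=Manager,dc=example,dc=com
```

Run `testparm -s` on each host to confirm the `domain master` and `passdb backend` values actually loaded before relying on the fail-over behaviour.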

