[Samba] Samba PDC / BDC with ldapsam

Cybr0t McWhulf cybre at killcybre.org
Mon Feb 23 01:35:55 GMT 2004

OS / Software:

PDC / Master LDAP store:
	- Redhat 9
	- OpenLDAP 2.1.25
	- Samba 3.0.0

BDC / Slave LDAP store:
	- Redat 9
	- OpenLDAP 2.0.27-8
	- Samba 3.0.2

>From the Samba HOWTO Collection on www.samba.org:  (Backup Domain Control)

"Can I Do This All with LDAP?

The simple answer is yes. Samba's pdb_ldap code supports binding to a replica LDAP server, and will also follow referrals and re-bind to the master if it ever needs to make a modification to the database. (Normally BDCs are read only, so this will not occur often)."

That's a little vague and misleading.. as referrals are merely pointers to subtrees in an ldap directory that are stored on different ldap servers, whereas the "updateref" directive in slapd.conf for a slave ldap server tells connecting clients to connect to the master to make updates.

Recently I set up a BDC on a slave ldap server on a remote network connected to the local network via wan.  Authentication works great, however, in testing I tried to change my password on a remote windows client, and got a return error of "Unable to change password: <MYDOMAINNAME> Domain is unavailable", or something to that degree.

Upon reviewing the slave ldap logs, I saw samba searching for "objectClass=referral", then "objectClass=*", before returning the failure error to the client.

Now, admittedly, I have the BDC configured as a BDC, when due to the wan, it is unable to find the PDC.  (I have read a couple methods of making this possible without fully allowing netbios to broadcast through network segments, but have yet to test or impliment).

However, I would think that if it were trying to contact the PDC, it would not be searching it's local backend for "referrals".

Before I go digging through source code, perhaps someone could give me some insight on what's actually going on (or trying to go on for that matter).

As always, great thanks to the Samba team for allowing me to avoid dealing with AD, and great appreciation to any help given by you kind folks.


 -- Cy

More information about the samba mailing list