[Samba] Samba PDC / BDC with ldapsam
abartlet at samba.org
Mon Feb 23 07:18:00 GMT 2004
On Mon, 2004-02-23 at 12:35, Cybr0t McWhulf wrote:
> OS / Software:
> PDC / Master LDAP store:
> - Redhat 9
> - OpenLDAP 2.1.25
> - Samba 3.0.0
> BDC / Slave LDAP store:
> - Redat 9
> - OpenLDAP 2.0.27-8
> - Samba 3.0.2
> >From the Samba HOWTO Collection on www.samba.org: (Backup Domain Control)
> "Can I Do This All with LDAP?
> The simple answer is yes. Samba's pdb_ldap code supports binding to a
> replica LDAP server, and will also follow referrals and re-bind to
> the master if it ever needs to make a modification to the database.
> (Normally BDCs are read only, so this will not occur often)."
> That's a little vague and misleading.. as referrals are merely
> pointers to subtrees in an ldap directory that are stored on
> different ldap servers, whereas the "updateref" directive in
> slapd.conf for a slave ldap server tells connecting clients
> to connect to the master to make updates.
Whatever. Feel free to provide a better paragraph, but I've always
heard it referred to as generating a referral. (Watch out that the
average admin doesn't know nor care about the semantic difference, and
we should not baffle them in the quest for perfect correctness).
> Recently I set up a BDC on a slave ldap server on a remote
> network connected to the local network via wan. Authentication
> works great, however, in testing I tried to change my password
> on a remote windows client, and got a return error of "Unable
> to change password: <MYDOMAINNAME> Domain is unavailable", or something to that degree.
The windows client is trying to find the PDC (in netbios)
> Upon reviewing the slave ldap logs, I saw samba searching
> for "objectClass=referral", then "objectClass=*", before
> returning the failure error to the client.
I think this is just the ldap libs, and unrelated. For password
changes, the BDC is not contacted.
> Now, admittedly, I have the BDC configured as a BDC, when due
> to the wan, it is unable to find the PDC. (I have read a
> couple methods of making this possible without fully allowing
> netbios to broadcast through network segments, but have yet to
> test or impliment).
You should configure your remote server as a netbios PDC.
> However, I would think that if it were trying to contact
> the PDC, it would not be searching it's local backend for
I think this is unrelated.
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20040223/636cbfd3/attachment.bin
More information about the samba