[Samba] Samba PDC / BDC with ldapsam

Andrew Bartlett abartlet at samba.org
Mon Feb 23 07:18:00 GMT 2004

On Mon, 2004-02-23 at 12:35, Cybr0t McWhulf wrote:
> OS / Software:
> PDC / Master LDAP store:
> 	- Redhat 9
> 	- OpenLDAP 2.1.25
> 	- Samba 3.0.0
> BDC / Slave LDAP store:
> 	- Redat 9
> 	- OpenLDAP 2.0.27-8
> 	- Samba 3.0.2
> >From the Samba HOWTO Collection on www.samba.org:  (Backup Domain Control)
> "Can I Do This All with LDAP?
> The simple answer is yes. Samba's pdb_ldap code supports binding to a 
> replica LDAP server, and will also follow referrals and re-bind to 
> the master if it ever needs to make a modification to the database. 
> (Normally BDCs are read only, so this will not occur often)."
> That's a little vague and misleading.. as referrals are merely 
> pointers to subtrees in an ldap directory that are stored on 
> different ldap servers, whereas the "updateref" directive in 
> slapd.conf for a slave ldap server tells connecting clients 
> to connect to the master to make updates.

Whatever.  Feel free to provide a better paragraph, but I've always
heard it referred to as generating a referral.  (Watch out that the
average admin doesn't know nor care about the semantic difference, and
we should not baffle them in the quest for perfect correctness).

> Recently I set up a BDC on a slave ldap server on a remote 
> network connected to the local network via wan.  Authentication 
> works great, however, in testing I tried to change my password 
> on a remote windows client, and got a return error of "Unable 
> to change password: <MYDOMAINNAME> Domain is unavailable", or something to that degree.

The windows client is trying to find the PDC (in netbios)

> Upon reviewing the slave ldap logs, I saw samba searching 
> for "objectClass=referral", then "objectClass=*", before 
> returning the failure error to the client.

I think this is just the ldap libs, and unrelated.  For password
changes, the BDC is not contacted.

> Now, admittedly, I have the BDC configured as a BDC, when due
> to the wan, it is unable to find the PDC.  (I have read a 
> couple methods of making this possible without fully allowing
> netbios to broadcast through network segments, but have yet to 
> test or impliment).

You should configure your remote server as a netbios PDC.  

> However, I would think that if it were trying to contact 
> the PDC, it would not be searching it's local backend for 
> "referrals".

I think this is unrelated.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20040223/636cbfd3/attachment.bin

More information about the samba mailing list