[Samba] BDC, documentation, Machine Accounts Keep Expiring

Dmitry Melekhov dm at belkam.com
Wed May 4 08:39:29 GMT 2005


>Samba-3 does not at this time have this infrastructure. Samba-3 BDCs try to 
>contact the LDAP server directly. So long as the master LDAP server can be 
>contacted by the BDC the machine password change can be written, but if it is 
>down, or can not be contacted the change will fail.
>In other words, in the absence of the PDC, the BDC can deal with machine 
>account password changes so long as it can contact the master LDAP server.
If my PDC will fail, this mean that master ldap is down too ;-) And 
master ldap is single point of failure ......
IMHO, main question is does Samba BDC allow password change for domain 
machines. AFAIK, this is not fatal for domain machines to not change 
their passwords, i.e. it is possible to have SAM (or smbpasswd ;-) ) on 
BDC read-only.
I just want  to know does following comment 

       /* if this next call fails, then give up.  We can't do
           password changes on BDC's  --jerry */
in change_trust_pw.c
mean that machine password will not be changed on BDC?
Does somebody know answer to this , imho, simple question?
Certanly,  it is easy enough to add configuration parameter to smb.conf, 
something like bdc=yes/no and return NT_STATUS_UNSUCCESSFUL in this 
function, but should I? :-)

More information about the samba mailing list