[Samba] some question about BDCs

Tamás Pisch pischta at gmail.com
Mon Apr 27 09:05:42 GMT 2009


Hi,

> >> It will not interoperate with a PDC (NT4 or Samba) to synchronize
> >> the SAM from delta files that are held by BDCs.
>
> Samba3 BDCs can not do SAM sync with a Windows NT4 PDC.  Samba3 BDCs pass
> update requests to the Samba3 PDC - and the PDC will then apply the update
> to the LDAP directory.  It is possible to configure a Samba3 BDC to update
> LDAP directly - the choice is yours.
>
> > So, when I have SaMBa PDC (with master LDAP) and BDC (with slave LDAP),
> > can BDC update machine and/or user information or not?
>
> Yes, when a BDC receives an update request it will pass it to the PDC.
>
> > As I understood, only the LDAP solution is suitable for a PDC-BDC setup,
> > because "domain member servers and workstations periodically change the
> > Machine Trust Account password", so BDC has to update some data.
> > As I understood, BDC can change at least Machine Trust Account passwords.
> > Additional question: can a user change his/her login password, when
> > he/she connected to the BDC (in case PDC is available and in case PDC is
> > temporarily unavailable)?
>
> It depends on how the BDC is configured to integrate with LDAP.  It is
> possible to configure a Samba3 BDC to directly write to the LDAP master.
> This may not be an optimum solution, but it does work.
>

I would like to realize a configuration where the BDC can serve the network
even when the PDC (with its master LDAP database) is temporarily unavailable.
Serving means at least password changes, but ideally the other user and
computer management tasks too. How can I do this? It is not good when the BDC
writes to the PDC's master LDAP, because the master LDAP will be on the PDC,
so when the SaMBa 3 PDC is out, the master LDAP is out too. Is a multi-master
LDAP configuration the solution for this?


>
> > I read in TOSHARG2 too that in the BDC's smb.conf,
> > I don't need user/group modification scripts, so I guess, I cannot
> > add/modify them from the BDC.
>
> You can - IF the BDC is given direct write access to the LDAP directory.
>
> - John T.
>

To the master LDAP, so this is why I am thinking about a multi-master setup, if
this scenario ensures the availability and consistency too.

Thanks in advance

Tamas.

