[Samba] some question about BDCs

samba at terpstra-world.org
Fri Apr 24 12:09:34 GMT 2009

> Hi,
> I want to set up SaMBa PDC and BDC with LDAP. I read the TOSHARG2, but
> don't understand something:
>> Samba-3 cannot participate in true SAM replication and is therefore not
>> able to employ precisely the same protocols used by MS Windows NT4. A
>> Samba-3 BDC will not create SAM update delta files.
> Ok, I understand until that, but:
>> It will not interoperate with a PDC (NT4 or Samba) to synchronize
>> the SAM from delta files that are held by BDCs.

Samba3 BDCs cannot do SAM sync with a Windows NT4 PDC.  Samba3 BDCs pass
update requests to the Samba3 PDC - and the PDC will then apply the update
to the LDAP directory.  It is possible to configure a Samba3 BDC to update
LDAP directly - the choice is yours.

>> The BDC is said to hold a read-only of the SAM from which it is able to
>> process network logon requests and authenticate users. The BDC can
>> continue to provide this service, particularly while, for example, the
>> wide-area network link to the PDC is down.
> So, when I have SaMBa PDC (with master LDAP) and BDC (with slave LDAP),
> can BDC update machine and/or user information or not?

Yes, when a BDC receives an update request it will pass it to the PDC.

> As I understood, only the LDAP solution is suitable for a PDC-BDC setup,
> because "domain member servers and workstations periodically change the
> Machine Trust Account password", so BDC has to update some data.
> As I understood, BDC can change at least Machine Trust Account passwords.
> Additional question: can a user change his/her login password, when he/she
> connected to the BDC (in case PDC is available and in case PDC is
> temporarily unavailable)?

It depends on how the BDC is configured to integrate with LDAP.  It is
possible to configure a Samba3 BDC to directly write to the LDAP master.
This may not be an optimum solution, but it does work.

> I read in TOSHARG2 too that in the BDC's smb.conf,
> I don't need user/group modification scripts, so I guess, I cannot
> add/modify them from the BDC.

You can - IF the BDC is given direct write access to the LDAP directory.

- John T.
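As an added illustration (not part of the thread and not taken from TOSHARG2), a Samba3 BDC smb.conf that shows the two LDAP integration choices the reply describes: the BDC reading from its local slave replica, or the BDC writing to the LDAP master directly. Hostnames, the suffix and the admin DN are placeholders, and the comment that a slave replica refers writes to the master is an assumption about the OpenLDAP setup, not something the thread states.

```ini
[global]
    workgroup = EXAMPLE
    netbios name = BDC1
    security = user
    ; A BDC answers domain logons but must never claim the domain master role
    domain logons = yes
    domain master = no
    local master = yes
    preferred master = yes
    os level = 65

    ; Choice 1: bind to the local slave replica first, with the master as
    ; fallback. Reads (logon processing) are served locally; a write such as a
    ; Machine Trust Account password change only reaches the master if the
    ; replica is configured to refer updates there (assumption about the LDAP
    ; side, see lead-in).
    passdb backend = ldapsam:"ldap://ldap-slave.example.internal ldap://ldap-master.example.internal"

    ; Choice 2 (the "direct write" variant from the reply): point the BDC
    ; straight at the master so every update is applied there immediately.
    ; passdb backend = ldapsam:ldap://ldap-master.example.internal

    ldap suffix = dc=example,dc=internal
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=samba,dc=example,dc=internal
    ; Protect the admin bind and password data on the wire
    ldap ssl = start tls
    ; Give a write made on the master time to replicate back before it is re-read
    ldap replication sleep = 2000

    ; Only meaningful on the BDC when it is allowed to write to LDAP; with
    ; choice 1 and a replica that rejects writes these scripts will fail
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
```

The bind password for `ldap admin dn` is not kept in smb.conf; it is stored in secrets.tdb with `smbpasswd -w` on the BDC, and the BDC must use the same domain SID as the PDC.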
