[Samba] central PDC + remote BDCs: LDAP strategy, my lack of comprehension

sven.ehret at comdok.de sven.ehret at comdok.de
Thu Aug 20 06:24:32 MDT 2009


Hello, I am trying to figure out how to implement a samba domain in a 
number of remote offices around the world with partly bad and often 
interrupted WAN connections/VPNs. The goal is to administer the directory 
from the central data center.

My obvious choice would be to set up a central server with 
SAMBA+OpenLDAP+smbldap-tools and in each remote office a SAMBA server with 
OpenLDAP as a read-only slave from the central master.

Although I seem to make progress, it seems that the more time I invest in 
this project, the more questions emerge. My latest issue made me create 
this mailman account.

My question is: When the remote SAMBA server only talks to its own local, 
read-only LDAP slave, how is it going to change user/machine passwords or 
add machine accounts (when joining the domain)?

In my test setup an XP client insisted on trying to join the BDC, failing 
because a) smbldap-tools is not installed or b) it could not write to the 
slave LDAP directory.

I surely could configure the remote SAMBA to talk to the central OpenLDAP 
service, but then I would not need LDAP replication and would not have a 
failover in case the WAN link goes down.

There was the SAMBA option to have multiple tdbsam backends but this is 
not supported anymore.

I hope that my explanation does enable somebody to give me a hint 
understanding what can/should/must be done.

Kind regards
Sven Ehret
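The usual way to let a BDC keep talking only to its local replica while still getting writes (machine-account creation on a join, password changes) to the central directory is to have the read-only OpenLDAP consumer answer writes with a referral to the master, and to let Samba and smbldap-tools follow that referral. The configuration below is an added example, not something from the post above or from the Samba or OpenLDAP projects' documentation; `dc=example,dc=com`, `ldap-master.example.com`, the `cn=replicator` bind DN and the credential strings are placeholders.

```conf
# --- slapd.conf on the branch-office server (read-only consumer) ---
# Example configuration; host names, suffix and credentials are assumed.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

# Pull the directory from the central master and keep the connection open;
# retry every 60 s for as long as the WAN link is down.
syncrepl rid=001
        provider=ldaps://ldap-master.example.com
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=com"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=REPLICATOR_PASSWORD_PLACEHOLDER

# Any write sent to this replica is answered with a referral to the master
# instead of an error; clients that chase referrals then write centrally.
updateref       ldaps://ldap-master.example.com

# --- smb.conf on the branch-office BDC ---
[global]
   workgroup = EXAMPLE
   domain logons = yes
   domain master = no
   # Reads and authentication go to the local replica only
   passdb backend = ldapsam:ldap://localhost
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=admin,dc=example,dc=com
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
   ldap group suffix = ou=Groups
   ldap idmap suffix = ou=Idmap
   # After a write has been referred to the master, wait (ms) for syncrepl
   # to bring the change back before re-reading it from the local replica
   ldap replication sleep = 2000
   # smbldap-tools create the machine account on the join
   add machine script = /usr/sbin/smbldap-useradd -w "%u"

# --- smbldap.conf on the branch-office BDC ---
# smbldap-tools can be told explicitly where to read and where to write
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="ldap-master.example.com"
masterPort="636"
ldapTLS="1"
```

Two points follow from this layout. First, the replica only gives you read and logon failover: while the WAN link is down, existing users can still authenticate against the local consumer, but anything that must write (a domain join, a password change, a new account) will fail until the master is reachable again, which is inherent to a single-master directory. Second, the referral makes the BDC re-bind to the central master with the `ldap admin dn` credential across the WAN, so that link should be TLS-protected (`ldaps://` above, or `ldap tls` in smb.conf), and the admin DN's password should be treated as a secret that now crosses office boundaries.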

