[Samba] Reply: Re: central PDC + remote BDCs: LDAP strategy, my lack of comprehension

sven.ehret at comdok.de sven.ehret at comdok.de
Fri Aug 21 02:22:04 MDT 2009


Thanks Michal, this did advance my progress. With “domain master = no”, 
“password server” set to the central server and “passdb backend” pointing 
to the local LDAP replica, my XP client now contacts the central SAMBA 
server when joining the domain. But now it is always logging on to the 
central server and not using the other, remote samba server at all (which 
honestly is in the same LAN in my testing environment). This is unwanted, 
partly because the logon script resides on the remote system and partly to 
reduce network traffic between client and central server (which would be 
fragile WAN traffic once rolled out).

Is there any way I can influence which server the client logs on to?

I tried changing the central server's option “domain logons” to “no”, but 
this had the strange effect of the central server creating a second LDAP 
sambaDomainName entry with its NetBIOS name as domain name. Clients could 
not log on to the domain anymore because of conflicting domain portions 
(SID trouble). I had to change it back.

Best regards
Sven Ehret




From: Michal Dobroczynski <michal.dobroczynski at gmail.com>
To: sven.ehret at comdok.de
Cc: samba at lists.samba.org
Date: 20.08.2009 14:50
Subject: Re: [Samba] central PDC + remote BDCs: LDAP strategy, my lack of comprehension



Hello Sven,
I have the following structure here:
- one PDC talking to RW OpenLDAP
- three BDCs talking to RO OpenLDAP replica

Basically I am using additional BDCs as file servers - and so far it
works fine. Please take a look at "password server" and "passdb
backend" (here you specify the RO replica). Think also about
"ldapsam:trusted = yes" (large performance gain).

One of the BDCs is located 500km from where I am right now - and there
is also a replica out there (accessed by Samba running out there to
get all user/group info - but "password server" is located here).

According to a much older e-mail (when I had a question about BDCs) -
a copy-paste from Volker's reply:
--- copy paste ---
On Fri, Oct 05, 2007 at 10:15:02PM +0200, Michal Dobroczynski wrote:
> Well - what I have discovered is that setting
>
> domain logons = Yes
> domain master = No
>
> seems to solve the problem.

... because this *is* the only way to tell Samba to be a
BDC. This must be somewhere in the docs.

Volker
--- copy paste ---

I hope this helps a bit.

Regards,
Michal

2009/8/20  <sven.ehret at comdok.de>:
> Hello, I am trying to figure out how to implement a samba domain in a
> number of remote offices around the world with partly bad and often
> interrupted WAN connections/VPNs. The goal is to administer the directory
> from the central data center.
>
> My obvious choice would be to set up a central server with
> SAMBA+OpenLDAP+smbldap-tools and in each remote office a SAMBA server with
> OpenLDAP as a read-only slave from the central master.
>
> Although I seem to make progress, it seems that the more time I invest in
> this project, the more questions emerge. My latest issue made me create
> this mailman account.
>
> My question is: When the remote SAMBA server only talks to its own local,
> read-only LDAP slave, how is it going to change user/machine passwords or
> add machine accounts (when joining the domain)?
>
> In my test setup an XP client insisted on trying to join the BDC, failing
> because a) smbldap-tools is not installed or b) it could not write to the
> slave LDAP directory.
>
> I surely could configure the remote SAMBA to talk to the central OpenLDAP
> service, but then I would not need LDAP replication and would not have a
> failover in case the WAN link goes down.
>
> There was the SAMBA option to have multiple tdbsam backends but this is
> not supported anymore.
>
> I hope that my explanation does enable somebody to give me a hint on
> understanding what can/should/must be done.
>
> Kind regards
> Sven Ehret
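The PDC/BDC split discussed in this thread (domain logons on and domain master off for the BDC, "password server" at the central host, "passdb backend" on the local read-only replica, "ldapsam:trusted = yes", logon script served locally), written out as two smb.conf fragments. This is an added example, not a configuration posted by Sven or Michal; the domain name, host names, LDAP suffix, admin DN and paths are placeholders, and OpenLDAP master/replica setup is assumed to exist separately.

```ini
# ===== /etc/samba/smb.conf on the central PDC (writable OpenLDAP master on this host) =====
[global]
   workgroup = EXAMPLEDOM
   netbios name = PDC-CENTRAL
   security = user
   ; only the PDC claims the domain master role
   domain logons = yes
   domain master = yes
   preferred master = yes
   ; accounts are read from and written to the LDAP master
   passdb backend = ldapsam:ldap://127.0.0.1
   ldap suffix = dc=example,dc=internal
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap admin dn = cn=samba,dc=example,dc=internal
   ; trust the LDAP data and skip extra POSIX lookups (Michal's performance hint)
   ldapsam:trusted = yes
   ; machine accounts are created here on join, so smbldap-tools lives on the PDC only
   add machine script = /usr/sbin/smbldap-useradd -w "%u"

# ===== /etc/samba/smb.conf on a remote BDC (read-only OpenLDAP replica on this host) =====
[global]
   workgroup = EXAMPLEDOM
   netbios name = BDC-REMOTE1
   security = user
   ; Volker's rule: domain logons on, domain master off makes Samba a BDC
   domain logons = yes
   domain master = no
   preferred master = no
   ; central server, as set in Michal's and Sven's setups
   password server = PDC-CENTRAL
   ; reads come from the local replica, so logons keep working during a WAN outage
   passdb backend = ldapsam:ldap://127.0.0.1
   ldap suffix = dc=example,dc=internal
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap admin dn = cn=samba,dc=example,dc=internal
   ldapsam:trusted = yes
   ; no add machine script here: the replica cannot be written to

; logon script served from the BDC so clients do not fetch it across the WAN
[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes
   browseable = no
```

The two [global] sections belong to two separate files, one per host; smb.conf does not accept inline comments after a value, which is why every comment sits on its own line.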
