[Samba] Reply: Re: central PDC + remote BDCs: LDAP strategy, my lack of comprehension
sven.ehret at comdok.de
Fri Aug 21 02:22:04 MDT 2009
Thanks Michael, this did advance my progress. With “domain master = no”, “password server” set to the central server and “passdb backend” pointing to the local LDAP replica, my XP client now contacts the central SAMBA server when joining the domain. But now it is always logging on to the central server and not using the other, remote samba server at all (which honestly is in the same LAN in my testing environment). This is unwanted, partly because the logon script resides on the remote system and to reduce network traffic between client and central server (which would be fragile WAN traffic once rolled out).

Is there any way I can influence which server the client logs on to?

I tried changing the central server's option “domain logons” to “no”, but this had the strange effect of the central server creating a second LDAP sambaDomainName entry with its NetBIOS name as domain name. Clients could not log on to the domain anymore because of conflicting domain portions (SID trouble). I had to change it back.

Best regards
Sven Ehret
From: Michal Dobroczynski <michal.dobroczynski at gmail.com>
To: sven.ehret at comdok.de
Cc: samba at lists.samba.org
Date: 20.08.2009 14:50
Subject: Re: [Samba] central PDC + remote BDCs: LDAP strategy, my lack of comprehension
Hello Sven,

I have the following structure here:
- one PDC talking to RW OpenLDAP
- three BDCs talking to RO OpenLDAP replica

Basically I am using additional BDCs as file servers - and so far it works fine. Please take a look at "password server" and "passdb backend" (here you specify the RO replica). Think also about "ldapsam:trusted = yes" (large performance gain).

One of the BDCs is located 500km from where I am right now - and there is also a replica out there (accessed by Samba running out there to get all user/group info - but "password server" is located here).

According to a much older e-mail (when I had a question about BDCs) - a copy-paste from Volker's reply:
--- copy paste ---
On Fri, Oct 05, 2007 at 10:15:02PM +0200, Michal Dobroczynski wrote:
> Well - what I have discovered is that setting
>
> domain logons = Yes
> domain master = No
>
> seems to solve the problem.
... because this *is* the only way to tell Samba to be a
BDC. This must be somewhere in the docs.
Volker
--- copy paste ---
I hope this helps a bit.
Regards,
Michal
2009/8/20 <sven.ehret at comdok.de>:
> Hello, I am trying to figure out how to implement a samba domain in a number of remote offices around the world with partly bad and often interrupted WAN connections/VPNs. The goal is to administer the directory from the central data center.
>
> My obvious choice would be to set up a central server with SAMBA+OpenLDAP+smbldap-tools and in each remote office a SAMBA server with OpenLDAP as a read-only slave from the central master.
>
> Although I seem to make progress, it seems that the more time I invest in this project, the more questions emerge. My latest issue made me create this mailman account.
>
> My question is: When the remote SAMBA server only talks to its own local, read-only LDAP slave, how is it going to change user/machine passwords or add machine accounts (when joining the domain)?
>
> In my test setup an XP client insisted on trying to join the BDC, failing because a) smbldap-tools is not installed or b) it could not write to the slave LDAP directory.
>
> I surely could configure the remote SAMBA to talk to the central OpenLDAP service, but then I would not need LDAP replication and would not have a failover in case the WAN link goes down.
>
> There was the SAMBA option to have multiple tdbsam backends but this is not supported anymore.
>
> I hope that my explanation does enable somebody to give me a hint understanding what can/should/must be done.
>
> Kind regards
> Sven Ehret
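For reference, the settings named in this thread (domain logons / domain master, password server, passdb backend on the read-only replica, ldapsam:trusted) assembled into a PDC and BDC smb.conf pair. This is an added example, not configuration from either poster; EXAMPLEDOM, the host names, the LDAP suffix and the admin DN are assumed placeholders.

```ini
# Added example (not either poster's config): EXAMPLEDOM, host names, the
# LDAP suffix and the admin DN below are placeholders.

# ---- central PDC: owns the read-write OpenLDAP master ----
[global]
    workgroup           = EXAMPLEDOM
    netbios name        = PDC-CENTRAL
    domain logons       = yes
    domain master       = yes        # exactly one PDC per domain
    preferred master    = yes
    local master        = yes
    os level            = 65
    passdb backend      = ldapsam:ldap://ldap-master.example.internal
    ldap suffix         = dc=example,dc=internal
    ldap admin dn       = cn=admin,dc=example,dc=internal
    ldap user suffix    = ou=Users
    ldap group suffix   = ou=Groups
    ldap machine suffix = ou=Computers
    ldapsam:trusted     = yes        # Michal's "large performance gain"
    # Machine accounts are created here only: smbldap-tools and the writable
    # directory live on the PDC (Sven's BDC had neither).
    add machine script  = /usr/sbin/smbldap-useradd -w "%u"

# ---- remote BDC (one per office): reads the local OpenLDAP replica ----
[global]
    workgroup           = EXAMPLEDOM
    netbios name        = BDC-OFFICE1
    domain logons       = yes        # Volker: "domain logons = Yes" plus
    domain master       = no         # "domain master = No" is what makes a BDC
    preferred master    = yes        # may still win the browser election on its own LAN
    local master        = yes
    os level            = 64         # kept below the PDC's value
    # As in the thread: password changes and domain joins go to the central
    # PDC, because the local replica is read-only.
    password server     = PDC-CENTRAL
    passdb backend      = ldapsam:ldap://ldap-replica.office1.internal
    ldap suffix         = dc=example,dc=internal
    ldap admin dn       = cn=admin,dc=example,dc=internal
    ldap user suffix    = ou=Users
    ldap group suffix   = ou=Groups
    ldap machine suffix = ou=Computers
    ldapsam:trusted     = yes
    # No "add machine script" on the BDC: it cannot write to the replica.
    logon script        = logon.bat  # served from this office's [netlogon]

[netlogon]
    path      = /var/lib/samba/netlogon
    read only = yes
```

The BDC's read-only replica means any write Samba attempts there will fail, so anything that creates or changes directory entries must stay on the PDC side of the WAN link.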