[Samba] Reply: Re: central PDC + remote BDCs: LDAP strategy, my lack of comprehension

Michal Dobroczynski michal.dobroczynski at gmail.com
Fri Aug 21 02:33:56 MDT 2009


Hello Sven,
How about using multiple password servers?

A copy-paste from man:
Example: password server = NT-PDC, NT-BDC1, NT-BDC2, *

This way you could have two password servers in two locations. If one
fails the other will take over (it sounds easy, but make sure you read
it carefully in the manual as there are some restrictions regarding
this behavior).

Regards,
Michal

2009/8/21  <sven.ehret at comdok.de>:
> Thanks Michael, this did advance my progress. With “domain master = no”,
> “password server” set to the central server and “passdb backend” pointing
> to the local LDAP replica, my XP client now contacts the central SAMBA
> server when joining the domain. But now it is always logging on to the
> central server and not using the other, remote samba server at all (which
> honestly is in the same LAN in my testing environment). This is unwanted,
> partly because the logon script resides on the remote system and to reduce
> network traffic between client and central server (which would be fragile
> WAN traffic once rolled out).
>
> Is there any way I can influence to which server the client logs on to?
>
> I tried changing the central server's option “domain logons” to “no”, but
> this had the strange effect of the central server creating a second LDAP
> sambaDomainName entry with its NetBIOS name as domain name. Clients could
> not log on to the domain anymore because of conflicting domain portions
> (SID trouble). I had to change it back.
>
> Best regards
> Sven Ehret
>
>
>
>
> From:
> Michal Dobroczynski <michal.dobroczynski at gmail.com>
> To:
> sven.ehret at comdok.de
> Cc:
> samba at lists.samba.org
> Date:
> 20.08.2009 14:50
> Subject:
> Re: [Samba] central PDC + remote BDCs: LDAP strategy, my lack of
> comprehension
>
>
>
> Hello Sven,
> I have the following structure here:
> - one PDC talking to RW OpenLDAP
> - three BDCs talking to RO OpenLDAP replica
>
> Basically I am using additional BDCs as file servers - and so far it
> works fine. Please take a look on "password server" and "passdb
> backend" (here you specify the RO replica). Think also about
> "ldapsam:trusted = yes" (large performance gain).
>
> One of the BDCs is located 500km from where I am right now - and there
> is also a replica out there (accessed by Samba running out there to
> get all user/group info - but "password server" is located here).
>
> According to a much older e-mail (when I had a question about BDCs) -
> a copy-paste from Volker's reply:
> --- copy paste ---
> On Fri, Oct 05, 2007 at 10:15:02PM +0200, Michal Dobroczynski wrote:
>> Well - what I have discovered is that setting
>>
>> domain logons = Yes
>> domain master = No
>>
>> seems to solve the problem.
>
> ... because this *is* the only way to tell Samba to be a
> BDC. This must be somewhere in the docs.
>
> Volker
> --- copy paste ---
>
> I hope this helps a bit.
>
> Regards,
> Michal
>
> 2009/8/20  <sven.ehret at comdok.de>:
>> Hello, I am trying to figure out how to implement a samba domain in a
>> number of remote offices around the world with partly bad and often
>> interrupted WAN connections/VPNs. The goal is to administer the
>> directory from the central data center.
>>
>> My obvious choice would be to set up a central server with
>> SAMBA+OpenLDAP+smbldap-tools and in each remote office a SAMBA server
>> with OpenLDAP as a read-only slave from the central master.
>>
>> Although I seem to make progress, it seems that the more time I invest
>> in this project, the more questions emerge. My latest issue made me
>> create this mailman account.
>>
>> My question is: When the remote SAMBA server only talks to its own
>> local, read-only LDAP slave, how is it going to change user/machine
>> passwords or add machine accounts (when joining the domain)?
>>
>> In my test setup an XP client insisted on trying to join the BDC,
>> failing because a) smbldap-tools is not installed or b) it could not
>> write to the slave LDAP directory.
>>
>> I surely could configure the remote SAMBA to talk to the central
>> OpenLDAP service, but then I would not need LDAP replication and would
>> not have a failover in case the WAN link goes down.
>>
>> There was the SAMBA option to have multiple tdbsam backends but this is
>> not supported anymore.
>>
>> I hope that my explanation does enable somebody to give me a hint
>> understanding what can/should/must be done.
>>
>> Kind regards
>> Sven Ehret
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>
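To make the settings discussed in this thread concrete, here is an smb.conf skeleton for a remote BDC. It is an added example, not a file posted by Michal, Sven or the Samba project: it combines the "domain logons = yes / domain master = no" pair from Volker's quoted reply, the "passdb backend" pointing at the local read-only OpenLDAP replica plus "ldapsam:trusted = yes" from Michal's first reply, and the ordered "password server" list with the "*" fallback from his second reply. All hostnames, the LDAP suffix, the domain name and the paths are placeholders.

```ini
# Added example (not from the thread): smb.conf for a remote BDC that reads
# accounts from a local read-only OpenLDAP replica. All names are placeholders.
[global]
    workgroup = EXAMPLEDOM
    netbios name = BDC-REMOTE1
    security = user

    # Volker's advice quoted above: this pair is what makes Samba a BDC.
    # A BDC must never win the domain master election, so keep it off.
    domain logons = yes
    domain master = no
    preferred master = no
    local master = yes

    # Michal's suggestion: ordered list of password servers, tried in order.
    # The trailing "*" tells Samba to locate a domain controller itself if
    # none of the named servers answers.
    password server = PDC-CENTRAL, BDC-REMOTE2, *

    # User/group/machine data comes from the replica running on this host.
    # ldapsam:trusted = yes lets Samba trust the posix attributes in LDAP
    # instead of resolving every user through the local NSS layer.
    passdb backend = ldapsam:ldap://localhost
    ldap suffix = dc=example,dc=invalid
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=samba,dc=example,dc=invalid
    ldap ssl = start tls
    ldapsam:trusted = yes

    # Sven's logon script lives on the remote server, so serve it from here.
    logon script = logon.bat
    logon drive = H:
    logon home = \\%N\%U

[netlogon]
    # Clients fetch logon.bat from this share; keep it read-only.
    path = /var/lib/samba/netlogon
    read only = yes
    browseable = no
```

The bind password for "ldap admin dn" is not kept in smb.conf; store it with "smbpasswd -w" on the BDC, and run "testparm" after editing to catch syntax errors before restarting smbd and nmbd. Michal's caution about reading the manual applies in particular to "password server": the smb.conf manual describes that parameter in terms of "security = domain" or "security = ads", so check how it behaves on a domain controller for the Samba version you actually run before relying on it for WAN failover. The replica being read-only is what prevents machine joins and password changes on the BDC, exactly as Sven observed; the configuration above does not change that, it only makes the remote server serve logons, shares and the netlogon script locally while the directory itself is administered centrally.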