[Samba] BDC & passwd changes

Andrew Bartlett abartlet at samba.org
Sat Feb 6 15:55:19 MST 2010

On Sun, 2010-02-07 at 00:21 +1100, Mike Fabre wrote:
> On Sat, Feb 06, 2010 at 08:18:06PM +1100, Andrew Bartlett wrote:
> > On Fri, 2010-02-05 at 10:21 +1100, Mike Fabre wrote:
> > > Hello
> > > 
> > > I have a network setup with one Samba PDC and two Samba BDCs separated
> > > by routers (ref http://www.cybersource.com.au/users/mikef/samba/). In
> > > this test environment the Samba servers all use the master OpenLDAP
> > > server on the PDC, but the production system will have OpenLDAP
> > > servers (using master-slave replication) on all Samba servers.
> > > 
> > > I can't get the Windows XP client to change a password or enroll on
> > > the domain when connected to either of the BDCs' networks, however
> > > both functions work fine when connected directly to the PDC's network.
> > > If the XP client is enrolled onto the domain while connected to the
> > > PDC's network then it successfully authenticates against the domain on
> > > all three networks, including after being relocated to either BDC network.
> > > 
> > > Anyone got any ideas what my problem might be?
> > 
> > What you need to do is either install a central WINS server, and point
> > the various networks at that single server,
> I have got the PDC acting as the WINS server with the BDCs acting as a
> WINS proxy through to the PDC, and then I have the clients use whatever
> Samba server they are connected to as the WINS server. Should that get
> the same result?

It's better to point the clients at the WINS server directly, but the
WINS proxy should work.

However, both methods give a single point of failure, unless you have a
replicating WINS server. 

Samba4 contains a replicating WINS server (see also the Samba4WINS
product), as does Windows. 

> > or (my preference) abuse the
> > separation of 'netbios name space' that your router has created, and
> > make all the Samba DCs PDCs of their own networks. 
> > 
> > That way, they will all be contacted for password changes, because on
> > each of their local networks, they hold the DOMAIN#1B name.  
> > 
> > (They need not be read-write OpenLDAP replicas, as Samba happily handles
> > the referral to the master for writes).
> That could work, is there any downside to doing it this way?

As long as the replication between the master and slave LDAP servers is
rapid, no (see the smb.conf documentation for 'ldap replication sleep').
It also avoids the need for a replicating WINS server, as you just have
one per subnet, which reduces the single point of failure.  By setting
'dns proxy = yes', hosts on other networks can still be found, as long
as they are in DNS. 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
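The layout Andrew recommends above (every Samba DC acting as domain master of its own routed subnet, a local read-only OpenLDAP replica whose writes are referred to the master, one WINS server per subnet, and DNS as the fallback for hosts on other subnets) written out as a Samba 3 smb.conf. This is an added example, not a configuration from the thread or from the Samba project; the domain name, NetBIOS name, LDAP suffix and admin DN are placeholders and would have to match the values already used on the existing PDC.

```ini
# smb.conf for one Samba 3 domain controller on its own routed subnet.
# Added example: EXAMPLEDOM, BDC1 and the dc=example,dc=com tree are
# placeholders, not values from the mailing-list thread.
[global]
    # Same domain on every DC; the NetBIOS name is unique per DC.
    workgroup = EXAMPLEDOM
    netbios name = BDC1
    security = user
    domain logons = yes

    # Each DC claims the DOMAIN<1B> domain master browser name on its own
    # subnet, so clients there send password changes and domain joins to it.
    domain master = yes
    preferred master = yes
    local master = yes
    os level = 65

    # One WINS server per subnet instead of a single central WINS server:
    # this subnet's clients point at this host for WINS. 'wins server' and
    # 'wins proxy' must NOT be set on a host that has 'wins support = yes';
    # Samba refuses the combination.
    wins support = yes

    # Hosts on the other subnets are still found, via DNS, when WINS has
    # no answer for a name.
    dns proxy = yes

    # Local OpenLDAP replica (slave). The slave answers reads; on a write it
    # returns a referral to the master, which Samba follows automatically.
    passdb backend = ldapsam:ldap://localhost
    ldap suffix = dc=example,dc=com
    ldap admin dn = cn=Manager,dc=example,dc=com
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers

    # Milliseconds Samba waits after a write before reading the entry back,
    # giving master-to-slave replication time to complete. Raise it if the
    # link between the subnets is slow; too small a value makes password
    # changes appear to fail even though the master accepted them.
    ldap replication sleep = 2000
```

The LDAP admin password is not kept in smb.conf; it is stored on each DC with `smbpasswd -w`, and the slave's `updateref` in slapd.conf must point at the master for the write referral to work. `testparm` reports the WINS conflict mentioned in the comments before smbd is started.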