[Samba] Multiple Samba PDCs doubt

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri Sep 3 07:43:44 MDT 2010


You should only have one PDC for a domain.  You can have multiple 
"Domain Controllers."  But you can have only one "Primary Domain 
Controller."  Any other domain controllers must be "Backup Domain 
Controllers."

All domain controllers provide logon functionality to clients.  All DCs 
use the same account backend.  Only a PDC can change the account 
database (e.g. when accounts are added, or passwords are changed.)

With true Windows "NT4" domain controllers, a read-only copy of the account 
database is replicated to the BDCs from PDCs.

With Samba DCs, you have a common LDAP backend (this can be a single 
LDAP server or multiple LDAP servers configured for replication.)

The Samba BDC should have "domain logons=yes"  but other masters should 
be no.

In terms of master browsers etc., the PDC should be the master browser.  
I would also configure the PDC as a WINS server - that makes a lot of 
those issues go away.

By default, XP clients will prefer to log on to a BDC over a PDC.    In 
most cases this is fine.





On 09/03/2010 09:20 AM, Marc Franquesa wrote:
> First, excuse me because I don't speak English very well (perhaps this
> is the reason that I mess up something when reading the documentation).
> I have read the Howto, some Examples and the book and I have some doubts
> which I like to solve. Excuse me for the big post, too ;)
>
> My starting point:
> - 3 Debian Linux Samba Servers
> - 1 Windows XP SP3 Professional
> - 1 OpenLDAP Server (on another Debian Linux Server)
> - All hosts in the same network
>
> Software that I'm using:
> - Debian Stable (Lenny) 5.0
> - Samba 3.2.5
> - OpenLDAP 2.4
> - Samba LDAP tools from IDEALX
> - PAM-LDAP
> - NSS-LDAP
>
> I verified it all and with a simple configuration for Samba (Simple
> Workgroup), the LDAP backend works well for all uses (authentication,
> authorization, NSS resolving, etc.) meaning that all LDAP packages are
> well configured. (But this question is more about Samba than
> Samba+LDAP).
>
> WHAT I AM TRYING TO DO:
>
> - Configure *ALL* 3 Linux Samba Servers as PDC for a NT4 Domain (for
> redundancy/fault tolerance).
> - Use the same LDAP backend for all Samba servers (centralized
> authn+authz)
> - Include the Windows XP SP3 as a Domain Member.
>
> I want that if one of the Samba Servers goes down (any of them) the
> Domain will not be affected.
>
> MY DOUBTS:
>
> - Following the documentation I must configure all Samba Servers with at
> least:
>
> [global]
> workgroup = MYWORKGROUP
> passdb backend = ldapsam:ldap://my.ldap.server
> os level = 33
> preferred master = yes
> domain master = yes
> local master = yes
> security = user
> domain logons = yes
>
> My big doubts appear when I read 'Security Mode and Master Browsers'
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html#id2564901
>
>> Configuring a Samba box as a domain controller for a domain that
>> already by definition has a PDC is asking for trouble.
>
> I understand that probably the problem gets fixed by the fact that all
> PDCs will use the same backend (LDAP), but I want to be sure that I
> don't have problems in the network nor broadcasts storms.
>
> If the problem is related to the Master Browser election can I solve it
> simply configuring different values for os level on each server?
>
> Please, if I don't explain well or if you have any questions, don't
> hesitate to ask me again.
>
>
> Thanks for the help and for this killapp
>
>
>    
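
A check for the rule stated in the reply (one PDC per domain, every DC on the same account backend), as an added example that is not part of the original thread or of Samba. The function names and the host names passed to `audit` are assumptions; it relies on Samba 3's documented default that "domain master = auto" acts as yes when "domain logons = yes".

```python
# Added example: lint the [global] sections of several smb.conf files for the
# one-PDC-per-domain rule. Helper names and sample configs are constructed.
from collections import defaultdict

YES = {"yes", "true", "on", "1"}

def parse_global(text):
    """Return [global] parameters; names lower-cased with whitespace removed,
    since Samba ignores case and spaces in parameter names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.split()).lower()] = value.strip()
    return params

def role_of(params):
    """'pdc', 'bdc' or None (not a domain controller)."""
    if params.get("domainlogons", "no").lower() not in YES:
        return None
    # "domain master" defaults to auto, which becomes yes when
    # "domain logons = yes", so a BDC must say "domain master = no".
    master = params.get("domainmaster", "auto").lower()
    return "pdc" if master in YES or master == "auto" else "bdc"

def audit(configs):
    """configs maps host name -> smb.conf text; returns a list of findings."""
    pdcs, backends, findings = defaultdict(list), defaultdict(set), []
    for host in sorted(configs):
        params = parse_global(configs[host])
        if role_of(params) is None:
            continue
        domain = params.get("workgroup", "WORKGROUP").upper()
        backends[domain].add(params.get("passdbbackend", "(default)"))
        if role_of(params) == "pdc":
            pdcs[domain].append(host)
    for domain in sorted(backends):
        if len(pdcs[domain]) != 1:
            findings.append(f"{domain}: expected 1 PDC, found {len(pdcs[domain])}: {pdcs[domain]}")
        if len(backends[domain]) > 1:
            findings.append(f"{domain}: DCs use different passdb backends")
    return findings

# Constructed input: the [global] settings from the question, and a BDC variant.
ASKED = "[global]\nworkgroup = MYWORKGROUP\npassdb backend = ldapsam:ldap://my.ldap.server\ndomain master = yes\ndomain logons = yes\n"
BDC = ASKED.replace("domain master = yes", "domain master = no")
```

Calling `audit` with `ASKED` on all three hosts reports three PDCs for MYWORKGROUP; with `ASKED` on one host and `BDC` on the other two it returns no findings.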


