- Regenerate docs

- Fix db2latex (it depended on the $Id$ tags)
- Fix CUPS-Printing syntax
- Update instructions in docbook.txt
(This used to be commit 8d7c96a4e267c5546518d097edbe03e27b1ad073)

1 files changed, 245 insertions, 347 deletions

diff --git a/docs/htmldocs/samba-bdc.html b/docs/htmldocs/samba-bdc.html
index ef06a89416..95d1cc4e5f 100644
--- a/docs/htmldocs/samba-bdc.html
+++ b/docs/htmldocs/samba-bdc.html
@@ -1,348 +1,246 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<HTML
-><HEAD
-><TITLE
->How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
-"><LINK
-REL="HOME"
-TITLE="SAMBA Project Documentation"
-HREF="samba-howto-collection.html"><LINK
-REL="UP"
-TITLE="Type of installation"
-HREF="type.html"><LINK
-REL="PREVIOUS"
-TITLE="How to Configure Samba as a NT4 Primary Domain Controller"
-HREF="samba-pdc.html"><LINK
-REL="NEXT"
-TITLE="Samba as a ADS domain member"
-HREF="ads.html"></HEAD
-><BODY
-CLASS="CHAPTER"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><DIV
-CLASS="NAVHEADER"
-><TABLE
-SUMMARY="Header navigation table"
-WIDTH="100%"
-BORDER="0"
-CELLPADDING="0"
-CELLSPACING="0"
-><TR
-><TH
-COLSPAN="3"
-ALIGN="center"
->SAMBA Project Documentation</TH
-></TR
-><TR
-><TD
-WIDTH="10%"
-ALIGN="left"
-VALIGN="bottom"
-><A
-HREF="samba-pdc.html"
-ACCESSKEY="P"
->Prev</A
-></TD
-><TD
-WIDTH="80%"
-ALIGN="center"
-VALIGN="bottom"
-></TD
-><TD
-WIDTH="10%"
-ALIGN="right"
-VALIGN="bottom"
-><A
-HREF="ads.html"
-ACCESSKEY="N"
->Next</A
-></TD
-></TR
-></TABLE
-><HR
-ALIGN="LEFT"
-WIDTH="100%"></DIV
-><DIV
-CLASS="CHAPTER"
-><H1
-><A
-NAME="SAMBA-BDC">Chapter 7. How to Act as a Backup Domain Controller in a Purely Samba Controlled Domain</H1
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN1127">7.1. Prerequisite Reading</H1
-><P
->Before you continue reading in this chapter, please make sure
-that you are comfortable with configuring a Samba PDC
-as described in the <A
-HREF="Samba-PDC-HOWTO.html"
-TARGET="_top"
->Samba-PDC-HOWTO</A
->.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN1131">7.2. Background</H1
-><P
->What is a Domain Controller? It is a machine that is able to answer
-logon requests from workstations in a Windows NT Domain. Whenever a
-user logs into a Windows NT Workstation, the workstation connects to a
-Domain Controller and asks him whether the username and password the
-user typed in is correct.  The Domain Controller replies with a lot of
-information about the user, for example the place where the users
-profile is stored, the users full name of the user. All this
-information is stored in the NT user database, the so-called SAM.</P
-><P
->There are two kinds of Domain Controller in a NT 4 compatible Domain:
-A Primary Domain Controller (PDC) and one or more Backup Domain
-Controllers (BDC). The PDC contains the master copy of the
-SAM. Whenever the SAM has to change, for example when a user changes
-his password, this change has to be done on the PDC. A Backup Domain
-Controller is a machine that maintains a read-only copy of the
-SAM. This way it is able to reply to logon requests and authenticate
-users in case the PDC is not available. During this time no changes to
-the SAM are possible. Whenever changes to the SAM are done on the PDC,
-all BDC receive the changes from the PDC.</P
-><P
->Since version 2.2 Samba officially supports domain logons for all
-current Windows Clients, including Windows 2000 and XP. This text
-assumes the domain to be named SAMBA. To be able to act as a PDC, some
-parameters in the [global]-section of the smb.conf have to be set:</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->workgroup = SAMBA
-domain master = yes
-domain logons = yes</PRE
-></P
-><P
->Several other things like a [homes] and a [netlogon] share also may be
-set along with settings for the profile path, the users home drive and
-others. This will not be covered in this document.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN1139">7.3. What qualifies a Domain Controller on the network?</H1
-><P
->Every machine that is a Domain Controller for the domain SAMBA has to
-register the NetBIOS group name SAMBA#1c with the WINS server and/or
-by broadcast on the local network. The PDC also registers the unique
-NetBIOS name SAMBA#1b with the WINS server. The name type #1b is
-normally reserved for the domain master browser, a role that has
-nothing to do with anything related to authentication, but the
-Microsoft Domain implementation requires the domain master browser to
-be on the same machine as the PDC.</P
-><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN1142">7.3.1. How does a Workstation find its domain controller?</H2
-><P
->A NT workstation in the domain SAMBA that wants a local user to be
-authenticated has to find the domain controller for SAMBA. It does
-this by doing a NetBIOS name query for the group name SAMBA#1c. It
-assumes that each of the machines it gets back from the queries is a
-domain controller and can answer logon requests. To not open security
-holes both the workstation and the selected (TODO: How is the DC
-chosen) domain controller authenticate each other. After that the
-workstation sends the user's credentials (his name and password) to
-the domain controller, asking for approval.</P
-></DIV
-><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN1145">7.3.2. When is the PDC needed?</H2
-><P
->Whenever a user wants to change his password, this has to be done on
-the PDC. To find the PDC, the workstation does a NetBIOS name query
-for SAMBA#1b, assuming this machine maintains the master copy of the
-SAM. The workstation contacts the PDC, both mutually authenticate and
-the password change is done.</P
-></DIV
-></DIV
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN1148">7.4. Can Samba be a Backup Domain Controller?</H1
-><P
->With version 2.2, no. The native NT SAM replication protocols have
-not yet been fully implemented. The Samba Team is working on
-understanding and implementing the protocols, but this work has not
-been finished for version 2.2.</P
-><P
->Can I get the benefits of a BDC with Samba?  Yes. The main reason for
-implementing a BDC is availability. If the PDC is a Samba machine,
-a second Samba machine can be set up to
-service logon requests whenever the PDC is down.</P
-></DIV
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN1152">7.5. How do I set up a Samba BDC?</H1
-><P
->Several things have to be done:</P
-><P
-></P
-><UL
-><LI
-><P
->The domain SID has to be the same on the PDC and the BDC. This used to
-be stored in the file private/MACHINE.SID. This file is not created
-anymore since Samba 2.2.5 or even earlier. Nowadays the domain SID is
-stored in the file private/secrets.tdb. Simply copying the secrets.tdb
-from the PDC to the BDC does not work, as the BDC would
-generate a new SID for itself and override the domain SID with this
-new BDC SID.</P
-><P
->To retrieve the domain SID from the PDC or an existing BDC and store it in the
-secrets.tdb, execute 'net rpc getsid' on the BDC.</P
-></LI
-><LI
-><P
->The Unix user database has to be synchronized from the PDC to the
-BDC. This means that both the /etc/passwd and /etc/group have to be
-replicated from the PDC to the BDC. This can be done manually
-whenever changes are made, or the PDC is set up as a NIS master
-server and the BDC as a NIS slave server. To set up the BDC as a
-mere NIS client would not be enough, as the BDC would not be able to
-access its user database in case of a PDC failure.</P
-></LI
-><LI
-><P
->The Samba password database in the file private/smbpasswd has to be
-replicated from the PDC to the BDC. This is a bit tricky, see the
-next section.</P
-></LI
-><LI
-><P
->Any netlogon share has to be replicated from the PDC to the
-BDC. This can be done manually whenever login scripts are changed,
-or it can be done automatically together with the smbpasswd
-synchronization.</P
-></LI
-></UL
-><P
->Finally, the BDC has to be found by the workstations. This can be done
-by setting</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->workgroup = samba
-domain master = no
-domain logons = yes</PRE
-></P
-><P
->in the [global]-section of the smb.conf of the BDC. This makes the BDC
-only register the name SAMBA#1c with the WINS server. This is no
-problem as the name SAMBA#1c is a NetBIOS group name that is meant to
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 6. Backup Domain Control</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="samba-pdc.html" title="Chapter 5. Domain Control"><link rel="next" href="domain-member.html" title="Chapter 7. Domain Membership"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. Backup Domain Control</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="samba-pdc.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="domain-member.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="samba-bdc"></a>Chapter 6. Backup Domain Control</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Volker</span> <span class="surname">Lendecke</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:Volker.Lendecke@SerNet.DE">Volker.Lendecke@SerNet.DE</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="samba-bdc.html#id2895956">Features And Benefits</a></dt><dt><a href="samba-bdc.html#id2896128">Essential Background Information</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896156">MS Windows NT4 Style Domain Control</a></dt><dt><a href="samba-bdc.html#id2896368">Active Directory Domain Control</a></dt><dt><a href="samba-bdc.html#id2896390">What qualifies a Domain Controller on the network?</a></dt><dt><a href="samba-bdc.html#id2896416">How does a Workstation find its domain controller?</a></dt></dl></dd><dt><a href="samba-bdc.html#id2896462">Backup Domain Controller Configuration</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896532">Example Configuration</a></dt></dl></dd><dt><a href="samba-bdc.html#id2896591">Common Errors</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896605">Machine Accounts keep expiring, what can I do?</a></dt><dt><a href="samba-bdc.html#id2896630">Can Samba be a Backup Domain Controller to an NT4 PDC?</a></dt><dt><a href="samba-bdc.html#id2896663">How do I replicate the smbpasswd file?</a></dt><dt><a href="samba-bdc.html#id2896692">Can I do this all with LDAP?</a></dt></dl></dd></dl></div><p>
+Before you continue reading in this section, please make sure that you are comfortable
+with configuring a Samba Domain Controller as described in the
+<a href="Samba-PDC-HOWTO.html" target="_top">Domain Control Chapter</a>.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2895956"></a>Features And Benefits</h2></div></div><div></div></div><p>
+This is one of the most difficult chapters to summarise. It matters not what we say here
+for someone will still draw conclusions and / or approach the Samba-Team with expectations
+that are either not yet capable of being delivered, or that can be achieved for more
+effectively using a totally different approach. Since this HOWTO is already so large and
+extensive, we have taken the decision to provide sufficient (but not comprehensive)
+information regarding Backup Domain Control. In the event that you should have a persistent
+concern that is not addressed in this HOWTO document then please email 
+<a href="mailto:jht@samba.org" target="_top">John H Terpstra</a> clearly setting out your requirements
+and / or question and we will do our best to provide a solution.
+</p><p>
+Samba-3 is capable of acting as a Backup Domain Controller to another Samba Primary Domain
+Controller. A Samba-3 PDC can operate with an LDAP Account backend. The Samba-3 BDC can
+operate with a slave LDAP server for the Account backend. This effectively gives samba a high
+degree of scalability. This is a very sweet (nice) solution for large organisations.
+</p><p>
+While it is possible to run a Samba-3 BDC with non-LDAP backend, the administrator will
+need to figure out precisely what is the best way to replicate (copy / distribute) the
+user and machine Accounts backend.
+</p><p>
+The use of a non-LDAP backend SAM database is particularly problematic because Domain member
+servers and workstations periodically change the machine trust account password. The new
+password is then stored only locally. This means that in the absence of a centrally stored
+accounts database (such as that provided with an LDAP based solution) if Samba-3 is running
+as a BDC, the PDC instance of the Domain member trust account password will not reach the
+PDC (master) copy of the SAM. If the PDC SAM is then replicated to BDCs this results in 
+overwriting of the SAM that contains the updated (changed) trust account password with resulting
+breakage of the domain trust.
+</p><p>
+Considering the number of comments and questions raised concerning how to configure a BDC
+lets consider each possible option and look at the pro's and con's for each theoretical solution:
+</p><div class="itemizedlist"><p class="title"><b>Backup Domain Backend Account Distribution Options</b></p><ul type="disc"><li><p>
+	Solution: Passwd Backend is LDAP based, BDCs use a slave LDAP server
+	</p><p>
+	Arguments For: This is a neat and manageable solution. The LDAP based SAM (ldapsam)
+	is constantly kept up to date.
+	</p><p>
+	Arguments Against: Complexity
+	</p></li><li><p>
+	Passdb Backend is tdbsam based, BDCs use cron based &quot;net rcp vampire&quot; to
+	suck down the Accounts database from the PDC
+	</p><p>
+	Arguments For: It would be a nice solution
+	</p><p>
+	Arguments Against: It does not work because Samba-3 does not support the required
+	protocols. This may become a later feature but is not available today.
+	</p></li><li><p>
+	Make use of rsync to replicate (pull down) copies of the essential account files
+	</p><p>
+	Arguments For: It is a simple solution, easy to set up as a scheduled job
+	</p><p>
+	Arguments Against: This will over-write the locally changed machine trust account
+	passwords. This is a broken and flawed solution. Do NOT do this.
+	</p></li><li><p>
+	Operate with an entirely local accounts database (not recommended)
+	</p><p>
+	Arguments For: Simple, easy to maintain
+	</p><p>
+	Arguments Against: All machine trust accounts and user accounts will be locally
+	maintained. Domain users will NOT be able to roam from office to office. This is
+	a broken and flawed solution. Do NOT do this.
+	</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2896128"></a>Essential Background Information</h2></div></div><div></div></div><p>
+A Domain Controller is a machine that is able to answer logon requests from network
+workstations. Microsoft LanManager and IBM LanServer were two early products that
+provided this capability. The technology has become known as the LanMan Netlogon service.
+</p><p>
+When MS Windows NT3.10 was first released it supported an new style of Domain Control
+and with it a new form of the network logon service that has extended functionality.
+This service became known as the NT NetLogon Service. The nature of this service has
+changed with the evolution of MS Windows NT and today provides a very complex array of
+services that are implemented over a complex spectrum of technologies.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896156"></a>MS Windows NT4 Style Domain Control</h3></div></div><div></div></div><p>
+Whenever a user logs into a Windows NT4 / 200x / XP Profresional Workstation,
+the workstation connects to a Domain Controller (authentication server) to validate
+the username and password that the user entered are valid. If the information entered
+does not validate against the account information that has been stored in the Domain
+Control database (the SAM, or Security Accounts Manager database) then a set of error
+codes is returned to the workstation that has made the authentication request.
+</p><p>
+When the username / password pair has been validated, the Domain Controller
+(authentication server) will respond with full enumeration of the account information
+that has been stored regarding that user in the User and Machine Accounts database
+for that Domain. This information contains a complete network access profile for
+the user but excludes any information that is particular to the user's desktop profile,
+or for that matter it excludes all desktop profiles for groups that the user may
+belong to. It does include password time limits, password uniqueness controls,
+network access time limits, account validity information, machine names from which the
+user may access the network, and much more. All this information was stored in the SAM
+in all versions of MS Windows NT (3.10, 3.50, 3.51, 4.0).
+</p><p>
+The account information (user and machine) on Domain Controllers is stored in two files,
+one containing the Security information and the other the SAM. These are stored in files
+by the same name in the <tt class="filename">C:\WinNT\System32\config</tt> directory. These
+are the files that are involved in replication of the SAM database where Backup Domain
+Controllers are present on the network.
+</p><p>
+There are two situations in which it is desirable to install Backup Domain Controllers:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+	On the local network that the Primary Domain Controller is on if there are many
+	workstations and/or where the PDC is generally very busy. In this case the BDCs
+	will pick up network logon requests and help to add robustness to network services.
+	</p></li><li><p>
+	At each remote site, to reduce wide area network traffic and to add stability to
+	remote network operations. The design of the network, the strategic placement of
+	Backup Domain Controllers, together with an implementation that localises as much
+	of network to client interchange as possible will help to minimise wide area network
+	bandwidth needs (and thus costs).
+	</p></li></ul></div><p>
+The PDC contains the master copy of the SAM. In the event that an administrator makes a
+change to the user account database while physically present on the local network that
+has the PDC, the change will likely be made directly to the PDC instance of the master
+copy of the SAM. In the event that this update may be performed in a branch office the
+change will likely be stored in a delta file on the local BDC. The BDC will then send
+a trigger to the PDC to commence the process of SAM synchronisation. The PDC will then
+request the delta from the BDC and apply it to the master SAM. THe PDC will then contact
+all the BDCs in the Domain and trigger them to obtain the update and then apply that to
+their own copy of the SAM.
+</p><p>
+Thus the BDC is said to hold a <span class="emphasis"><em>read-only</em></span> of the SAM from which
+it is able to process network logon requests and to authenticate users. The BDC can
+continue to provide this service, particularly while, for example, the wide area
+network link to the PDC is down. Thus a BDC plays a very important role in both
+maintenance of Domain security as well as in network integrity.
+</p><p>
+In the event that the PDC should need to be taken out of service, or if it dies, then
+one of the BDCs can be promoted to a PDC. If this happens while the original PDC is on
+line then it is automatically demoted to a BDC. This is an important aspect of Domain
+Controller management. The tool that is used to affect a promotion or a demotion is the
+Server Manager for Domains.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2896305"></a>Example PDC Configuration</h4></div></div><div></div></div><p>
+Since version 2.2 Samba officially supports domain logons for all current Windows Clients,
+including Windows NT4, 2003 and XP Professional. For samba to be enabled as a PDC some
+parameters in the <i class="parameter"><tt>[global]</tt></i>-section of the <tt class="filename">smb.conf</tt> have to be set:
+</p><pre class="programlisting">
+	workgroup = SAMBA
+	domain master = yes
+	domain logons = yes
+</pre><p>
+Several other things like a <i class="parameter"><tt>[homes]</tt></i> and a <i class="parameter"><tt>[netlogon]</tt></i> share also need to be set along with
+settings for the profile path, the users home drive, etc.. This will not be covered in this
+chapter, for more information please refer to the chapter on Domain Control.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896368"></a>Active Directory Domain Control</h3></div></div><div></div></div><p>
+As of the release of MS Windows 2000 and Active Directory, this information is now stored
+in a directory that can be replicated and for which partial or full administrative control
+can be delegated. Samba-3 is NOT able to be a Domain Controller within an Active Directory
+tree, and it can not be an Active Directory server. This means that Samba-3 also can NOT
+act as a Backup Domain Contoller to an Active Directory Domain Controller.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896390"></a>What qualifies a Domain Controller on the network?</h3></div></div><div></div></div><p>
+Every machine that is a Domain Controller for the domain SAMBA has to register the NetBIOS
+group name SAMBA&lt;#1c&gt; with the WINS server and/or by broadcast on the local network.
+The PDC also registers the unique NetBIOS name SAMBA&lt;#1b&gt; with the WINS server.
+The name type &lt;#1b&gt; name is normally reserved for the Domain Master Browser, a role
+that has nothing to do with anything related to authentication, but the Microsoft Domain
+implementation requires the domain master browser to be on the same machine as the PDC.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896416"></a>How does a Workstation find its domain controller?</h3></div></div><div></div></div><p>
+An MS Windows NT4 / 200x / XP Professional workstation in the domain SAMBA that wants a
+local user to be authenticated has to find the domain controller for SAMBA. It does this
+by doing a NetBIOS name query for the group name SAMBA&lt;#1c&gt;. It assumes that each
+of the machines it gets back from the queries is a domain controller and can answer logon
+requests. To not open security holes both the workstation and the selected domain controller
+authenticate each other. After that the workstation sends the user's credentials (name and
+password) to the local Domain Controller, for valdation.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2896462"></a>Backup Domain Controller Configuration</h2></div></div><div></div></div><p>
+Several things have to be done:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+	The domain SID has to be the same on the PDC and the BDC. This used to
+	be stored in the file private/MACHINE.SID. This file is not created
+	anymore since Samba 2.2.5 or even earlier. Nowadays the domain SID is
+	stored in the file private/secrets.tdb. Simply copying the secrets.tdb
+	from the PDC to the BDC does not work, as the BDC would
+	generate a new SID for itself and override the domain SID with this
+	new BDC SID.</p><p>
+	To retrieve the domain SID from the PDC or an existing BDC and store it in the
+	secrets.tdb, execute 'net rpc getsid' on the BDC.
+	</p></li><li><p>
+	The Unix user database has to be synchronized from the PDC to the
+	BDC. This means that both the /etc/passwd and /etc/group have to be
+	replicated from the PDC to the BDC. This can be done manually
+	whenever changes are made, or the PDC is set up as a NIS master
+	server and the BDC as a NIS slave server. To set up the BDC as a
+	mere NIS client would not be enough, as the BDC would not be able to
+	access its user database in case of a PDC failure.
+	</p></li><li><p>
+	The Samba password database in the file private/smbpasswd has to be
+	replicated from the PDC to the BDC. This is a bit tricky, see the
+	next section.
+	</p></li><li><p>
+	Any netlogon share has to be replicated from the PDC to the
+	BDC. This can be done manually whenever login scripts are changed,
+	or it can be done automatically together with the smbpasswd
+	synchronization.
+	</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896532"></a>Example Configuration</h3></div></div><div></div></div><p>
+Finally, the BDC has to be found by the workstations. This can be done by setting:
+</p><pre class="programlisting">
+	workgroup = SAMBA
+	domain master = no
+	domain logons = yes
+</pre><p>
+in the <i class="parameter"><tt>[global]</tt></i>-section of the <tt class="filename">smb.conf</tt> of the BDC. This makes the BDC
+only register the name SAMBA&lt;#1c&gt; with the WINS server. This is no
+problem as the name SAMBA&lt;#1c&gt; is a NetBIOS group name that is meant to
 be registered by more than one machine. The parameter 'domain master =
-no' forces the BDC not to register SAMBA#1b which as a unique NetBIOS
-name is reserved for the Primary Domain Controller.</P
-><DIV
-CLASS="SECT2"
-><H2
-CLASS="SECT2"
-><A
-NAME="AEN1169">7.5.1. How do I replicate the smbpasswd file?</H2
-><P
->Replication of the smbpasswd file is sensitive. It has to be done
-whenever changes to the SAM are made. Every user's password change is
-done in the smbpasswd file and has to be replicated to the BDC. So
-replicating the smbpasswd file very often is necessary.</P
-><P
->As the smbpasswd file contains plain text password equivalents, it
-must not be sent unencrypted over the wire. The best way to set up
-smbpasswd replication from the PDC to the BDC is to use the utility
-rsync. rsync can use ssh as a transport. ssh itself can be set up to
-accept *only* rsync transfer without requiring the user to type a
-password.</P
-></DIV
-></DIV
-></DIV
-><DIV
-CLASS="NAVFOOTER"
-><HR
-ALIGN="LEFT"
-WIDTH="100%"><TABLE
-SUMMARY="Footer navigation table"
-WIDTH="100%"
-BORDER="0"
-CELLPADDING="0"
-CELLSPACING="0"
-><TR
-><TD
-WIDTH="33%"
-ALIGN="left"
-VALIGN="top"
-><A
-HREF="samba-pdc.html"
-ACCESSKEY="P"
->Prev</A
-></TD
-><TD
-WIDTH="34%"
-ALIGN="center"
-VALIGN="top"
-><A
-HREF="samba-howto-collection.html"
-ACCESSKEY="H"
->Home</A
-></TD
-><TD
-WIDTH="33%"
-ALIGN="right"
-VALIGN="top"
-><A
-HREF="ads.html"
-ACCESSKEY="N"
->Next</A
-></TD
-></TR
-><TR
-><TD
-WIDTH="33%"
-ALIGN="left"
-VALIGN="top"
->How to Configure Samba as a NT4 Primary Domain Controller</TD
-><TD
-WIDTH="34%"
-ALIGN="center"
-VALIGN="top"
-><A
-HREF="type.html"
-ACCESSKEY="U"
->Up</A
-></TD
-><TD
-WIDTH="33%"
-ALIGN="right"
-VALIGN="top"
->Samba as a ADS domain member</TD
-></TR
-></TABLE
-></DIV
-></BODY
-></HTML
->
\ No newline at end of file
+no' forces the BDC not to register SAMBA&lt;#1b&gt; which as a unique NetBIOS
+name is reserved for the Primary Domain Controller.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2896591"></a>Common Errors</h2></div></div><div></div></div><p>
+As this is a rather new area for Samba there are not many examples that we may refer to. Keep
+watching for updates to this section.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896605"></a>Machine Accounts keep expiring, what can I do?</h3></div></div><div></div></div><p>
+This problem will occur when occur when the passdb (SAM) files are copied  from a central
+server but the local Backup Domain Controllers.  Local machine trust account password updates
+are not copied back to the central server. The newer machine account password is then over
+written when the SAM is copied from the PDC. The result is that the Domain member machine
+on start up will find that it's passwords does not match the one now in the database and
+since the startup security check will now fail, this machine will not allow logon attempts
+to procede and the account expiry error will be reported.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896630"></a>Can Samba be a Backup Domain Controller to an NT4 PDC?</h3></div></div><div></div></div><p>
+With version 2.2, no. The native NT4 SAM replication protocols have not yet been fully
+implemented. The Samba Team is working on understanding and implementing the protocols,
+but this work has not been finished for version 2.2.
+</p><p>
+With version 3.0, the work on both the replication protocols and a suitable storage
+mechanism has progressed, and some form of NT4 BDC support is expected soon.
+</p><p>
+Can I get the benefits of a BDC with Samba?  Yes. The main reason for implementing a
+BDC is availability. If the PDC is a Samba machine, a second Samba machine can be set up to
+service logon requests whenever the PDC is down.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896663"></a>How do I replicate the smbpasswd file?</h3></div></div><div></div></div><p>
+Replication of the smbpasswd file is sensitive. It has to be done whenever changes
+to the SAM are made. Every user's password change is done in the smbpasswd file and
+has to be replicated to the BDC. So replicating the smbpasswd file very often is necessary.
+</p><p>
+As the smbpasswd file contains plain text password equivalents, it must not be
+sent unencrypted over the wire. The best way to set up smbpasswd replication from
+the PDC to the BDC is to use the utility rsync. rsync can use ssh as a transport.
+Ssh itself can be set up to accept *only* rsync transfer without requiring the user
+to type a password.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896692"></a>Can I do this all with LDAP?</h3></div></div><div></div></div><p>
+The simple answer is YES.  Samba's pdb_ldap code supports binding to a replica
+LDAP server, and will also follow referrals and rebind to the master if it ever
+needs to make a modification to the database. (Normally BDCs are read only, so
+this will not occur often).
+</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="samba-pdc.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="domain-member.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 5. Domain Control </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 7. Domain Membership</td></tr></table></div></body></html>