Diffstat (limited to 'docs/docbook/projdoc/Samba-BDC-HOWTO.xml')
-rw-r--r-- | docs/docbook/projdoc/Samba-BDC-HOWTO.xml | 133 |
1 files changed, 95 insertions, 38 deletions
diff --git a/docs/docbook/projdoc/Samba-BDC-HOWTO.xml b/docs/docbook/projdoc/Samba-BDC-HOWTO.xml index 8b72c8e28f..5d62902487 100644 --- a/docs/docbook/projdoc/Samba-BDC-HOWTO.xml +++ b/docs/docbook/projdoc/Samba-BDC-HOWTO.xml 
@@ -17,9 +17,50 @@ with configuring a Samba Domain Controller as described in the <title>Features And Benefits</title> <para> -Stuff goees here +This is one of the most difficult chapters to summarise. It matters not what we say here +for someone will still draw conclusions and / or approach the Samba-Team with expectations +that are either not yet capable of being delivered, or that can be achieved for more +effectively using a totally different approach. Since this HOWTO is already so large and +extensive, we have taken the decision to provide sufficient (but not comprehensive) +information regarding Backup Domain Control. In the event that you should have a persistent +concern that is not addressed in this HOWTO document then please email +<ulink url="mailto:jht@samba.org">John H Terpstra</ulink> clearly setting out your requirements +and / or question and we will do our best to provide a solution. </para> +<para> +Samba-3 is capable of acting as a Backup Domain Controller to another Samba Primary Domain +Controller. A Samba-3 PDC can operate with an LDAP Account backend. The Samba-3 BDC can +operate with a slave LDAP server for the Account backend. This effectively gives samba a high +degree of scalability. This is a very sweet (nice) solution for large organisations. +</para> + +<para> +While it is possible to run a Samba-3 BDC with non-LDAP backend, the administrator will +need to figure out precisely what is the best way to replicate (copy / distribute) the +user and machine Accounts backend. 
Again, Samba-3 provides a number of possibilities: +</para> + +<itemizedlist> +<title>Backup Domain Backend Account Distribution Options</title> + <listitem><para> + Passwd Backend is LDAP based, BDCs use a slave LDAP server + </para></listitem> + + <listitem><para> + Passdb Backend is tdbsam based, BDCs use cron based "net rcp vampire" to + suck down the Accounts database from the PDC + </para></listitem> + + <listitem><para> + Make use of rsync to replicate (pull down) copies of the essential account files + </para></listitem> + + <listitem><para> + Operate with an entirely local accounts database (not recommended) + </para></listitem> +</itemizedlist> + </sect1> <sect1> @@ -203,29 +244,6 @@ mutually authenticate and the password change is done. <sect1> -<title>Can Samba be a Backup Domain Controller to an NT4 PDC?</title> - -<para> -With version 2.2, no. The native NT4 SAM replication protocols have not yet been fully -implemented. The Samba Team is working on understanding and implementing the protocols, -but this work has not been finished for version 2.2. -</para> - -<para> -With version 3.0, the work on both the replication protocols and a suitable storage -mechanism has progressed, and some form of NT4 BDC support is expected soon. -</para> - -<para> -Can I get the benefits of a BDC with Samba? Yes. The main reason for implementing a -BDC is availability. If the PDC is a Samba machine, a second Samba machine can be set up to -service logon requests whenever the PDC is down. -</para> - -</sect1> - - -<sect1> <title>Backup Domain Controller Configuration</title> <para> @@ -273,11 +291,15 @@ Several things have to be done: </itemizedlist> +<sect2> +<title>Example Configuration</title> + <para> Finally, the BDC has to be found by the workstations. This can be done by setting: </para> <para><programlisting> +<title>Essential Parameters for BDC Operation</title> workgroup = SAMBA domain master = no domain logons = yes 
@@ -285,13 +307,58 @@ Finally, the BDC has to be found by the workstations. This can be done by settin <para> in the [global]-section of the smb.conf of the BDC. This makes the BDC -only register the name SAMBA#1c with the WINS server. This is no -problem as the name SAMBA#1c is a NetBIOS group name that is meant to +only register the name SAMBA<#1c> with the WINS server. This is no +problem as the name SAMBA<#1c> is a NetBIOS group name that is meant to be registered by more than one machine. The parameter 'domain master = -no' forces the BDC not to register SAMBA#1b which as a unique NetBIOS +no' forces the BDC not to register SAMBA<#1b> which as a unique NetBIOS name is reserved for the Primary Domain Controller. </para> +</sect2> +</sect1> + +<sect1> +<title>Common Errors</title> + +<para> +As this is a rather new area for Samba there are not many examples thta we may refer to. Keep +watching for updates to this section. +</para> + +<sect2> +<title>Machine Accounts keep expiring, what can I do?</title> + +<para> +This problem will occur when occur when the account files are replicated from a central +server but the local Domain Controllers are not forwarding machine account password updates +back to the central server, or where there is an excessive delay in replication of the centrally +changed machine account password to the local Domain Controller. +</para> + +</sect2> + +<sect2> +<title>Can Samba be a Backup Domain Controller to an NT4 PDC?</title> + +<para> +With version 2.2, no. The native NT4 SAM replication protocols have not yet been fully +implemented. The Samba Team is working on understanding and implementing the protocols, +but this work has not been finished for version 2.2. +</para> + +<para> +With version 3.0, the work on both the replication protocols and a suitable storage +mechanism has progressed, and some form of NT4 BDC support is expected soon. +</para> + +<para> +Can I get the benefits of a BDC with Samba? Yes. 
The main reason for implementing a +BDC is availability. If the PDC is a Samba machine, a second Samba machine can be set up to +service logon requests whenever the PDC is down. +</para> + +</sect2> + <sect2> <title>How do I replicate the smbpasswd file?</title> @@ -309,7 +376,6 @@ Ssh itself can be set up to accept *only* rsync transfer without requiring the u to type a password. </para> - </sect2> <sect2> @@ -321,16 +387,7 @@ LDAP server, and will also follow referrals and rebind to the master if it ever needs to make a modification to the database. (Normally BDCs are read only, so this will not occur often). </para> -</sect2> - -</sect1> - -<sect1> -<title>Common Errors</title> - -<para> -Stuff goes here -</para> +</sect2> </sect1> </chapter> |
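Review bot: In the first hunk (@@ -17,9 +17,50 @@) the second list item names the command as "net rcp vampire"; the Samba tool is `net rpc vampire`, so readers who copy the text into a cron job will get a command that does not exist. The same list is inconsistent about the backend name: the first item says "Passwd Backend is LDAP based" while the next says "Passdb Backend is tdbsam based"; both should read "Passdb Backend", matching the smb.conf parameter. Two wording fixes in the same hunk: "can be achieved for more effectively" should be "far more effectively", and "gives samba a high degree of scalability" should capitalise Samba as elsewhere in the chapter.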
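Review bot: The second hunk (@@ -203,29 +244,6 @@) deletes the "Can Samba be a Backup Domain Controller to an NT4 PDC?" section only to re-add it verbatim under Common Errors in the fourth hunk, so the stale status text travels with it: "With version 2.2, no" and "With version 3.0 ... some form of NT4 BDC support is expected soon" now sit in the same chapter whose Features And Benefits section states what Samba-3 can and cannot do today. Suggest rewriting the moved paragraphs to state the current Samba-3 position plainly rather than the 2.2-era forecast, so an administrator does not configure a Samba-3 machine as a BDC to an NT4 PDC on the strength of "expected soon".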
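Review bot: In the third hunk (@@ -273,11 +291,15 @@) the added line `+<title>Essential Parameters for BDC Operation</title>` is placed inside `<programlisting>`, where DocBook does not allow a title element; the build will either reject it or render the tag text literally as the first line of the smb.conf listing. Move the title onto an `<example>` element that wraps the `<programlisting>`, or drop it and keep the heading in the new `<sect2>` title "Example Configuration" that the same hunk introduces.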
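Review bot: The fourth hunk (@@ -285,13 +307,58 @@) breaks XML well-formedness: the lines `+only register the name SAMBA<#1c> with the WINS server.` and `+no' forces the BDC not to register SAMBA<#1b> which as a unique NetBIOS` put a raw `<` into text content, so the file will no longer parse. Use `SAMBA&lt;#1c&gt;` and `SAMBA&lt;#1b&gt;` (or a `<literal>` element around each name). The same hunk has "examples thta we may refer to" (typo for "that") and "This problem will occur when occur when the account files are replicated" (duplicated phrase). The new "Machine Accounts keep expiring" section also describes the cause, one-way replication of account files that drops machine password changes made on the local DC, but offers no remedy; a sentence pointing to the LDAP-slave-with-referrals arrangement described later in the chapter, where the BDC rebinds to the master for writes, would give the reader the fix alongside the diagnosis.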