diff options
Diffstat (limited to 'docs/htmldocs/samba-bdc.html')
| -rw-r--r-- | docs/htmldocs/samba-bdc.html | 375 |
1 files changed, 243 insertions, 132 deletions
diff --git a/docs/htmldocs/samba-bdc.html b/docs/htmldocs/samba-bdc.html index 0a8a8fa2e1..4c2045642d 100644 --- a/docs/htmldocs/samba-bdc.html +++ b/docs/htmldocs/samba-bdc.html @@ -1,148 +1,259 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> -<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 6. -Samba Backup Domain Controller to Samba Domain Control -</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.59.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="samba-pdc.html" title="Chapter 5. -Samba as an NT4 or Win2k Primary Domain Controller -"><link rel="next" href="ADS.html" title="Chapter 7. Samba as a ADS domain member"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. -Samba Backup Domain Controller to Samba Domain Control -</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="samba-pdc.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="ADS.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><h2 class="title"><a name="samba-bdc"></a>Chapter 6. -Samba Backup Domain Controller to Samba Domain Control -</h2></div><div><div class="author"><h3 class="author">Volker Lendecke</h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt><<a href="mailto:Volker.Lendecke@SerNet.DE">Volker.Lendecke@SerNet.DE</a>></tt></p></div></div></div></div><div><p class="pubdate"> (26 Apr 2001) </p></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="samba-bdc.html#id2807541">Prerequisite Reading</a></dt><dt><a href="samba-bdc.html#id2877190">Background</a></dt><dt><a href="samba-bdc.html#id2879061">What qualifies a Domain Controller on the network?</a></dt><dd><dl><dt><a href="samba-bdc.html#id2879083">How does a Workstation find its domain controller?</a></dt><dt><a href="samba-bdc.html#id2879107">When is the PDC needed?</a></dt></dl></dd><dt><a href="samba-bdc.html#id2879127">Can Samba be a Backup Domain Controller to an NT PDC?</a></dt><dt><a href="samba-bdc.html#id2879160">How do I set up a Samba BDC?</a></dt><dd><dl><dt><a href="samba-bdc.html#id2879257">How do I replicate the smbpasswd file?</a></dt><dt><a href="samba-bdc.html#id2879286">Can I do this all with LDAP?</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2807541"></a>Prerequisite Reading</h2></div></div><p> -Before you continue reading in this chapter, please make sure -that you are comfortable with configuring a Samba PDC -as described in the <a href="Samba-PDC-HOWTO.html" target="_top">Samba-PDC-HOWTO</a>. -</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2877190"></a>Background</h2></div></div><p> -What is a Domain Controller? It is a machine that is able to answer -logon requests from workstations in a Windows NT Domain. Whenever a -user logs into a Windows NT Workstation, the workstation connects to a -Domain Controller and asks him whether the username and password the -user typed in is correct. The Domain Controller replies with a lot of -information about the user, for example the place where the users -profile is stored, the users full name of the user. All this -information is stored in the NT user database, the so-called SAM. +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 6. Backup Domain Control</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="samba-pdc.html" title="Chapter 5. Domain Control"><link rel="next" href="domain-member.html" title="Chapter 7. Domain Membership"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. Backup Domain Control</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="samba-pdc.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="domain-member.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="samba-bdc"></a>Chapter 6. Backup Domain Control</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Volker</span> <span class="surname">Lendecke</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:Volker.Lendecke@SerNet.DE">Volker.Lendecke@SerNet.DE</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="samba-bdc.html#id2896028">Features And Benefits</a></dt><dt><a href="samba-bdc.html#id2896201">Essential Background Information</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896230">MS Windows NT4 Style Domain Control</a></dt><dt><a href="samba-bdc.html#id2896450">Active Directory Domain Control</a></dt><dt><a href="samba-bdc.html#id2896471">What qualifies a Domain Controller on the network?</a></dt><dt><a href="samba-bdc.html#id2896497">How does a Workstation find its domain controller?</a></dt></dl></dd><dt><a href="samba-bdc.html#id2896542">Backup Domain Controller Configuration</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896645">Example Configuration</a></dt></dl></dd><dt><a href="samba-bdc.html#id2896706">Common Errors</a></dt><dd><dl><dt><a href="samba-bdc.html#id2896719">Machine Accounts keep expiring, what can I do?</a></dt><dt><a href="samba-bdc.html#id2896750">Can Samba be a Backup Domain Controller to an NT4 PDC?</a></dt><dt><a href="samba-bdc.html#id2896783">How do I replicate the smbpasswd file?</a></dt><dt><a href="samba-bdc.html#id2896828">Can I do this all with LDAP?</a></dt></dl></dd></dl></div><p> +Before you continue reading in this section, please make sure that you are comfortable +with configuring a Samba Domain Controller as described in the +<a href="samba-pdc.html" title="Chapter 5. Domain Control">Domain Control</a> chapter. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2896028"></a>Features And Benefits</h2></div></div><div></div></div><p> +This is one of the most difficult chapters to summarise. It does not matter what we say here +for someone will still draw conclusions and / or approach the Samba-Team with expectations +that are either not yet capable of being delivered, or that can be achieved far more +effectively using a totally different approach. Since this HOWTO is already so large and +extensive, we have taken the decision to provide sufficient (but not comprehensive) +information regarding Backup Domain Control. In the event that you should have a persistent +concern that is not addressed in this HOWTO document then please email +<a href="mailto:jht@samba.org" target="_top">John H Terpstra</a> clearly setting out your requirements +and / or question and we will do our best to provide a solution. </p><p> -There are two kinds of Domain Controller in a NT 4 compatible Domain: -A Primary Domain Controller (PDC) and one or more Backup Domain -Controllers (BDC). The PDC contains the master copy of the -SAM. Whenever the SAM has to change, for example when a user changes -his password, this change has to be done on the PDC. A Backup Domain -Controller is a machine that maintains a read-only copy of the -SAM. This way it is able to reply to logon requests and authenticate -users in case the PDC is not available. During this time no changes to -the SAM are possible. Whenever changes to the SAM are done on the PDC, -all BDC receive the changes from the PDC. +Samba-3 is capable of acting as a Backup Domain Controller to another Samba Primary Domain +Controller. A Samba-3 PDC can operate with an LDAP Account backend. The Samba-3 BDC can +operate with a slave LDAP server for the Account backend. This effectively gives samba a high +degree of scalability. This is a very sweet (nice) solution for large organisations. </p><p> -Since version 2.2 Samba officially supports domain logons for all -current Windows Clients, including Windows 2000 and XP. This text -assumes the domain to be named SAMBA. To be able to act as a PDC, some -parameters in the [global]-section of the smb.conf have to be set: +While it is possible to run a Samba-3 BDC with non-LDAP backend, the administrator will +need to figure out precisely what is the best way to replicate (copy / distribute) the +user and machine Accounts backend. +</p><p> +The use of a non-LDAP backend SAM database is particularly problematic because Domain member +servers and workstations periodically change the machine trust account password. The new +password is then stored only locally. This means that in the absence of a centrally stored +accounts database (such as that provided with an LDAP based solution) if Samba-3 is running +as a BDC, the BDC instance of the Domain member trust account password will not reach the +PDC (master) copy of the SAM. If the PDC SAM is then replicated to BDCs this results in +overwriting of the SAM that contains the updated (changed) trust account password with resulting +breakage of the domain trust. +</p><p> +Considering the number of comments and questions raised concerning how to configure a BDC +lets consider each possible option and look at the pro's and con's for each theoretical solution: +</p><div class="itemizedlist"><p class="title"><b>Backup Domain Backend Account Distribution Options</b></p><ul type="disc"><li><p> + Solution: Passwd Backend is LDAP based, BDCs use a slave LDAP server + </p><p> + Arguments For: This is a neat and manageable solution. The LDAP based SAM (ldapsam) + is constantly kept up to date. + </p><p> + Arguments Against: Complexity + </p></li><li><p> + Passdb Backend is tdbsam based, BDCs use cron based "net rpc vampire" to + suck down the Accounts database from the PDC + </p><p> + Arguments For: It would be a nice solution + </p><p> + Arguments Against: It does not work because Samba-3 does not support the required + protocols. This may become a later feature but is not available today. + </p></li><li><p> + Make use of rsync to replicate (pull down) copies of the essential account files + </p><p> + Arguments For: It is a simple solution, easy to set up as a scheduled job + </p><p> + Arguments Against: This will over-write the locally changed machine trust account + passwords. This is a broken and flawed solution. Do NOT do this. + </p></li><li><p> + Operate with an entirely local accounts database (not recommended) + </p><p> + Arguments For: Simple, easy to maintain + </p><p> + Arguments Against: All machine trust accounts and user accounts will be locally + maintained. Domain users will NOT be able to roam from office to office. This is + a broken and flawed solution. Do NOT do this. + </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2896201"></a>Essential Background Information</h2></div></div><div></div></div><p> +A Domain Controller is a machine that is able to answer logon requests from network +workstations. Microsoft LanManager and IBM LanServer were two early products that +provided this capability. The technology has become known as the LanMan Netlogon service. +</p><p> +When MS Windows NT3.10 was first released, it supported an new style of Domain Control +and with it a new form of the network logon service that has extended functionality. +This service became known as the NT NetLogon Service. The nature of this service has +changed with the evolution of MS Windows NT and today provides a very complex array of +services that are implemented over a complex spectrum of technologies. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896230"></a>MS Windows NT4 Style Domain Control</h3></div></div><div></div></div><p> +Whenever a user logs into a Windows NT4 / 200x / XP Professional Workstation, +the workstation connects to a Domain Controller (authentication server) to validate +the username and password that the user entered are valid. If the information entered +does not validate against the account information that has been stored in the Domain +Control database (the SAM, or Security Account Manager database) then a set of error +codes is returned to the workstation that has made the authentication request. +</p><p> +When the username / password pair has been validated, the Domain Controller +(authentication server) will respond with full enumeration of the account information +that has been stored regarding that user in the User and Machine Accounts database +for that Domain. This information contains a complete network access profile for +the user but excludes any information that is particular to the user's desktop profile, +or for that matter it excludes all desktop profiles for groups that the user may +belong to. It does include password time limits, password uniqueness controls, +network access time limits, account validity information, machine names from which the +user may access the network, and much more. All this information was stored in the SAM +in all versions of MS Windows NT (3.10, 3.50, 3.51, 4.0). +</p><p> +The account information (user and machine) on Domain Controllers is stored in two files, +one containing the Security information and the other the SAM. These are stored in files +by the same name in the <tt class="filename">C:\WinNT\System32\config</tt> directory. These +are the files that are involved in replication of the SAM database where Backup Domain +Controllers are present on the network. +</p><p> +There are two situations in which it is desirable to install Backup Domain Controllers: +</p><div class="itemizedlist"><ul type="disc"><li><p> + On the local network that the Primary Domain Controller is on, if there are many + workstations and/or where the PDC is generally very busy. In this case the BDCs + will pick up network logon requests and help to add robustness to network services. + </p></li><li><p> + At each remote site, to reduce wide area network traffic and to add stability to + remote network operations. The design of the network, the strategic placement of + Backup Domain Controllers, together with an implementation that localises as much + of network to client interchange as possible will help to minimise wide area network + bandwidth needs (and thus costs). + </p></li></ul></div><p> +The PDC contains the master copy of the SAM. In the event that an administrator makes a +change to the user account database while physically present on the local network that +has the PDC, the change will likely be made directly to the PDC instance of the master +copy of the SAM. In the event that this update may be performed in a branch office the +change will likely be stored in a delta file on the local BDC. The BDC will then send +a trigger to the PDC to commence the process of SAM synchronisation. The PDC will then +request the delta from the BDC and apply it to the master SAM. The PDC will then contact +all the BDCs in the Domain and trigger them to obtain the update and then apply that to +their own copy of the SAM. +</p><p> +Thus the BDC is said to hold a <span class="emphasis"><em>read-only</em></span> of the SAM from which +it is able to process network logon requests and to authenticate users. The BDC can +continue to provide this service, particularly while, for example, the wide area +network link to the PDC is down. Thus a BDC plays a very important role in both +maintenance of Domain security as well as in network integrity. +</p><p> +In the event that the PDC should need to be taken out of service, or if it dies, then +one of the BDCs can be promoted to a PDC. If this happens while the original PDC is on +line then it is automatically demoted to a BDC. This is an important aspect of Domain +Controller management. The tool that is used to affect a promotion or a demotion is the +Server Manager for Domains. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2896379"></a>Example PDC Configuration</h4></div></div><div></div></div><p> +Since version 2.2 Samba officially supports domain logons for all current Windows Clients, +including Windows NT4, 2003 and XP Professional. For samba to be enabled as a PDC some +parameters in the <i class="parameter"><tt>[global]</tt></i>-section of the <tt class="filename">smb.conf</tt> have to be set: </p><pre class="programlisting"> workgroup = SAMBA domain master = yes domain logons = yes </pre><p> -Several other things like a [homes] and a [netlogon] share also may be -set along with settings for the profile path, the users home drive and -others. This will not be covered in this document. -</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2879061"></a>What qualifies a Domain Controller on the network?</h2></div></div><p> -Every machine that is a Domain Controller for the domain SAMBA has to -register the NetBIOS group name SAMBA#1c with the WINS server and/or -by broadcast on the local network. The PDC also registers the unique -NetBIOS name SAMBA#1b with the WINS server. The name type #1b is -normally reserved for the domain master browser, a role that has -nothing to do with anything related to authentication, but the -Microsoft Domain implementation requires the domain master browser to -be on the same machine as the PDC. -</p><div class="sect2" lang="en"><div class="titlepage"><div><h3 class="title"><a name="id2879083"></a>How does a Workstation find its domain controller?</h3></div></div><p> -A NT workstation in the domain SAMBA that wants a local user to be -authenticated has to find the domain controller for SAMBA. It does -this by doing a NetBIOS name query for the group name SAMBA#1c. It -assumes that each of the machines it gets back from the queries is a -domain controller and can answer logon requests. To not open security -holes both the workstation and the selected (TODO: How is the DC -chosen) domain controller authenticate each other. After that the -workstation sends the user's credentials (his name and password) to -the domain controller, asking for approval. -</p></div><div class="sect2" lang="en"><div class="titlepage"><div><h3 class="title"><a name="id2879107"></a>When is the PDC needed?</h3></div></div><p> -Whenever a user wants to change his password, this has to be done on -the PDC. To find the PDC, the workstation does a NetBIOS name query -for SAMBA#1b, assuming this machine maintains the master copy of the -SAM. The workstation contacts the PDC, both mutually authenticate and -the password change is done. -</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2879127"></a>Can Samba be a Backup Domain Controller to an NT PDC?</h2></div></div><p> -With version 2.2, no. The native NT SAM replication protocols have -not yet been fully implemented. The Samba Team is working on -understanding and implementing the protocols, but this work has not -been finished for version 2.2. -</p><p> -With version 3.0, the work on both the replication protocols and a -suitable storage mechanism has progressed, and some form of NT4 BDC -support is expected soon. -</p><p> -Can I get the benefits of a BDC with Samba? Yes. The main reason for -implementing a BDC is availability. If the PDC is a Samba machine, -a second Samba machine can be set up to -service logon requests whenever the PDC is down. -</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2879160"></a>How do I set up a Samba BDC?</h2></div></div><p> +Several other things like a <i class="parameter"><tt>[homes]</tt></i> and a <i class="parameter"><tt>[netlogon]</tt></i> share also need to be set along with +settings for the profile path, the users home drive, etc.. This will not be covered in this +chapter, for more information please refer to the chapter on <a href="samba-pdc.html" title="Chapter 5. Domain Control">Domain Control</a>. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896450"></a>Active Directory Domain Control</h3></div></div><div></div></div><p> +As of the release of MS Windows 2000 and Active Directory, this information is now stored +in a directory that can be replicated and for which partial or full administrative control +can be delegated. Samba-3 is NOT able to be a Domain Controller within an Active Directory +tree, and it can not be an Active Directory server. This means that Samba-3 also can NOT +act as a Backup Domain Controller to an Active Directory Domain Controller. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896471"></a>What qualifies a Domain Controller on the network?</h3></div></div><div></div></div><p> +Every machine that is a Domain Controller for the domain SAMBA has to register the NetBIOS +group name SAMBA<#1c> with the WINS server and/or by broadcast on the local network. +The PDC also registers the unique NetBIOS name SAMBA<#1b> with the WINS server. +The name type <#1b> name is normally reserved for the Domain Master Browser, a role +that has nothing to do with anything related to authentication, but the Microsoft Domain +implementation requires the domain master browser to be on the same machine as the PDC. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896497"></a>How does a Workstation find its domain controller?</h3></div></div><div></div></div><p> +An MS Windows NT4 / 200x / XP Professional workstation in the domain SAMBA that wants a +local user to be authenticated has to find the domain controller for SAMBA. It does this +by doing a NetBIOS name query for the group name SAMBA<#1c>. It assumes that each +of the machines it gets back from the queries is a domain controller and can answer logon +requests. To not open security holes both the workstation and the selected domain controller +authenticate each other. After that the workstation sends the user's credentials (name and +password) to the local Domain Controller, for validation. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2896542"></a>Backup Domain Controller Configuration</h2></div></div><div></div></div><p> Several things have to be done: </p><div class="itemizedlist"><ul type="disc"><li><p> -The domain SID has to be the same on the PDC and the BDC. This used to -be stored in the file private/MACHINE.SID. This file is not created -anymore since Samba 2.2.5 or even earlier. Nowadays the domain SID is -stored in the file private/secrets.tdb. Simply copying the secrets.tdb -from the PDC to the BDC does not work, as the BDC would -generate a new SID for itself and override the domain SID with this -new BDC SID.</p><p> -To retrieve the domain SID from the PDC or an existing BDC and store it in the -secrets.tdb, execute 'net rpc getsid' on the BDC. -</p></li><li><p> -The Unix user database has to be synchronized from the PDC to the -BDC. This means that both the /etc/passwd and /etc/group have to be -replicated from the PDC to the BDC. This can be done manually -whenever changes are made, or the PDC is set up as a NIS master -server and the BDC as a NIS slave server. To set up the BDC as a -mere NIS client would not be enough, as the BDC would not be able to -access its user database in case of a PDC failure. -</p></li><li><p> -The Samba password database in the file private/smbpasswd has to be -replicated from the PDC to the BDC. This is a bit tricky, see the -next section. -</p></li><li><p> -Any netlogon share has to be replicated from the PDC to the -BDC. This can be done manually whenever login scripts are changed, -or it can be done automatically together with the smbpasswd -synchronization. -</p></li></ul></div><p> -Finally, the BDC has to be found by the workstations. This can be done -by setting + The domain SID has to be the same on the PDC and the BDC. This used to + be stored in the file private/MACHINE.SID. This file is not created + anymore since Samba 2.2.5 or even earlier. Nowadays the domain SID is + stored in the file private/secrets.tdb. Simply copying the secrets.tdb + from the PDC to the BDC does not work, as the BDC would + generate a new SID for itself and override the domain SID with this + new BDC SID.</p><p> + To retrieve the domain SID from the PDC or an existing BDC and store it in the + secrets.tdb, execute: + </p><pre class="screen"> + <tt class="prompt">root# </tt><b class="userinput"><tt>net rpc getsid</tt></b> + </pre></li><li><p> + The Unix user database has to be synchronized from the PDC to the + BDC. This means that both the /etc/passwd and /etc/group have to be + replicated from the PDC to the BDC. This can be done manually + whenever changes are made, or the PDC is set up as a NIS master + server and the BDC as a NIS slave server. To set up the BDC as a + mere NIS client would not be enough, as the BDC would not be able to + access its user database in case of a PDC failure. NIS is by no means + the only method to synchronize passwords. An LDAP solution would work + as well. + </p></li><li><p> + The Samba password database has to be replicated from the PDC to the BDC. + As said above, though possible to synchronise the <tt class="filename">smbpasswd</tt> + file with rsync and ssh, this method is broken and flawed, and is + therefore not recommended. A better solution is to set up slave LDAP + servers for each BDC and a master LDAP server for the PDC. + </p></li><li><p> + Any netlogon share has to be replicated from the PDC to the + BDC. This can be done manually whenever login scripts are changed, + or it can be done automatically together with the smbpasswd + synchronization. + </p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896645"></a>Example Configuration</h3></div></div><div></div></div><p> +Finally, the BDC has to be found by the workstations. This can be done by setting: </p><pre class="programlisting"> - workgroup = samba + workgroup = SAMBA domain master = no domain logons = yes </pre><p> -in the [global]-section of the smb.conf of the BDC. This makes the BDC -only register the name SAMBA#1c with the WINS server. This is no -problem as the name SAMBA#1c is a NetBIOS group name that is meant to +in the <i class="parameter"><tt>[global]</tt></i>-section of the <tt class="filename">smb.conf</tt> of the BDC. This makes the BDC +only register the name SAMBA<#1c> with the WINS server. This is no +problem as the name SAMBA<#1c> is a NetBIOS group name that is meant to be registered by more than one machine. The parameter 'domain master = -no' forces the BDC not to register SAMBA#1b which as a unique NetBIOS +no' forces the BDC not to register SAMBA<#1b> which as a unique NetBIOS name is reserved for the Primary Domain Controller. -</p><div class="sect2" lang="en"><div class="titlepage"><div><h3 class="title"><a name="id2879257"></a>How do I replicate the smbpasswd file?</h3></div></div><p> -Replication of the smbpasswd file is sensitive. It has to be done -whenever changes to the SAM are made. Every user's password change is -done in the smbpasswd file and has to be replicated to the BDC. So -replicating the smbpasswd file very often is necessary. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2896706"></a>Common Errors</h2></div></div><div></div></div><p> +As this is a rather new area for Samba there are not many examples that we may refer to. Keep +watching for updates to this section. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896719"></a>Machine Accounts keep expiring, what can I do?</h3></div></div><div></div></div><p> +This problem will occur when occur when the passdb (SAM) files are copied from a central +server but the local Backup Domain Controllers. Local machine trust account password updates +are not copied back to the central server. The newer machine account password is then over +written when the SAM is copied from the PDC. The result is that the Domain member machine +on start up will find that it's passwords does not match the one now in the database and +since the startup security check will now fail, this machine will not allow logon attempts +to proceed and the account expiry error will be reported. +</p><p> +The solution: use a more robust passdb backend, such as the ldapsam backend, setting up +an slave LDAP server for each BDC, and a master LDAP server for the PDC. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896750"></a>Can Samba be a Backup Domain Controller to an NT4 PDC?</h3></div></div><div></div></div><p> +With version 2.2, no. The native NT4 SAM replication protocols have not yet been fully +implemented. The Samba Team is working on understanding and implementing the protocols, +but this work has not been finished for version 2.2. +</p><p> +With version 3.0, the work on both the replication protocols and a suitable storage +mechanism has progressed, and some form of NT4 BDC support is expected soon. +</p><p> +Can I get the benefits of a BDC with Samba? Yes. The main reason for implementing a +BDC is availability. If the PDC is a Samba machine, a second Samba machine can be set up to +service logon requests whenever the PDC is down. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896783"></a>How do I replicate the smbpasswd file?</h3></div></div><div></div></div><p> +Replication of the smbpasswd file is sensitive. It has to be done whenever changes +to the SAM are made. Every user's password change is done in the smbpasswd file and +has to be replicated to the BDC. So replicating the smbpasswd file very often is necessary. +</p><p> +As the smbpasswd file contains plain text password equivalents, it must not be +sent unencrypted over the wire. The best way to set up smbpasswd replication from +the PDC to the BDC is to use the utility rsync. rsync can use ssh as a transport. +Ssh itself can be set up to accept <span class="emphasis"><em>only</em></span> rsync transfer without requiring the user +to type a password. </p><p> -As the smbpasswd file contains plain text password equivalents, it -must not be sent unencrypted over the wire. The best way to set up -smbpasswd replication from the PDC to the BDC is to use the utility -rsync. rsync can use ssh as a transport. ssh itself can be set up to -accept *only* rsync transfer without requiring the user to type a -password. -</p></div><div class="sect2" lang="en"><div class="titlepage"><div><h3 class="title"><a name="id2879286"></a>Can I do this all with LDAP?</h3></div></div><p>The simple answer is YES. Samba's pdb_ldap code supports -binding to a replica LDAP server, and will also follow referrals and -rebind to the master if it ever needs to make a modification to the -database. (Normally BDCs are read only, so this will not occur -often). -</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="samba-pdc.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="ADS.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 5. -Samba as an NT4 or Win2k Primary Domain Controller - </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 7. Samba as a ADS domain member</td></tr></table></div></body></html> +As said a few times before, use of this method is broken and flawed. Machine trust +accounts will go out of sync, resulting in a very broken domain. This method is +<span class="emphasis"><em>not</em></span> recommended. Try using LDAP instead. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2896828"></a>Can I do this all with LDAP?</h3></div></div><div></div></div><p> +The simple answer is YES. Samba's pdb_ldap code supports binding to a replica +LDAP server, and will also follow referrals and rebind to the master if it ever +needs to make a modification to the database. (Normally BDCs are read only, so +this will not occur often). +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="samba-pdc.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="domain-member.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 5. Domain Control </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 7. Domain Membership</td></tr></table></div></body></html> |