summaryrefslogtreecommitdiff
path: root/docs/htmldocs/samba-bdc.html
blob: c3be7504e268f3c272b13bffcd1420a72a9df775 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 6. Backup Domain Control</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="samba-doc.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="samba-pdc.html" title="Chapter 5. Domain Control"><link rel="next" href="domain-member.html" title="Chapter 7. Domain Membership"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. Backup Domain Control</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="samba-pdc.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="domain-member.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="samba-bdc"></a>Chapter 6. Backup Domain Control</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Volker</span> <span class="surname">Lendecke</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:Volker.Lendecke@SerNet.DE">Volker.Lendecke@SerNet.DE</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="samba-bdc.html#id2889347">Features And Benefits</a></dt><dt><a href="samba-bdc.html#id2889536">Essential Background Information</a></dt><dd><dl><dt><a href="samba-bdc.html#id2889565">MS Windows NT4 Style Domain Control</a></dt><dt><a href="samba-bdc.html#id2889816">Active Directory Domain Control</a></dt><dt><a href="samba-bdc.html#id2889836">What qualifies a Domain Controller on the network?</a></dt><dt><a href="samba-bdc.html#id2889863">How does a Workstation find its domain controller?</a></dt></dl></dd><dt><a href="samba-bdc.html#id2889908">Backup Domain Controller Configuration</a></dt><dd><dl><dt><a href="samba-bdc.html#id2890011">Example Configuration</a></dt></dl></dd><dt><a href="samba-bdc.html#id2890167">Common Errors</a></dt><dd><dl><dt><a href="samba-bdc.html#id2890181">Machine Accounts keep expiring, what can I do?</a></dt><dt><a href="samba-bdc.html#id2890212">Can Samba be a Backup Domain Controller to an NT4 PDC?</a></dt><dt><a href="samba-bdc.html#id2890238">How do I replicate the smbpasswd file?</a></dt><dt><a href="samba-bdc.html#id2890283">Can I do this all with LDAP?</a></dt></dl></dd></dl></div><p>
Before you continue reading in this section, please make sure that you are comfortable
with configuring a Samba Domain Controller as described in <a href="samba-pdc.html" title="Chapter 5. Domain Control">chapter on setting up Samba as a PDC</a>.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2889347"></a>Features And Benefits</h2></div></div><div></div></div><p>
This is one of the most difficult chapters to summarise. It does not matter what we say here
for someone will still draw conclusions and / or approach the Samba-Team with expectations
that are either not yet capable of being delivered, or that can be achieved far more
effectively using a totally different approach. In the event that you should have a persistent
concern that is not addressed in this book then please email
<a href="mailto:jht@samba.org" target="_top">John H Terpstra</a> clearly setting out your requirements
and / or question and we will do our best to provide a solution.
</p><p>
Samba-3 is capable of acting as a Backup Domain Controller to another Samba Primary Domain
Controller. A Samba-3 PDC can operate with an LDAP Account backend. The LDAP backend can be
either a common master LDAP server, or a slave server. The use of a slave LDAP server has the
benefit that when the master is down clients may still be able to log onto the network.
This effectively gives samba a high degree of scalability iand is a very sweet (nice) solution
for large organisations.
</p><p>
While it is possible to run a Samba-3 BDC with non-LDAP backend, the administrator will
need to figure out precisely what is the best way to replicate (copy / distribute) the
user and machine Accounts backend.
</p><p>
The use of a non-LDAP backend SAM database is particularly problematic because Domain member
servers and workstations periodically change the machine trust account password. The new
password is then stored only locally. This means that in the absence of a centrally stored
accounts database (such as that provided with an LDAP based solution) if Samba-3 is running
as a BDC, the BDC instance of the Domain member trust account password will not reach the
PDC (master) copy of the SAM. If the PDC SAM is then replicated to BDCs this results in 
overwriting of the SAM that contains the updated (changed) trust account password with resulting
breakage of the domain trust.
</p><p>
Considering the number of comments and questions raised concerning how to configure a BDC
lets consider each possible option and look at the pro's and con's for each theoretical solution:
</p><div class="itemizedlist"><p class="title"><b>Backup Domain Backend Account Distribution Options</b></p><ul type="disc"><li><p>
	Solution: Passwd Backend is LDAP based, BDCs use a slave LDAP server
	</p><p>
	Arguments For: This is a neat and manageable solution. The LDAP based SAM (ldapsam)
	is constantly kept up to date.
	</p><p>
	Arguments Against: Complexity
	</p></li><li><p>
	Passdb Backend is tdbsam based, BDCs use cron based <span class="emphasis"><em>net rpc vampire</em></span> to
	obtain the Accounts database from the PDC and place them into the Samba SAM.
	<span class="emphasis"><em>net rpc vampire</em></span> is a Samba function of the &quot;net&quot; command.
	</p><p>
	Arguments For: It would be a nice solution
	</p><p>
	Arguments Against: It does not work because Samba-3 does not support the required
	protocols. This may become a later feature but is not available today.
	</p></li><li><p>
	Make use of rsync to replicate (pull down) copies of the essential account files
	</p><p>
	Arguments For: It is a simple solution, easy to set up as a scheduled job
	</p><p>
	Arguments Against: This will over-write the locally changed machine trust account
	passwords. This is a broken and flawed solution. Do NOT do this.
	</p></li><li><p>
	Operate with an entirely local accounts database (not recommended)
	</p><p>
	Arguments For: Simple, easy to maintain
	</p><p>
	Arguments Against: All machine trust accounts and user accounts will be locally
	maintained. Domain users will NOT be able to roam from office to office. This is
	a broken and flawed solution. Do NOT do this.
	</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2889536"></a>Essential Background Information</h2></div></div><div></div></div><p>
A Domain Controller is a machine that is able to answer logon requests from network
workstations. Microsoft LanManager and IBM LanServer were two early products that
provided this capability. The technology has become known as the LanMan Netlogon service.
</p><p>
When MS Windows NT3.10 was first released, it supported an new style of Domain Control
and with it a new form of the network logon service that has extended functionality.
This service became known as the NT NetLogon Service. The nature of this service has
changed with the evolution of MS Windows NT and today provides a very complex array of
services that are implemented over a complex spectrum of technologies.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889565"></a>MS Windows NT4 Style Domain Control</h3></div></div><div></div></div><p>
Whenever a user logs into a Windows NT4 / 200x / XP Professional Workstation,
the workstation connects to a Domain Controller (authentication server) to validate
the username and password that the user entered are valid. If the information entered
does not validate against the account information that has been stored in the Domain
Control database (the SAM, or Security Account Manager database) then a set of error
codes is returned to the workstation that has made the authentication request.
</p><p>
When the username / password pair has been validated, the Domain Controller
(authentication server) will respond with full enumeration of the account information
that has been stored regarding that user in the User and Machine Accounts database
for that Domain. This information contains a complete network access profile for
the user but excludes any information that is particular to the user's desktop profile,
or for that matter it excludes all desktop profiles for groups that the user may
belong to. It does include password time limits, password uniqueness controls,
network access time limits, account validity information, machine names from which the
user may access the network, and much more. All this information was stored in the SAM
in all versions of MS Windows NT (3.10, 3.50, 3.51, 4.0).
</p><p>
The account information (user and machine) on Domain Controllers is stored in two files,
one containing the Security information and the other the SAM. These are stored in files
by the same name in the <tt class="filename">C:\WinNT\System32\config</tt> directory. These
are the files that are involved in replication of the SAM database where Backup Domain
Controllers are present on the network.
</p><p>
There are two situations in which it is desirable to install Backup Domain Controllers:
</p><div class="itemizedlist"><ul type="disc"><li><p>
	On the local network that the Primary Domain Controller is on, if there are many
	workstations and/or where the PDC is generally very busy. In this case the BDCs
	will pick up network logon requests and help to add robustness to network services.
	</p></li><li><p>
	At each remote site, to reduce wide area network traffic and to add stability to
	remote network operations. The design of the network, the strategic placement of
	Backup Domain Controllers, together with an implementation that localises as much
	of network to client interchange as possible will help to minimise wide area network
	bandwidth needs (and thus costs).
	</p></li></ul></div><p>
The PDC contains the master copy of the SAM. In the event that an administrator makes a
change to the user account database while physically present on the local network that
has the PDC, the change will likely be made directly to the PDC instance of the master
copy of the SAM. In the event that this update may be performed in a branch office the
change will likely be stored in a delta file on the local BDC. The BDC will then send
a trigger to the PDC to commence the process of SAM synchronisation. The PDC will then
request the delta from the BDC and apply it to the master SAM. The PDC will then contact
all the BDCs in the Domain and trigger them to obtain the update and then apply that to
their own copy of the SAM.
</p><p>
Thus the BDC is said to hold a <span class="emphasis"><em>read-only</em></span> of the SAM from which
it is able to process network logon requests and to authenticate users. The BDC can
continue to provide this service, particularly while, for example, the wide area
network link to the PDC is down. Thus a BDC plays a very important role in both
maintenance of Domain security as well as in network integrity.
</p><p>
In the event that the PDC should need to be taken out of service, or if it dies, then
one of the BDCs can be promoted to a PDC. If this happens while the original PDC is on
line then it is automatically demoted to a BDC. This is an important aspect of Domain
Controller management. The tool that is used to affect a promotion or a demotion is the
Server Manager for Domains.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2889716"></a>Example PDC Configuration</h4></div></div><div></div></div><p>
Since version 2.2 Samba officially supports domain logons for all current Windows Clients,
including Windows NT4, 2003 and XP Professional. For samba to be enabled as a PDC some
parameters in the <i class="parameter"><tt>[global]</tt></i>-section of the <tt class="filename">smb.conf</tt> have to be set:
</p><div class="example"><a name="id2889747"></a><p class="title"><b>Example 6.1. Minimal smb.conf for being a PDC</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = yes</tt></i></td></tr></table></div><p>
Several other things like a <i class="parameter"><tt>[homes]</tt></i> and a
<i class="parameter"><tt>[netlogon]</tt></i> share also need to be set along with
settings for the profile path, the users home drive, etc.. This will not be covered in this
chapter, for more information please refer to <a href="samba-pdc.html" title="Chapter 5. Domain Control">the chapter about samba as a PDC</a>.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889816"></a>Active Directory Domain Control</h3></div></div><div></div></div><p>
As of the release of MS Windows 2000 and Active Directory, this information is now stored
in a directory that can be replicated and for which partial or full administrative control
can be delegated. Samba-3 is NOT able to be a Domain Controller within an Active Directory
tree, and it can not be an Active Directory server. This means that Samba-3 also can NOT
act as a Backup Domain Controller to an Active Directory Domain Controller.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889836"></a>What qualifies a Domain Controller on the network?</h3></div></div><div></div></div><p>
Every machine that is a Domain Controller for the domain SAMBA has to register the NetBIOS
group name SAMBA&lt;#1c&gt; with the WINS server and/or by broadcast on the local network.
The PDC also registers the unique NetBIOS name SAMBA&lt;#1b&gt; with the WINS server.
The name type &lt;#1b&gt; name is normally reserved for the Domain Master Browser, a role
that has nothing to do with anything related to authentication, but the Microsoft Domain
implementation requires the domain master browser to be on the same machine as the PDC.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889863"></a>How does a Workstation find its domain controller?</h3></div></div><div></div></div><p>
An MS Windows NT4 / 200x / XP Professional workstation in the domain SAMBA that wants a
local user to be authenticated has to find the domain controller for SAMBA. It does this
by doing a NetBIOS name query for the group name SAMBA&lt;#1c&gt;. It assumes that each
of the machines it gets back from the queries is a domain controller and can answer logon
requests. To not open security holes both the workstation and the selected domain controller
authenticate each other. After that the workstation sends the user's credentials (name and
password) to the local Domain Controller, for validation.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2889908"></a>Backup Domain Controller Configuration</h2></div></div><div></div></div><p>
Several things have to be done:
</p><div class="itemizedlist"><ul type="disc"><li><p>
	The domain SID has to be the same on the PDC and the BDC. This used to
	be stored in the file private/MACHINE.SID. This file is not created
	since Samba 2.2.5. Nowadays the domain SID is stored in the file
	private/secrets.tdb. Simply copying the secrets.tdb
	from the PDC to the BDC does not work, as the BDC would
	generate a new SID for itself and override the domain SID with this
	new BDC SID.</p><p>
	To retrieve the domain SID from the PDC or an existing BDC and store it in the
	secrets.tdb, execute:
	</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>net rpc getsid</tt></b>
</pre></li><li><p>
	The UNIX user database has to be synchronized from the PDC to the
	BDC. This means that both the /etc/passwd and /etc/group have to be
	replicated from the PDC to the BDC. This can be done manually
	whenever changes are made, or the PDC is set up as a NIS master
	server and the BDC as a NIS slave server. To set up the BDC as a
	mere NIS client would not be enough, as the BDC would not be able to
	access its user database in case of a PDC failure. NIS is by no means
	the only method to synchronize passwords. An LDAP solution would work
	as well.
	</p></li><li><p>
	The Samba password database has to be replicated from the PDC to the BDC.
	As said above, though possible to synchronise the <tt class="filename">smbpasswd</tt>
	file with rsync and ssh, this method is	broken and flawed, and is 
	therefore not recommended. A better solution is to set up slave LDAP
	servers for each BDC and a master LDAP server for the PDC.
	</p></li><li><p>
	Any netlogon share has to be replicated from the PDC to the
	BDC. This can be done manually whenever login scripts are changed,
	or it can be done automatically together with the smbpasswd
	synchronization.
	</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890011"></a>Example Configuration</h3></div></div><div></div></div><p>
Finally, the BDC has to be found by the workstations. This can be done by setting:
</p><div class="example"><a name="id2890026"></a><p class="title"><b>Example 6.2. Minimal setup for being a BDC</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = no</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>idmap backend = ldapsam://slave-ldap.quenya.org</tt></i></td></tr></table></div><p>
In the <i class="parameter"><tt>[global]</tt></i>-section of the <tt class="filename">smb.conf</tt> of the BDC. This makes the BDC
only register the name SAMBA&lt;#1c&gt; with the WINS server. This is no
problem as the name SAMBA&lt;#1c&gt; is a NetBIOS group name that is meant to
be registered by more than one machine. The parameter
<a class="indexterm" name="id2890094"></a><i class="parameter"><tt>domain master</tt></i> = no
forces the BDC not to register SAMBA&lt;#1b&gt; which as a unique NetBIOS
name is reserved for the Primary Domain Controller.
</p><p>
The <i class="parameter"><tt>idmap backend</tt></i> will redirect the <b class="command">winbindd</b> utility to
use the LDAP database to resolve all UIDs and GIDs for UNIX accounts.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Samba-3 has introduced a new ID mapping facility. One of the features of this facility is that it
allows greater flexibility in how user and group IDs are handled in respect of NT Domain User and Group
SIDs. One of the new facilities provides for explicitly ensuring that UNIX / Linux UID and GID values
will be consistent on the PDC, all BDCs and all Domain Member servers. The parameter that controls this
is called <i class="parameter"><tt>idmap backend</tt></i>. Please refer to the man page for <tt class="filename">smb.conf</tt> for more information
regarding it's behaviour. Do NOT set this parameter except where an LDAP backend (ldapsam) is in use.
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2890167"></a>Common Errors</h2></div></div><div></div></div><p>
As this is a rather new area for Samba there are not many examples that we may refer to. Keep
watching for updates to this section.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890181"></a>Machine Accounts keep expiring, what can I do?</h3></div></div><div></div></div><p>
This problem will occur when occur when the passdb (SAM) files are copied  from a central
server but the local Backup Domain Controllers.  Local machine trust account password updates
are not copied back to the central server. The newer machine account password is then over
written when the SAM is copied from the PDC. The result is that the Domain member machine
on start up will find that it's passwords does not match the one now in the database and
since the startup security check will now fail, this machine will not allow logon attempts
to proceed and the account expiry error will be reported.
</p><p>
The solution: use a more robust passdb backend, such as the ldapsam backend, setting up
an slave LDAP server for each BDC, and a master LDAP server for the PDC.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890212"></a>Can Samba be a Backup Domain Controller to an NT4 PDC?</h3></div></div><div></div></div><p>
With version 2.2, no. The native NT4 SAM replication protocols have not yet been fully
implemented. The Samba Team is working on understanding and implementing the protocols,
but this work has not been finished for Samba-3.
</p><p>
Can I get the benefits of a BDC with Samba?  Yes, but only to a Samba PDC. The main reason for implementing a
BDC is availability. If the PDC is a Samba machine, a second Samba machine can be set up to
service logon requests whenever the PDC is down.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890238"></a>How do I replicate the smbpasswd file?</h3></div></div><div></div></div><p>
Replication of the smbpasswd file is sensitive. It has to be done whenever changes
to the SAM are made. Every user's password change is done in the smbpasswd file and
has to be replicated to the BDC. So replicating the smbpasswd file very often is necessary.
</p><p>
As the smbpasswd file contains plain text password equivalents, it must not be
sent unencrypted over the wire. The best way to set up smbpasswd replication from
the PDC to the BDC is to use the utility rsync. rsync can use ssh as a transport.
Ssh itself can be set up to accept <span class="emphasis"><em>only</em></span> rsync transfer without requiring the user
to type a password.
</p><p>
As said a few times before, use of this method is broken and flawed. Machine trust 
accounts will go out of sync, resulting in a very broken domain. This method is
<span class="emphasis"><em>not</em></span> recommended. Try using LDAP instead.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2890283"></a>Can I do this all with LDAP?</h3></div></div><div></div></div><p>
The simple answer is YES.  Samba's pdb_ldap code supports binding to a replica
LDAP server, and will also follow referrals and rebind to the master if it ever
needs to make a modification to the database. (Normally BDCs are read only, so
this will not occur often).
</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="samba-pdc.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="domain-member.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 5. Domain Control </td><td width="20%" align="center"><a accesskey="h" href="samba-doc.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 7. Domain Membership</td></tr></table></div></body></html>