Samba PDC/BDC

Ben Scott dragonhawk at gmail.com
Mon Jan 16 13:13:01 EST 2006


On 1/16/06, Thomas Charron <twaffle at gmail.com> wrote:
>   His primary question, however, is if he can have 2 Samba servers providing
> authentication for one single Active Directory domain.  This way both sites
> would acknowledge the users authentication within the domain.

  A point which appears to be a source of confusion in this
discussion: Samba cannot act as an Active Directory Domain Controller.
Period.[1][2]

  Samba can act as an NTLM Domain Controller.  It can act as a PDC
(Primary Domain Controller).  It can also act as a BDC (Backup Domain
Controller) for purposes of providing authentication to domain
members.  However, Samba does not implement Microsoft's PDC/BDC
replication protocols.  You have to use LDAP to provide the backend
for authentication data storage and replication.

  Corollary: If you are using Samba as a DC, you are running things as
an NTLM domain, *NOT* an Active Directory domain, with all the
limitations and consequences thereof.  In particular, the domain
members will all be using NetBIOS and MS RPC, and will have no
awareness of LDAP for purposes of the Windows domain.

  I know next to nothing about LDAP, so I haven't had anything much of
use to add to this discussion, but this appears to be a point of
confusion, so I thought I would clarify it.

  My understanding (which, again, is woefully incomplete) is that
Kenny will have to store all authentication information[3] in LDAP,
and point all his Samba DCs at LDAP.  One of the Samba DCs will need
to be designated the PDC; all the rest will be designated BDCs. 
Everything really goes back to LDAP, of course, but the NTLM protocol
is built around a master/slave model, and Samba has to be configured
to match.

  In this scenario, the domain members speak NTLM to Samba, and don't
know anything about LDAP.  The LDAP server(s) speak LDAP to Samba, and
don't know anything about NTLM.  Samba acts as a sort of "gateway"
between the two worlds.

  NTLM password changes would have to go to the Samba PDC, which would
presumably push them to LDAP, which would then provide updated answers
to all the Samba BDCs.

  Hope this helps,

Footnotes
---------
[1] To the best of my knowledge, anyway.  If someone knows of a
working, stable Samba AD DC implementation, please let me know!
[2] I understand work is underway to add AD control eventually, but
until then, for stable releases of Samba, the only AD support is for
Samba as an AD member (AD client).
[3] I expect that would include keeping the NTLM password hashes in
LDAP, but I don't really know.
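As an added illustration of the PDC/BDC-with-LDAP-backend arrangement described in the message above (covering both the "gateway" split and the password-change path), here are two Samba 3 smb.conf fragments, one per server. This is example configuration written for this page, not from the original post or from the Samba project's documentation. The domain name, NetBIOS names, LDAP hostnames, suffix and admin DN are placeholders. The option names (domain logons, domain master, passdb backend = ldapsam, ldap passwd sync, ldap ssl) are real Samba 3 parameters; the Samba LDAP schema does store the NT password hash in the sambaNTPassword attribute, which is why that attribute must be protected by LDAP ACLs and by TLS on the Samba-to-LDAP connection.

```ini
# ---- /etc/samba/smb.conf on the PDC (one per domain) ----
# Example configuration, not from the original post. All names are placeholders.
[global]
   workgroup = EXAMPLEDOM
   netbios name = PDC1
   security = user
   # Act as an NT-style (NTLM) domain controller; this is NOT Active Directory.
   domain logons = yes
   # Exactly one server in the domain may be domain master: the PDC.
   domain master = yes
   preferred master = yes
   local master = yes
   os level = 65

   # No local smbpasswd/tdb accounts: everything comes from the LDAP master.
   passdb backend = ldapsam:ldap://ldap-master.example.com
   ldap suffix = dc=example,dc=com
   # Bind DN used by Samba; its password is stored with: smbpasswd -w <password>
   ldap admin dn = cn=samba,dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   # Hashes (sambaNTPassword) travel over this link: require TLS.
   ldap ssl = start tls
   # NTLM password changes arrive at the PDC; write the new hashes back to LDAP
   # so the BDCs (reading the same directory or a replica) see them.
   ldap passwd sync = yes

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes

# ---- /etc/samba/smb.conf on a BDC (one per remote site) ----
[global]
   workgroup = EXAMPLEDOM
   netbios name = BDC1
   security = user
   domain logons = yes
   # A BDC must never claim the domain master role.
   domain master = no
   preferred master = no
   local master = yes
   os level = 65

   # Same directory tree, read from a local (read-only) replica for this site.
   # Account writes still have to reach the LDAP master via the PDC.
   passdb backend = ldapsam:ldap://ldap-replica.site2.example.com
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=samba,dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap ssl = start tls

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes
```

Two things to check when standing this up: every DC in the domain must carry the same domain SID (on a BDC, `net rpc getsid` fetches it from the PDC), and the LDAP ACLs should allow only the Samba bind DN to read sambaNTPassword and sambaLMPassword, since those attributes are password-equivalent for NTLM.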


