Samba PDC/BDC

Ben Scott dragonhawk at gmail.com
Tue Jan 17 20:26:01 EST 2006


On 1/17/06, klussier at comcast.net <klussier at comcast.net> wrote:
> I inherited a Windows server that is acting as an AD domain controller. It is a terrible
> POS and is constantly having problems.

  I've found a lot of Windows servers are that way.  I suspect that
reflects the quality of both Windows itself and your typical Windows
system operator.

> My question was originally "Can I have a Samba server over there act as a PDC for
> them using the same Windows Domain".

  Well, strictly speaking, you never asked *that*.  :)  The answer to
*that* is a firm "no".  You cannot have two Primary Domain Controllers
in the same NTLM domain.

  You *did* ask if you could have a single NTLM domain, with your
home-office Samba as the PDC, and the remote-office Samba act as a
BDC.  The short answer to that is "yes".  For the full treatment, see
the Samba HOWTO:

http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html

  As I've said, I've never really done anything much with LDAP, so
I've never done most of the stuff that talks about.  But heck, I can
at least RTFHOWTO, which is apparently more than most people around
here do.  ;-)

  In the case of a single NTLM domain, with a single Samba PDC at the
home office, and a Samba BDC at the remote site, regular user
authentication traffic at the remote site should use the BDC at that
site.  Password changes and account modifications (including machine
trust account auto-updates) will have to go to the PDC (over the WAN),
though.

> That question came about because it was brought to my attention that there will be
> traveling between here and there quite often, and re-configuring their laptops for a
> different windows domain is a PITA.

  As I mentioned, it should -- *in theory* -- be possible to have two
NTLM domains -- one for each site.  Each site's NTLM domain would have
the Samba PDC for that domain at that site.  You can optionally have a
BDC for either NTLM domain at either site as well.  Tie both NTLM
domains into a single LDAP domain using different LDAP contexts in
Samba.  Establish NTLM trust relationships between the two NTLM
domains.

  In that case, most of the traffic for a site stays at that site.
The site's domain's PDC is local, so no cross-WAN traffic to update
the PDC for the site's domain.

  LDAP would still have to replicate over the WAN, but I assume you
consider that acceptable.

  No need to disjoin/rejoin laptops.  A member of one NTLM domain can
use authentication data from any trusted NTLM domain.

  If you have a BDC for the other site's domain at each site, then a
visitor's authentication traffic would stay local.  The only time a
visitor's NTLM domain traffic would cross the WAN is for a password
change or other account update.  Without BDCs, all visitor NTLM domain
traffic would cross the WAN, but maybe that's not common enough for
you to worry about.

  Again, this is all in theory.  Check it first.  :-)

-- Ben "Google Local doesn't know where 'theory' is.  Darn." Scott
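The two layouts Ben describes, sketched as smb.conf fragments. This is an added example, not configuration from the post, from the original poster's servers, or from the Samba HOWTO; it is three separate smb.conf files (one per controller) shown one after another. The domain names HOME and REMOTE, the host names, the 10.0.1.10 address, the LDAP suffixes and the smbldap-tools path are all assumptions.

```ini
; ---- Site A (home office): Samba PDC for the NTLM domain HOME ----
[global]
    workgroup = HOME
    netbios name = PDC-A
    security = user
    domain logons = yes
    domain master = yes        ; exactly one PDC per NTLM domain
    preferred master = yes
    local master = yes
    os level = 65
    wins support = yes

    ; Accounts live in LDAP; the PDC binds to the LDAP master at this site.
    ; Store the bind password first with: smbpasswd -w '<ldap admin password>'
    passdb backend = ldapsam:ldap://ldap-master.home.example.org
    ldap admin dn = cn=samba-admin,dc=example,dc=org
    ldap suffix = ou=HOME,dc=example,dc=org
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    ldap passwd sync = yes
    ldap ssl = start tls       ; the bind carries the admin password and NT hashes

    ; Machine trust accounts are created here, on the PDC, when a workstation joins.
    add machine script = /usr/sbin/smbldap-useradd -w "%u"

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes

; ---- Site B (remote office): Samba BDC for the same domain HOME ----
[global]
    workgroup = HOME
    netbios name = BDC-B
    security = user
    domain logons = yes
    domain master = no         ; a BDC must never claim the PDC role
    preferred master = yes
    local master = yes
    os level = 65
    wins server = 10.0.1.10    ; the PDC's address (assumed)

    ; Logons at this site are answered from the local LDAP replica, so ordinary
    ; authentication stays on the LAN.  Password changes and machine-account
    ; updates are writes; the replica must hand them on to the master at site A.
    passdb backend = ldapsam:ldap://ldap-replica.remote.example.org
    ldap admin dn = cn=samba-admin,dc=example,dc=org
    ldap suffix = ou=HOME,dc=example,dc=org
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    ldap ssl = start tls

; Before starting the BDC, pull the domain SID from the PDC so both controllers
; issue identical SIDs:   net rpc getsid -S PDC-A -U root%<password>

; ---- Variant: two trusting NTLM domains sharing one directory ----
; The remote site runs its own PDC instead of a BDC.  Only these lines differ
; from the PDC block above; every other setting is the same.
[global]
    workgroup = REMOTE
    netbios name = PDC-B
    domain master = yes
    passdb backend = ldapsam:ldap://ldap-master.remote.example.org
    ldap suffix = ou=REMOTE,dc=example,dc=org   ; separate context, same directory

; Trust, so that HOME accounts can log on to REMOTE members:
;   on PDC-A (trusted side):   net rpc trustdom add REMOTE -U root%<password>
;   on PDC-B (trusting side):  net rpc trustdom establish HOME
; Run the same pair the other way round for a two-way trust.
```

Two things to check before relying on either layout. First, the sambaNTPassword attribute that LDAP replicates across the WAN is the NT hash itself, which is enough to authenticate as the user, so replication between the two sites belongs inside TLS or a VPN, and `ldap ssl = start tls` keeps Samba's own binds (which carry the admin DN's password) off the wire in the clear. Second, `testparm` on each controller will flag a typo in the parameter names above, but it will not tell you whether the replica at site B actually forwards writes to the master; test a password change from a remote-site workstation and confirm it lands in the directory at site A, since that is the WAN round trip Ben says is unavoidable.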
