Samba PDC/BDC

Paul Lussier p.lussier at comcast.net
Tue Jan 17 21:13:00 EST 2006


Ben Scott <dragonhawk at gmail.com> writes:

>   In the case of a single NTLM domain, with a single Samba PDC at the
> home office, and a Samba BDC at the remote site, regular user
> authentication traffic at the remote site should use the BDC at that
> site.  Password changes and account modifications (including machine
> trust account auto-updates) will have to go to the PDC (over the WAN),
> though.

This is exactly what I was trying to say.  Granted, I was using LDAP
terminology, but the concept is exactly what I was trying to convey.

>   As I mentioned, it should -- *in theory* -- be possible to have two
> NTLM domains -- one for each site.  Each site's NTLM domain would have
> the Samba PDC for that domain at that site.  You can optionally have a
> BDC for either NTLM domain at either site as well.  Tie both NTLM
> domains into a single LDAP domain using different LDAP contexts in
> Samba.  Establish NTLM trust relationships between the two NTLM
> domains.

Other than the cross-domain trusts, which I was assuming (stupid me)
was a given, I think I made exactly this suggestion, just not using
these words.

>   In that case, most of the traffic for a site stays at that site. 
> The site's domain's PDC is local, so no cross-WAN traffic to update to
> the PDC for the site's domain.

Exactly!

>   LDAP would still have to replicate over the WAN, but I assume you
> consider that acceptable.

Which I also think I mentioned.

>   No need to disjoin/rejoin laptops.  A member of one NTLM domain can
> use authentication data from any trusted NTLM domain.

I assumed (again, silly me) that this was common knowledge.

>   If you have a BDC for the other site's domain at each site, then a
> visitor's authentication traffic would stay local.  The only time a
> visitor's NTLM domain traffic would cross the WAN is for a password
> change or other account update.  Without BDCs, all visitor NTLM domain
> traffic would cross the WAN, but maybe that's not common enough for
> you to worry about.

The only thing not being figured in here is the roaming profiles of
the remote users visiting the home office.  But I think you mentioned
that this would be covered by latency in accessing the profile server
triggering the use of a cached profile on the laptop being used
instead, right?
-- 

Seeya,
Paul
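The layout the two of us are describing (one NTLM domain per site, each site's PDC local, a BDC for the other site's domain so visitors authenticate locally, and one LDAP directory split into a context per domain) can be spelled out as Samba 3 `smb.conf` stanzas. The following is an added illustration, not configuration from this thread or from the Samba project; the host names, domain names, LDAP DNs and share paths are assumed, and the BDC entries assume a read-only LDAP replica at the remote site with the master at the home office as fallback.

```ini
; --- /etc/samba/smb.conf on HOMEPDC (home office, PDC for domain HOMEOFF) ---
[global]
    workgroup = HOMEOFF
    netbios name = HOMEPDC
    security = user
    domain logons = yes
    domain master = yes          ; this box is the PDC for HOMEOFF
    preferred master = yes
    local master = yes
    os level = 65
    ; all account data lives in LDAP; HOMEOFF uses its own context under the shared base
    passdb backend = ldapsam:ldap://ldap.home.example.internal
    ldap suffix = ou=HomeOffice,dc=example,dc=internal
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=samba,dc=example,dc=internal
    ldap ssl = start tls         ; never let account data cross the wire in the clear
    ; roaming profiles served from the local profile share
    logon path = \\%L\profiles\%U
    logon home = \\%L\%U
    logon drive = H:

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes

[profiles]
    path = /var/lib/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700

; --- /etc/samba/smb.conf on REMOTEPDC (remote site, PDC for domain REMOTE) ---
[global]
    workgroup = REMOTE
    netbios name = REMOTEPDC
    security = user
    domain logons = yes
    domain master = yes          ; PDC for REMOTE, so account updates stay on the LAN
    preferred master = yes
    os level = 65
    ; REMOTE keeps its own context in the same directory; LDAP replication is the
    ; only thing that has to cross the WAN for ordinary operation
    passdb backend = ldapsam:ldap://ldap.remote.example.internal
    ldap suffix = ou=Remote,dc=example,dc=internal
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=samba,dc=example,dc=internal
    ldap ssl = start tls

; --- /etc/samba/smb.conf on REMOTEBDC (remote site, BDC for domain HOMEOFF) ---
; lets home-office laptops visiting the remote site authenticate without crossing the WAN
[global]
    workgroup = HOMEOFF
    netbios name = REMOTEBDC
    security = user
    domain logons = yes
    domain master = no           ; a BDC: answers logons, never owns account changes
    preferred master = no
    os level = 40
    ; read from the local replica first; fall back to the master over the WAN
    passdb backend = ldapsam:"ldap://ldap.remote.example.internal ldap://ldap.home.example.internal"
    ldap suffix = ou=HomeOffice,dc=example,dc=internal
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=samba,dc=example,dc=internal
    ldap ssl = start tls

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes
```

The `ldap admin dn` bind password is stored with `smbpasswd -w`, not in the file. Password changes and machine trust account updates still go to the domain's PDC, exactly as Ben says; the BDC only reads. The cross-domain trust is then created on the trusted domain's PDC with `net rpc trustdom add` and completed on the trusting domain's PDC with `net rpc trustdom establish`, after which `net rpc trustdom list` on each PDC shows the relationship and the domain's own logs reveal whether visiting laptops are actually hitting the local BDC rather than the WAN.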