Section 9.3. Configuring a Samba BDC


9.3. Configuring a Samba BDC

Configuring a Samba backup domain controller seems like it would be more difficult than it actually is. To locate a PDC, Windows clients attempt to resolve the DOMAIN<0x1b> NetBIOS name. To locate all available domain controllers, clients look for the DOMAIN<0x1c> name. So, by definition, a BDC must register the <0x1c> name but not <0x1b>. This requirement translates into the following smb.conf settings:

 [global]     domain master = no     domain logons = yes 

Everything else about the BDC's configuration is identical to that of the PDC.

This step takes care of making the domain controller appear as a BDC. In order to function as a BDC, the Samba hosts must also synchronize the following information with the PDC:

  • The domain SID

  • User and group account information

  • The contents of the [netlogon] share, such as system polices and logon scripts

The first two requirements are easily met by using the ldapsam passdb. In fact, this is the primary goal for Samba's LDAP integration. There are other possible solutions that don't require deploying an LDAP directory. These all involve using rsync to periodically push the passdb storage media (files or databases) periodically from the PDC to other domain controllers.

Synchronizing the contents of the [netlogon] share is fairly easy using any one of the available replication tools. Our preferred method is to run rsync, using SSH keys for authentication, periodically from a cron job. The following script ensures that the [netlogon] shares (i.e., /data/netlogon) on the two BDCs, turtle and owl, are kept in sync with the PDC. Each BDC has the PDC's root SSH key in ~root/.ssh/authorized_keys.

 #!/bin/sh HOSTS="turtle.example.com owl.example.com" NETLOGON=/data/netlogon for h in ${HOSTS}; do     rsync -a -e ssh -delete ${NETLOGON}/ ${h}:${NETLOGON}/ done 

See SSH: The Secure Shell: The Definitive Guide, by Daniel J. Barrett and Richard E. Silverman (O'Reilly), for more information on using public-key-based authentication with SSH.


Not all information is synchronized between the PDC and BDCs. For example, because the UNC path to home directories and roaming user profiles can be stored in the user's passdb enTRy, these file shares must be maintained on a central server. There are several ways to prevent these shares from being a single point of failure, such as maintaining two servers that run high availability software such as Heartbeat (http://www.linux-ha.org) and a shared storage backend. This and other HA solutions are beyond the scope of our discussion.




Using Samba
Using Samba: A File and Print Server for Linux, Unix & Mac OS X, 3rd Edition
ISBN: 0596007698
EAN: 2147483647
Year: 2004
Pages: 135

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net