> Hi,
>
> I want to set up SaMBa PDC and BDC with LDAP. I read the TOSHARG2, but
> don't understand something:
>
>>Samba-3 cannot participate in true SAM replication and is therefore not
>>able to employ precisely the same protocols used by MS Windows NT4. A
>>Samba-3 BDC will not create SAM update delta files.
>
> Ok, I understand until that, but:
>
>>It will not interoperate with a PDC (NT4 or Samba) to synchronize
>>the SAM from delta files that are held by BDCs.

Samba3 BDCs cannot do SAM sync with a Windows NT4 PDC. Samba3 BDCs pass update requests to the Samba3 PDC - and the PDC will then apply the update to the LDAP directory. It is possible to configure a Samba3 BDC to update LDAP directly - the choice is yours.

>>The BDC is said to hold a read-only of the SAM from which it is able to
>>process network logon requests and authenticate users. The BDC can
>>continue to provide this service, particularly while, for example, the
>>wide-area network link to the PDC is down.
>
> So, when I have SaMBa PDC (with master LDAP) and BDC (with slave LDAP),
> can BDC update machine and/or user information or not?

Yes, when a BDC receives an update request it will pass it to the PDC.

> As I understood, only the LDAP solution is suitable for a PDC-BDC setup,
> because "domain member servers and workstations periodically change the
> Machine Trust Account password", so BDC has to update some data.
> As I understood, BDC can change at least Machine Trust Account passwords.
> Additional question: can a user change his/her login password, when he/she
> connected to the BDC (in case PDC is available and in case PDC is
> temporarily unavailable)?

It depends on how the BDC is configured to integrate with LDAP. It is possible to configure a Samba3 BDC to directly write to the LDAP master. This may not be an optimum solution, but it does work.

> I read in TOSHARG2 too that in the BDC's smb.conf,
> I don't need user/group modification scripts, so I guess, I cannot
> add/modify them from the BDC.

You can - IF the BDC is given direct write access to the LDAP directory.

- John T.
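
The direct-write option mentioned in the reply above, sketched as a BDC `smb.conf` fragment. This is an added example, not part of the original message or of TOSHARG2; the workgroup, host name, suffixes and admin DN are placeholder assumptions.

```ini
# Constructed example: [global] section of a Samba 3 BDC that writes
# straight to the LDAP master. All names below are placeholders.
[global]
    workgroup = EXAMPLE
    netbios name = BDC1
    security = user

    # BDC role: serve domain logons, but do not claim the PDC role.
    domain master = no
    domain logons = yes

    # passdb points at the writable master, so machine trust account
    # password changes and user password changes handled by this BDC
    # are written to the directory directly.
    passdb backend = ldapsam:ldap://ldap-master.example.org

    ldap suffix = dc=example,dc=org
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers

    # The BDC binds with this DN for every write. Assumption: a
    # dedicated account whose directory ACLs cover only the Samba
    # account subtrees, rather than the directory root DN.
    ldap admin dn = cn=samba-bdc,dc=example,dc=org

    # The bind carries that write-capable credential over the network,
    # so protect the connection with StartTLS.
    ldap ssl = start tls
```

The password for the `ldap admin dn` is not set in `smb.conf`; it is stored in `secrets.tdb` with `smbpasswd -w`, so that file on the BDC then holds a credential with write access to the master.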
