As I see it, when I send a reply and leave [samba] in the subject, the SaMBa archive gets confused. My topic is in several threads. Sorry.
> Look, I'm not sure if my emails are getting through or not, but drop this
> multi PDC thing. It's just more complexity.

Dropped :)

> You need some sort of LDAP replication because you want authentication done
> locally. Multi-master is more difficult to set up, but more flexible. There
> are other schemes. I had some 16 servers set up this way and had very few
> difficulties. It is quite resilient and reliable. Here is a good primer:
>
> http://www.zytrax.com/books/ldap/ch7/

Thank you. It is important to me that people who have more experience than me answer. Last year, when I set up my present system, I used zytrax.com, and I found it very useful. At that time, I read about all the LDAP replication versions, and I finally chose a master-slave configuration with the refreshAndPersist replication method.

> > a. Master LDAP server in the HQ, and slave in the branch site, according
> > to the SaMBa guide.
> > b. Branch site uses master LDAP server too. It looks tempting, but
> > difficult/dangerous to me.
> > 2. PDC on the HQ, BDC on the branch site
> > a. Branch site uses slave LDAP server.
> > b. Branch site uses master LDAP server too.
> > In 1/a and 2/a, the VPN outage could be a problem. Am I right?
>
> No, the b's are the problem if the VPN is down. They're calling the
> "master" which is at the other end of the VPN. The a's have a slave copy.
> All is good, unless they need to write to LDAP. How much LDAP writing goes
> on in the branch?

Very few. I think users change their passwords very rarely. I manage users with my own scripts, which call the smbldap-tools scripts. One important thing remains: machine account passwords. It is automatic, and is repeated periodically. A longer-than-some-minutes outage could be a serious problem. Fortunately, it can be ruled: http://support.microsoft.com/kb/175468/ I'm going to disable the machine account password change for the clients in the branch office.

> > As I know, only the PDC writes to the LDAP database. Is that true?
>
> No. If you're using smbldap-tools, the ldap calls are made via
> smbldap_bind.conf. So with multi-master this whole dual PDC thing is fairly
> useless. See, Multi-master...all are writable.

Now, I don't use smbldap-passwd for password changes. I use pam-ldap for it, because in case of a VPN outage this situation has the same drawback.

> > So, my main problem is the unreliable ADSL line. Can we live with a slave
> > server in the branch office?
>
> Yes, using Replication refreshOnly or Replication refreshAndPersist. You
> can truly go apeshit with this stuff, making only pieces of the DIT
> available to branches. Very nifty once you get it down.

So, I'm going to set up a slave LDAP server in the branch site. It won't be flexible, but I don't want troubles. If I had had more time, I would have made a test system first, with multi-master replication. Thanks all for your help, and if you have additional thoughts, they are welcome.
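The setup settled on above (HQ master, refreshAndPersist slave in the branch, Samba BDC bound to the local slave) as an added configuration example; it is not from the original thread or from the Samba documentation. The suffix, hostnames, the replication DN and the credential are assumed placeholders.

```conf
# --- HQ master (provider): slapd.conf fragment ---
moduleload  syncprov.la
database    bdb
suffix      "dc=example,dc=com"            # assumed base DN
rootdn      "cn=admin,dc=example,dc=com"
directory   /var/lib/ldap
# Serve syncrepl consumers; checkpoint the contextCSN every 100 ops / 10 min
overlay     syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# Replication account may read the whole DIT; everything else falls through
access to * by dn.exact="cn=replicator,dc=example,dc=com" read by * break

# --- Branch slave (consumer): slapd.conf fragment ---
database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=admin,dc=example,dc=com"
directory   /var/lib/ldap
# refreshAndPersist keeps a connection open to HQ so changes arrive as they
# happen; retry="60 +" reconnects every 60 s for as long as the VPN is down,
# and the local copy keeps answering reads in the meantime.
syncrepl rid=001
         provider=ldap://ldap-hq.example.com
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=example,dc=com"
         scope=sub
         attrs="*,+"
         bindmethod=simple
         binddn="cn=replicator,dc=example,dc=com"
         credentials="CHANGEME"            # assumed; use a real secret
         schemachecking=off
# The slave is read-only: clients that try to write get a referral to HQ
updateref   ldap://ldap-hq.example.com

# --- Branch BDC: smb.conf fragment ---
[global]
   workgroup = EXAMPLE                     # assumed domain name
   domain logons = yes
   domain master = no                      # the HQ PDC keeps domain master = yes
   passdb backend = ldapsam:ldap://127.0.0.1
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=admin,dc=example,dc=com
   # Samba follows the updateref to HQ for writes (e.g. a machine password
   # change) and then waits this long for the change to replicate back
   ldap replication sleep = 1000
```

With the VPN down, logons in the branch keep working from the slave, while anything that must write (password or machine account changes) fails until HQ is reachable again, which is why the machine account password change was disabled for the branch clients.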
