okay, this is what I did after your recommendations:

PDC owns/hosts LDAP MASTER
BDC owns/hosts LDAP SLAVE

created a manager account for SAMBA (uid=sambamanager) - all changes on the MASTER are done under this identity
cn=manager is used very seldom, just for administrative tasks on the directory (like replication)


slurpd is responsible for replication to the slave
changes are done only on the MASTER

if one of the LDAP servers dies, the samba processes and NSS are configured to fall back to the other one
samba redundancy is done by the PDC/BDC processes


ACLs on the SLAVE deny changes by uid=sambamanager
only cn=manager can write

this way, no SAMBA/NSS process can change the SLAVE directory if the MASTER is dead
this doesn't solve the problem of changing machine account passwords, but it ensures a consistent directory


thanks to all for pointing me in the right direction
greez

--


"Matrix - more than a vision"

**************************************************
                 Michael Gasch

           - Central IT Department -

Max Planck Institute for Evolutionary Anthropology
Deutscher Platz 6
04103 Leipzig

Germany
**************************************************

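The setup described in the post, written out as an added example (this is not the poster's own configuration and was not part of the original message): slapd.conf fragments for the master and the slave, plus the Samba and nss_ldap server lists that give the fallback. The hostnames pdc.example.org and bdc.example.org, the suffix dc=example,dc=org, the placement of uid=sambamanager under ou=People, the organisational units and all credentials are assumptions; the directives themselves are OpenLDAP 2.x slapd.conf/slurpd, Samba 3 ldapsam and nss_ldap syntax.

```conf
######## slapd.conf on the PDC (LDAP master) ########
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

database        bdb
suffix          "dc=example,dc=org"
directory       /var/lib/ldap
# The rootdn bypasses ACLs entirely; it is the cn=manager of the post and is
# used only for directory administration and by slurpd.
rootdn          "cn=manager,dc=example,dc=org"
# Replace with the hash printed by slappasswd; never store it in clear.
rootpw          {SSHA}replace-with-slappasswd-output

# slurpd reads this log and pushes every change to the slave, binding as the
# slave's updatedn (hostnames and credentials are assumptions).
replogfile      /var/lib/ldap/replog
replica         host=bdc.example.org:389
                binddn="cn=manager,dc=example,dc=org"
                bindmethod=simple credentials=replication-secret

# Samba's own identity is the only non-root DN allowed to write here.
# Clauses are evaluated in order; the first "access to" that matches wins.
access to attrs=sambaNTPassword,sambaLMPassword
        by dn.exact="uid=sambamanager,ou=People,dc=example,dc=org" write
        by * none
access to attrs=userPassword
        by dn.exact="uid=sambamanager,ou=People,dc=example,dc=org" write
        by self write
        by anonymous auth
        by * none
access to *
        by dn.exact="uid=sambamanager,ou=People,dc=example,dc=org" write
        by * read

######## slapd.conf on the BDC (LDAP slave) ########
# (same include / database / suffix / directory / rootdn lines as above)
# Only the updatedn may write; every other write gets a referral to updateref.
updatedn        "cn=manager,dc=example,dc=org"
updateref       ldap://pdc.example.org

# The ACLs state the same intent explicitly: uid=sambamanager can read what
# Samba and NSS need, but never modify the slave, even while the master is down.
access to attrs=sambaNTPassword,sambaLMPassword
        by dn.exact="uid=sambamanager,ou=People,dc=example,dc=org" read
        by * none
access to attrs=userPassword
        by dn.exact="uid=sambamanager,ou=People,dc=example,dc=org" read
        by anonymous auth
        by * none
access to *
        by dn.exact="uid=sambamanager,ou=People,dc=example,dc=org" read
        by * read

######## smb.conf [global] on both the PDC and the BDC ########
[global]
        # Samba tries the servers in order and falls back to the next one.
        passdb backend = ldapsam:"ldap://pdc.example.org ldap://bdc.example.org"
        ldap admin dn = uid=sambamanager,ou=People,dc=example,dc=org
        ldap suffix = dc=example,dc=org
        ldap user suffix = ou=People
        ldap machine suffix = ou=Computers
        ldap group suffix = ou=Groups
        # The password for "ldap admin dn" lives in secrets.tdb, set once with:
        #   smbpasswd -w <password-of-uid=sambamanager>

######## /etc/ldap.conf for nss_ldap on both hosts ########
# Several URIs give NSS the same fallback; lookups are anonymous and read-only.
uri ldap://pdc.example.org ldap://bdc.example.org
base dc=example,dc=org
bind_policy soft
```

On the slave, updatedn and updateref already refuse writes from anything but cn=manager by returning a referral to the master, so a Samba process that tries to update a machine account while the master is down fails instead of creating a change that only exists on the slave; the read-only ACL for uid=sambamanager repeats that rule in a form that does not depend on the referral being honoured. cn=manager is the rootdn on both servers and is therefore not subject to the ACLs at all, which is why slurpd's replication binds succeed while every Samba write is rejected.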