PINTO ELIA wrote:
>
> Hi all
>
> We are migrating from an AS/U (Advanced Server for Unix)/NT environment to
> Samba/NT, using the Samba 3.0 alpha19.
> We have implemented a domain with Samba acting as both PDC and BDC. Also we
> use OpenLDAP as Samba backend in multimaster replication to realize the
> SAM synchronization between PDC and BDC. At the moment not all our
> requirements are satisfied. We'd like to have your help to overcome the
> obstacles. Following are the questions raised during our implementation:
>
> 1) Samba schema does not include the Domain groups and the
> domain SID. Is it scheduled to include these in the Samba schema? I think
> that is useful (no local
> Secrets.tdb and group_mapping.tdb to replicate via rsync)

We are actively looking at these issues, and the best way to solve them
in both the long and short term.

> 2) About BDC, could I update the user accounts when the PDC is
> down? Is the BDC read-only like NT for the SAM?

Yes, the BDC is considered read-only. If you really have a multimaster
replication scheme, then you could 'flip' the BDC up to a PDC for that
period, but Windows clients won't attempt to send updates to a BDC.
pdbedit/smbpasswd etc. don't actually know about this, so would attempt to
update regardless.

> 3) We have dumped the SAM database from the AS/U server to
> fully migrate our environment to Samba. We've seen that some machine
> accounts and interdomain trust accounts have the lanman password length = 0,
> lm password null and ntpasswd not null.

This is correct. Samba only sets both for historical reasons. It sets
them to the same value too...

> How would Samba interpret that behavior? Does that mean we
> should put "NO PASSWORDxxx...", or "disabled" for those accounts? I have
> also found that after removing lmPassword from the SAMBA LDAP interdomain
> trust account (with ldapmodify) the trust seems to work, but is this the
> right thing to do?

In Samba 3.0, this should be fine. I put a bit of work into ensuring
that 'magic' tests on the value of the LM password no longer apply.

> 4) What does the acctFlag for "MNS logon account" mean?

No idea...

> We hope you could kindly give us some suggestions. At the end of our project
> we'd like to publish our experiences if they could contribute to the Samba
> community.

I look forward to hearing how you go.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
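
A migration check for the situation in question 3, as an added example (not code from this thread or from Samba): it scans an LDIF export for accounts that carry an NT hash but no usable LM hash and decodes their account flags, so you can confirm they are the machine and trust accounts you expect. The LDIF entries are constructed, and the attribute names lmPassword, ntPassword and acctFlags are assumed to match the schema in use.

```python
import re

# Account-control letters used in Samba's bracketed flags field.
FLAG_NAMES = {"N": "no password required", "D": "disabled", "U": "normal user",
              "M": "MNS logon account", "W": "workstation trust",
              "S": "server trust", "I": "interdomain trust"}
HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")  # a stored hash is 32 hex digits

# Constructed sample export; every DN, name and hash is made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
lmPassword: 0123456789ABCDEF0123456789ABCDEF
ntPassword: FEDCBA9876543210FEDCBA9876543210
acctFlags: [U          ]

dn: uid=ws01$,ou=Computers,dc=example,dc=org
uid: ws01$
ntPassword: 00112233445566778899AABBCCDDEEFF
acctFlags: [W          ]

dn: uid=otherdom$,ou=Computers,dc=example,dc=org
uid: otherdom$
lmPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
ntPassword: 8899AABBCCDDEEFF0011223344556677
acctFlags: [I          ]
"""

def parse_entries(ldif):
    """Split simple LDIF (no folded or base64 lines) into attribute dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        pairs = (line.partition(": ") for line in block.splitlines())
        entries.append({key: value for key, sep, value in pairs if sep})
    return entries

def decode_flags(field):  # '[W          ]' -> ['workstation trust']
    return [FLAG_NAMES.get(c, "unknown flag " + c) for c in field.strip("[] ")]

def lm_missing_nt_present(entries):
    """Return (uid, flags) for accounts with an NT hash but no usable LM hash."""
    usable = lambda e, attr: bool(HASH_RE.match(e.get(attr, "")))
    return [(e.get("uid", "?"), decode_flags(e.get("acctFlags", "")))
            for e in entries
            if usable(e, "ntPassword") and not usable(e, "lmPassword")]

if __name__ == "__main__":
    for uid, flags in lm_missing_nt_present(parse_entries(SAMPLE_LDIF)):
        print(uid, ", ".join(flags))
```

Any hit whose flags include "normal user" rather than a trust type is worth a second look before the migrated directory goes live.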