1 <chapter id="samba-bdc">
8 <title>Backup Domain Control</title>
11 Before you continue reading in this section, please make sure that you are comfortable
12 with configuring a Samba Domain Controller as described in the
13 <link linkend="samba-pdc">Domain Control</link> chapter.
17 <title>Features And Benefits</title>
20 This is one of the most difficult chapters to summarise. It does not matter what we say here
21 for someone will still draw conclusions and / or approach the Samba-Team with expectations
22 that are either not yet capable of being delivered, or that can be achieved far more
23 effectively using a totally different approach. Since this HOWTO is already so large and
24 extensive, we have taken the decision to provide sufficient (but not comprehensive)
25 information regarding Backup Domain Control. In the event that you should have a persistent
26 concern that is not addressed in this HOWTO document then please email
27 <ulink url="mailto:jht@samba.org">John H Terpstra</ulink> clearly setting out your requirements
28 and / or question and we will do our best to provide a solution.
32 Samba-3 is capable of acting as a Backup Domain Controller to another Samba Primary Domain
33 Controller. A Samba-3 PDC can operate with an LDAP Account backend. The Samba-3 BDC can
34 operate with a slave LDAP server for the Account backend. This effectively gives samba a high
35 degree of scalability. This is a very sweet (nice) solution for large organisations.
39 While it is possible to run a Samba-3 BDC with non-LDAP backend, the administrator will
40 need to figure out precisely what is the best way to replicate (copy / distribute) the
41 user and machine Accounts backend.
45 The use of a non-LDAP backend SAM database is particularly problematic because Domain member
46 servers and workstations periodically change the machine trust account password. The new
47 password is then stored only locally. This means that in the absence of a centrally stored
48 accounts database (such as that provided with an LDAP based solution) if Samba-3 is running
49 as a BDC, the BDC instance of the Domain member trust account password will not reach the
50 PDC (master) copy of the SAM. If the PDC SAM is then replicated to BDCs this results in
51 overwriting of the SAM that contains the updated (changed) trust account password with resulting
52 breakage of the domain trust.
56 Considering the number of comments and questions raised concerning how to configure a BDC
57 lets consider each possible option and look at the pro's and con's for each theoretical solution:
61 <title>Backup Domain Backend Account Distribution Options</title>
63 Solution: Passwd Backend is LDAP based, BDCs use a slave LDAP server
67 Arguments For: This is a neat and manageable solution. The LDAP based SAM (ldapsam)
68 is constantly kept up to date.
72 Arguments Against: Complexity
77 Passdb Backend is tdbsam based, BDCs use cron based "net rpc vampire" to
78 suck down the Accounts database from the PDC
82 Arguments For: It would be a nice solution
86 Arguments Against: It does not work because Samba-3 does not support the required
87 protocols. This may become a later feature but is not available today.
92 Make use of rsync to replicate (pull down) copies of the essential account files
96 Arguments For: It is a simple solution, easy to set up as a scheduled job
100 Arguments Against: This will over-write the locally changed machine trust account
101 passwords. This is a broken and flawed solution. Do NOT do this.
106 Operate with an entirely local accounts database (not recommended)
110 Arguments For: Simple, easy to maintain
114 Arguments Against: All machine trust accounts and user accounts will be locally
115 maintained. Domain users will NOT be able to roam from office to office. This is
116 a broken and flawed solution. Do NOT do this.
125 <title>Essential Background Information</title>
128 A Domain Controller is a machine that is able to answer logon requests from network
129 workstations. Microsoft LanManager and IBM LanServer were two early products that
130 provided this capability. The technology has become known as the LanMan Netlogon service.
134 When MS Windows NT3.10 was first released, it supported an new style of Domain Control
135 and with it a new form of the network logon service that has extended functionality.
136 This service became known as the NT NetLogon Service. The nature of this service has
137 changed with the evolution of MS Windows NT and today provides a very complex array of
138 services that are implemented over a complex spectrum of technologies.
142 <title>MS Windows NT4 Style Domain Control</title>
145 Whenever a user logs into a Windows NT4 / 200x / XP Professional Workstation,
146 the workstation connects to a Domain Controller (authentication server) to validate
147 the username and password that the user entered are valid. If the information entered
148 does not validate against the account information that has been stored in the Domain
149 Control database (the SAM, or Security Account Manager database) then a set of error
150 codes is returned to the workstation that has made the authentication request.
154 When the username / password pair has been validated, the Domain Controller
155 (authentication server) will respond with full enumeration of the account information
156 that has been stored regarding that user in the User and Machine Accounts database
157 for that Domain. This information contains a complete network access profile for
158 the user but excludes any information that is particular to the user's desktop profile,
159 or for that matter it excludes all desktop profiles for groups that the user may
160 belong to. It does include password time limits, password uniqueness controls,
161 network access time limits, account validity information, machine names from which the
162 user may access the network, and much more. All this information was stored in the SAM
163 in all versions of MS Windows NT (3.10, 3.50, 3.51, 4.0).
167 The account information (user and machine) on Domain Controllers is stored in two files,
168 one containing the Security information and the other the SAM. These are stored in files
169 by the same name in the <filename>C:\WinNT\System32\config</filename> directory. These
170 are the files that are involved in replication of the SAM database where Backup Domain
171 Controllers are present on the network.
175 There are two situations in which it is desirable to install Backup Domain Controllers:
180 On the local network that the Primary Domain Controller is on, if there are many
181 workstations and/or where the PDC is generally very busy. In this case the BDCs
182 will pick up network logon requests and help to add robustness to network services.
186 At each remote site, to reduce wide area network traffic and to add stability to
187 remote network operations. The design of the network, the strategic placement of
188 Backup Domain Controllers, together with an implementation that localises as much
189 of network to client interchange as possible will help to minimise wide area network
190 bandwidth needs (and thus costs).
195 The PDC contains the master copy of the SAM. In the event that an administrator makes a
196 change to the user account database while physically present on the local network that
197 has the PDC, the change will likely be made directly to the PDC instance of the master
198 copy of the SAM. In the event that this update may be performed in a branch office the
199 change will likely be stored in a delta file on the local BDC. The BDC will then send
200 a trigger to the PDC to commence the process of SAM synchronisation. The PDC will then
201 request the delta from the BDC and apply it to the master SAM. The PDC will then contact
202 all the BDCs in the Domain and trigger them to obtain the update and then apply that to
203 their own copy of the SAM.
207 Thus the BDC is said to hold a <emphasis>read-only</emphasis> of the SAM from which
208 it is able to process network logon requests and to authenticate users. The BDC can
209 continue to provide this service, particularly while, for example, the wide area
210 network link to the PDC is down. Thus a BDC plays a very important role in both
211 maintenance of Domain security as well as in network integrity.
215 In the event that the PDC should need to be taken out of service, or if it dies, then
216 one of the BDCs can be promoted to a PDC. If this happens while the original PDC is on
217 line then it is automatically demoted to a BDC. This is an important aspect of Domain
218 Controller management. The tool that is used to affect a promotion or a demotion is the
219 Server Manager for Domains.
223 <title>Example PDC Configuration</title>
226 Since version 2.2 Samba officially supports domain logons for all current Windows Clients,
227 including Windows NT4, 2003 and XP Professional. For samba to be enabled as a PDC some
228 parameters in the <parameter>[global]</parameter>-section of the &smb.conf; have to be set:
231 <para><programlisting>
235 </programlisting></para>
238 Several other things like a <parameter>[homes]</parameter> and a <parameter>[netlogon]</parameter> share also need to be set along with
239 settings for the profile path, the users home drive, etc.. This will not be covered in this
240 chapter, for more information please refer to the chapter on <link linkend="samba-pdc">Domain Control</link>.
247 <title>Active Directory Domain Control</title>
250 As of the release of MS Windows 2000 and Active Directory, this information is now stored
251 in a directory that can be replicated and for which partial or full administrative control
252 can be delegated. Samba-3 is NOT able to be a Domain Controller within an Active Directory
253 tree, and it can not be an Active Directory server. This means that Samba-3 also can NOT
254 act as a Backup Domain Controller to an Active Directory Domain Controller.
260 <title>What qualifies a Domain Controller on the network?</title>
263 Every machine that is a Domain Controller for the domain SAMBA has to register the NetBIOS
264 group name SAMBA<#1c> with the WINS server and/or by broadcast on the local network.
265 The PDC also registers the unique NetBIOS name SAMBA<#1b> with the WINS server.
266 The name type <#1b> name is normally reserved for the Domain Master Browser, a role
267 that has nothing to do with anything related to authentication, but the Microsoft Domain
268 implementation requires the domain master browser to be on the same machine as the PDC.
274 <title>How does a Workstation find its domain controller?</title>
277 An MS Windows NT4 / 200x / XP Professional workstation in the domain SAMBA that wants a
278 local user to be authenticated has to find the domain controller for SAMBA. It does this
279 by doing a NetBIOS name query for the group name SAMBA<#1c>. It assumes that each
280 of the machines it gets back from the queries is a domain controller and can answer logon
281 requests. To not open security holes both the workstation and the selected domain controller
282 authenticate each other. After that the workstation sends the user's credentials (name and
283 password) to the local Domain Controller, for validation.
291 <title>Backup Domain Controller Configuration</title>
294 Several things have to be done:
299 The domain SID has to be the same on the PDC and the BDC. This used to
300 be stored in the file private/MACHINE.SID. This file is not created
301 anymore since Samba 2.2.5 or even earlier. Nowadays the domain SID is
302 stored in the file private/secrets.tdb. Simply copying the secrets.tdb
303 from the PDC to the BDC does not work, as the BDC would
304 generate a new SID for itself and override the domain SID with this
308 To retrieve the domain SID from the PDC or an existing BDC and store it in the
309 secrets.tdb, execute:
312 &rootprompt;<userinput>net rpc getsid</userinput>
317 The Unix user database has to be synchronized from the PDC to the
318 BDC. This means that both the /etc/passwd and /etc/group have to be
319 replicated from the PDC to the BDC. This can be done manually
320 whenever changes are made, or the PDC is set up as a NIS master
321 server and the BDC as a NIS slave server. To set up the BDC as a
322 mere NIS client would not be enough, as the BDC would not be able to
323 access its user database in case of a PDC failure. NIS is by no means
324 the only method to synchronize passwords. An LDAP solution would work
330 The Samba password database has to be replicated from the PDC to the BDC.
331 As said above, though possible to synchronise the <filename>smbpasswd</filename>
332 file with rsync and ssh, this method is broken and flawed, and is
333 therefore not recommended. A better solution is to set up slave LDAP
334 servers for each BDC and a master LDAP server for the PDC.
338 Any netlogon share has to be replicated from the PDC to the
339 BDC. This can be done manually whenever login scripts are changed,
340 or it can be done automatically together with the smbpasswd
347 <title>Example Configuration</title>
350 Finally, the BDC has to be found by the workstations. This can be done by setting:
353 <para><programlisting>
357 </programlisting></para>
360 in the <parameter>[global]</parameter>-section of the &smb.conf; of the BDC. This makes the BDC
361 only register the name SAMBA<#1c> with the WINS server. This is no
362 problem as the name SAMBA<#1c> is a NetBIOS group name that is meant to
363 be registered by more than one machine. The parameter 'domain master =
364 no' forces the BDC not to register SAMBA<#1b> which as a unique NetBIOS
365 name is reserved for the Primary Domain Controller.
372 <title>Common Errors</title>
375 As this is a rather new area for Samba there are not many examples that we may refer to. Keep
376 watching for updates to this section.
380 <title>Machine Accounts keep expiring, what can I do?</title>
383 This problem will occur when occur when the passdb (SAM) files are copied from a central
384 server but the local Backup Domain Controllers. Local machine trust account password updates
385 are not copied back to the central server. The newer machine account password is then over
386 written when the SAM is copied from the PDC. The result is that the Domain member machine
387 on start up will find that it's passwords does not match the one now in the database and
388 since the startup security check will now fail, this machine will not allow logon attempts
389 to proceed and the account expiry error will be reported.
393 The solution: use a more robust passdb backend, such as the ldapsam backend, setting up
394 an slave LDAP server for each BDC, and a master LDAP server for the PDC.
400 <title>Can Samba be a Backup Domain Controller to an NT4 PDC?</title>
403 With version 2.2, no. The native NT4 SAM replication protocols have not yet been fully
404 implemented. The Samba Team is working on understanding and implementing the protocols,
405 but this work has not been finished for version 2.2.
409 With version 3.0, the work on both the replication protocols and a suitable storage
410 mechanism has progressed, and some form of NT4 BDC support is expected soon.
414 Can I get the benefits of a BDC with Samba? Yes. The main reason for implementing a
415 BDC is availability. If the PDC is a Samba machine, a second Samba machine can be set up to
416 service logon requests whenever the PDC is down.
422 <title>How do I replicate the smbpasswd file?</title>
425 Replication of the smbpasswd file is sensitive. It has to be done whenever changes
426 to the SAM are made. Every user's password change is done in the smbpasswd file and
427 has to be replicated to the BDC. So replicating the smbpasswd file very often is necessary.
431 As the smbpasswd file contains plain text password equivalents, it must not be
432 sent unencrypted over the wire. The best way to set up smbpasswd replication from
433 the PDC to the BDC is to use the utility rsync. rsync can use ssh as a transport.
434 Ssh itself can be set up to accept <emphasis>only</emphasis> rsync transfer without requiring the user
439 As said a few times before, use of this method is broken and flawed. Machine trust
440 accounts will go out of sync, resulting in a very broken domain. This method is
441 <emphasis>not</emphasis> recommended. Try using LDAP instead.
447 <title>Can I do this all with LDAP?</title>
450 The simple answer is YES. Samba's pdb_ldap code supports binding to a replica
451 LDAP server, and will also follow referrals and rebind to the master if it ever
452 needs to make a modification to the database. (Normally BDCs are read only, so
453 this will not occur often).
git.samba.org / kai / samba-autobuild / .git / blob