Jim -
There's no "backup PDC" - there is one PDC per NT domain (an MS construct
and is NOT the same as an IP domain, for those of you who didn't realize
there's a maddening distinction) and you can have one or many BDCs for that
PDC in the domain. Quoting from O'Reilly's Using Samba on p. 20, "...Samba
currently cannot serve as a backup domain controller." This is because MS'
protocol for syncing Security Account Manager (SAM) data among PDCs and BDCs
is closed.
[Note: My O'Reilly book speaks to Samba 2.0 with foreknowledge of 2.1. It
says that full support for the NT DC protocol will be in 2.1; the Samba team
has been able to reverse-engineer that much. Just the same, my
understanding is that Samba still can't act as a BDC yet. My personal
speculation is that the BDC function will first arrive (if it hasn't
already) in a form that is only usable when you are also using a Samba
server for a PDC. There's one other Samba function that has a similar
caveat but at the moment I can't recall what it is.]
You are right in that clients and servers in an NT domain will seek and
utilize the SAM of any PDC or BDC in the NT domain that responds to a query
first, but I think where you're going astray is where you say "the samba
[server] will be seen as PDC [by a client]." In an NT domain with a PDC and
at least one BDC, IIRC, one BDC or another will get promoted to PDC if the
original PDC fails (this is NT after all, right? ;-) ). The big distinction
between a BDC and a PDC is that a BDC's SAM can only get updated by a PDC
whereas user/admin input can change the SAM data on the PDC. Because Samba
can't sync SAM data yet (it appears that it can maintain a Linux analog to a
SAM because it can act as a PDC), a Samba machine can't be seen as a DC at
all if it's not set up as the (sole) PDC, no matter how much faster it can
respond.
OK, here's where my Samba mojo gets a little squirrely. Where you say
...add the Samba box as a BDC. Now it is 'official' to the NT stuff and the
conflicts go away. Most of the clients will notice a speed-up of login
processes. And the NT box will speed up by not having to do it all. The
Samba box won't notice the load.
I think what you've done is something that's backed-down somewhat compared
to a BDC. If you set Samba up to enable domain logons and have set
"security = server", I think that all that's happening if/when the Samba
machine responds to an auth request first is that it just passes the
authentication off to the NT PDC (remember, it's not getting SAM data from
anywhere). I would think that that would actually tend to slow logons down
because it would add steps to the process. There would be an overall minor
improvement to browsing, though, if your Samba machine were winning the
local master browser election (as mine is).
Is anybody else as ready for Novell NDS for Linux as I am?
- Jeff
-----Original Message-----
From: Jim Kinney [mailto:">jkinney@wizardinc.net]
Sent: Friday, March 03, 2000 9:33 AM
To: Jeff Hubbs
Cc: ">ale@ale.org
Subject: Re: [ale] Samba taking over as PDC on NT network?
Yes and no. There are PDC's and backup PDC's. If a request is made that
requires a response from the PDC, just as in quake, shortest ping wins. So
since an unloaded samba server _will_ respond faster than nearly any loaded
NT server, the samba one will be seen as PDC. If the request is an initial
one, the client machine will store the location of the responder. Next
reqest will be directed to the previous responder. If the next responce
"times out", the client will request on a broadcast, like the initial one,
and the NT PDC will have a chance to weigh in.
What the PDC means is only a single machine to update access info on. It
will then propagate down to all the other backup DC's. This does make
maintenance of the large distributed domains easier. Usually, after an a
change to the access tables, pushing the updated info to the other DC's
ensures they are all synced ASAP.
What you said is exactly my understanding of how things are "supposed" to
work. I have had problems with Samba's trying to be PDC's and PDC's
complaining. An easy way to solve this, and it works to annoy the NT admin,
is to add the Samba box as a BDC. Now it is "official" to the NT stuff and
the conflicts go away. Most of the clients will notice a speed-up of login
processes. And the NT box will speed up by not having to do it all. The
Samba box won't notice the load ;)
As for the "no DMB" problem you mentioned, it looks like your diagnosis is
probably correct.
I have a different Samba manual. "Samba Administrators Handbook" by
Brooksbank, Haberberger, and Doyle. Published by M&T Books. It coveres up
through 2.02 (I think). I haven't bought a copy of the O'Reilly book yet.
Jeff Hubbs wrote:
But a Samba machine doesn't "win" or "claim" PDC, does it? Under NT Server,
you tell the machine at install time whether to be a PDC, a BDC, or nothing.
Under Samba, you set a series of parameters that makes the machine do
everything a PDC does (walks like a duck, quacks like a duck...you know the
rest). If I read and interpret O'Reilly correctly, you won't cause a
problem between Samba and an NT PDC if you a) disable domain logons b)
disable trying to be a domain master browser. I am not sure, but I get the
feeling that if you enable domain logons but have "security = server" and
point to a password server then your domain logon capability doesn't really
do anything. I think that when you run in to trouble is when you try to do
something on your Samba box that is supposed to be unique on a subnet or NT
domain and there is an NT PDC already doing it. By the way, I have the
following entries showing up in my log.nmb every few minutes (suppose that
"DOMAIN_NAME" is the actual name of my
domain):find_domain_master_name_query_fail:Unable to find the Domain Master
Browser DOMAIN_NAME for the workgroup DOMAIN_NAME.Unable to sync browse
lists in this workgroup.I don't understand why I would be seeing this unless
there are no NT servers here that are acting as the Domain Master Browser
(which, again, is NOT the same as acting as a PDC although under NT they are
usually the same box). Any other/better interpretations?- Jeff
[Jeff Hubbs] -----Original Message-----
From: Jim Kinney [ mailto:">jkinney@wizardinc.net
">jkinney@wizardinc.net> ]
Sent: Thursday, March 02, 2000 3:59 PM
To: ">ale@ale.org
Subject: Re: [ale] Samba taking over as PDC on NT network?
Another aspect of this is if the samba machine wins PDC status and is NOT
setup for handeling domain logins. This will cause problems for users trying
to login. Their client (Winxx) requests a *whois PDC?* and then sends login
data to the PDC for verification. If the samba server has won as PDC, logins
are disallowed unless configured.
Either way I look at it, the NT admin hasn't done their job well if a samba
box can claim PDC without reconfiguring the main NT servers.
Jeff Hubbs wrote:
I've been reading up on this very thing (O'Reilly) so I know the proverbial
"thing or two"
(but I don't claim Samba guru status, ok?).
There is a big giant difference between being a LOCAL MASTER BROWSER, a
DOMAIN MASTER BROWSER, and a PRIMARY DOMAIN CONTROLLER. Usually, an NT PDC
is also the DMB. smb.conf doesn't appear to have any ONE thing you turn on
to make it be a PDC for an NT domain; instead, you a) set user-level
security; b) enable domain logons c) Set domain master, preferred master,
and local master to yes; d) set os level higher than 33. Do all these
things in smb.conf, and a PDC you'll have.
I would say that if your smb.conf deviates from that - you should DEFINITELY
set "domain master = no" since there is an NT PDC on your network - then
your Samba machine is NOT a PDC.
All Robert's "local master = yes" means is that his Samba box was
participating in local master browser elections. Now, you can "rig" the
election so you can always win, but it's more interesting to see if you can
win it fair and square.
According to O'Reilly, the local master browser election goes like this,
with each successive question coming into play in the event of a tie in the
next highest question:
Which machine has the highest OS level? (you can dial in the number of your
choice in smb.conf)
NT Server 4.0 33
NT Server 3.51 32
NT Wkstn 4.0 17
NT Wkstn 3.51 16
Win98 2
Win95 1
WfW 1
Which machine is set to be the "Preferred Master Browser?" (you can set this
in smb.conf)
Which machine has been online the longest?
Which machine's name is in first alphabetical order?
My Samba machine has the following settings:
os level = 33 [Note - same level as NTS 4.0]
preferred master = no
domain master = no
local master = yes
So, I've set it up to go head-to-head with any NT 4.0 Server. Yet, even
though there are several NT servers on our LAN (including one PDC), my Samba
machine wins the local master browser election. Because I have "preferred
master = no," my machine should lose to our PDC, which is supposed to have
that "preferred" bit set. This makes me wonder if our NT servers are not be
set up to be local master browsers at all (i.e., my Samba machine runs
unopposed in the election), which is kind of scary. If I understand all
this correctly and if I'm right about there being no other machines
participating in elections, then my little pissant P120 is speeding up
Network Neighborhood browsing all over the office!!
I don't believe there is any harm done if a Samba machine wins the local
master browser election - I think your (Robert's) NT guy overreacted. He
sure shut your Samba box down as far as winning the local master browser
election. If, on average, your Samba box is up longer than his NT servers,
your browse list is going to be more complete than his will be and you'd
actually be doing him a favor by giving him a better-performing Windows
network.
I just now looked over Mike Warfield's Samba article from the first issue
(Spring '99) of Linux Magazine and it appears to agree with what I'm saying.
I would expect that there are a lot of NT people who find Samba very
threatening and therefore would react very irrationally to its presence;
this "taking over the NT network" thing is BS.
- Jeff
> -----Original Message-----
> From: Robert Butera [ mailto:">rbutera@ece.gatech.edu
">rbutera@ece.gatech.edu> ]
> Sent: Thursday, March 02, 2000 1:32 PM
> To: Mike Smith
> Cc: ">ale@ale.org
> Subject: Re: [ale] Samba taking over as PDC on NT network?
>
>
> On Thu, 2 Mar 2000, Mike Smith wrote:
>
> > I just had an interesting call from my local network
> administrator stating
> > that my RH Linux 6.1 box had taken over the "NT" network
> and had become the
> > PDC(Primary Domain Controller). I was wondering if anyone
> has ever heard of
> > such a thing. I performed an upgrade from RH 6.0 to RH 6.1 and was
> > wondering if samba had changed it its defualt settings for
> domains. What
> > was really strange was that all the domain stuff(domain
> master, preferred
> > master, and domain logons) was commented out. Any ideas on
> why this would
> > happen?
>
> I got in trouble for the same thing (on the local domain)
> with my local NT
> administrator last Fall. I am runnin SuSE. The default smb
> configuration
> includes:
>
> domain master = no
> local master = yes
> preferred master = no
>
> Maybe RedHat changes some of these. The default "local master = yes"
> is what got me in "trouble."
>
> To quote from the smb.conf man page:
>
> Note that Windows NT Primary Domain Controllers
> expect to be able to claim this workgroup specific
> special NetBIOS name that identifies them as domain
> master browsers for that workgroup by default (i.e.
> there is no way to prevent a Windows NT PDC from
> attempting to do this). This means that if this
> parameter is set and nmbd claims the special name
> for a workgroup before a Windows NT PDC is able to
> do so then cross subnet browsing will behave
> strangely and may fail.
>
> Here is what my local NT admin added to my smb.conf file (obviously
> your details may be different)
>
> # Global parameters set by toddw
> local master = no
> domain master = no
> preferred master = no
> os level = 0
> name resolve order = wins lmhosts bcast
> wins support = no
> wins server = put.ip.address.here
> wins proxy = no
> lm announce = false
>
>
> Hope this helps.
>
>
> **************************************************************
> ****************
> **
> ** News! Georgia Tech and Emory announce new joint Biomedical
> Engineering PhD
> ** visit http://www.bme.gatech.edu http://www.bme.gatech.edu> for
details
> **
> ** Dr. Robert Butera, Assistant Professor
> ** School of Electrical and Computer Engineering
> ** Institute for Bioengineering and Biosciences
> ** Georgia Institute of Technology, Atlanta, GA
> ** contact info --> http://www.ece.gatech.edu/users/rbutera/
http://www.ece.gatech.edu/users/rbutera/>
>
>
>
> --
> To unsubscribe: mail ">majordomo@ale.org with "unsubscribe ale"
> in message body.
>
--
To unsubscribe: mail ">majordomo@ale.org with "unsubscribe ale" in message
body.
--
--
application/x-unknown-content-type attachment: stored
--
To unsubscribe: mail ">majordomo@ale.org with "unsubscribe ale" in message body.