From: tms3 on



>
> About multi-master replication. Scott wrote that he had to deal with
> it a lot, so he didn't recommend that. But I need one domain, because
> a lot of users use both sites. So, I have the following options:
> 1. PDCs on each site, with the same domain, as chapter 6 describes.

Look, I'm not sure if my emails are getting through or not, but drop
this multi PDC thing. It's just more complexity.

You need some sort of LDAP replication because you want authentication
done locally. Multi-master is more difficult to set up, but more
flexible. There are other schemes. I had some 16 servers set up this
way and had very few difficulties. It is quite resilient and
reliable. Here is a good primer:

http://www.zytrax.com/books/ldap/ch7/

>
> a. Master LDAP server in the HQ, and slave in the branch site,
> according to the SaMBa guide.
> b. Branch site uses master LDAP server too. It looks tempting,
> but difficult/dangerous to me.
> 2. PDC on the HQ, BDC on the branch site
> a. branch site uses slave LDAP server.
> b. Branch site uses master LDAP server too.
> In 1/a and 2/a, the VPN outage could be a problem. Am I right?

No, the b's are the problem if the VPN is down. They're calling the
"master" which is at the other end of the VPN. The a's have a slave
copy. All is good, unless they need to write to LDAP. How much LDAP
writing goes on in the branch?
>
> As I know, only the
> PDC writes to the LDAP database. Is that true?

No. If you're using smbldap-tools, the LDAP calls are made via
smbldap_bind.conf. So with multi-master this whole dual PDC thing is
fairly useless. See, multi-master... all are writable.

Questions:

1. Which office writes to LDAP?
2. Who does the writing?
3. Is there likely to be a mutually exclusive write, at approximately
the same instant, during a VPN outage?


>
> Because in case of a VPN
> outage, this situation has the same drawback.
> So, my main problem is the unreliable ADSL line. Can we live with a
> slave server in the branch office?

Yes, using Replication refreshOnly or Replication refreshAndPersist.
You can truly go apeshit with this stuff, making only pieces of the
DIT available to branches. Very nifty once you get it down.

>
>
>>
>>
>> How are you intending to keep roaming profiles in sync (the files on
>> the server, not the stuff in LDAP)? Are you going to use rsync?
>>
>> Unless users jump from office to office, why bother. I would set road
>> warriors up with local profiles and sync their stuff in a manner
>> appropriate to their schedules/primary location.
>>
>
> Students will have that problem, but they have to bow to it.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
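An added example for the "slave in the branch, master at HQ" option that tms3 endorses above; it is not code from the thread, from OpenLDAP or from Samba. It assumes slapd.conf-style OpenLDAP configuration, the suffix dc=example,dc=com, a master at ldap-hq.example.com with the syncprov overlay, and a replicator DN; the two ldapsearch results it parses are constructed test data. The consumer stanza uses refreshAndPersist with retry so the branch slapd reconnects by itself after an ADSL/VPN outage, and updateref so a write attempted against the branch copy is referred to the master instead of failing silently. The second part is the check to run once the line is back: compare contextCSN on master and slave to see whether the branch copy has caught up.

```shell
#!/bin/sh
# Added example (not from the thread): branch-office LDAP slave for the
# "slave in the branch, master at HQ" option. Assumed names throughout:
# dc=example,dc=com, ldap-hq.example.com, cn=replicator. The master's
# database needs 'overlay syncprov' and read access for the replicator DN.

# 1. syncrepl consumer stanza for the branch slapd.conf.
#    retry="60 10 300 +": retry every 60 s ten times, then every 300 s forever,
#    so a long ADSL/VPN outage does not leave the consumer disconnected.
#    updateref: a write sent to the branch copy gets a referral to the master
#    (the branch copy is read-only; the VPN is needed for writes only).
consumer_stanza() {
  cat <<'EOF'
syncrepl rid=001
    provider=ldap://ldap-hq.example.com:389
    type=refreshAndPersist
    retry="60 10 300 +"
    searchbase="dc=example,dc=com"
    scope=sub
    attrs="*,+"
    schemachecking=off
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=secret
updateref ldap://ldap-hq.example.com:389
EOF
}

# 2. Replication lag check. Real use, against master and slave in turn:
#    ldapsearch -x -LLL -H ldap://HOST -b dc=example,dc=com -s base contextCSN
#    The two LDIF results below are constructed test data.
MASTER_LDIF='dn: dc=example,dc=com
contextCSN: 20090215103012.000000Z#000000#000#000000
'
SLAVE_LDIF='dn: dc=example,dc=com
contextCSN: 20090215094501.000000Z#000000#000#000000
'

# First contextCSN value from ldapsearch LDIF on stdin (a 2.4 multi-master
# database carries one per serverID; a single-master one has exactly one).
extract_csn() {
  sed -n 's/^contextCSN: //p' | head -n 1
}

# csn_status MASTER_CSN SLAVE_CSN
#   0 = slave is current, 1 = slave is behind,
#   2 = slave newer than master (someone wrote to the branch copy, or its clock is off)
# The timestamp before the first '#' is zero-padded UTC, so string order is time order.
csn_status() {
  master_ts=${1%%#*}
  slave_ts=${2%%#*}
  [ "$master_ts" = "$slave_ts" ] && return 0
  [ "$(expr "$master_ts" \> "$slave_ts")" = 1 ] && return 1
  return 2
}

m=$(printf '%s' "$MASTER_LDIF" | extract_csn)
s=$(printf '%s' "$SLAVE_LDIF" | extract_csn)
rc=0
csn_status "$m" "$s" || rc=$?
case $rc in
  0) echo "branch replica is current ($s)" ;;
  1) echo "branch replica is BEHIND: master=$m slave=$s" ;;
  *) echo "branch replica is AHEAD of master: master=$m slave=$s" ;;
esac
```

Status 2 is the one to worry about: with updateref in place the branch copy should never get ahead of the master, so seeing it means either a client ignored the referral and wrote locally (check the ACLs and that the consumer's database is not also reachable with a writable DN) or the clocks have drifted, which syncrepl's CSN ordering also does not tolerate.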
From: Tamás Pisch on
As I see, when I send a reply and I leave [samba] in the subject, the SaMBa
archive gets confused. My topic is in several threads. Sorry.

> Look, I'm not sure if my emails are getting through or not, but drop this
> multi PDC thing. It's just more complexity.
>
Dropped :)


> You need some sort of LDAP replication because you want authentication done
> locally. Multi-master is more difficult to set up, but more flexible. There
> are other schemes. I had some 16 servers set up this way and had very few
> difficulties. It is quite resilient and reliable. Here is a good primer:
>
> http://www.zytrax.com/books/ldap/ch7/
>
Thank you. It is important to me when people who have more experience than
me answer. Last year, when I set up my present system, I used zytrax.com,
and I found it very useful. At that time, I read about all the LDAP
replication variants, and I finally chose a master-slave configuration with
the refreshAndPersist replication method.

>
>> a. Master LDAP server in the HQ, and slave in the branch site,
>> according to the SaMBa guide.
>> b. Branch site uses master LDAP server too. It looks tempting, but
>> difficult/dangerous to me.
>> 2. PDC on the HQ, BDC on the branch site
>> a. branch site uses slave LDAP server.
>> b. Branch site uses master LDAP server too.
>> In 1/a and 2/a, the VPN outage could be a problem. Am I right?
>
> No, the b's are the problem if the VPN is down. They're calling the
> "master" which is at the other end of the VPN. The a's have a slave copy.
> All is good, unless they need to write to LDAP. How much LDAP writing goes
> on in the branch?
>
Very few. I think users change their passwords very rarely. I manage users
with my own scripts, which call the smbldap-tools scripts. One important thing
remains: machine account passwords. It is automatic, and is repeated
periodically. A longer-than-some-minutes outage could be a serious problem.
Fortunately, it can be controlled:
http://support.microsoft.com/kb/175468/
I'm going to disable the machine account password change for the clients in
the branch office.

>> As I know, only the
>> PDC writes to the LDAP database. Is that true?
>
> No. If you're using smbldap-tools, the LDAP calls are made via
> smbldap_bind.conf. So with multi-master this whole dual PDC thing is fairly
> useless. See, multi-master... all are writable.
>

Now, I don't use smbldap-passwd for password changes. I use pam-ldap for it.

>> Because in case of a VPN
>> outage, this situation has the same drawback.
>> So, my main problem is the unreliable ADSL line. Can we live with a slave
>> server in the branch office?
>
>
> Yes, using Replication refreshOnly or Replication refreshAndPersist. You
> can truly go apeshit with this stuff, making only pieces of the DIT
> available to branches. Very nifty once you get it down.
>

So, I'm going to set up a slave LDAP server in the branch site. It won't be
flexible, but I don't want troubles. If I had more time, I would build a
test system first, with multi-master replication.
Thanks all for your help, and if you have additional thoughts, they are
welcome.
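An added check for the machine-account step in the message above; it is not code from the thread or from Samba. Once the branch clients have the Netlogon password-change disable from the KB article applied, the LDAP side tells you whether it took: Samba's ldapsam stores the time it last wrote a password for an account in sambaPwdLastSet (epoch seconds), and machine accounts are the sambaSamAccount entries whose uid ends in "$". The script lists machine accounts whose password was stored within a given window, i.e. clients still rotating, and so still at risk of a failed change during an outage. The DN ou=Computers,dc=example,dc=com, the hostnames and the LDIF it parses are assumptions and constructed test data.

```shell
#!/bin/sh
# Added example (not from the thread): find machine accounts that are still
# rotating their password. Input is LDIF as produced by, e.g.:
#   ldapsearch -x -LLL -H ldap://ldap-branch.example.com \
#     -b ou=Computers,dc=example,dc=com '(objectClass=sambaSamAccount)' \
#     uid sambaPwdLastSet
# (hostname and DN are assumed). The LDIF below is constructed test data:
# lab01$ rotated recently, lab02$ did not, tpisch is a user, not a machine.
SAMPLE_LDIF='dn: uid=lab01$,ou=Computers,dc=example,dc=com
uid: lab01$
sambaPwdLastSet: 1234800000

dn: uid=lab02$,ou=Computers,dc=example,dc=com
uid: lab02$
sambaPwdLastSet: 1230000000

dn: uid=tpisch,ou=Users,dc=example,dc=com
uid: tpisch
sambaPwdLastSet: 1234850000
'

# recently_rotated NOW_EPOCH WINDOW_DAYS   (LDIF on stdin)
# Prints "uid sambaPwdLastSet" for every machine account (uid ending in '$')
# whose password was stored at or after NOW_EPOCH - WINDOW_DAYS*86400.
# NOW_EPOCH is a parameter rather than `date +%s` so the check is reproducible.
recently_rotated() {
  now=$1
  days=$2
  cutoff=$((now - days * 86400))
  awk -v cutoff="$cutoff" '
    /^uid: /             { uid = substr($0, 6) }
    /^sambaPwdLastSet: / { last = substr($0, 18) + 0 }
    /^$/                 { flush() }     # blank line ends an LDIF entry
    END                  { flush() }     # last entry may lack a trailing blank line
    function flush() {
      if (uid ~ /\$$/ && last >= cutoff) print uid, last
      uid = ""; last = 0
    }'
}

# Usage: machines that rotated in the last 7 days, as of a fixed "now".
printf '%s' "$SAMPLE_LDIF" | recently_rotated 1234900000 7
```

In real use feed it `ldapsearch` output and `$(date +%s)`, and run it against the master, not the branch slave, since that is where the password write lands; a machine still listed a few weeks after the registry change was not reached by the policy and will try to change its password across the VPN.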