Configuring a Samba BDC

Configuring a Samba BDC

Configuring a Samba backup domain controller seems like it would be more difficult than it actually is. To locate a PDC, Windows clients attempt to resolve the DOMAIN<0x1b> NetBIOS name. To locate all available domain controllers, clients look for the DOMAIN<0x1c> name. So, by definition, a BDC must register the <0x1c> name but not <0x1b>. This requirement translates into the following smb.conf settings:

    domain master = no
    domain logons = yes

Everything else about the BDC's configuration is identical to that of the PDC.

This step takes care of making the domain controller appear as a BDC. In order to function as a BDC, the Samba hosts must also synchronize the following information with the PDC:

  • The domain SID

  • User and group account information

  • The contents of the [netlogon] share, such as system polices and logon scripts

The first two requirements are easily met by using the ldapsam passdb. In fact, this is the primary goal for Samba's LDAP integration. There are other possible solutions that don't require deploying an LDAP directory. These all involve using rsync to periodically push the passdb storage media (files or databases) periodically from the PDC to other domain controllers.

Synchronizing the contents of the [netlogon] share is fairly easy using any one of the available replication tools. Our preferred method is to run rsync, using SSH keys for authentication, periodically from a cron job. The following script ensures that the [netlogon] shares (i.e., /data/netlogon) on the two BDCs, turtle and owl, are kept in sync with the PDC. Each BDC has the PDC's root SSH key in ~root/.ssh/authorized_keys.

for h in ${HOSTS}; do
    rsync -a -e ssh -delete ${NETLOGON}/ ${h}:${NETLOGON}/

See SSH: The Secure Shell: The Definitive Guide, by Daniel J. Barrett and Richard E. Silverman (O'Reilly), for more information on using public-key-based authentication with SSH.

Not all information is synchronized between the PDC and BDCs. For example, because the UNC path to home directories and roaming user profiles can be stored in the user's passdb enTRy, these file shares must be maintained on a central server. There are several ways to prevent these shares from being a single point of failure, such as maintaining two servers that run high availability software such as Heartbeat ( and a shared storage backend. This and other HA solutions are beyond the scope of our discussion.

 Python   SQL   Java   php   Perl 
 game development   web development   internet   *nix   graphics   hardware 
 telecommunications   C++ 
 Flash   Active Directory   Windows