5.2. Backup Domain Controller
With a Primary Domain Controller (PDC) on the network it is best to have a Backup Domain Controller (BDC) as well. This will allow clients to authenticate in case the PDC becomes unavailable.
When configuring Samba as a BDC you need a way to sync account information with the PDC. There are multiple ways of accomplishing this: scp, rsync, or using LDAP as the passdb backend.
Using LDAP is the most robust way to sync account information, because both domain controllers can use the same information in real time. However, setting up an LDAP server may be overly complicated for a small number of user and computer accounts. See Section 2, “Samba and LDAP” [p. 140] for details.
1. First, install samba and libpam-winbind. From a terminal enter:
sudo apt install samba libpam-winbind
2. Now, edit /etc/samba/smb.conf and uncomment the following in the [global] section:
workgroup = EXAMPLE
...
security = user
3. In the commented Domains section uncomment or add:
domain logons = yes
domain master = no
4. Make sure a user has rights to read the files in /var/lib/samba. For example, to allow users in the admin group to scp the files, enter:
sudo chgrp -R admin /var/lib/samba
5. Next, sync the user accounts, using scp to copy the /var/lib/samba directory from the PDC:
sudo scp -r username@pdc:/var/lib/samba /var/lib
Replace username with a valid username and pdc with the hostname or IP Address of your actual PDC.
6. Finally, restart samba:
sudo systemctl restart smbd.service nmbd.service
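As an added example that is not part of this guide, the following POSIX shell check parses the [global] section of an smb.conf and confirms that the BDC settings from steps 2 and 3 are in effect before the sync is trusted; it handles commented-out lines and a later value overriding an earlier one. The function names global_param and bdc_conf_ok and the two sample configs are constructed here, not taken from Samba.

```shell
#!/bin/sh
# Added example: verify smb.conf carries the BDC role settings (not Samba's own tooling).

# Print the effective value of KEY in the [global] section of the smb.conf at FILE.
# Comment lines (# or ;) are ignored and a later definition overrides an earlier one.
global_param() {
    file=$1; key=$2
    awk -v key="$key" '
        /^[[:space:]]*[#;]/ { next }                       # skip commented-out settings
        /^[[:space:]]*\[/ {                                # new section header, e.g. [global]
            sec = tolower($0); sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == "global" && index($0, "=") {
            k = $0; sub(/=.*/, "", k);    gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v       # last one wins, as in Samba
        }
        END { print val }' "$file"
}

# Return 0 when FILE describes a BDC: domain logons on, NOT the domain master, user security.
bdc_conf_ok() {
    file=$1
    [ "$(global_param "$file" 'domain logons' | tr A-Z a-z)" = yes ]  || { echo "domain logons must be yes"; return 1; }
    [ "$(global_param "$file" 'domain master' | tr A-Z a-z)" = no ]   || { echo "domain master must be no on a BDC"; return 1; }
    [ "$(global_param "$file" security | tr A-Z a-z)" = user ]        || { echo "security must be user"; return 1; }
    [ -n "$(global_param "$file" workgroup)" ]                          || { echo "workgroup is not set"; return 1; }
    return 0
}

# Constructed sample configs so the check runs stand-alone without a real /etc/samba/smb.conf.
SAMPLE_BDC=$(mktemp); SAMPLE_PDC=$(mktemp)
trap 'rm -f "$SAMPLE_BDC" "$SAMPLE_PDC"' EXIT
cat > "$SAMPLE_BDC" <<'EOF'
[global]
   workgroup = EXAMPLE
;  domain master = yes
   security = user
   domain logons = yes
   domain master = no
[homes]
   browseable = no
EOF
cat > "$SAMPLE_PDC" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   domain master = yes
EOF

bdc_conf_ok "$SAMPLE_BDC" && echo "sample BDC config: ok"
bdc_conf_ok "$SAMPLE_PDC" || echo "sample PDC config: not a BDC (expected)"
```

Run it against the real file with bdc_conf_ok /etc/samba/smb.conf after editing; a non-zero exit names the first setting that is missing.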
You can test that your Backup Domain Controller is working by stopping the Samba daemon on the PDC, then trying to log in from a Windows client joined to the domain.
Also keep in mind that if you have configured the logon home option as a directory on the PDC and the PDC becomes unavailable, the user's Home drive will be unavailable as well. For this reason it is best to configure the logon home to reside on a file server separate from both the PDC and the BDC.