I have a setup like this:
Samba PDC + OpenLDAP master <-> WAN/VPN <-> Samba BDCs + OpenLDAP slaves +
PDC is a WINS server for all BDCs, and a secondary WINS for workstations.
BDCs are defined with "domain master = No" in smb.conf.
As I can see using iptraf, domain joins are always performed over the WAN/VPN
(which is slow, goes over the internet, the connection can break, etc.):
workstation <-> WAN/VPN <-> PDC
and *never* directly to the BDC (which is local):
workstation <-> LAN <-> BDC.
So when I switch off Samba on the PDC (with master LDAP running), workstations
can't join the domain anymore (and they say that domain MYDOMAIN is unavailable).
At first I thought that a workstation can join a domain only via the PDC, and
not via the BDC.
Then I thought that the point of having a Backup Domain Controller is to have a
backup (hence the name) when the PDC fails.
So I switched off Samba on the PDC, and tried to join one of the BDC servers, named
"backup1", to the domain, with itself as the server:
backup1# net rpc join -S backup1 -U Administrator
Joined domain MYDOMAIN.
So joining the domain via the BDC is possible!
But when I try to do it from the workstation (with Samba on the PDC off), it fails
with "domain not available". No packets are sent towards the BDC, either.
When I change a BDC into the PDC ("domain master = Yes"), workstations join that
"temporary" PDC without problems.
This is pretty much how it is supposed to work. The clients
have to resolve the DOMAIN<0x1b> (domain master browser) name
in order to locate the PDC. When you shut off the PDC, they
cannot join because they cannot find the domain. The BDCs
provide failover for logons. This is the best we can do.
"net join" actually shouldn't work against a Samba BDC currently.
Eventually we'll get better semantics in place, but it
will take a lot of work.
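The reply above hinges on one name lookup: the client asks WINS (or broadcasts) for DOMAIN<1B>, the domain master browser record, and only the host that answers is treated as the PDC. The script below is an added example for this thread, not code from Samba or from either poster; it builds that RFC 1001/1002 NBNS name query, decodes a positive response and shows how to query a WINS server for the record. The domain name MYDOMAIN is taken from the thread; the WINS reply bytes and the address 10.0.0.1 are constructed here for illustration.

```python
"""NBNS / WINS lookup of the DOMAIN<1B> (domain master browser) record.

Added example for this thread (not Samba code).  RFC 1001/1002 encoding and
packet layout; the sample response below is constructed, not captured.
"""
import socket
import struct

NBNS_PORT = 137
SUFFIX_DOMAIN_MASTER = 0x1B   # DOMAIN<1B>: domain master browser == PDC
SUFFIX_DOMAIN_CONTROLLERS = 0x1C  # DOMAIN<1C>: group of all DCs (logon failover)


def netbios_encode(name: str, suffix: int, scope: str = "") -> bytes:
    """RFC 1002 first-level encoding of a 16-byte NetBIOS name.

    Name is upper-cased and space-padded to 15 bytes, byte 16 is the suffix;
    every byte is split into two nibbles, each emitted as 'A' + nibble, giving
    a 32-character label, length-prefixed and followed by the (empty) scope.
    """
    if len(name) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    label = b"".join(bytes([0x41 + (c >> 4), 0x41 + (c & 0x0F)]) for c in raw)
    out = bytes([len(label)]) + label
    for part in (scope.split(".") if scope else []):
        out += bytes([len(part)]) + part.encode("ascii")
    return out + b"\x00"


def netbios_decode(label: bytes) -> tuple:
    """Reverse first-level encoding: 32-byte label -> (name, suffix)."""
    if len(label) != 32:
        raise ValueError("encoded NetBIOS label must be 32 bytes")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_name_query(name: str, suffix: int, txid: int, broadcast: bool) -> bytes:
    """NAME QUERY REQUEST: unicast to WINS sets RD (0x0100); a subnet
    broadcast also sets the B bit (0x0110).  QTYPE NB (0x20), QCLASS IN."""
    flags = 0x0110 if broadcast else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + netbios_encode(name, suffix) + struct.pack("!HH", 0x0020, 0x0001)


def _read_name(pkt: bytes, off: int):
    """Return (first label, offset after name); follows a 0xC0xx pointer."""
    if pkt[off] & 0xC0 == 0xC0:
        ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
        return _read_name(pkt, ptr)[0], off + 2
    first = None
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            return first, off
        if first is None:
            first = pkt[off:off + n]
        off += n


def parse_name_query_response(pkt: bytes) -> dict:
    """Parse a POSITIVE NAME QUERY RESPONSE into name/suffix/ttl/addresses.
    RDATA is a list of 6-byte entries: NB_FLAGS (G bit, owner node type) + IP."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    if flags & 0x000F:
        raise ValueError("negative name query response, RCODE=%d" % (flags & 0xF))
    if an < 1:
        raise ValueError("response carries no answer record")
    label, off = _read_name(pkt, 12)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if rtype != 0x0020:
        raise ValueError("unexpected RR type 0x%04x" % rtype)
    entries = []
    for i in range(0, rdlen, 6):
        nb_flags = struct.unpack("!H", pkt[off + i:off + i + 2])[0]
        entries.append({
            "group": bool(nb_flags & 0x8000),           # G bit: group vs unique name
            "node_type": "BPMH"[(nb_flags >> 13) & 0x3],  # ONT field
            "ip": socket.inet_ntoa(pkt[off + i + 2:off + i + 6]),
        })
    name, suffix = netbios_decode(label)
    return {"txid": txid, "name": name, "suffix": suffix, "ttl": ttl, "entries": entries}


def wins_lookup(wins_ip: str, name: str, suffix: int, timeout: float = 2.0) -> dict:
    """Ask a WINS server on 137/udp for NAME<suffix>.  Needs network access;
    the offline sample below does not call this."""
    q = build_name_query(name, suffix, txid=0x1234, broadcast=False)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (wins_ip, NBNS_PORT))
        data, _ = s.recvfrom(512)
    return parse_name_query_response(data)


# Constructed WINS reply: MYDOMAIN<1B> -> 10.0.0.1, unique name, H-node owner.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8580, 0, 1, 0, 0)  # R, AA, RD, RA, RCODE 0
    + netbios_encode("MYDOMAIN", SUFFIX_DOMAIN_MASTER)
    + struct.pack("!HHIH", 0x0020, 0x0001, 300000, 6)
    + struct.pack("!H", 0x6000) + socket.inet_aton("10.0.0.1")
)

if __name__ == "__main__":
    print(parse_name_query_response(SAMPLE_RESPONSE))
```

The practical check this gives you: run `wins_lookup(<wins ip>, "MYDOMAIN", 0x1B)` (or Samba's own `nmblookup -U <wins ip> -R 'MYDOMAIN#1b'`) from the remote LAN while the PDC's smbd/nmbd is stopped. A negative response is exactly the "domain is unavailable" the workstations report, and it shows why no packets ever reach the local BDC: the join never gets past name resolution. The <1C> group name, by contrast, lists every DC and is what logons fall back on.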
In that case, as a workaround, is it possible to add some kind of "static WINS
entries" to Windows workstations?