[Samba] Cannot join server to Samba4 NT4 domain

MI mi.lists at alma.ch
Sat May 7 15:53:50 UTC 2016


In case it helps someone, the only way I found to add this server and have it use 
LDAP for authentication, was with a weird hack which I found here:
http://lapsz.eu/blog/2013/09/04/standalone-samba-server-with-ldap-authentication/

Basically, I changed the sambaSID of that other server in the LDAP entry it had 
created under "dn: sambaDomainName=FILESERVER,dc=mydomain,dc=lan" to be the domain SID.

That now works, and users can authenticate, but I have a duplicate SID, which doesn't 
seem right. That server's config is now (excerpts):

# testparm -s
...
Server role: ROLE_STANDALONE

[global]
     workgroup = MYDOMAIN
     map to guest = Bad User
     password server = myPDC.mydomain.lan
     passdb backend = ldapsam:"ldap://ldap.mydomain.lan ldap://ldap2.mydomain.lan"
     preferred master = No
     local master = No
     domain master = No
     dns proxy = No
     wins server = 192.168.44.10
     ldap admin dn = "cn=admin,dc=mydomain,dc=lan"
     ldap group suffix = ou=Groups
     ldap idmap suffix = ou=idmap
     ldap machine suffix = ou=Computers
     ldap suffix = dc=mydomain,dc=lan
     ldap ssl = no
     ldap user suffix = ou=People
     idmap config * : backend = tdb
....

My previous tests with "server role = member server", or "netbios backup domain 
controller" or "classic backup domain controller" and "security = domain" and "net 
rpc JOIN" all failed.

"net rpc info" would tell me "Connection failed: NT_STATUS_INTERNAL_DB_CORRUPTION" 
(when using the right user/password. With a wrong user/password, the error was 
different.)

Anyway, while it sort-of-works now, I have a strong feeling that this is not quite 
right, and I really should upgrade to AD. I avoided it until now because I saw only 
unneeded added complexity, and no benefit (for a single small network). But maybe 
it's unavoidable...
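The duplicate-SID condition described in this post can be checked mechanically before (or after) applying such a hack. The following is an added example, not code from the original post or from the Samba project: it parses a small constructed LDIF dump (placeholder SIDs, not real ones) and reports any sambaSID value shared by more than one sambaDomainName entry, which is exactly the state the post ends up in after copying the domain SID onto the FILESERVER entry.

```python
"""Audit sambaDomainName entries in an LDIF dump for duplicate sambaSID values."""
import base64
import re
from collections import defaultdict

# Constructed sample LDIF (not from the original post); the SIDs are placeholders.
# FILESERVER has been given the same sambaSID as the MYDOMAIN entry, mirroring the
# hack described in the post; OTHERBOX keeps its own distinct SID.
SAMPLE_LDIF = """\
dn: sambaDomainName=MYDOMAIN,dc=mydomain,dc=lan
objectClass: sambaDomain
sambaDomainName: MYDOMAIN
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: sambaDomainName=FILESERVER,dc=mydomain,dc=lan
objectClass: sambaDomain
sambaDomainName: FILESERVER
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: sambaDomainName=OTHERBOX,dc=mydomain,dc=lan
objectClass: sambaDomain
sambaDomainName: OTHERBOX
sambaSID: S-1-5-21-4444444444-5555555555-6666666666
"""

# A Samba domain SID has the form S-1-5-21-<n>-<n>-<n>.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")


def parse_ldif(text):
    """Parse minimal LDIF (entries separated by blank lines, leading-space
    continuation lines, '::' base64 values) into a list of dicts mapping
    attribute name -> list of string values."""
    entries = []
    current = {}
    prev_attr = None
    for raw in text.splitlines():
        if raw.startswith(" ") and prev_attr is not None:
            # Continuation line: append to the last value of the previous attribute.
            current[prev_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
                current = {}
            prev_attr = None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip()
        if value.startswith(":"):
            # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
        prev_attr = attr
    if current:
        entries.append(current)
    return entries


def find_duplicate_domain_sids(entries):
    """Return {sambaSID: [sambaDomainName, ...]} for every SID that is carried by
    more than one sambaDomain object. An empty dict means no duplicates."""
    by_sid = defaultdict(list)
    for entry in entries:
        if "sambaDomain" not in entry.get("objectClass", []):
            continue
        for sid in entry.get("sambaSID", []):
            by_sid[sid].extend(entry.get("sambaDomainName", []))
    return {sid: names for sid, names in by_sid.items() if len(names) > 1}


def find_malformed_domain_sids(entries):
    """Return the sambaDomainName values whose sambaSID is not a well-formed domain SID."""
    bad = []
    for entry in entries:
        if "sambaDomain" not in entry.get("objectClass", []):
            continue
        for sid in entry.get("sambaSID", []):
            if not DOMAIN_SID_RE.match(sid):
                bad.extend(entry.get("sambaDomainName", []))
    return bad


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for sid, names in find_duplicate_domain_sids(parsed).items():
        print(f"duplicate sambaSID {sid} on sambaDomainName entries: {', '.join(names)}")
    for name in find_malformed_domain_sids(parsed):
        print(f"malformed sambaSID on sambaDomainName={name}")
```

To run it against a real directory, replace SAMPLE_LDIF with the output of an ldapsearch over the `ldap suffix` filtered on `objectClass=sambaDomain`; any SID reported as duplicated identifies entries that the post's hack (or an earlier one like it) has left sharing an identity.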