Samba4 ADS BDC howto/help/status, please?

Matthias Dieter Wallnöfer mdw at
Fri Jan 22 01:02:15 MST 2010

Hi Brian,

Brian Dickson wrote:
> Hi,
> I'm interested in deploying Samba4 in a non-critical (but very useful!) role, as an AD backup DC, for authentication purposes only.
> Specifically, the environment in which this is to be deployed is:
> (A) An AD PDC (and two BDCs) all running Windows Server 2003 SP2 (not, unfortunately, R2 :-) ).
> (B) Lots of users and groups, for some smallish value of "lots" (a few dozen).
> (C) Add to this, the desire to have Linux host(s) which will authenticate users via PAM with one of pam_winbind, pam_ldap, and/or pam_krb5, by way of Samba4.
> The need to have a Linux host do the mappings between UID/GID, and RID/SID (or whatever *ID exists), is why I think Samba4 as BDC (possibly read-only) would be ideal. Samba3 only supports queries against AD PDC with the "support for unix" stuff that came in R2, or against a stand-alone Linux Samba3 PDC.
What exactly do you mean by BDC? Do you mean to interoperate with 
NT4-compatible DCs? If you would like to achieve this, you are surely 
using the "NT4/Interim" domain levels (Windows 2000 Mixed or 
Windows 2003 Interim), which we don't support. If you mean to use s4 only 
as an additional DC for plain AD structures, you are fine. We currently 
support the Windows 2003 and Windows 2008 Native modes. There are plans 
to also support Windows 2008R2 Native in the future and maybe also 
Windows 2000 Native, but as you may know, this requires some development 
work, since all domain levels have differences in the protocols 
which we have to take care of.
Regarding read-only DCs: unfortunately, we don't support this yet.
> The mappings UID/GID would be one-way only, on one host, so the scope is very limited. No conflicts, no race conditions, no data sharing, just authentication (and creating home directories, natch.)
> So, my questions are:
> (1) Will Samba4 in its current state, be able to handle this?
I think it should work. As the Winbind daemon I suggest the s4 one, at least 
for now; I'm a bit unsure whether the s3 one already works fully against s4 
(since we on the s4 side lack the support for some query constraints - 
this bug shows what I mean: Maybe someone more 
involved with winbind like Kai could answer this better.
> (2) What compile/install/provision/configure steps/instructions are (or will be) required?
> (3) Can anyone point me at relevant bits and pieces that might need to be added or tweaked, to support this, if there's still work to be done? (I have incentive to do this, of course.)
> (4) Would anyone object to me adding this to the Wiki/howto, as I think this will be a common use-case?
You can find a page on our mediawiki 
( or consider the 
"howto4.txt" included in each source distribution. If you would like to 
join an existing AD domain you have to follow the guide until the 
installation, then make sure your computer points to the DNS 
server for AD. Afterwards, instead of running the provision you should 
launch "net vampire <domain>" under the "source4/bin" directory. If all 
went well you should have it up and running. If not, please post your 
problem here or in bugzilla.
Last note: At the moment we always suggest using a source distribution 
since we evolve fast. Please try to keep your version up to date since we 
fix bugs only if they still persist in new releases (otherwise we 
suggest updating).
> P.S. Sorry for posting to -technical, but I think this is probably the best case to get answers to the above...
No problem!

