Samba4 ADS BDC howto/help/status, please?

Andrew Bartlett abartlet at
Fri Jan 22 02:57:08 MST 2010

On Thu, 2010-01-21 at 14:28 -0400, Brian Dickson wrote:
> Hi,
> I'm interested in deploying Samba4 in a non-critical (but very useful!) role, as an AD backup DC, for authentication purposes only.
> Specifically, the environment in which this is to be deployed is:
> (A) An AD PDC (and two BDCs) all running Windows Server 2003 SP2 (not, unfortunately, R2 :-) ).
> (B) Lots of users and groups, for some smallish value of "lots" (a few dozen).
> (C) Add to this, the desire to have Linux host(s) which will authenticate users via PAM with one of pam_winbind, pam_ldap, and/or pam_krb5, by way of Samba4.
> The need to have a Linux host do the mappings between UID/GID, and RID/SID (or whatever *ID exists), is why I think Samba4 as BDC (possibly read-only) would be ideal. Samba3 only supports queries against AD PDC with the "support for unix" stuff that came in R2, or against a stand-alone Linux Samba3 PDC.

I don't think Samba4 is useful here.  To add the UID/GID mappings you
need to extend the AD schema.  Once you do that (with extra schema
elements that just happen to match the ones in 2003 R2 - i.e. as if you
were preparing to upgrade to 2003 R2) then you can use the idmap_ad
against it.

Or, if you can't do that, then I understand you can share the UID/GID
mappings on a distinct OpenLDAP server.  

> P.S. Sorry for posting to -technical, but I think this is probably the best case to get answers to the above...

samba-technical is the right place for Samba4 questions.  I don't think
Samba4 is quite what you want here however.  You could of course add a
Samba4 DC into the mix, but it would not add value in the area you

Andrew Bartlett

Andrew Bartlett <abartlet at>
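The two routes Andrew describes (read the RFC 2307 attributes straight out of an R2-style extended AD schema with idmap_ad, or keep the SID-to-ID table on a separate OpenLDAP server) are expressed on a Samba3 domain member through the "idmap config" block of smb.conf. The following is an added example, not configuration from the mail or from the Samba project; the domain name EXAMPLE, realm EXAMPLE.LOCAL, the OpenLDAP host and DNs, and the ID ranges are assumptions to be replaced with the real values:

```ini
; Added example smb.conf for a Linux domain member (not a DC).
; Assumed names: NetBIOS domain EXAMPLE, realm EXAMPLE.LOCAL, ID ranges below.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ads

    ; Default backend for SIDs that belong to no configured domain
    ; (BUILTIN, local machine SIDs). It allocates IDs itself, so its
    ; range must not overlap any domain range.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    ; Variant A: the AD schema carries the RFC 2307 attributes
    ; (uidNumber, gidNumber, ...) as 2003 R2 would; winbind reads them
    ; from AD and never allocates anything on its own.
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999

    ; Variant B (instead of A, when the schema cannot be extended):
    ; the mappings live on a distinct OpenLDAP server. The bind password
    ; is stored separately with "net idmap secret EXAMPLE <password>".
    ;idmap config EXAMPLE : backend = ldap
    ;idmap config EXAMPLE : ldap_url = ldap://idmap.example.local
    ;idmap config EXAMPLE : ldap_base_dn = ou=idmap,dc=example,dc=local
    ;idmap config EXAMPLE : ldap_user_dn = cn=idmap,dc=example,dc=local
    ;idmap config EXAMPLE : range = 10000-999999

    ; Home directory and login shell from the same RFC 2307 attributes
    ; (only meaningful with variant A).
    winbind nss info = rfc2307
    winbind use default domain = yes
    winbind enum users = no
    winbind enum groups = no
```

Two checks worth running after "net ads join" and a winbindd restart: "wbinfo -u" should list domain users, and "getent passwd someuser" should return a UID from the EXAMPLE range. With variant A a user whose AD object has no uidNumber gets no mapping at all, so getent and pam_winbind fail for that account until the attribute is populated; with the tdb default backend the same lookup would instead silently allocate a fresh ID, which is the behaviour the schema extension is meant to avoid.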
