Samba4 ADS BDC howto/help/status, please?

Brian Dickson Brian.Dickson at
Tue Jan 26 14:55:22 MST 2010

Thanks for the info, and here's an update (on my usage, at least).

It took a long time to get anything to work correctly, in part because I had tried previously to make things work, and installed most of the things in an earlier version.

What perplexed me (vexed me, actually), was that even with debug set to level 10, there weren't any indications of the actual problem, although there were some vague, obscure hints.

The problem can be summed up thusly:
- doing all the build steps (autogen, ./configure, make, make install) does *not* install everything needed.
   - PLEASE consider this a BIG request to add in either installation of libnss_winbind, or a big message saying "YOU NEED TO INSTALL THIS NOW" and instructions on how to do so.
- libnss_winbind and libnss_wins (.so and friends) are needed in /lib, *AND* need to be the same version (WINBIND_INTERFACE_VERSION) as the other components (winbindd, pam_winbind, nmbd, smbd)
- the error messages were vaguely consistent with other kinds of problems (e.g. mismatches in smb.conf, krb5.conf, /etc/pam.d/*, /etc/nsswitch.conf, etc.
- diagnostics at the point where calls, callbacks, hand-offs, children, pipes, etc., are used, related to authentication and all the other PAM type things, would have really helped
- perhaps some lightweight "shim" immediately above or immediately below the pam_winbind, installed only when debugging is desired, would help?
   - the idea is to add additional contextual diagnostic (debug) messages, to help identify state, flow, interaction, return values, etc., so that it isn't necessary to run gdb in order to look for problems at the level of "knowledgeable user/sysadmin with knowledge of kerberos, pam, maybe even ldap, but not AD".

BTW - my S3 authentication against non-R2 WS2003 AD is working.

I'm more than happy to assist with more testing of the "net vampire" stuff - I would like to be able to say the efforts also produced a backup DC running on linux, to my co-workers and higher-ups.

Thanks again,


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at] 
Sent: January-22-10 5:57 AM
To: Brian Dickson
Cc: samba-technical at
Subject: Re: Samba4 ADS BDC howto/help/status, please?

On Thu, 2010-01-21 at 14:28 -0400, Brian Dickson wrote:
> Hi,
> I'm interested in deploying Samba4 in a non-critical (but very useful!) role, as an AD backup DC, for authentication purposes only.
> Specifically, the environment in which this is to be deployed is:
> (A) An AD PDC (and two BDCs) all running Windows Server 2003 SP2 (not, unfortunately, R2 :-) ).
> (B) Lots of users and groups, for some smallish value of "lots" (a few dozen).
> (C) Add to this, the desire to have Linux host(s) which will authenticate users via PAM with one of pam_winbind, pam_ldap, and/or pam_krb5, by way of Samba4.
> The need to have a Linux host do the mappings between UID/GID, and RID/SID (or whatever *ID exists), is why I think Samba4 as BDC (possibly read-only) would be ideal. Samba3 only supports queries against AD PDC with the "support for unix" stuff that came in R2, or against a stand-alone Linux Samba3 PDC.

I don't think Samba4 is useful here.  To add the UID/GID mappings you need to extend the AD schema.  once you do that (with extra schema elements that just happen to match the ones in 2003 R2 - ie as if you were preparing to upgrade to 2003 R2) then you can use the idmap_ad against it.

Or, if you can't do that, then I understand you can share the UID/GID mappings on a distinct OpenLDAP server.  

> P.S. Sorry for posting to -technical, but I think this is probably the best case to get answers to the above...

samba-technical is the right place for Samba4 questions.  I don't think
Samba4 is quite what you want here however.  you could of course add a
Samba4 DC into the mix, but it would not add value in the area you desire. 

Andrew Bartlett

Andrew Bartlett <abartlet at>

More information about the samba-technical mailing list