user authentication issues with samba4-beta5 as a member server

Jean Raby jraby at
Wed Sep 5 10:48:33 MDT 2012

On 12-08-31 2:02 AM, Michael Wood wrote:
> On 30 August 2012 18:30, Jean Raby<jraby at>  wrote:
>> On 12-08-30 11:56 AM, Michael Wood wrote:
>>>
>>> Hi
>>>
>>> On 30 August 2012 16:58, Jean Raby<jraby at>   wrote:
>>>>
>>>> Hi all,
>>>>
>>>> I'm trying to set up samba4 (beta5) as a member server in a 2003 domain
>>>> and I'm struggling to get the user authentication to work.
>>>>
>>>> I ran the provision script with '--server-role=member' and then joined
>>>> the domain using 'samba-tool domain join domainname MEMBER'.
>>> [...]
>>>
>>> Someone will correct me if I'm wrong, but as the release notes say:
>>>
>>> - Domain member support in the 'samba' binary is in its infancy, and
>>>     is not comparable to the support found in winbindd.  As such, do not
>>>     use the 'samba' binary (provided for the AD server) on a member
>>>     server.
>>>
>>> i.e. rather do not provision anything and do not run the "samba"
>>> binary or "samba-tool domain join"
>>>
>>> Just use the "net" command (and smbd, nmbd) as if it was Samba 3.
>>> (i.e. net ads join ... or something like that.)  You'll likely also
>>> need winbindd, although there's a discussion about potential issues
>>> with that going on on this list at the moment.
>>>
>> I forgot to say, I think I need 'samba' (as opposed to smbd) since this is
>> for an openchange setup and it requires dcerpc_mapiproxy, which is not
>> available with smbd.
> Well, in that case I can't help you :)

Alright, I tested this again with beta8 and /usr/sbin/samba won't even 
start when configured as a member server.
So I guess the release notes were right ;-)

We've been using samba as a DC along with openchange and sogo and it 
works pretty well for our development needs, but we're trying to find a 
way to integrate that with existing domains with a Windows DC.

At first I thought that we'd simply have to join samba as a member 
server, but obviously, that won't work for now.

Are there any other options that we could try to be able to authenticate 
users against an existing domain short of joining samba as a DC?
Or if it is not possible at all right now, is this something that might 
be implemented in the foreseeable future?

Like I said earlier, we need to use 'samba' instead of smbd since we 
need to use the following configuration parameters, which I think are 
only available with the samba daemon:

   dcerpc endpoint servers = epmapper, mapiproxy
   dcerpc_mapiproxy:server = true
   dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, 


