[Samba] LDAP PDC migration gone wrong.

Julian Pilfold-Bagwell jpb at bordengrammar.kent.sch.uk
Tue Apr 17 11:36:04 GMT 2007

Hi All,

I have a problem following the migration of my PDC's backend from tdbsam 
to LDAP. We started out with a PDC called SMB1 which ran with a tdbsam 
backend. I used pdbedit to convert it to LDAP and built a new server 
onto which the LDIF file was loaded. Samba was then setup to use the 
LDAP server as a backend. So far so good, Samba runs against LDAP and I 
was able to add 60 new XP client machines to the network without any 

The problem starts however when trying to access Samba domain member 
servers that have been connected since the PDC upgrade.

I go through the process of adding the servers to the domain by setting 
the domain SID on the member server using setdomainsid and using net rpc 
join -U admin -S SMB5 to join the domain. The latter command brings up 
"joined domain BGS" and after restarting samba and winbind, wbinfo -u 
and wbinfo -g both return correct lists of users and groups.

Getent passwd and getent group both return full lists of users and 
groups from the UNIX/LDAP side, suggesting that nss and pam are 
successfully communicating with smb5.

The problems start when trying to access shares configured on the member 
server. If the ownership of the file is set to testuser who is a member 
of the pupils group, testuser can access it. If the owner is set to 
admin and the file is grouped to pupils, no-one in the pupils group can 
access it even with the group perms set to rwx.

I suspect that as owner/users can access shares but groups can't that 
group mapping is stuffed. My questions are therefore as follows.

1) Can I set up smb.conf on member servers to access LDAP directly and 
abandon winbind? I have two additional separate networks/NT Domains 
accessing the net via an NTLM_AUTH authenticated squid proxy so I 
don't know how this will affect them.
2) The domain SID and machine SID on the PDC are the same. Is this 
correct? winbind on the PDC returns "error looking up domain users". I'm 
quite restricted in what I can try as I have 300 people accessing their 
shares on the PDC and don't want to make things any worse than they are.

3) net groupmap on the member servers creates a mapping between NT 
Domain and UNIX users but the SIDs are local domain SIDs and group 
permissions seem to fail. Should the SIDs in groupmap be local or domain?

Basically, I'm getting confused. Everything worked fine on tdbsam 
backends and I need help and clarification.
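An added diagnostic (not part of the original post, nor Samba's own tooling) for question 3 above: it sorts each `net groupmap list` entry on a member server by whether its SID belongs to the domain SID (as reported by `net getdomainsid` on the PDC) or to the member server's own local SID (`net getlocalsid`). It does not decide which is correct for a given setup; it makes visible which mappings a domain user's group membership can never match. The two SID values and the groupmap output below are constructed placeholders; on a real server you would substitute the command output, and the parser assumes the `Name (SID) -> unixgroup` line format that `net groupmap list` prints.

```sh
#!/bin/sh
# Added example: classify Samba group mappings by SID prefix.
# All SIDs and groupmap lines here are CONSTRUCTED placeholders; feed the
# real output of `net getlocalsid`, `net getdomainsid` and
# `net groupmap list` when running this on a member server.

# Constructed: the member server's own SID (placeholder value).
LOCAL_SID="S-1-5-21-111111111-222222222-333333333"
# Constructed: the SID of domain BGS as held by the PDC (placeholder value).
DOMAIN_SID="S-1-5-21-444444444-555555555-666666666"

# Constructed sample in the `net groupmap list` format:
#   <NT name> (<SID>) -> <unix group>
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-444444444-555555555-666666666-512) -> domadmins
Domain Users (S-1-5-21-444444444-555555555-666666666-513) -> users
pupils (S-1-5-21-111111111-222222222-333333333-1001) -> pupils
staff (S-1-5-21-111111111-222222222-333333333-1003) -> staff'

# sid_prefix strips the trailing RID from a SID:
#   S-1-5-21-a-b-c-512 -> S-1-5-21-a-b-c
sid_prefix() {
    printf '%s\n' "$1" | sed 's/-[0-9][0-9]*$//'
}

# classify_mapping prints DOMAIN, LOCAL or FOREIGN for one groupmap line,
# depending on which SID the mapped group's SID prefix matches.
classify_mapping() {
    line=$1
    sid=$(printf '%s\n' "$line" | sed 's/.*(\(S-[0-9-]*\)).*/\1/')
    case $(sid_prefix "$sid") in
        "$DOMAIN_SID") echo DOMAIN ;;
        "$LOCAL_SID")  echo LOCAL ;;
        *)             echo FOREIGN ;;
    esac
}

# count_local_mappings returns how many mappings carry the member server's
# own SID instead of the domain SID. Domain users arrive with domain-SID
# groups in their token, so these entries are the ones to look at first.
count_local_mappings() {
    n=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        [ "$(classify_mapping "$line")" = LOCAL ] && n=$((n + 1))
    done <<EOF
$SAMPLE_GROUPMAP
EOF
    echo "$n"
}

# report_mappings prints every mapping with its classification.
report_mappings() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        printf '%-8s %s\n' "$(classify_mapping "$line")" "$line"
    done <<EOF
$SAMPLE_GROUPMAP
EOF
}

report_mappings
echo "mappings under the local SID: $(count_local_mappings)"
```

To run it against a real member server, replace the two SID variables with the values printed by `net getlocalsid` and `net getdomainsid`, and replace `SAMPLE_GROUPMAP` with the output of `net groupmap list`. A share whose directory is grouped to a UNIX group that only appears under a LOCAL mapping is a candidate for the "owner works, group doesn't" symptom described in the post.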
