[Samba] Samba/LDAP PDC and member servers
Julian Pilfold-Bagwell
jools at oss4all.plus.com
Sun Apr 29 23:25:31 GMT 2007
Hi All,
I have a problem with permissions following a migration from tdbsam to LDAP.
As I understand it from the documentation, each member server on the
domain needs to have 2 SIDs, a domain SID and a local machine SID. After
migrating the server to LDAP, users can still log in and desktops and
servers can still connect so the machine accounts are fine but I've lost
access to shares on member servers. I've set the smb.conf to obtain the
unix user and group info from the LDAP server and the conditions are met:
1) I can su to a UNIX account on any machine
2) wbinfo -u & g return full and correct user & group listings.
3) net groupmap list on all servers returns identical map lists
4) logging into any server and running id <username> produces identical
user and group IDs
I have 777 as permissions on the share and its parent directory and I
have tried valid users, read list and write list with @"Group" and
+"NTDomain\groupname" with no success. The only member server I can
access shares on is one that has the same SID for local and machine
although users and groups show up as SERVERNETBIOSNAME\group.
It states in the documentation that each member server has different
domain and machine SIDs but does that include the PDC? Given that the
PDC itself has to be joined to the NT Domain with net rpc join I suspect
that's the case but I haven't found anything confirming it. Can anyone
elaborate?
Cheers,
Jools