[Samba] security = domain -- samba adds its netbios name as samba domain to LDAP

[Christian Brandes]

> Ok. I think I understood something wrong. I thought the
> logfile was from a member server, not from a BDC. If a BDC
> creates its own name as a sambaDomain object in LDAP, then
> there's a misconfiguration or a bug. A BDC does not have a
> local SAM, only member servers do.

In my case you were completely right. The configuration and logfile I 
posted are from a member server.
But this member server is a separate samba "share instance" running 
additionaly on a machine that runs a "BDC instance" of samba, too.

I found out, that it is necessary to join a member server to the BDC (or 
PDC) Domain.
This is not done by smb.conf, but by this command:

net rpc join MEMBER -U <sambaroot-account> -n 
<member-server-netbios-name> -s <smb.conf-file>

Done so, a machine account for the member server is ceated and access on 
the member server's shares is granted to users of the BDC domain.

The next problem is:

Having more than one such "share instances" on one machine, I would have 
to join the machine with different Netbios Names to the BDC domain. 
Which does not seem to work.

net rpc join MEMBER -U <sambaroot-account> -n NetbiosName1 -s SMB.conf1
net rpc join MEMBER -U <sambaroot-account> -n NetbiosName2 -s SMB.conf2

net rpc testjoin MEMBER -U <sambaroot-account> -n NetbiosName2 -s SMB.conf2
--> Join to 'MyCompany' is OK

net rpc join MEMBER -U <sambaroot-account> -n NetbiosName1 -s SMB.conf1
--> [2007/10/05 17:38:43, 0] utils/net_rpc_join.c:net_rpc_join_ok(70)
--> net_rpc_join_ok: failed to get schannel session key from server 
VSERVER for domain MyCompany.
--> Error was NT_STATUS_ACCESS_DENIED
--> Join to domain 'MyCompany' is not valid

It looks like both Netbios Names are registered in the same place and I 
do not know where.

So either I find out how to join with two different Netbios Names or I 
have to make the share instances BDCs, too.

Best regards
Christian