[Samba] Samba 3.4.2 and ADS - joined as member *and* DC...?

Onotsky, Steve x55328 Steve.Onotsky at broadridge.com
Mon Nov 16 11:21:30 MST 2009

Hi all,


We're preparing to move from a share-level authentication paradigm to
integrating with AD.  We're running Pware's build of Samba 3.4.2, MIT
Kerberos, and OpenLDAP on AIX 6.1.  I've worked through the procedure
and obtained a Kerberos ticket, then joined the host to our primary AD
domain (we have two, one for general use and one for production systems,
which is firewall-segregated; this host connects to the general domain).


However, when I asked where in Active Directory Users and Computers
(ADU&C) the server object would be, the Windows admins noticed that it
was showing up both as a member server (when looking at the properties
card of the server object), and as a domain controller (when found using
ADU&C's Find facility).


What's odd is, I was certain that I'd turned off everything in smb.conf
that would cause Samba to try to promote itself to be an NT4 DC.


Am I missing something, or is this just the way Samba will present
itself in AD?  Here's my (obfuscated) smb.conf for this host:



   security = ads
   realm = MY.FULL.DOMAIN
   workgroup = MY
   encrypt passwords = yes
   server string = MYHOSTNAME
   log level = 1
   log file = /usr/local/samba/var/log.%m
   hosts allow = x.xx. localhost
   socket options = TCP_NODELAY
   locking = yes
   strict locking = yes
   keepalive = 30
   domain master = no
   preferred master = no
   domain logons = no
   client use spnego = yes

   browseable = no
   guest ok = no
   read only = no
   create mask = 0755

  comment = tmp files
  path = /tmp
  read only = no


Thanks in advance for advice and information.




Steve Onotsky
Team Lead, Server Support

Investor Communication Solutions, Canada
5970 Chedworth Way
Mississauga  ON  L5R 4G5
Tel: (905) 507-5328
Fax: (905) 507-5312


