[Samba] Does the BDC need to "join" a domain?

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Oct 14 10:36:16 MDT 2009

I supposed it depends if Samba is configured to automatically create the 
underlying unix accounts when you create samba accounts.  My setup 
doesn't.  I created a "user"  account in ldap for my BDC.   (the unix 
passwd shd be *LK* and the shell shd be /bin/false)   Running "net rpc 
join" will then add the appropriate samba attributes.

I think you also need to grab the domain SID

BDC# net rpc getsid
Storing SID S-...1234 for Domain MYDOMAIN in secrets.tdb

However, I am not sure the domainsid for the machine is meant to match 
the domainsid of the domain.    On my PDC, they match.  On the BDC, they 
don't.    I am not sure if I need to change that.

PDC# net getdomainsid
SID for domain PDC is: S-xxxx-1234
SID for domain MYDOMAIN is: S-xxxx-1234

BDC# net getdomainsid
SID for domain BDC is: S-xxxx-1234
SID for domain MYDOMAIN is: S-xxxx-1234

And you also need to set the ldap password

BDC# smbpasswd -w xxxxxx
Setting stored password for "Admin" in secrets.tdb

pdbedit -Lv bdc$ should indicate the machine is type S.

group mappings do NOT seem to be stored in ldap.  So you either need to 
copy the approp tdb file over or run the identical net group map 
commands on the BDC.

I am not 100% convinced my BDC is setup correctly tho.

On 10/14/09 02:05, Mariano Absatz wrote:
> If I configure a samba PDC and then a samba BDC, do I need a machine
> trust account for the BDC?
> That is, do I have to run "net rpc join" on the BDC?
> Or manually create the account for the BDC in LDAP?

More information about the samba mailing list