[Samba] Does the BDC need to "join" a domain?

Thierry Lacoste lacoste at miage.univ-paris12.fr
Wed Oct 14 15:58:53 MDT 2009


On 14 oct. 09, at 22:57, Mariano Absatz wrote:

> On Wed, Oct 14, 2009 at 13:36, Gaiseric Vandal
> <gaiseric.vandal at gmail.com> wrote:
>>
>> I supposed it depends if Samba is configured to automatically
>> create the underlying unix accounts when you create samba
>> accounts.  My setup doesn't.  I created a "user" account in ldap
>> for my BDC.  (the unix passwd shd be *LK* and the shell shd be
>> /bin/false)  Running "net rpc join" will then add the appropriate
>> samba attributes.
>> (...)
>
>
> Thanx Gaiseric,
>
> it was more or less the way you said... only changing the order:
> 1) BDC# net join -S PDC -UAdministrator
> (since I'm using ldapsam:editposix = yes, the posix account is created
> automatically by samba)
> 2) BDC# net rpc getsid
> (this automatically retrieves the domain SID from the PDC and stores
> it into secrets.tdb)

According to "samba 3 by example" this is not necessary unless you
run winbind
(http://www.samba.org/samba/docs/man/Samba-Guide/happy.html#sbehap-bldg1)

Now you must obtain the domain SID from the PDC and store it into the
secrets.tdb file also. This step is not necessary with an LDAP passdb
backend because Samba-3 obtains the domain SID from the sambaDomain object
it automatically stores in the LDAP backend. It does not hurt to add the SID
to the secrets.tdb, and if you wish to do so, this command can achieve that:

root#  net rpc getsid MEGANET2
Storing SID S-1-5-21-3504140859-1010554828-2431957765 \
                            for Domain MEGANET2 in secrets.tdb

When configuring a Samba-3 BDC that has an LDAP backend, there is no need to
take any special action to join it to the domain. However, winbind
communicates with the domain controller that is running on the localhost and
must be able to authenticate, thus requiring that the BDC should be joined to
the domain. The process of joining the domain creates the necessary
authentication accounts.

>
>
> The only thing that doesn't seem completely right is that after  
> this, if I run
> BDC# net getdomainsid
> I get: "Could not fetch local SID"
>
>
> However, if I run
> BDC# sudo net getlocalsid MYDOMAIN
> I get the correct SID for the domain... maybe I must generate a local
> SID for the BDC? or something went wrong?...

You can issue "net setlocalsid S-XXXX" on your BDC where S-XXXX is the
SID obtained with "net getlocalsid MYDOMAIN"

Regards,
Thierry
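Added example (not code from this thread or from the Samba project): a read-only check an admin can run on a BDC before deciding whether "net setlocalsid" is needed. It compares the SID that "net getlocalsid" reports for the BDC itself with the one it reports for the domain, and refuses to treat anything other than a well-formed S-1-5-21-x-y-z domain SID (no trailing RID) as a candidate. The parser assumes the Samba 3 output form "SID for domain X is: S-1-5-...", which is an assumption about the tool's output; the sample lines, the "--live" switch and the function names are constructed for this example, so it runs offline against the samples and only calls the real net tool when invoked as "sh check_bdc_sid.sh --live MYDOMAIN".

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: consistency
# check for a Samba 3 BDC's SID. It reports, it never changes anything.
# Assumed output format of "net getlocalsid": "SID for domain X is: S-1-5-..."

# Constructed sample outputs (not captured from a real server).
SAMPLE_DOMAIN='SID for domain MYDOMAIN is: S-1-5-21-3504140859-1010554828-2431957765'
SAMPLE_LOCAL_OK='SID for domain bdc is: S-1-5-21-3504140859-1010554828-2431957765'
SAMPLE_LOCAL_BAD='SID for domain bdc is: S-1-5-21-1111111111-2222222222-3333333333'
SAMPLE_LOCAL_MISSING='Could not fetch local SID'

# Pull the first S-1-5-... token out of one line of net(8) output.
# Prints nothing when the line carries no SID (e.g. the error line above).
extract_sid() {
    printf '%s\n' "$1" | grep -oE 'S-1-5(-[0-9]+)+' | head -n 1
}

# A domain SID is exactly S-1-5-21-<sub1>-<sub2>-<sub3>. A fourth
# component would be a RID, i.e. a user or group SID, not the domain's.
is_domain_sid() {
    printf '%s\n' "$1" | grep -qxE 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+'
}

# Succeeds only when both lines carry well-formed domain SIDs that are equal.
sids_match() {
    local_sid=$(extract_sid "$1")
    domain_sid=$(extract_sid "$2")
    is_domain_sid "$local_sid" && is_domain_sid "$domain_sid" \
        && [ "$local_sid" = "$domain_sid" ]
}

# Print what an admin needs to decide; exit 0 = consistent, 1 = mismatch,
# 2 = the domain SID itself could not be read.
report() {
    local_line=$1
    domain_line=$2
    domain_sid=$(extract_sid "$domain_line")
    if ! is_domain_sid "$domain_sid"; then
        echo "domain SID unreadable: $domain_line"
        return 2
    fi
    if sids_match "$local_line" "$domain_line"; then
        echo "OK: BDC local SID matches domain SID $domain_sid"
        return 0
    fi
    echo "MISMATCH: local='$local_line'"
    echo "          domain SID is $domain_sid"
    echo "  an admin would then run on the BDC: net setlocalsid $domain_sid"
    return 1
}

if [ "${1:-}" = "--live" ] && command -v net >/dev/null 2>&1; then
    # Real run: the domain name is the second argument.
    report "$(net getlocalsid 2>&1)" "$(net getlocalsid "${2:?domain name}" 2>&1)"
else
    # Offline demonstration against the constructed samples.
    report "$SAMPLE_LOCAL_OK" "$SAMPLE_DOMAIN" || true
    report "$SAMPLE_LOCAL_BAD" "$SAMPLE_DOMAIN" || true
    report "$SAMPLE_LOCAL_MISSING" "$SAMPLE_DOMAIN" || true
fi
```

The third sample reproduces the situation in the quoted message, where the local SID cannot be fetched: the script reports a mismatch with the exact setlocalsid command an admin could run, rather than running it, so the change to secrets.tdb stays a deliberate step.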
