[Samba] Does the BDC need to "join" a domain?

Thierry Lacoste lacoste at miage.univ-paris12.fr
Wed Oct 14 15:58:53 MDT 2009

On 14 oct. 09, at 22:57, Mariano Absatz wrote:

> On Wed, Oct 14, 2009 at 13:36, Gaiseric Vandal
> <gaiseric.vandal at gmail.com> wrote:
>> I supposed it depends if Samba is configured to automatically  
>> create the underlying unix accounts when you create samba  
>> accounts.  My setup doesn't.  I created a "user"  account in ldap  
>> for my BDC.   (the unix passwd shd be *LK* and the shell shd be / 
>> bin/false)   Running "net rpc join" will then add the appropriate  
>> samba attributes.
>> (...)
> Thanx Gaiseric,
> it was more or less the way you said... only changing the order:
> 1) BDC# net join -S PDC -UAdministrator
> (since I'm using ldapsam:editposix = yes, the posix account is created
> automatically by samba)
> 2) BDC# net rpc getsid
> (this automatically retrieves the domain SID from the PDC and stores
> it into secrets.tdb)

According to "samba 3 by example"  this is not necessary unless you  
run winbind

Now you must obtain the domain SID from the PDC and store it into the
secrets.tdb file also. This step is not necessary with an LDAP passdb
backend because Samba-3 obtains the domain SID from the sambaDomain  
it automatically stores in the LDAP backend. It does not hurt to add  
the SID
to the secrets.tdb, and if you wish to do so, this command can achieve  

root#  net rpc getsid MEGANET2
Storing SID S-1-5-21-3504140859-1010554828-2431957765 \
                            for Domain MEGANET2 in secrets.tdb

When configuring a Samba-3 BDC that has an LDAP backend, there is no  
need to
take any special action to join it to the domain. However, winbind
communicates with the domain controller that is running on the  
localhost and
must be able to authenticate, thus requiring that the BDC should be  
joined to
the domain. The process of joining the domain creates the necessary
authentication accounts.

> The only thing that doesn't seem completely right is that after  
> this, if I run
> BDC# net getdomainsid
> I get: "Could not fetch local SID"
> However, if I run
> BDC# sudo net getlocalsid MYDOMAIN
> I get the correct SID for the domain... maybe I must generate a local
> SID for the BDC? or something went wrong?...
You can issue "net setlocalsid S-XXXX" on your BDC where S-XXXX is the  
SID obtained
with "net getlocalsid MYDOMAIN"


More information about the samba mailing list