[Samba] Does the BDC need to "join" a domain?

Thierry Lacoste lacoste at miage.univ-paris12.fr
Wed Oct 14 16:20:34 MDT 2009

On 14 oct. 09, at 18:36, Gaiseric Vandal wrote:

> I supposed it depends if Samba is configured to automatically create  
> the underlying unix accounts when you create samba accounts.  My  
> setup doesn't.  I created a "user"  account in ldap for my BDC.    
> (the unix passwd shd be *LK* and the shell shd be /bin/false)    
> Running "net rpc join" will then add the appropriate samba attributes.
> I think you also need to grab the domain SID
> BDC# net rpc getsid
> Password:
> Storing SID S-...1234 for Domain MYDOMAIN in secrets.tdb
> #
> However, I am not sure the domainsid for the machine is meant to  
> match the domainsid of the domain.    On my PDC, they match.  On the  
> BDC, they don't.    I am not sure if I need to change that.
They shoul match (see e.g. http://lists.samba.org/archive/samba/2007-August/134734.html) 

> group mappings do NOT seem to be stored in ldap.  So you either need  
> to copy the approp tdb file over or run the identical net group map  
> commands on the BDC.
Group mappings should be stored in LDAP.
This is the purpose of the sambaGroupMapping auxiliary objectClass which
extends the posixGroup structural objectClass in a typical samba/ldap  


More information about the samba mailing list