[Samba] Does the BDC need to "join" a domain?
lacoste at miage.univ-paris12.fr
Wed Oct 14 16:20:34 MDT 2009
On 14 oct. 09, at 18:36, Gaiseric Vandal wrote:
> I supposed it depends if Samba is configured to automatically create
> the underlying unix accounts when you create samba accounts. My
> setup doesn't. I created a "user" account in ldap for my BDC.
> (the unix passwd shd be *LK* and the shell shd be /bin/false)
> Running "net rpc join" will then add the appropriate samba attributes.
> I think you also need to grab the domain SID
> BDC# net rpc getsid
> Storing SID S-...1234 for Domain MYDOMAIN in secrets.tdb
> However, I am not sure the domainsid for the machine is meant to
> match the domainsid of the domain. On my PDC, they match. On the
> BDC, they don't. I am not sure if I need to change that.
They should match (see e.g. http://lists.samba.org/archive/samba/2007-August/134734.html)
> group mappings do NOT seem to be stored in ldap. So you either need
> to copy the approp tdb file over or run the identical net group map
> commands on the BDC.
Group mappings should be stored in LDAP.
This is the purpose of the sambaGroupMapping auxiliary objectClass which
extends the posixGroup structural objectClass in a typical samba/ldap
More information about the samba
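Added example (not from the thread, and not Samba's own tooling): a small POSIX shell script that does the two checks discussed above on a BDC. First it compares the machine's own SID with the domain SID, which is what the reply says must match; second it shows what a group mapping stored in LDAP looks like by emitting a posixGroup entry extended with the sambaGroupMapping auxiliary objectClass. The `net getlocalsid` / `net getdomainsid` outputs embedded below are constructed samples in the "SID for ... is: S-1-5-21-..." shape those commands print; on a real host you would feed in `$(net getlocalsid)` and `$(net getdomainsid)` instead. The gid-to-RID rule (RID = 2*gid + 1001) is the algorithmic mapping assumption used by smbldap-tools, not something the thread states; a site that allocates SIDs differently should substitute its own rule.

```shell
#!/bin/sh
# Added example for the Samba BDC thread. Not Samba code; see lead-in for assumptions.

# --- Constructed sample command output (not captured from a real host) ---
PDC_GETDOMAINSID_OUT="SID for Local Machine is: S-1-5-21-1111-2222-3333
SID for Domain MYDOMAIN is: S-1-5-21-1111-2222-3333"
BDC_GETLOCALSID_BAD_OUT="SID for domain BDC1 is: S-1-5-21-4444-5555-6666"
BDC_GETLOCALSID_GOOD_OUT="SID for domain BDC1 is: S-1-5-21-1111-2222-3333"

# Pull the SID out of the "SID for [Dd]omain NAME is: S-..." line of net(8) output.
# For `net getdomainsid` this skips the "Local Machine" line and keeps the domain line.
sid_from_output() {
    printf '%s\n' "$1" \
        | sed -n 's/^SID for [Dd]omain [^ ]* is:[ ]*\(S-[0-9-]*\).*/\1/p' \
        | head -n 1
}

# True (exit 0) only when the BDC's own SID equals the domain SID.
# Arg 1: output of `net getlocalsid` on the BDC; arg 2: output of `net getdomainsid`.
sids_match() {
    local_sid=$(sid_from_output "$1")
    domain_sid=$(sid_from_output "$2")
    [ -n "$local_sid" ] && [ -n "$domain_sid" ] && [ "$local_sid" = "$domain_sid" ]
}

# Assumed algorithmic group RID (smbldap-tools convention): 2*gid + 1001.
group_rid() {
    echo $(( 2 * $1 + 1001 ))
}

# Emit the LDIF for a group that is both a POSIX group and a Samba domain group.
# sambaGroupType 2 = domain group. Args: domainSID groupName gid baseDN
group_mapping_ldif() {
    dom_sid=$1; name=$2; gid=$3; base=$4
    rid=$(group_rid "$gid")
    cat <<EOF
dn: cn=$name,ou=Groups,$base
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: $name
gidNumber: $gid
sambaSID: $dom_sid-$rid
sambaGroupType: 2
displayName: $name
EOF
}

# Stand-alone demo: report the SID check for the two constructed BDC outputs,
# then print the LDIF for a "Domain Admins"-style group under an example base DN.
if sids_match "$BDC_GETLOCALSID_BAD_OUT" "$PDC_GETDOMAINSID_OUT"; then
    echo "BDC (bad sample): SID matches domain"
else
    echo "BDC (bad sample): SID does NOT match domain; fix with 'net rpc getsid' on the BDC"
fi
if sids_match "$BDC_GETLOCALSID_GOOD_OUT" "$PDC_GETDOMAINSID_OUT"; then
    echo "BDC (good sample): SID matches domain"
fi
group_mapping_ldif "$(sid_from_output "$PDC_GETDOMAINSID_OUT")" "domadmins" 512 "dc=example,dc=org"
```

The LDIF is what you would load with `ldapadd` once on the directory server; because the mapping lives in LDAP, both the PDC and the BDC see the same sambaSID for the group without copying any tdb files or re-running `net groupmap` on each controller.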