[Samba] Does the BDC need to "join" a domain?
gaiseric.vandal at gmail.com
Fri Oct 16 06:51:28 MDT 2009
I initially had my unix accounts in NIS (or /etc/passwd) with samba
accounts stored in tdbsam. My 2nd server was configured as a member I
moved the unix accounts to ldap and then eventually moved the samba
stuff to ldap so that I could then start configuring a BDC. My setup
is probably not as clean as it would have been if I had started out in LDAP.
I changed the local domainsid for the BDC to the same as the domainsid,
which seems to have fixed error messages in the log about it not being
able to map DOMAIN/someuser to any unix account.
Also, when I run "net rpc trustdom list -U Administrator" on the BDC, I
know see the same listed of trusted domains that I see on the PDC. This
was not the case before changing the domainsid for BDC.
When I migrated to ldap, the existing net group mappings where
automatically imported into ldap under ou=smb_groups. Altho samba does
reread the smb.conf file automatically to check for network shares, you
do need to restart samba when make changes to account backends.
The "net groupmap add" command doesn't work anymore- which is actually
OK since I can just create an entry in ldap using one of the existing
entries as a template. (I use Apache Directory Studio to manage the
ldap data.) I am not sure that I really need memberuid entries since
the group membership should be enforced in the ldap unix groups. I
think what I may need to do is consolidate the unix groups (ou=groups)
and samba group mappings (ou=smb_groups) into a single ou. And instread
of adding a new entry for each group mapping may be just add the
appropriate attributes to the existing group entry. Otherwise some
users may end up appearing to be in two groups when they should be in
one. Although this may not work for groups where the Windows name and
unix name differ (e.g. "Human Resources" vs "hr.") I only need the
group mappings for required groups like Domain Admins and Domain
The netdom command on a Windows machine (from the Win2003 support tools
pack) should show me the domain controllers. However, it can only find
NETDOM QUERY /D:MYDOMAIN PDC
NETDOM QUERY /D:MYDOMAIN DC
The RPC server is available
Not sure if this actually means anything.
On 10/14/09 17:58, Thierry Lacoste wrote:
> On 14 oct. 09, at 22:57, Mariano Absatz wrote:
>> On Wed, Oct 14, 2009 at 13:36, Gaiseric Vandal
>> <gaiseric.vandal at gmail.com> wrote:
>>> I supposed it depends if Samba is configured to automatically create
>>> the underlying unix accounts when you create samba accounts. My
>>> setup doesn't. I created a "user" account in ldap for my BDC.
>>> (the unix passwd shd be *LK* and the shell shd be /bin/false)
>>> Running "net rpc join" will then add the appropriate samba attributes.
>> Thanx Gaiseric,
>> it was more or less the way you said... only changing the order:
>> 1) BDC# net join -S PDC -UAdministrator
>> (since I'm using ldapsam:editposix = yes, the posix account is created
>> automatically by samba)
>> 2) BDC# net rpc getsid
>> (this automatically retrieves the domain SID from the PDC and stores
>> it into secrets.tdb)
> According to "samba 3 by example" this is not necessary unless you
> run winbind
> Now you must obtain the domain SID from the PDC and store it into the
> secrets.tdb file also. This step is not necessary with an LDAP passdb
> backend because Samba-3 obtains the domain SID from the sambaDomain
> it automatically stores in the LDAP backend. It does not hurt to add
> the SID
> to the secrets.tdb, and if you wish to do so, this command can achieve
> root# net rpc getsid MEGANET2
> Storing SID S-1-5-21-3504140859-1010554828-2431957765 \
> for Domain MEGANET2 in secrets.tdb
> When configuring a Samba-3 BDC that has an LDAP backend, there is no
> need to
> take any special action to join it to the domain. However, winbind
> communicates with the domain controller that is running on the
> localhost and
> must be able to authenticate, thus requiring that the BDC should be
> joined to
> the domain. The process of joining the domain creates the necessary
> authentication accounts.
>> The only thing that doesn't seem completely right is that after this,
>> if I run
>> BDC# net getdomainsid
>> I get: "Could not fetch local SID"
>> However, if I run
>> BDC# sudo net getlocalsid MYDOMAIN
>> I get the correct SID for the domain... maybe I must generate a local
>> SID for the BDC? or something went wrong?...
> You can issue "net setlocalsid S-XXXX" on your BDC where S-XXXX is the
> SID obtained
> with "net getlocalsid MYDOMAIN"
More information about the samba