[Samba] Does the BDC need to "join" a domain?

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri Oct 16 06:51:28 MDT 2009

I initially had my unix accounts in NIS (or /etc/passwd) with samba 
accounts stored in tdbsam.   My 2nd server was configured as a member I 
moved the unix accounts to ldap and then eventually moved the samba 
stuff to ldap so that I could then start configuring a BDC.    My setup 
is probably not as clean as it would have been if I had started out in LDAP.

I changed the local domainsid for the BDC to the same as the domainsid, 
which seems to have fixed error messages in the log about it not being 
able to map DOMAIN/someuser to any unix account.

Also, when I run "net rpc trustdom list -U Administrator" on the BDC, I 
know see the same listed of trusted domains that I see on the PDC.  This 
was not the case before changing the domainsid for BDC.

When I migrated to ldap, the existing net group mappings where 
automatically imported into ldap under ou=smb_groups.   Altho samba does 
reread the smb.conf file automatically to check for network shares, you 
do need to restart samba when make changes to account backends.

The "net groupmap add" command doesn't work anymore-  which is actually 
OK since I can just create an entry in ldap using one of the existing 
entries as a template.   (I use Apache Directory Studio to manage the 
ldap data.)     I am not sure that I really need memberuid entries since 
the group membership should be enforced in the ldap unix groups.    I 
think what I may need to do is consolidate the unix groups (ou=groups) 
and samba group mappings (ou=smb_groups) into a single ou.  And instread 
of adding a new entry for each group mapping may be just add the 
appropriate attributes to the existing group entry.  Otherwise some 
users may end up appearing to be in two groups when they should be in 
one.  Although this may not work for groups where the Windows name and 
unix name differ (e.g. "Human Resources" vs "hr.")  I only need the 
group mappings for required groups like Domain Admins and Domain 
Controllers  anyway.

The netdom command on a Windows machine  (from the Win2003 support tools 
pack) should show me the domain controllers.  However, it can only find 
the PDC.

     Finds mypdc

     The RPC server is available

Not sure if this actually means anything.


On 10/14/09 17:58, Thierry Lacoste wrote:
> On 14 oct. 09, at 22:57, Mariano Absatz wrote:
>> On Wed, Oct 14, 2009 at 13:36, Gaiseric Vandal
>> <gaiseric.vandal at gmail.com> wrote:
>>> I supposed it depends if Samba is configured to automatically create 
>>> the underlying unix accounts when you create samba accounts.  My 
>>> setup doesn't.  I created a "user"  account in ldap for my BDC.   
>>> (the unix passwd shd be *LK* and the shell shd be /bin/false)   
>>> Running "net rpc join" will then add the appropriate samba attributes.
>>> (...)
>> Thanx Gaiseric,
>> it was more or less the way you said... only changing the order:
>> 1) BDC# net join -S PDC -UAdministrator
>> (since I'm using ldapsam:editposix = yes, the posix account is created
>> automatically by samba)
>> 2) BDC# net rpc getsid
>> (this automatically retrieves the domain SID from the PDC and stores
>> it into secrets.tdb)
> According to "samba 3 by example"  this is not necessary unless you 
> run winbind
> (http://www.samba.org/samba/docs/man/Samba-Guide/happy.html#sbehap-bldg1)
> Now you must obtain the domain SID from the PDC and store it into the
> secrets.tdb file also. This step is not necessary with an LDAP passdb
> backend because Samba-3 obtains the domain SID from the sambaDomain 
> object
> it automatically stores in the LDAP backend. It does not hurt to add 
> the SID
> to the secrets.tdb, and if you wish to do so, this command can achieve 
> that:
> root#  net rpc getsid MEGANET2
> Storing SID S-1-5-21-3504140859-1010554828-2431957765 \
>                            for Domain MEGANET2 in secrets.tdb
> When configuring a Samba-3 BDC that has an LDAP backend, there is no 
> need to
> take any special action to join it to the domain. However, winbind
> communicates with the domain controller that is running on the 
> localhost and
> must be able to authenticate, thus requiring that the BDC should be 
> joined to
> the domain. The process of joining the domain creates the necessary
> authentication accounts.
>> The only thing that doesn't seem completely right is that after this, 
>> if I run
>> BDC# net getdomainsid
>> I get: "Could not fetch local SID"
>> However, if I run
>> BDC# sudo net getlocalsid MYDOMAIN
>> I get the correct SID for the domain... maybe I must generate a local
>> SID for the BDC? or something went wrong?...
> You can issue "net setlocalsid S-XXXX" on your BDC where S-XXXX is the 
> SID obtained
> with "net getlocalsid MYDOMAIN"
> Regards,
> Thierry

More information about the samba mailing list