[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working

Roland Schwingel roland.schwingel at onevision.com
Tue Jul 7 14:01:17 UTC 2015

Hi ...

Rowland Penny wrote on 06.07.2015 13:22:57:
 > > Is there no way to detect on my PDC what is the problem. Why is my PDC
 > > Samba rejecting my samba member server...?
 > >
 > Permissions ?? Is the join correct ?
Yes... net rpc testjoin returns OK.

 > It has been sometime since I did anything major with an LDAP PDC and
 > even then I used smbldap tools. It seems strange that 3.6 works but
 > 4.2.2 doesn't, have you looked into the bug report that was posted in
 > this thread ?
 > From my understanding, you should be able to use 4.2.x just like 3.6.x,
 > but there are slight differences as I pointed out.
The good news is that I finally found the problem.

This morning I moved back my PDC and my test machine to Samba 3.6.
Worked out of the box. Everything fine. Then I switched my PDC forward
to 4.2.2. Everything fine. Rejoined my 3.6 test client (to be on the
safe side). Everything works as expected. Switching my client to 4.2.2
(fresh install) gave me the same problems as before. 3.6.25 and 4.2.2
were using the very same smb.conf.

When studying the logs I saw that winbindd is consulted during auth. I did
not have any winbindd running, not on 3.6 and not on 4.2.2. As soon as I
joined my 4.2.2 machine to the domain, I obviously needed winbindd
running on the client machine. On my PDC I still have no winbindd
running. Now my 4.2.2 PDC and my 4.2.2 domain member server are working
as they should.

I always thought that winbindd was an optional component. Has this changed?

 > What are the problems, reasons etc for not moving to AD, I ask this
 > because you seem to be trying to set up a new domain and surely this is
 > the very time to upgrade.
Thanks for your advice.

But I can't upgrade. I am not setting up a new domain; I am upgrading in
one network segment. I can't move to AD right now (sigh) because of a
VERY big LDAP in the backend. It is not even OpenLDAP. It is 389ds,
which is working excellently even with multiple-master live replication
around the globe. Absolutely rock solid even when there are power
outages or network cuts happening. EVERYTHING here is LDAP centric. I
can't switch to Samba's LDAP for this reason right now. This would be a
HUGE project. But I don't know yet whether it is already possible to
replace Samba's LDAP with one of my own, or to get the Samba LDAP to
replicate with another LDAP (like 389DS).

The second reason is DNS. I am running PowerDNS here with a custom pipe
backend. Here each network is autonomous. Every network has its own
LDAP, DHCP, DNS, file servers etc. LDAP replicates over all networks and all
subsidiaries. Each network additionally resolves certain internal DNS
names dynamically. When you access a certain DNS name in one network you
will be directed to a different server compared to when the same DNS
name is resolved from another network. I do not yet see how to move this
to AD.
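The finding above (a Samba 4.2.2 domain member needs winbindd running to authenticate against the PDC, while the PDC itself does not) can be turned into a quick pre-flight check for a member server. The script below is an added example written for this page; it is not code from the thread or from the Samba project. It uses `net rpc testjoin` (as in the thread), `pgrep`, `wbinfo -p` (ping winbindd) and `wbinfo -t` (verify the machine trust secret with the DC). The `WBINFO`, `PGREP` and `NET` variables, the `member_state` function and its state names are assumptions of this example, introduced so the logic can be exercised without a live domain.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): pre-flight checks for
# a Samba 4.x domain member server joined to a classic NT4-style PDC.
# The thread's conclusion: the member server needs a running winbindd,
# the PDC does not. member_state() classifies the member accordingly.
#
# Command names are taken from variables (assumed names for this example)
# so the classification can be tested with stubs instead of a real domain.
WBINFO=${WBINFO:-wbinfo}
PGREP=${PGREP:-pgrep}
NET=${NET:-net}

# 0 if a winbindd process exists on this host.
winbindd_running() {
    "$PGREP" -x winbindd >/dev/null 2>&1
}

# 0 if winbindd answers a ping (wbinfo -p) and can validate the machine
# account's trust secret against the DC (wbinfo -t).
winbindd_healthy() {
    "$WBINFO" -p >/dev/null 2>&1 && "$WBINFO" -t >/dev/null 2>&1
}

# 0 if the domain join is still valid (the same check used in the thread).
join_valid() {
    "$NET" rpc testjoin >/dev/null 2>&1
}

# Print one state word for this member server:
#   NOT_JOINED          net rpc testjoin failed; rejoin before anything else
#   NO_WINBINDD         join is fine but no winbindd process (the thread's
#                       failure mode: auth consults winbindd and finds none)
#   WINBINDD_UNHEALTHY  winbindd runs but cannot ping or reach the DC
#   OK                  join valid, winbindd running and healthy
member_state() {
    if ! join_valid; then
        echo NOT_JOINED
    elif ! winbindd_running; then
        echo NO_WINBINDD
    elif ! winbindd_healthy; then
        echo WINBINDD_UNHEALTHY
    else
        echo OK
    fi
}

# Run on the member server; exits non-zero unless the state is OK.
main() {
    state=$(member_state)
    echo "member server state: $state"
    [ "$state" = OK ]
}

# Usage: RUN_MEMBER_CHECK=1 sh member_check.sh
# (guarded so the file can also be sourced for its functions)
if [ -n "${RUN_MEMBER_CHECK:-}" ]; then
    main "$@"
fi
```

The state ordering matters: a failed `net rpc testjoin` is reported first because a broken join produces the same symptom (rejected member) as a missing winbindd, and rejoining is the fix the thread applied before concluding that winbindd was the real cause.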
