[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working
roland.schwingel at onevision.com
Tue Jul 7 14:01:17 UTC 2015
Rowland Penny wrote on 06.07.2015 13:22:57:
> > Is there no way to detect on my PDC what is the problem. Why is my PDC
> > Samba rejecting my samba member server...?
> Permissions ?? Is the join correct ?
Yes... net rpc testjoin returns OK.
> It has been some time since I did anything major with an LDAP PDC and
> even then I used smbldap tools. It seems strange that 3.6 works but
> 4.2.2 doesn't, have you looked into the bug report that was posted in
> this thread ?
> From my understanding, you should be able to use 4.2.x just like 3.6.x,
> but there are slight differences as I pointed out.
The good news is that I finally found the problem.
This morning I moved back my PDC and my test machine to samba 3.6.
Worked out of the box. Everything fine. Then I switched my PDC forward
to 4.2.2. Everything fine. Rejoined my 3.6 test client (to be on the
safe side). Everything works as expected. Switched my client to 4.2.2
(fresh install) gave me the same problems as before. 3.6.25 and 4.2.2
were using the very same smb.conf.
When studying logs I saw that winbindd is consulted during auth. I did
not have any winbind running. Not on 3.6 and not on 4.2.2. As soon as I
joined my 4.2.2 machine to the domain I do obviously need winbindd
running on the client machine. On my PDC I still have no winbindd
running. Now my 4.2.2 PDC and my 4.2.2 domain member server are working
as they should.
I always thought that winbindd was an optional component. Has this changed?
> What are the problems, reasons etc for not moving to AD, I ask this
> because you seem to be trying to set up a new domain and surely this is
> the very time to upgrade.
Thanks for your advice.
But I can't upgrade. I am not setting up a new domain I am upgrading in
one network segment. I can't move to AD right now (sigh) because of a
VERY big LDAP in the backend. It is not even OpenLDAP. It is 389ds -
which is working excellently even with Multiple Master live replications
around the globe. Absolutely rock solid even when there are power
outages or network cuts happening. EVERYTHING here is LDAP centric. I
can't switch to Samba's LDAP for this reason right now. This would be a
HUGE project. But I don't yet know whether it is already possible to
replace Samba's LDAP with one of our own or to get the Samba LDAP to
replicate with another LDAP (like 389DS).
The second reason is DNS. I am running here PowerDNS with a custom pipe
backend. Here each network is autonomous. Every network has its own
LDAP, DHCP, DNS, fileservers etc. LDAP replicates over all networks and all
subsidiaries. Each network additionally resolves certain internal DNS
names dynamically. When you access a certain DNS name in one network you
will be directed to a different server compared to when the same DNS
name is resolved from another network. Yet I do not see how to move this