[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working

Rowland Penny rowlandpenny241155 at gmail.com
Tue Jul 7 15:32:31 UTC 2015

On 07/07/15 15:01, Roland Schwingel wrote:
> Hi ...
> Rowland Penny wrote on 06.07.2015 13:22:57:
> > > Is there no way to detect on my PDC what is the problem. Why is my 
> > > Samba rejecting my samba member server...?
> > >
> >
> > Permissions ?? Is the join correct ?
> Yes... net rpc testjoin returns OK.
> > It has been some time since I did anything major with an LDAP PDC and
> > even then I used smbldap tools. It seems strange that 3.6 works but
> > 4.2.2 doesn't, have you looked into the bug report that was posted in
> > this thread ?
> >
> > From my understanding, you should be able to use 4.2.x just like 3.6.x,
> > but there are slight differences as I pointed out.
> The good news is that I finally found the problem.
> This morning I moved back my PDC and my test machine to samba 3.6.
> Worked out of the box. Everything fine. Then I switched my PDC forward 
> to 4.2.2. Everything fine. Rejoined my 3.6 test client (to be on the 
> safe side). Everything works as expected. Switched my client to 4.2.2
> (fresh install) gave me the same problems as before. 3.6.25 and 4.2.2 
> were using the very same smb.conf.
> When studying logs I saw that winbindd is consulted during auth. I did 
> not have any winbind running. Not on 3.6 and not on 4.2.2. As soon as 
> I joined my 4.2.2 machine to the domain I do obviously need winbindd 
> running on the client machine. On my PDC I still have no winbindd 
> running. Now my 4.2.2 PDC and my 4.2.2 domain member server are 
> working as they should.
> I always thought that winbindd was an optional component. Has this 
> changed?
> > What are the problems, reasons etc for not moving to AD, I ask this
> > because you seem to be trying to set up a new domain and surely this is
> > the very time to upgrade.
> Thanks for your advice.
> But I can't upgrade. I am not setting up a new domain I am upgrading 
> in one network segment. I can't move to AD right now (sigh) because of 
> a VERY big LDAP in the backend. It is not even openLDAP. It is 389ds - 
> which is working excellent even with Multiple Master live replications 
> around the globe. Absolutely rock solid even when there are power 
> outages or network cuts happening. EVERYTHING here is LDAP centric. I 
> can't switch to Samba's LDAP for this reason right now. This would be a 
> HUGE project. But I yet don't know whether it is already possible to 
> replace Samba's LDAP with an own one or to get the SAMBA LDAP to 
> replicate with another LDAP (like 389DS).
> The second reason is DNS. I am running here powerDNS with a custom 
> pipe backend. Here each network is autonomous. Every network has its 
> own LDAP, DHCP, DNS, Fileservers etc. LDAP replicates over all networks 
> and all subsidiaries. Each network additionally resolves certain 
> internal DNS names dynamically. When you access a certain DNS Name in 
> one network you will be directed to a different server compared to 
> when the same dns name is resolved from another network. Yet I do not 
> see how to move this to AD.
> Roland

All very good reasons to stick with what you have got, you cannot use 
samba4 in AD mode with anything other than the built-in samba ldap and 
it will not replicate to anything other than another AD machine (well, 
as far as I know).

DNS is possible and AD is made to do most of, if not all of what you are 
doing, only problem is the lack of domain trusts, though I understand 
this is being worked on. I think once the trusts problem is sorted will 
be the time to start thinking of upgrading, in the meantime, you could 
investigate if what you are doing is possible with Microsoft AD, if it 
is, then samba4 will ultimately be able to do it.

I was wondering why you couldn't join a linux client to your s4 NT4 
style PDC, so I created a couple of VMs running wheezy and set one up as 
an LDAP PDC and the other as a client and guess what, I couldn't get the 
client to join either ;-)

Tried various things, including setting up bind9 DNS server on the PDC, 
nothing until I sat and had a thought 'does samba know the user', quick 
check with pdbedit proved it didn't DOH, so 'smbpasswd -a root', 
entered the passwd twice and tried again, it now worked, don't know if 
this is your problem.

