[Samba] Cannot join server to Samba4 NT4 domain
MI
mi.lists at alma.ch
Sat May 7 15:53:50 UTC 2016
In case it helps someone, the only way I found to add this server and have it use
LDAP for authentication, was with a weird hack which I found here:
http://lapsz.eu/blog/2013/09/04/standalone-samba-server-with-ldap-authentication/
Basically, I changed the sambaSID of that other server in the LDAP entry it had
created under "dn: sambaDomainName=FILESERVER,dc=mydomain,dc=lan" to be the domain SID.
That now works, and users can authenticate, but I have a duplicate SID, which doesn't
seem right. That server's config is now (excerpts):
# testparm -s
...
Server role: ROLE_STANDALONE
[global]
workgroup = MYDOMAIN
map to guest = Bad User
password server = myPDC.mydomain.lan
passdb backend = ldapsam:"ldap://ldap.mydomain.lan ldap://ldap2.mydomain.lan"
preferred master = No
local master = No
domain master = No
dns proxy = No
wins server = 192.168.44.10
ldap admin dn = "cn=admin,dc=mydomain,dc=lan"
ldap group suffix = ou=Groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=Computers
ldap suffix = dc=mydomain,dc=lan
ldap ssl = no
ldap user suffix = ou=People
idmap config * : backend = tdb
....
My previous tests with "server role = member server", or "netbios backup domain
controller" or "classic backup domain controller" and "security = domain" and "net
rpc JOIN" all failed.
"net rpc info" would tell me "Connection failed: NT_STATUS_INTERNAL_DB_CORRUPTION"
(when using the right user/password. With a wrong user/password, the error was
different.)
Anyway, while it sort-of-works now, I have a strong feeling that this is not quite
right, and I really should upgrade to AD. I avoided it until now because I saw only
unneeded added complexity, and no benefit (for a single small network). But maybe
it's unavoidable...
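One way to check for the duplicate-SID situation the post describes is to pull the sambaDomain entries out of the LDAP tree and look for a sambaSID that more than one sambaDomainName entry claims. The script below is an added example, not code from the post or from the Samba project. It parses LDIF such as `ldapsearch -LLL -b dc=mydomain,dc=lan '(objectClass=sambaDomain)' sambaDomainName sambaSID` would print; the embedded LDIF and its SID values are constructed sample data, with FILESERVER given the same SID as the domain to mirror the hack described above.

```python
"""Detect sambaSID values shared by more than one sambaDomain entry.

Added example, not from the original post or from Samba itself. The LDIF
below is constructed sample data; the SIDs are placeholders, not real values.
"""
import sys
from collections import defaultdict

# Constructed sample: the FILESERVER entry carries the domain's SID,
# which is the duplicate the post's author is worried about.
SAMPLE_LDIF = """\
dn: sambaDomainName=MYDOMAIN,dc=mydomain,dc=lan
objectClass: sambaDomain
sambaDomainName: MYDOMAIN
sambaSID: S-1-5-21-111111111-222222222-333333333

dn: sambaDomainName=FILESERVER,dc=mydomain,dc=lan
objectClass: sambaDomain
sambaDomainName: FILESERVER
sambaSID: S-1-5-21-111111111-222222222-333333333

dn: sambaDomainName=OTHERHOST,dc=mydomain,dc=lan
objectClass: sambaDomain
sambaDomainName: OTHERHOST
sambaSID: S-1-5-21-444444444-555555555-666666666
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry.

    Entries are separated by blank lines; a line starting with a single
    space continues the previous attribute value (RFC 2849 folding).
    Comment lines starting with '#' are skipped.
    """
    entries, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw == "":
            if current:
                entries.append(current)
                current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key][-1] += raw[1:]
            continue
        if raw.startswith("#"):
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.lstrip()
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        entries.append(current)
    return entries


def find_duplicate_sids(entries):
    """Map each sambaSID to the sambaDomainName entries carrying it and
    return only the SIDs claimed by more than one entry."""
    by_sid = defaultdict(list)
    for entry in entries:
        if "sambaDomain" not in entry.get("objectClass", []):
            continue
        for sid in entry.get("sambaSID", []):
            by_sid[sid].extend(entry.get("sambaDomainName", []))
    return {sid: names for sid, names in by_sid.items() if len(names) > 1}


def report(text):
    """Human-readable summary of duplicate SIDs found in LDIF text."""
    dups = find_duplicate_sids(parse_ldif(text))
    if not dups:
        return "no duplicate sambaSID values found"
    lines = []
    for sid, names in sorted(dups.items()):
        lines.append("%s is shared by: %s" % (sid, ", ".join(sorted(names))))
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe real ldapsearch output on stdin; with no stdin, use the sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    print(report(source))
```

Run it as `ldapsearch -LLL -b dc=mydomain,dc=lan '(objectClass=sambaDomain)' sambaDomainName sambaSID | python3 check_sids.py` against a live directory; any SID listed in the output is one that two machine or domain entries would both present, which is exactly the state the post calls "not quite right".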