[Samba] FW: LDAP getent issues

Rowland Penny rpenny at samba.org
Sun Apr 8 10:19:46 UTC 2018

On Sun, 8 Apr 2018 09:05:46 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
> I have gone through that link a few times and have done both the TDB
> to AD and also LDAP to AD migration a few times.
> The AD migration is the second stage.
> Let me explain the situation.  The Production server is a Samba 3 box
> which acts as the DC (TDB) and file share. We decided to add a
> Samba 4 box to that classic domain and make it a PDC.  Having gone
> through various documents, which suggested to not use TDB for a PDC
> BDC setup, we are looking at using LDAP.  The plan is to make the old
> PDC a member server as it still has all the files.

I repeat, you do not need to move to LDAP before the upgrade to AD. All
you are doing is adding an LDAP PDC to the domain and after you upgrade
to AD, you will have an AD DC using the same workgroup name and SID
as the NT4-style PDC and you will then have to turn the PDC off (Note: I
am referring to the NT4-style PDC, not the AD DC. An AD DC should NEVER
be referred to as a PDC.). You cannot have an NT4-style PDC and an AD
DC with the same SID in the same domain.

> Adding the new box and making it a PDC using LDAP works.
> Authentication of the users who were in TDB works too. The issue is
> any newly created users in LDAP. Hence the question.

If you are upgrading to AD, you do not need to bother about any other
Unix machines, just alter the smb.conf (for info, see here:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member )
to be an AD Unix domain member and join them to the new AD domain, it
will work.
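As an added illustration (not part of the original message or of the Samba wiki page linked above), this is the shape of smb.conf the wiki describes for a Unix AD domain member. The realm SAMDOM.EXAMPLE.COM, the workgroup SAMDOM and the idmap ranges are assumed placeholder values; substitute your own.

```ini
[global]
    # Assumed placeholder names: replace with your AD realm and NetBIOS domain
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS

    # Kerberos ticket handling for the machine account after the join
    kerberos method = secrets and keytab

    # Default idmap range for the built-in/well-known SIDs only
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # The rid backend maps each AD SID to the same UID/GID on every member,
    # so file ownership stays consistent (e.g. on the old PDC turned member).
    # This range must not overlap the '*' range above.
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

    # Make 'getent passwd' return bare usernames with a usable shell/home
    winbind use default domain = yes
    template shell = /bin/bash
    template homedir = /home/%U
```

After placing this file, join with `net ads join -U Administrator`, restart winbind, and confirm the directory is visible to NSS with `wbinfo -u` and `getent passwd` (with `winbind` added to the `passwd` and `group` lines of nsswitch.conf). If `wbinfo -u` lists users but `getent passwd` does not, the problem is on the NSS/idmap side rather than the join; the most common cause is an idmap range that is missing, overlapping, or different between members.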
