[Samba] LDAP: PDC to BDC replication issues

Praveen Ghimire PGhimire at sundata.com.au
Wed Mar 14 11:15:54 UTC 2018


That worked. Thank you very much.

As per your suggestion, I changed the os level to 66, and changed the following to yes:

        local master = yes
        domain master = yes
        preferred master = yes

The four commands you suggested were pointing to the correct servers and giving the correct replies both pre and post the cutover.

What I then realised is the following:

- The client machines were still logging in using the "old" PDC; not sure if that is to be expected.
- echo %logonservername% on a Windows client was pointing to the "old" PDC, even after a reboot.

I should have mentioned before, the "old" PDC box is not going to be decommissioned just yet. It still has and will have the samba shares / CUPS and few other things until such time they get migrated.

What I did then is disabled the vNIC of the "old" PDC. The issue I faced then is the following:

- Machines with cached credentials worked.
- New logins to those machines came up with "No logon server available".
- Couldn't join a machine to the domain.

I then brought up the "old" PDC back, changed the local master/domain master/preferred master to "no". Still the same results. I thought it might be due to the DNS (Bind9) records. So I then changed the hosts and reverse host file to point to the "new" PDC as the SOA. Also, disabled the vNIC of the "old" PDC without changing anything else in that machine.

The above enabled me to join the machine to the domain and login using different users. However, when running the same 4 commands, I found an issue with one of them. The rest worked ok.

root at lin-bdc:/etc/samba# host
;; connection timed out; no servers could be reached

Earlier this gave domain name pointer lin-pdc.lin, which is correct.

Looks like the "new" PDC is still looking at the old PDC for DNS. But where though? Have checked the usual suspects:
/etc/resolv.conf: points to itself as the nameserver
/etc/network/interfaces: points to itself as the nameserver

The following is the reverse host file

$TTL 38400      ; 10 hours 40 minutes
14.10.10.in-addr.arpa IN SOA  lin-bdc. admin.lin.com.au. (
                                2012125288 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                432000     ; expire (5 days)
                                38400      ; minimum (10 hours 40 minutes)

                        NS      lin-pdc.
                        NS      lin-bdc.
$ORIGIN 14.10.10.in-addr.arpa.
1                       PTR     lin-pdc.lin.
3                       PTR     lin-bdc.lin.

Any thoughts?

Just one more question ;). The next step is to migrate (Classic-AD) the new PDC. I've done this in isolation but using the pre-LDAP config, i.e. tdbsam. I would think it will still work with LDAP.

The question is how will the "old" PDC handle being in an AD environment? Obviously it will still be in the "classic" mode. My thoughts were removing any domain login related info (e.g. domain logons, preferred master, local master, domain master) from smb.conf, and changing the bind9 info from the "old" PDC to point to the "new" PDC as the SOA. Then migrate, Classic-AD. Will this approach work?

Sorry for the long email.


Praveen Ghimire
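Added example (not from the thread): a small Python sanity check over the reverse zone quoted above. It assumes the forward domain is `lin.` (from the earlier `host` output) and that named loads the file as `14.10.10.in-addr.arpa.`; since a trailing dot makes a zone-file name absolute, it reports SOA/NS/PTR targets such as a bare `lin-pdc.` that do not sit under the forward domain, while accepting `lin-pdc.lin.`.

```python
import re

# Constructed input: the reverse zone quoted in the post, SOA comments trimmed.
ZONE = """$TTL 38400
14.10.10.in-addr.arpa IN SOA  lin-bdc. admin.lin.com.au. (
                                2012125288 10800 3600 432000 38400 )
                        NS      lin-pdc.
                        NS      lin-bdc.
$ORIGIN 14.10.10.in-addr.arpa.
1                       PTR     lin-pdc.lin.
3                       PTR     lin-bdc.lin.
"""

RECORD = re.compile(r"\b(SOA|NS|PTR)\s+(\S+)")

def qualify(name, origin):
    """Absolute form of a zone-file name: a trailing dot means 'already
    absolute', otherwise the current $ORIGIN is appended (the usual BIND rule)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def check_zone(text, zone_name, forward_domain="lin."):
    """Return (rrtype, absolute target, note) for every SOA MNAME, NS and PTR
    target that is not a host under forward_domain (assumed default 'lin.').
    zone_name is the origin named.conf gives the file before any $ORIGIN."""
    origin = zone_name
    findings = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop zone-file comments
        if not line or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = RECORD.search(line)
        if not m:
            continue                              # e.g. SOA continuation line
        rrtype, target = m.group(1), qualify(m.group(2), origin)
        if not target.endswith("." + forward_domain):
            findings.append((rrtype, target, f"not under {forward_domain}"))
    return findings

if __name__ == "__main__":
    for rrtype, target, note in check_zone(ZONE, "14.10.10.in-addr.arpa."):
        print(f"{rrtype:<4} {target:<35} {note}")
```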

From: Harry Jede [mailto:walk2sun at arcor.de]
Sent: Wednesday, 14 March 2018 2:20 AM
To: Praveen Ghimire
Cc: samba at lists.samba.org
Subject: Re: [Samba] LDAP: PDC to BDC replication issues

On Tuesday, 13 March 2018, 11:21:17 CET, Praveen Ghimire wrote:

> Harry,
>
> Thank you.
>
> Unfortunately we don't have the choice of upgrading LDAP due to distro
> not supporting the newer version. However we have managed to get it
> to work. A lot of fiddling around.
>
> I do have another question though ;). Now that we have LDAP
> replicating, how do I transfer the "samba classic" PDC role to our
> BDC. I have read that using the domain master=yes in smb.conf is not
> enough. Do I need to change the NS and SOA entry in our bind 9 hosts
> file to point to the existing BDC as we are not setting up Netbios
> entries in the client machine? Also will we need to make changes to
> other parameters in smb.conf?

Servers *must have* a "in-addr.arpa domain name pointer".

Check "os level" on old PDC in smb.conf, maybe:

os level = 65

Now run these 4 commands on both PDC and BDC

# nmblookup -M <netbios domain name>

# nmblookup -M -- -

# host <ip address found>

# nmblookup -s /dev/null -R -T -S <short hostname found>

Go to new PDC

domain master=yes

and set a "higher os level" on this machine

restart smbd and nmbd

Server election will start in background, wait some minutes

Run the above 4 commands again, watch for <1d>. This is the current PDC.

samples with output:

# nmblookup -M europa
querying europa on europa<1d>

# nmblookup -M -- -
querying __MSBROWSE__ on __MSBROWSE__<01>

# host domain name pointer capella.europa.xx.

# nmblookup -s /dev/null -R -T -S capella
querying capella on
capella.europa.xx, capella<00>
Looking up status of
..__MSBROWSE__. <01> - <GROUP> H <ACTIVE>
MAC Address = 00-00-00-00-00-00

here "CAPELLA" is the server netbios name, the server ip
and "EUROPA" is the netbios domain name.



Harry Jede
