[Samba] Network Meltdown after Samba 4.9.0 Upgrade

Rowland Penny rpenny at samba.org
Sat Sep 15 12:57:15 UTC 2018

On Sat, 15 Sep 2018 05:39:02 -0700
Andrew Bartlett <abartlet at samba.org> wrote:

> On Sat, 2018-09-15 at 10:37 +0100, Rowland Penny via samba wrote:
> > On Sat, 15 Sep 2018 04:02:29 -0500
> > "David C. Rankin via samba" <samba at lists.samba.org> wrote:
> > 
> > > 
> > > On 09/15/2018 03:40 AM, Rowland Penny via samba wrote:
> > > > 
> > > > 
> > > > It is undoubtedly for a 'standalone server', so why does it also
> > > > have the line 'domain master = Yes' ??
> > > > It cannot be both, I would suggest removing this line.
> > > > 
> > > > Rowland
> > > > 
> > > > 
> > > Rowland,
> > > 
> > >   domain master=yes used to be standard for stand-alone to cause
> > > nmbd
> > > claim a special domain specific NetBIOS name as a domain master
> > > browser (based on the os level/preferred master election rules)
> > > 
> > >   man smb.conf does not mention any discontinuation for use in
> > > stand-alone mode. Should it not be used any longer in that role,
> > > or is it a matter of network scale?
> > > 
> > Things have changed, you should allow the domain/workgroup to set
> > its own master especially if there is a PDC or DC in the mix.
> Rowland,
> The purpose of the 'domain master' parameter is as David describes, to
> configure exactly this mode.  
> It is not in conflict with 'server role = standalone server', the
> parameters are intended to allow this, which is why the default for
> 'domain master' is 'auto'.
> I hope this clarifies things,
> Andrew Bartlett

Not really, if you examine man smb.conf, you will find this:

       domain master (G)

           Tell smbd(8) to enable WAN-wide browse list collation. Setting this
           option causes nmbd to claim a special domain specific NetBIOS name
           that identifies it as a domain master browser for its given
           workgroup. Local master browsers in the same workgroup on
           broadcast-isolated subnets will give this nmbd their local browse
           lists, and then ask smbd(8) for a complete copy of the browse list
           for the whole wide area network. Browser clients will then contact
           their local master browser, and will receive the domain-wide browse
           list, instead of just the list for their broadcast-isolated subnet.

           Note that Windows NT Primary Domain Controllers expect to be able
           to claim this workgroup specific special NetBIOS name that
           identifies them as domain master browsers for that workgroup by
           default (i.e. there is no way to prevent a Windows NT PDC from
           attempting to do this). This means that if this parameter is set
           and nmbd claims the special name for a workgroup before a Windows
           NT PDC is able to do so then cross subnet browsing will behave
           strangely and may fail.

           If domain logons = yes, then the default behavior is to enable the
           domain master parameter. If domain logons is not enabled (the
           default setting), then neither will domain master be enabled by

           When domain logons = Yes the default setting for this parameter is
           Yes, with the result that Samba will be a PDC. If domain master =
           No, Samba will function as a BDC. In general, this parameter should
           be set to 'No' only on a BDC.

           Default: domain master = auto

So, from my reading, you should only set 'domain master' (be it 'yes'
or 'no') on a PDC or a BDC, on anything else it shouldn't be set at all
and allow the default, which is auto.

Also, doesn't network browsing need SMBv1 and isn't it now turned off
by default ?


More information about the samba mailing list