[Samba] NT4 Domain PDC with Ldap backend and domain members

ERIC PEYREMORTE eric.peyremorte at univ-grenoble-alpes.fr
Tue Jul 7 09:46:56 UTC 2020


I still have an old samba 4 (not AD) NT4 domain controller. 

I use an openldap backend on the PDC, where my users are stored with all their attributes (uidnumber, sambaSID etc....) 

I have two file servers as domain members. 

When i connect to a share on the domain controller itself, right click properties on a file / security tabs under Windows gives me the ACL properly : 

But when i connect to a share on a domain member, right click / security tabs under Windows, i get: 
"Unix User\User" 

(User gets mapped to local user, but ACL not displayed properly) 

It makes some applications checking for user permissions fail (Eclipse 2020 for example) 


I tried using passdb backend = ldapsam:ldap:// on my domain member : it works great and the acl are ok. 

But it adds a sambaDomainName entry in my ldap. 

I've seen an old thread here with an answer from Andrew Bartlett mentionning we should not use ldapsam as passdb backend on a domain member : 


>This is the why the entry is created. You have pointed your member 
>server at the LDAP backend of the DC. The member server started to 
>write it's own information there. Simply remove this line and use a 
>local passdb for the local users - communication between Samba member 
>servers and Samba3 DCs is not over LDAP. 

So i don't understand how i should configure properly the domain member. 

I don't need winbind, as all my users are already SID to uidnumber mapped in the ldapbackend. 

I've read all the docs, and still can't figure it out. Doing as Andrew suggests breaks the ACL, and i get an empty net groupmap list. 

Any ideas ? 

More information about the samba mailing list