[Samba] NT4 Domain PDC with Ldap backend and domain members
Rowland penny
rpenny at samba.org
Tue Jul 7 10:02:51 UTC 2020
On 07/07/2020 10:46, ERIC PEYREMORTE via samba wrote:
> Hi,
>
> I still have an old samba 4 (not AD) NT4 domain controller.
>
> I use an openldap backend on the PDC, where my users are stored with all their attributes (uidnumber, sambaSID, etc.).
>
> I have two file servers as domain members.
>
> When I connect to a share on the domain controller itself, right-click Properties on a file / Security tab under Windows gives me the ACL properly:
> "MYDOMAIN\User"
>
> But when I connect to a share on a domain member, right-click / Security tab under Windows, I get:
> "Unix User\User"
>
> (The user gets mapped to the local user, but the ACL is not displayed properly.)
>
> It makes some applications that check user permissions fail (Eclipse 2020, for example).
>
> ----
>
> I tried using passdb backend = ldapsam:ldap://172.30.1.250/ on my domain member: it works great and the ACLs are OK.
>
> But it adds a sambaDomainName entry in my ldap.
>
> I've seen an old thread here with an answer from Andrew Bartlett mentioning that we should not use ldapsam as the passdb backend on a domain member:
>
>> https://lists.samba.org/archive/samba/2012-January/165972.html
>> This is why the entry is created. You have pointed your member
>> server at the LDAP backend of the DC. The member server started to
>> write its own information there. Simply remove this line and use a
>> local passdb for the local users - communication between Samba member
>> servers and Samba3 DCs is not over LDAP.
>
> So I don't understand how I should configure the domain member properly.
>
> I don't need winbind, as all my users are already SID-to-uidnumber mapped in the LDAP backend.
>
> I've read all the docs and still can't figure it out. Doing as Andrew suggests breaks the ACLs, and I get an empty net groupmap list.
>
> Any ideas?
Yes, do what Andrew said: use winbind. In fact, if you are using Samba
>= 4.8.0, you must use winbind. From Samba 4.8.0, smbd can no longer
contact the PDC directly; it must use winbind.
From the release notes for 4.8.0:
Setups with "security = domain" or "security = ads" require a running
'winbindd' now. The fallback that smbd directly contacts domain
controllers is gone.
Can I also suggest that you consider upgrading to AD before it stops
working again? Microsoft has twice broken NT4-style domains by accident;
they fixed them, but next time they might not.
Rowland
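What the thread above leaves implicit is how a Samba >= 4.8 domain member is meant to look once winbind does the talking to the PDC. The "Unix User\User" shown in the Security tab is the S-1-22-1-<uid> fallback SID that smbd emits when it cannot map a file's owning uid back to a domain SID; with winbindd running and an idmap backend configured for the domain, that reverse mapping succeeds and the ACL shows "MYDOMAIN\User" again, without any passdb backend pointing at the PDC's directory. The following smb.conf is an added example for this thread, not configuration from the original posts or from the Samba project; MYDOMAIN, the PDC address 172.30.1.250, the base DN, the bind DN and the id ranges are assumptions, and the choice of idmap backend depends on what the existing directory actually contains (see the comments):

```ini
# smb.conf for a Samba >= 4.8 member of an NT4-style (classic) domain.
# Added example, not from the original post or the Samba documentation.
# ASSUMED values: MYDOMAIN, 172.30.1.250, dc=mydomain,dc=example, the
# read-only bind DN and the id ranges.
[global]
    workgroup = MYDOMAIN
    security = domain
    # Since 4.8.0 smbd no longer contacts the DC itself; winbindd must run.
    winbind use default domain = no
    winbind enum users = no
    winbind enum groups = no

    # Deliberately NO "passdb backend = ldapsam:ldap://172.30.1.250/":
    # a member server with an ldapsam passdb writes its own sambaDomainName
    # entry into the PDC's directory (Andrew's point above). Local accounts,
    # if any, live in the default local tdbsam.

    # Default idmap range for BUILTIN and other well-known SIDs. It must not
    # overlap the domain range below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Domain SIDs -> uid/gid through the existing directory, read-only, so the
    # member reuses the ids already assigned on the PDC and file ownership
    # stays consistent between PDC and members. NOTE: idmap_ldap looks up
    # sambaIdmapEntry objects under ldap_base_dn; it does not read the
    # uidNumber on a sambaSamAccount. If the directory has no such entries,
    # use the idmap_nss variant further down instead.
    idmap config MYDOMAIN : backend = ldap
    idmap config MYDOMAIN : ldap_url = ldap://172.30.1.250/
    idmap config MYDOMAIN : ldap_base_dn = ou=Idmap,dc=mydomain,dc=example
    idmap config MYDOMAIN : ldap_user_dn = cn=idmap-ro,dc=mydomain,dc=example
    idmap config MYDOMAIN : range = 10000-999999
    idmap config MYDOMAIN : read only = yes

    # Variant (ASSUMPTION: the member already resolves the same LDAP users
    # through NSS, e.g. nslcd or sssd): winbind resolves SID -> name at the
    # DC, then idmap_nss resolves name -> uid through NSS, so no
    # sambaIdmapEntry objects are needed. Use this block OR the ldap block,
    # not both.
    # idmap config MYDOMAIN : backend = nss
    # idmap config MYDOMAIN : range = 10000-999999

    # Shares follow here as before.
```

With the ldap backend, the bind password for ldap_user_dn is stored in secrets.tdb with `net idmap set secret MYDOMAIN '<password>'` (idmap_ldap(8), net(8)); it is not written in smb.conf. After `net rpc join -U Administrator` and starting winbindd, `wbinfo --ping-dc` and `wbinfo -t` confirm the member can reach the PDC through winbind, and `wbinfo -n 'MYDOMAIN\User'` followed by `wbinfo -S <that SID>` should return the uidNumber the directory already assigns to that user. The check that corresponds directly to the symptom in the thread is the reverse one: `wbinfo -U <uid>` must return the domain SID (S-1-5-21-...), not S-1-22-1-<uid>; if it still returns the S-1-22-1 form, the idmap configuration for MYDOMAIN is not resolving and the Security tab will keep showing "Unix User\...". Adding `winbind` to the passwd and group lines of /etc/nsswitch.conf lets `getent passwd 'MYDOMAIN\User'` confirm the same mapping from the NSS side.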