[Samba] NT4 Domain PDC with Ldap backend and domain members

Rowland penny rpenny at samba.org
Tue Jul 7 10:02:51 UTC 2020

On 07/07/2020 10:46, ERIC PEYREMORTE via samba wrote:
> Hi,
> I still have an old samba 4 (not AD) NT4 domain controller.
> I use an OpenLDAP backend on the PDC, where my users are stored with all their attributes (uidNumber, sambaSID, etc.).
> I have two file servers as domain members.
> When I connect to a share on the domain controller itself, right click properties on a file / security tab under Windows gives me the ACL properly:
> But when I connect to a share on a domain member, right click / security tab under Windows, I get:
> "Unix User\User"
> (User gets mapped to local user, but ACL not displayed properly)
> It makes some applications that check user permissions fail (Eclipse 2020 for example).
> ----
> I tried using passdb backend = ldapsam:ldap:// on my domain member: it works great and the ACLs are OK.
> But it adds a sambaDomainName entry in my LDAP.
> I've seen an old thread here with an answer from Andrew Bartlett mentioning we should not use ldapsam as passdb backend on a domain member:
>> https://lists.samba.org/archive/samba/2012-January/165972.html
>> This is why the entry is created. You have pointed your member
>> server at the LDAP backend of the DC. The member server started to
>> write its own information there. Simply remove this line and use a
>> local passdb for the local users - communication between Samba member
>> servers and Samba3 DCs is not over LDAP.
> So I don't understand how I should properly configure the domain member.
> I don't need winbind, as all my users are already SID-to-uidNumber mapped in the LDAP backend.
> I've read all the docs, and still can't figure it out. Doing as Andrew suggests breaks the ACL, and I get an empty net groupmap list.
> Any ideas?

Yes, do what Andrew said: use winbind. In fact, if you are using Samba 
>= 4.8.0, you must use winbind. From Samba 4.8.0, smbd can no longer 
contact the PDC directly; it must use winbind.

From the release notes for 4.8.0:

Setups with "security = domain" or "security = ads" require a running 
'winbindd' now. The fallback that smbd directly contacts domain 
controllers is gone.

Can I also suggest that you consider upgrading to AD, before it stops 
working again (Microsoft has twice broken NT4-style domains by accident, 
they fixed them, next time they might not).
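For anyone reading this later, the shape of a domain member smb.conf that follows the advice above (local passdb, winbind doing the SID work) looks like the following. This is an added illustration written for this thread, not configuration from Eric's servers or from the Samba project's documentation; EXAMPLEDOM and the idmap ranges are placeholders. It assumes the member already resolves the same users through NSS from the PDC's OpenLDAP (nss-pam-ldapd or sssd), which is what "User gets mapped to local user" suggests, and uses the idmap_nss backend so that winbind hands back the uidNumber/gidNumber already stored in LDAP rather than allocating new ids:

```ini
# /etc/samba/smb.conf on the DOMAIN MEMBER (not the PDC) -- added example, not from the thread.
# Assumptions: NT4-style workgroup EXAMPLEDOM (placeholder); the member's nsswitch.conf
# resolves passwd/group from the same OpenLDAP that the PDC's ldapsam uses.
[global]
    workgroup = EXAMPLEDOM
    security = domain

    # Keep the member's own passdb local. Do NOT point ldapsam at the PDC's LDAP:
    # that is what creates the stray sambaDomainName entry described in the thread.
    passdb backend = tdbsam

    # Default idmap: SIDs from BUILTIN and any other domain get ids allocated
    # from this local range (must not overlap the domain range below).
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Domain users: winbind resolves SID -> name via the PDC, then name -> uid/gid
    # via NSS, so the existing uidNumber values in LDAP are reused unchanged.
    # The range must cover the uidNumber/gidNumber values already present in LDAP.
    idmap config EXAMPLEDOM : backend = nss
    idmap config EXAMPLEDOM : range = 1000-2999

    # Show "user" rather than "EXAMPLEDOM\user" in ACLs and ownership output
    winbind use default domain = yes
    winbind enum users = no
    winbind enum groups = no
```

After `net rpc join -U Administrator` and starting winbindd alongside smbd, `wbinfo -t` should report the trust secret as good, `wbinfo -n someuser` should return the user's SID from the PDC, and `wbinfo -S <that SID>` should return the uidNumber that LDAP already holds; if the last step returns an id from the `*` range instead, the user is not resolvable through NSS on the member and the ACL tab will again show an unmapped name. The idmap_nss mapping is read-only, so nothing is written back to the PDC's LDAP.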

