[Samba] NT4 Domain PDC with Ldap backend and domain members
eric.peyremorte at univ-grenoble-alpes.fr
Tue Jul 7 10:39:46 UTC 2020
Hi, thanks for your answer.
We are migrating on AD, but the legacy domain will stay for a few months. I still use samba 4.2 (before upgrading every file server).
I don't understand how winbind will be used. I don't need an ou=Idmap, as the user entry in uid=login already contains the association between uid and sambaSID in the openldap passdb backend (on the DC).
I just need the domain member to use that information; it seems that winbind is unable to do that: it's going to make its own uid <> sid mapping and store it in ldap ou=idmap.
Maybe it's not possible to correctly use a domain member with a samba 3 + openldap pdc? I didn't find any winbind doc covering that case...
From: "sambalist" <samba at lists.samba.org>
To: "sambalist" <samba at lists.samba.org>
Sent: Tuesday 7 July 2020 12:02:51
Subject: Re: [Samba] NT4 Domain PDC with Ldap backend and domain members
On 07/07/2020 10:46, ERIC PEYREMORTE via samba wrote:
> I still have an old samba 4 (not AD) NT4 domain controller.
> I use an openldap backend on the PDC, where my users are stored with all their attributes (uidnumber, sambaSID etc....)
> I have two file servers as domain members.
> When I connect to a share on the domain controller itself, right click properties on a file / security tabs under Windows gives me the ACL properly:
> But when I connect to a share on a domain member, right click / security tabs under Windows, I get:
> "Unix User\User"
> (User gets mapped to local user, but ACL not displayed properly)
> It makes some applications checking for user permissions fail (Eclipse 2020 for example)
> I tried using passdb backend = ldapsam:ldap://172.30.1.250/ on my domain member: it works great and the acl are ok.
> But it adds a sambaDomainName entry in my ldap.
> I've seen an old thread here with an answer from Andrew Bartlett mentioning we should not use ldapsam as passdb backend on a domain member:
>> This is the why the entry is created. You have pointed your member
>> server at the LDAP backend of the DC. The member server started to
>> write its own information there. Simply remove this line and use a
>> local passdb for the local users - communication between Samba member
>> servers and Samba3 DCs is not over LDAP.
> So I don't understand how I should configure the domain member properly.
> I don't need winbind, as all my users are already SID to uidnumber mapped in the ldap backend.
> I've read all the docs, and still can't figure it out. Doing as Andrew suggests breaks the ACL, and I get an empty net groupmap list.
> Any ideas?
Yes, do what Andrew said, use winbind, in fact, if you are using Samba
>= 4.8.0, you must use winbind. From Samba 4.8.0, smbd can no longer
contact the PDC directly, it must use winbind.
From the release notes for 4.8.0:
Setups with "security = domain" or "security = ads" require a running
'winbindd' now. The fallback that smbd directly contacts domain
controllers is gone.
Can I also suggest that you consider upgrading to AD, before it stops
working again (Microsoft has twice broken NT4-style domains by accident,
they fixed them, next time they might not).
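An smb.conf sketch for the domain member along the lines of this advice, added here as an example and not taken from the thread: it keeps a local passdb as Andrew suggested, runs winbind as 4.8.0 requires, and uses the idmap_nss backend so that winbind takes the uidNumber from the existing LDAP user entries via NSS (nss_ldap or sssd pointed at the DC's OpenLDAP) instead of allocating its own mappings in ou=idmap. The domain name LEGACY and the id ranges are placeholders.

```ini
# Added example smb.conf for a Samba domain member of an NT4-style PDC.
# Assumes NSS on this host already resolves the domain users and groups
# (uidNumber/gidNumber) from the DC's OpenLDAP, e.g. via nss_ldap or sssd.
[global]
    workgroup = LEGACY            ; placeholder: the NT4 domain name
    security = domain
    # Local passdb only: the member must not write into the DC's LDAP.
    passdb backend = tdbsam

    # Default mapping for SIDs from other domains/builtin: local tdb.
    idmap config * : backend = tdb
    idmap config * : range = 3000000-3999999

    # Domain users: winbind asks the PDC for SID<->name and NSS for
    # name<->uid, so the uidNumber stored in LDAP is reused as-is.
    # Range is the set of uids/gids expected in the LDAP entries (placeholder).
    idmap config LEGACY : backend = nss
    idmap config LEGACY : range = 1000-999999

    winbind use default domain = yes
    winbind enum users = no
    winbind enum groups = no
```

After `net rpc join` and starting winbindd, `wbinfo -t` should report a working trust and `wbinfo -n someuser` / `wbinfo -S <sid>` should return the uidNumber already held in LDAP rather than a freshly allocated one.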