[Samba] NT4 Domain PDC with Ldap backend and domain members

ERIC PEYREMORTE eric.peyremorte at univ-grenoble-alpes.fr
Tue Jul 7 10:39:46 UTC 2020

Hi, thanks for your answer. 

We are migrating to AD, but the legacy domain will stay for a few months. I still use samba 4.2 (before upgrading every file server). 

I don't understand how winbind will be used. I don't need an ou=Idmap, as the user entry in uid=login already contains the association between uid and sambaSID in the openldap passdb backend (on the DC). 

I just need the domain member to use that information; it seems that winbind is unable to do that: it's going to make its own uid <> sid mapping and store it in ldap ou=idmap. 

Maybe it's not possible to correctly use a domain member with a samba 3 + openldap PDC? I didn't find any winbind doc covering that case... 


From: "sambalist" <samba at lists.samba.org> 
To: "sambalist" <samba at lists.samba.org> 
Sent: Tuesday 7 July 2020 12:02:51 
Subject: Re: [Samba] NT4 Domain PDC with Ldap backend and domain members 

On 07/07/2020 10:46, ERIC PEYREMORTE via samba wrote: 
> Hi, 
> I still have an old samba 4 (not AD) NT4 domain controller. 
> I use an openldap backend on the PDC, where my users are stored with all their attributes (uidnumber, sambaSID etc....) 
> I have two file servers as domain members. 
> When I connect to a share on the domain controller itself, right click properties on a file / security tabs under Windows gives me the ACL properly: 
> "MYDOMAIN\User" 
> But when I connect to a share on a domain member, right click / security tabs under Windows, I get: 
> "Unix User\User" 
> (User gets mapped to local user, but ACL not displayed properly) 
> It makes some applications checking for user permissions fail (Eclipse 2020 for example) 
> ---- 
> I tried using passdb backend = ldapsam:ldap:// on my domain member: it works great and the ACLs are ok. 
> But it adds a sambaDomainName entry in my ldap. 
> I've seen an old thread here with an answer from Andrew Bartlett mentioning we should not use ldapsam as passdb backend on a domain member: 
>> https://lists.samba.org/archive/samba/2012-January/165972.html 
>> This is why the entry is created. You have pointed your member 
>> server at the LDAP backend of the DC. The member server started to 
>> write its own information there. Simply remove this line and use a 
>> local passdb for the local users - communication between Samba member 
>> servers and Samba3 DCs is not over LDAP. 
> So I don't understand how I should configure the domain member properly. 
> I don't need winbind, as all my users are already SID to uidnumber mapped in the ldap backend. 
> I've read all the docs, and still can't figure it out. Doing as Andrew suggests breaks the ACL, and I get an empty net groupmap list. 
> Any ideas? 

Yes, do what Andrew said, use winbind, in fact, if you are using Samba 
>= 4.8.0, you must use winbind. From Samba 4.8.0, smbd can no longer 
contact the PDC directly, it must use winbind. 

From the release notes for 4.8.0: 

Setups with "security = domain" or "security = ads" require a running 
'winbindd' now. The fallback that smbd directly contacts domain 
controllers is gone. 

Can I also suggest that you consider upgrading to AD, before it stops 
working again (Microsoft has twice broken NT4-style domains by accident, 
they fixed them, next time they might not). 
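The two member-server misconfigurations this thread turns on (pointing `passdb backend = ldapsam` at the DC's LDAP, which makes smbd write its own entries there, and running `security = domain` without a per-domain idmap configuration for winbindd) are easy to catch with a small lint over smb.conf. The script below is an added example, not code from the Samba project or from anyone in the thread. The two embedded smb.conf fragments are constructed: the "bad" one reproduces the setup the original poster described, and the "good" one is an assumed member-server layout using `tdbsam` locally plus the `idmap_ldap` backend with an `ou=idmap` container, which is the store winbindd is described above as maintaining; host names, base DN and id ranges are placeholders.

```python
"""Lint a Samba smb.conf for the domain-member pitfalls discussed in the thread.

Added example (not Samba code). Parses the [global] section the way Samba
canonicalises parameter names (case-insensitive, whitespace ignored) and flags
two member-server mistakes: an ldapsam passdb pointed at the DC, and a missing
per-domain idmap config for winbindd.
"""
import re

MEMBER_MODES = {"domain", "ads"}   # modes that require winbindd from Samba 4.8.0

# Constructed sample: the member-server config the original poster described.
BAD_SMB_CONF = """
[global]
   workgroup = MYDOMAIN
   security = domain
   passdb backend = ldapsam:ldap://pdc.example.org
"""

# Constructed sample: assumed member-server layout that keeps passdb local and
# lets winbindd own the SID<->uid mapping (idmap_ldap with an ou=idmap container).
GOOD_SMB_CONF = """
[global]
   workgroup = MYDOMAIN
   security = domain
   passdb backend = tdbsam
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MYDOMAIN : backend = ldap
   idmap config MYDOMAIN : ldap_url = ldap://pdc.example.org
   idmap config MYDOMAIN : ldap_base_dn = ou=idmap,dc=example,dc=org
   idmap config MYDOMAIN : range = 10000-999999
"""


def norm(key):
    """Canonicalise a parameter name like Samba does: lowercase, no whitespace."""
    return re.sub(r"\s+", "", key.lower())


def parse_smb_conf(text):
    """Minimal smb.conf reader: returns {section: {canonical key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                          # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" not in line or section is None:
            continue                          # not a parameter line
        key, value = line.split("=", 1)
        conf[section][norm(key)] = value.strip()
    return conf


def lint_member(conf):
    """Return a list of findings for a domain-member configuration."""
    g = conf.get("global", {})
    findings = []
    mode = g.get("security", "user").lower()  # Samba's default is 'user'
    if mode not in MEMBER_MODES:
        return findings                       # rules below only apply to members
    workgroup = g.get("workgroup", "").lower()
    passdb = g.get(norm("passdb backend"), "tdbsam")
    if passdb.lower().startswith("ldapsam"):
        findings.append(
            "passdb backend = ldapsam on a member server: smbd will write its own "
            "entries (e.g. sambaDomainName) into the PDC's directory; use a local "
            "passdb such as tdbsam and let winbindd talk to the DC")
    if workgroup and norm(f"idmap config {workgroup} : backend") not in g:
        findings.append(
            f"no 'idmap config {workgroup.upper()} : backend': winbindd will "
            "allocate uid<->SID mappings per server from the '*' default, so the "
            "two file servers will not agree with each other or with the PDC")
    return findings


def lint_text(text):
    """Convenience wrapper: parse and lint an smb.conf given as a string."""
    return lint_member(parse_smb_conf(text))


if __name__ == "__main__":
    for name, text in (("bad", BAD_SMB_CONF), ("good", GOOD_SMB_CONF)):
        print(name, lint_text(text) or ["ok"])
```

Running it prints two findings for the "bad" fragment and `ok` for the "good" one. The parser intentionally ignores everything outside `[global]`, since both problems are global parameters; share-level `passdb backend` is not a thing.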

