[Samba] NT4 Domain PDC with Ldap backend and domain members

Rowland penny rpenny at samba.org
Tue Jul 7 11:11:23 UTC 2020

On 07/07/2020 11:39, ERIC PEYREMORTE wrote:
> Hi, thanks for your answer.
> We are migrating to AD, but the legacy domain will stay for a few 
> months. I still use samba 4.2 (before upgrading every file server).
4.2 is EOL, but I think you know that ;-)
> I don't understand how winbind will be used. I don't need an ou=Idmap, 
> as the user entry in uid=login already contains the association between 
> uid and sambaSID in the openldap passdb backend (on the DC).
OK, your PDC needs to know who your users and groups are, but, like an 
AD DC, you shouldn't use the PDC as a fileserver.
> I just need the domain member to use that information, it seems that 
> winbind is unable to do that: it's going to make its own uid <> sid 
> mapping and store it in ldap ou=idmap.

It doesn't, actually. I created a test NT4-style domain last week to 
remind myself how they work: you create the users and groups on the PDC, 
and joining a computer creates a computer object in LDAP on the PDC. 
However, your users and groups get IDs from winbind based on the range 
you set in the client's smb.conf.

> Maybe it's not possible to correctly use a domain member with a samba 3 
> + openldap pdc? I didn't find any winbind doc covering that case...

By 'samba 3' do you mean Samba version 3.x.x and if so, what version, or 
do you mean an NT4-style domain ?
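The point about IDs coming from the range in the client's smb.conf, as an added illustration (not a configuration from this thread or from the Samba project): a minimal smb.conf for a Samba domain member joined to an NT4-style domain, with the idmap ranges that winbind allocates from. The workgroup name LEGACY and the range values are assumptions, not anything the thread states.

```ini
[global]
   # NT4-style domain member: the PDC, not this host, holds the accounts.
   workgroup = LEGACY
   security = domain

   # Default backend: BUILTIN and any domain not listed below get
   # allocated IDs out of this range, stored in winbind's local tdb.
   # Ranges must not overlap; values here are assumed, not from the thread.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # The trusted NT4 domain: rid derives the Unix ID algorithmically
   # from the SID's RID plus the low end of this range, so the same SID
   # maps to the same ID on every member that uses identical settings.
   idmap config LEGACY : backend = rid
   idmap config LEGACY : range = 10000-999999

   # What winbind reports for shell and home when NSS asks.
   template shell = /bin/bash
   template homedir = /home/%U
   winbind use default domain = yes
   winbind enum users = no
   winbind enum groups = no
```

With either backend the IDs are computed or allocated on the member; they are not the uidNumber values stored in the PDC's LDAP, which is exactly the behaviour described above. For the member to resolve names through winbind, /etc/nsswitch.conf also needs `winbind` added to the passwd and group lines; after `net rpc join`, `wbinfo -u` and `getent passwd` show the domain accounts and the IDs they were given. Reusing the IDs already present in the PDC's LDAP would need a different idmap backend (for example `idmap_nss`, which resolves through NSS), which is outside what this thread discusses.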

