[Samba] AD DC lost sub.conf
Rowland Penny
rpenny at samba.org
Mon Dec 5 11:55:33 UTC 2022
On 05/12/2022 02:54, Callum MacEwan via samba wrote:
>> If the Windows machines are joined to the domain (and there wouldn't be much point to the AD domain if they aren't), they must use the DC as their nameserver, unless the nameserver they are using forwards everything for the AD domain to the DC.
> Yes, the AD DC is the DNS for everyone, using Samba internal; there is a backup DNS on a Debian box.
You are not going to like this, but, unless the 'backup dns server'
forwards everything for the AD DNS domain to a DC, turn it off and make
your domain members use a DC as their nameserver. You must use the DCs
as nameservers; AD relies heavily on DNS.
>
> I could not get the Domain member to use the AD uid gid even when using the config from your wiki! I worked around that by making the AD uid and gid match the domain member and all is up and running again.
>
If by 'AD uid gid' you mean that the DC is using numbers starting at
'3000000', then this is by design. I am fairly sure that I have said
this, but just in case I didn't or you missed it:
Do not use a Samba AD DC as a fileserver, just use it for authentication.
The idmap backend on a DC is totally different from any other Samba
idmap backend and was written around making Sysvol work.
By 'making the AD uid and gid match', I take it that you have given
users and groups, uidNumber & gidNumber attributes. If this is correct
and you have given Domain Admins a gidNumber, then congratulations, you
have just broken Sysvol.
I do wish you would ask before making changes.
Rowland
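
The check implied by the reply above, as an added example that is not part of the original message or of Samba itself: it parses LDIF text (the format directory exports such as ldbsearch output use) and flags a Domain Admins entry that carries a gidNumber, the condition the reply says breaks Sysvol. The sample LDIF, the DNs and the function names are constructed for illustration.

```python
import base64

# Constructed sample LDIF (not taken from the thread).
SAMPLE_LDIF = """\
# record 1
dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Domain Admins
gidNumber: 10001

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=alice,CN=Users,DC=samdom,DC=example,
 DC=com
sAMAccountName:: YWxpY2U=
uidNumber: 10500
"""

def parse_ldif(text):
    """Return records as dicts of lower-cased attribute -> list of values."""
    # A line starting with one space continues the previous line (LDIF folding).
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    records = []
    for block in unfolded.split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            rec.setdefault(attr.lower(), []).append(value.strip())
        if rec:
            records.append(rec)
    return records

def audit_rfc2307(records, protected=("domain admins",)):
    """Return (flagged, others): entries carrying uidNumber/gidNumber."""
    flagged, others = [], []
    for rec in records:
        ids = {a: rec[a][0] for a in ("uidnumber", "gidnumber") if a in rec}
        name = rec.get("samaccountname", ["?"])[0]
        if ids:
            hit = name.lower() in protected and "gidnumber" in ids
            (flagged if hit else others).append((name, ids))
    return flagged, others

if __name__ == "__main__":
    print(audit_rfc2307(parse_ldif(SAMPLE_LDIF)))
```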