[Samba] AD DC lost sub.conf

Rowland Penny rpenny at samba.org
Mon Dec 5 11:55:33 UTC 2022

On 05/12/2022 02:54, Callum MacEwan via samba wrote:

>> If the Windows machines are joined to the domain (and there wouldn't be much point to the AD domain if they aren't), they must use the DC as their nameserver, unless the nameserver they are using forwards everything for the AD domain to the DC.
> Yess the AD DC is  the DNS for everyone using Samba internal there is a backup DNS on a Debian box

You are not going to like this, but, unless the 'backup dns server' 
forwards everything for the AD dns domain to a DC, turn it off and make 
your domain members use a DC as their nameserver. You must use the DC's 
as nameservers, AD relies heavily on DNS.

> I could not get the Domain member to use the AD uid gid even when using the config from your wiki! I worked around that by making the AD uid and gid match the domain member and all is up and running again

If by 'AD uid gid' you mean that the DC is using numbers starting at 
'3000000', then this is by design. I am fairly sure that I have said 
this, but just in case I didn't or you missed it:

Do not use a Samba AD DC as a fileserver, just use it for authentication.

The idmap backend on a DC is totally different from any other Samba 
idmap backend and was written around making Sysvol work.

By 'making the AD uid and gid match', I take it that you have given 
users and groups, uidNumber & gidNumber attributes. If this is correct 
and you have given Domain Admins a gidNumber, then congratulations, you 
have just broken Sysvol.

I do wish you would ask before making changes.


More information about the samba mailing list