[Samba] Problems with Samba after upgrading to v4 and changing LDAP-backend from OpenLDAP to 389

Andrew Bartlett abartlet at samba.org
Tue Sep 27 20:41:24 UTC 2022

On Tue, 2022-09-27 at 21:33 +0100, Rowland Penny via samba wrote:
> But one thing I remember is that you could run a PDC or domain
> member 
> without local users & groups, so how could the OS be the authority
> for 
> users ?

A domain member yes, but not an NT4-like DC.  They have to be in
/etc/passwd or ldap, via nsswitch.  There are some hacks to trust the
LDAP server a bit more, but the philosophy is still one of presenting
'Samba augmented local users', not Samba users. 

> So, from what you are saying, port 135 should be removed from this
> wiki 
> page:
> https://wiki.samba.org/index.php/Samba_NT4_PDC_Port_Usage

I think we are discussing the difference between used and required.
Subsequent developments (focussed on the FreeIPA case in particular)
have included the endpoint mapper, which listens on 135, but I'm not
aware of that being required for the NT4-like DC.

> Well it certainly does that, the problem is that people will try to 
> disassemble it back to the kit of parts, e.g. use dnsmasq instead of
> the 
> internal or Bind9 dns server.

Yes, our users have long memories and are a little stubborn at points.
But that is why they use Samba, rather than Windows :-)

> > This is a big part of why 'samba-tool provision' does so much.
> And thankfully it does it so well.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
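As an added illustration of the nsswitch point made above (this is not code from the post or from the Samba project): an NT4-like DC only sees the users that the OS can resolve through nsswitch, so a first check when a migrated LDAP backend yields "unknown user" is whether the `passwd:` database in nsswitch.conf actually lists a directory source. The two helper functions and the sample files below are constructed for this example; the function names are hypothetical and the sample files stand in for a real /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: report which sources the
# passwd database in an nsswitch.conf uses, so an admin can confirm that an
# NT4-style Samba DC will be able to resolve directory users at all.

# Print the sources configured for the passwd database in the given file,
# with comments stripped and whitespace normalised (e.g. "files ldap").
nss_passwd_sources() {
    sed -e 's/#.*//' "$1" \
      | awk -F: '$1 ~ /^[ \t]*passwd[ \t]*$/ { print $2 }' \
      | tr -s ' \t' ' ' \
      | sed -e 's/^ //' -e 's/ $//'
}

# Return 0 if the named source (ldap, sss, winbind, ...) is listed for passwd.
nss_has_source() {
    for src in $(nss_passwd_sources "$1"); do
        [ "$src" = "$2" ] && return 0
    done
    return 1
}

# Constructed sample files (hypothetical, not real system files) used to
# exercise the helpers; replace the path with /etc/nsswitch.conf in practice.
tmpdir=$(mktemp -d)
cat > "$tmpdir/nsswitch.ldap" <<'EOF'
# constructed sample: users come from local files and then LDAP
passwd:     files ldap
group:      files ldap
shadow:     files
EOF
cat > "$tmpdir/nsswitch.files" <<'EOF'
passwd:     files   # constructed sample: no directory backend at all
group:      files
EOF

if nss_has_source "$tmpdir/nsswitch.ldap" ldap; then
    echo "sample 1: passwd sources are '$(nss_passwd_sources "$tmpdir/nsswitch.ldap")'; LDAP users are visible to the OS"
fi
if ! nss_has_source "$tmpdir/nsswitch.files" ldap; then
    echo "sample 2: passwd sources are '$(nss_passwd_sources "$tmpdir/nsswitch.files")'; an NT4-like DC would not see LDAP users"
fi
```

Run it against the real file with `nss_passwd_sources /etc/nsswitch.conf`; if the output is just `files`, the DC is being asked to serve users the OS has never been told about, and no Samba setting will make them appear.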