[Samba] Samba NT4 domain: "demote" a DC to a stand alone file server to un-break the domain clients?

Fabio Muzzi liste at kurgan.org
Wed Jul 19 09:50:38 UTC 2023

Please bear with me for this maybe stupid idea:

I have an old Samba 3.6 NT domain that is now broken because of the latest Windows fix we all know about.

Since I'm not going to try to fix my Samba 3.6, and I don't think MS will fix the old NT-style logons, I'm stuck with only one option: disable the domain.

Now I have 2 ways:

1- use the ForensiT profile wizard to migrate every PC from a domain account to a local account. It works, I have done it before, but sometimes it mangles the profile and you end up with a lost profile, which is not nice. Especially with overly complicated profiles.

2- demote the Samba DC (which is also my only file server) to a stand-alone server (no longer a DC) by means of a simple smb.conf modification. I'm expecting the clients to not be able to find the DC anymore, and to log on with cached credentials FOREVER, or at least until all of these older clients have been replaced with newer ones that will not be in a domain anymore. And on the Samba side, it should make no difference because all the users and permissions are not stored differently between an old NT4 DC and a stand-alone configuration (local Linux users, and pdb for Samba internal user records, no LDAP, no fancy configs).

Will method 2 actually work? (I have only one user per PC, so the only account is cached for sure, and the cache, AFAIK, never expires)


Fabio Muzzi
