I've got the following situation:
- Old Samba server data.company.com, version 4.6.7, configured as a PDC with workgroup = COMPANY for a population of Windows hosts, with the following configuration:
[global]
workgroup = COMPANY
server string = COMPANY Samba Server
netbios name = SMBMASTER
unix extensions = no
max open files = 200000
log file = /var/log/samba/log.%m
max log size = 50
#log level = 9
ntlm auth = Yes
security = user
passdb backend = tdbsam
domain master = yes
domain logons = yes
logon path =
logon script = logon.bat
logon drive = U:
local master = yes
wins support = yes
- New Samba server dc1.company.com, version 4.17.4, configured as an AD DC with workgroup = COMPANY-NEW and the following configuration:
[global]
dns forwarder = 8.8.8.8
netbios name = DC1
realm = COMPANY-NEW.COMPANY.INTERNAL
server role = active directory domain controller
workgroup = COMPANY-NEW
log level = 2
idmap_ldb:use rfc2307 = yes
min protocol = SMB2
ntlm auth = yes
ldap server require strong auth = no
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/company-new.company.internal/scripts
read only = No
Machines can join both domains, COMPANY and COMPANY-NEW, fine and, once joined, update their passwords (with Ctrl+Alt+Del in Windows) on the respective domain.
What I would like to achieve is for the old server to use the new server for authentication of the users (as a password backend) so users don't have two passwords. This way, I could slowly migrate the population from the old domain to the new and no matter where a user changes their password, they would implicitly change it for both domains.
Since I cannot join the old server data.company.com to the new server dc1.company.com because they have different domain names, I tried setting the LDAP server of the new server as a passdb backend for the old one as follows:
[global]
workgroup = COMPANY
server string = COMPANY Samba Server
netbios name = SMBMASTER
unix extensions = no
max open files = 200000
log file = /var/log/samba/log.%m
max log size = 50
#log level = 9
ntlm auth = Yes
security = user
passdb backend = tdbsam
domain master = yes
domain logons = yes
logon path =
logon script = logon.bat
logon drive = U:
local master = yes
wins support = yes
passdb backend = ldapsam:ldap://dc1.company.com
ldapsam:editposix = yes
ldapsam:trusted = yes
ldap admin dn = cn=Administrator,cn=Users,dc=company-new,dc=company,dc=internal
ldap suffix = dc=company-new,dc=company,dc=internal
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap ssl = off
idmap config * : backend = autorid
idmap config * : range = 10000-24999999
idmap config COMPANY: backend = ldap
idmap config COMPANY: range = 10000-19999
idmap config COMPANY: ldap_base_dn = ou=idmap,dc=company-new,dc=company,dc=internal
idmap config COMPANY: ldap_user_dn = cn=admin,dc=company-new,dc=company,dc=internal
map untrusted to domain = yes
ldap delete dn = yes
ldap password sync = yes
winbind use default domain = yes
With this change, however, my old server won't start anymore and gives me the following message in the logs:
[2023/12/05 19:31:43.778601, 3] ../source3/smbd/server.c:1743(main)
Becoming a daemon.
[2023/12/05 19:31:43.781838, 2] ../source3/passdb/pdb_interface.c:161(make_pdb_method_name)
No builtin backend found, trying to load plugin
[2023/12/05 19:31:43.786133, 2] ../lib/util/modules.c:196(do_smb_load_module)
Module 'ldapsam' loaded
[2023/12/05 19:31:43.786281, 2] ../source3/passdb/pdb_ldap_util.c:280(smbldap_search_domain_info)
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=COMPANY))]
[2023/12/05 19:31:43.800342, 2] ../source3/lib/smbldap.c:794(smbldap_open_connection)
smbldap_open_connection: connection opened
[2023/12/05 19:31:43.853302, 3] ../source3/lib/smbldap.c:1013(smbldap_connect_system)
ldap_connect_system: successful connection to the LDAP server
[2023/12/05 19:31:43.853352, 4] ../source3/lib/smbldap.c:1092(smbldap_open)
The LDAP server is successfully connected
[2023/12/05 19:31:43.895873, 3] ../source3/passdb/pdb_ldap_util.c:305(smbldap_search_domain_info)
smbldap_search_domain_info: Got no domain info entries for domain
[2023/12/05 19:31:43.934623, 3] ../source3/passdb/pdb_ldap_util.c:166(add_new_domain_info)
add_new_domain_info: Adding new domain
[2023/12/05 19:31:43.936770, 1] ../source3/passdb/pdb_ldap_util.c:236(add_new_domain_info)
add_new_domain_info: failed to add domain dn= sambaDomainName=COMPANY,dc=company-new,dc=company,dc=internal with: No such attribute
0000200A: objectclass sambaDomain is not a valid objectClass in schema
[2023/12/05 19:31:43.936814, 0] ../source3/passdb/pdb_ldap_util.c:313(smbldap_search_domain_info)
smbldap_search_domain_info: Adding domain info for COMPANY failed with NT_STATUS_UNSUCCESSFUL
[2023/12/05 19:31:43.936896, 0] ../source3/passdb/pdb_ldap.c:6540(pdb_ldapsam_init_common)
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2023/12/05 19:31:43.936937, 0] ../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
pdb backend ldapsam:ldap://dc1.company.com did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
- Could somebody decipher this for me?
- Is my idea even remotely going in the right direction for what I'm trying to achieve?
- If so, where is the mistake in my configuration?
- If not, what would be the right approach?
Thanks a lot for your help; I'm going bonkers over this. If you need more details about my setup or higher log level outputs, I'm happy to provide you with them.
> going into the right direction?

No, this is not the right direction. The strategy is convoluted and incoherent. This is something that is normally quick and easy, but multiple approaches for implementation and administration have been defeated. And it involves tinkering with a release that was End Of Life five years ago, and a "new" server using a release that will be EOL in four months...

> If not, what would be the right approach?

?

The whole point is to get rid of the "old" server and get the "new" server up and running, which we will then be able to continuously upgrade. So what is the right direction in your humble opinion? Do you have any actual advice for me?