Experts
I've got the following situation:
- Old Samba server data.company.com, version 4.6.7, configured as a PDC with workgroup = COMPANY for a population of Windows hosts, with the following configuration:
[global]
workgroup = COMPANY
server string = COMPANY Samba Server
netbios name = SMBMASTER
unix extensions = no
max open files = 200000
log file = /var/log/samba/log.%m
max log size = 50
#log level = 9
ntlm auth = Yes
security = user
passdb backend = tdbsam
domain master = yes
domain logons = yes
logon path =
logon script = logon.bat
logon drive = U:
local master = yes
wins support = yes
- New Samba server dc1.company.com, version 4.17.4, configured as an AD DC with workgroup = COMPANY-NEW, with the following configuration:
[global]
dns forwarder = 8.8.8.8
netbios name = DC1
realm = COMPANY-NEW.COMPANY.INTERNAL
server role = active directory domain controller
workgroup = COMPANY-NEW
log level = 2
idmap_ldb:use rfc2307 = yes
min protocol = SMB2
ntlm auth = yes
ldap server require strong auth = no
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/company-new.company.internal/scripts
read only = No
Machines can join fine to both domains, COMPANY and COMPANY-NEW and, once joined, update their passwords (with Ctrl+Alt+Del in Windows) on the respective domain.
What I would like to achieve is for the old server to use the new server for authentication of the users (as a password backend) so users don't have two passwords. This way, I could slowly migrate the population from the old domain to the new and no matter where a user changes their password, they would implicitly change it for both domains.
Since I cannot join the old server data.company.com to the new server dc1.company.com because they have different domain names, I tried out setting the LDAP-server of the new server as a passdb backend for the old one as follows:
[global]
workgroup = COMPANY
server string = COMPANY Samba Server
netbios name = SMBMASTER
unix extensions = no
max open files = 200000
log file = /var/log/samba/log.%m
max log size = 50
#log level = 9
ntlm auth = Yes
security = user
passdb backend = tdbsam
domain master = yes
domain logons = yes
logon path =
logon script = logon.bat
logon drive = U:
local master = yes
wins support = yes
passdb backend = ldapsam:ldap://dc1.company.com
ldapsam:editposix = yes
ldapsam:trusted = yes
ldap admin dn = cn=Administrator,cn=Users,dc=company-new,dc=company,dc=internal
ldap suffix = dc=company-new,dc=company,dc=internal
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap ssl = off
idmap config * : backend = autorid
idmap config * : range = 10000-24999999
idmap config COMPANY: backend = ldap
idmap config COMPANY: range = 10000-19999
idmap config COMPANY: ldap_base_dn = ou=idmap,dc=company-new,dc=company,dc=internal
idmap config COMPANY: ldap_user_dn = cn=admin,dc=company-new,dc=company,dc=internal
map untrusted to domain = yes
ldap delete dn = yes
ldap password sync = yes
winbind use default domain = yes
With this change however, my old server won't start anymore and give me the following message in the logs:
[2023/12/05 19:31:43.778601, 3] ../source3/smbd/server.c:1743(main)
Becoming a daemon.
[2023/12/05 19:31:43.781838, 2] ../source3/passdb/pdb_interface.c:161(make_pdb_method_name)
No builtin backend found, trying to load plugin
[2023/12/05 19:31:43.786133, 2] ../lib/util/modules.c:196(do_smb_load_module)
Module 'ldapsam' loaded
[2023/12/05 19:31:43.786281, 2] ../source3/passdb/pdb_ldap_util.c:280(smbldap_search_domain_info)
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=COMPANY))]
[2023/12/05 19:31:43.800342, 2] ../source3/lib/smbldap.c:794(smbldap_open_connection)
smbldap_open_connection: connection opened
[2023/12/05 19:31:43.853302, 3] ../source3/lib/smbldap.c:1013(smbldap_connect_system)
ldap_connect_system: successful connection to the LDAP server
[2023/12/05 19:31:43.853352, 4] ../source3/lib/smbldap.c:1092(smbldap_open)
The LDAP server is successfully connected
[2023/12/05 19:31:43.895873, 3] ../source3/passdb/pdb_ldap_util.c:305(smbldap_search_domain_info)
smbldap_search_domain_info: Got no domain info entries for domain
[2023/12/05 19:31:43.934623, 3] ../source3/passdb/pdb_ldap_util.c:166(add_new_domain_info)
add_new_domain_info: Adding new domain
[2023/12/05 19:31:43.936770, 1] ../source3/passdb/pdb_ldap_util.c:236(add_new_domain_info)
add_new_domain_info: failed to add domain dn= sambaDomainName=COMPANY,dc=company-new,dc=company,dc=internal with: No such attribute
0000200A: objectclass sambaDomain is not a valid objectClass in schema
[2023/12/05 19:31:43.936814, 0] ../source3/passdb/pdb_ldap_util.c:313(smbldap_search_domain_info)
smbldap_search_domain_info: Adding domain info for COMPANY failed with NT_STATUS_UNSUCCESSFUL
[2023/12/05 19:31:43.936896, 0] ../source3/passdb/pdb_ldap.c:6540(pdb_ldapsam_init_common)
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2023/12/05 19:31:43.936937, 0] ../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
pdb backend ldapsam:ldap://dc1.company.com did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
- Could somebody decipher this for me?
- Is my idea even remotely going in the right direction for what I'm trying to achieve?
- If so, where is the mistake in my configuration?
- If not, what would be the right approach?
Thanks a lot for your help, I'm going bonkers over this. If you need more details about my setup or higher log level outputs I'm happy to provide you with them.
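An added example, not part of the original post: a small linter over the two smb.conf fragments above. It parses the files the way Samba's loadparm does for the points that matter here (parameter names are case-insensitive and ignore internal whitespace; a repeated parameter keeps its last value, which is why the log shows ldapsam being loaded although tdbsam is also set) and flags the security-relevant settings in both configs: the cleartext LDAP simple bind that `ldapsam:ldap://...` with `ldap ssl = off` performs as the Administrator DN, the DC-side `ldap server require strong auth = no` that is what lets such a bind succeed, and `ntlm auth = yes`, which re-enables NTLMv1. The sample configs are constructed from the post and trimmed to the relevant lines; the finding codes and the script itself are this example's own, not Samba's.

```python
"""Lint smb.conf fragments for duplicate parameters and weak LDAP/NTLM settings.

Added example. It is not Samba code; the finding codes are this script's own.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: the relevant lines of the old PDC's [global] from the post (trimmed).
OLD_PDC_CONF = """\
[global]
workgroup = COMPANY
netbios name = SMBMASTER
#log level = 9
ntlm auth = Yes
security = user
passdb backend = tdbsam
domain logons = yes
passdb backend = ldapsam:ldap://dc1.company.com
ldap admin dn = cn=Administrator,cn=Users,dc=company-new,dc=company,dc=internal
ldap suffix = dc=company-new,dc=company,dc=internal
ldap ssl = off
idmap config COMPANY: backend = ldap
idmap config COMPANY: ldap_user_dn = cn=admin,dc=company-new,dc=company,dc=internal
"""

# Constructed sample: the relevant lines of the new AD DC's [global] from the post (trimmed).
NEW_DC_CONF = """\
[global]
netbios name = DC1
realm = COMPANY-NEW.COMPANY.INTERNAL
server role = active directory domain controller
min protocol = SMB2
ntlm auth = yes
ldap server require strong auth = no
"""


def _norm_key(key):
    """Samba compares parameter names case-insensitively and ignores internal spaces."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return (sections, duplicates).

    sections maps section name -> {normalised key: last value}; Samba's loadparm keeps
    the LAST assignment of a repeated parameter. duplicates lists every repetition as
    (section, key, earlier_value, later_value).
    """
    sections, duplicates, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")      # split on the first '=' only
        key, value = _norm_key(key), value.strip()
        if key in sections[current]:
            duplicates.append((current, key, sections[current][key], value))
        sections[current][key] = value
    return sections, duplicates


def lint_smb_conf(text):
    """Return a list of (code, message) findings; an empty list means nothing was flagged."""
    sections, duplicates = parse_smb_conf(text)
    g = sections.get("global", {})
    findings = []

    for section, key, earlier, later in duplicates:
        findings.append(("DUPLICATE_KEY",
                         f"[{section}] '{key}' is set twice; Samba keeps the last value "
                         f"'{later}' and ignores '{earlier}'"))

    backend = g.get("passdbbackend", "tdbsam")
    if backend.startswith("ldapsam"):
        uri = backend.partition(":")[2] or "ldap://localhost"   # 'ldapsam[:url]'
        scheme = urlsplit(uri).scheme.lower()
        ldap_ssl = re.sub(r"[\s_]+", "", g.get("ldapssl", "start tls")).lower()
        if scheme == "ldap" and ldap_ssl != "starttls":
            findings.append(("CLEARTEXT_LDAP_BIND",
                             f"ldapsam simple-binds as '{g.get('ldapadmindn', '')}' to {uri} "
                             "without start tls: the bind password kept in secrets.tdb "
                             "is sent over the network unencrypted"))

    if g.get("serverrole", "").lower() == "active directory domain controller":
        if g.get("ldapserverrequirestrongauth", "yes").lower() == "no":
            findings.append(("LDAP_STRONG_AUTH_DISABLED",
                             "'ldap server require strong auth = no' lets clients simple-bind "
                             "to the DC over unencrypted LDAP; the default 'yes' rejects that"))

    if g.get("ntlmauth", "ntlmv2-only").lower() in ("yes", "true", "1"):
        findings.append(("NTLMV1_ENABLED",
                         "'ntlm auth = yes' accepts NTLMv1 responses; the default since "
                         "Samba 4.5 is 'ntlmv2-only'"))
    return findings


if __name__ == "__main__":
    for name, conf in (("old PDC", OLD_PDC_CONF), ("new DC", NEW_DC_CONF)):
        print(f"== {name} ==")
        for code, msg in lint_smb_conf(conf):
            print(f"  {code}: {msg}")
```

Run against the old PDC fragment it reports the duplicated `passdb backend`, the cleartext bind to dc1.company.com and NTLMv1; against the DC fragment it reports the disabled strong-auth requirement and NTLMv1. The objectClass error in the log (`sambaDomain is not a valid objectClass in schema`) is a separate problem that no config change on the old server fixes: ldapsam expects the Samba 3 LDAP schema, which an AD DC's directory does not carry.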