
I'm a domain administrator for a very old NT4-based network which needs to be taken out back and shot. I had a chat with the colleague who runs the domain, and he wants to move to Samba-based NT4-style domain control for authenticating our users to our data servers. He's keen to avoid Active Directory type domain control, as that raises a host of complications with IT services, who run our network (a large university).

So, I've got Samba and LDAP talking to each other OK, but when I try to populate the LDAP database or do anything meaningful, I get:

james@photon:/etc/samba$ sudo net getlocalsid
smbldap_search_domain_info: Adding domain info for ATMOS failed with NT_STATUS_UNSUCCESSFUL
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
pdb backend ldapsam:ldap://photon did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
WARNING: Could not open passdb

I'm assuming the problem is that I haven't specified in smb.conf what my domain logon details are, so it's not authenticating me as a domain admin, and I'm not getting domain information sent to me when I request it. Does anyone know how to specify domain credentials in smb.conf?

P.S. Please don't flame - I'm a scientist doing my best with limited resources...

Dorsey
  • What type of complications does AD create? – EEAA Jul 23 '15 at 15:30
  • Our users get IPs through DHCP. AD requires us to handle DNS for those users, so we'd need IT services to figure out which IPs were used by our data users, and send out a different DNS server address. Which is unfeasible. I also don't want to use our hardware to handle a million DNS requests per day for facebook and buzzfeed from our students. – Dorsey Jul 23 '15 at 15:35
  • That's not true, actually. All they need to do is create a DNS delegation for your AD domain, pointing to your AD DNS servers. No need to make large-scale DNS changes, and the central IT resolvers can continue handling facebook/youtube/etc. requests. – EEAA Jul 23 '15 at 15:36
  • Great. We're sticking with NT4 DC anyway; getting IT services to actually do something like that is another headache I don't need. The same problem would remain anyway. I've misunderstood something fundamental about identity mapping, I think... – Dorsey Jul 23 '15 at 15:45
  • Dude, with all due respect, this is a *horrible* idea. Windows NT has been EOL and completely unsupported for 11 years now. You and your colleagues need to come up with some solution to deprecate NT4, as it's downright irresponsible to continue using it as you are. – EEAA Jul 23 '15 at 15:48
  • You may have misread the question. The aim is to take the actual NT4 servers out back and shoot them, and replace them with a Samba-based method of NT4 **style** domain control. Which is adequate for our needs, secure, and fully supported by Samba. – Dorsey Jul 23 '15 at 15:50
  • OK, got it. Yes, given the circumstances, it's not optimal, but certainly better than NT4. – EEAA Jul 23 '15 at 15:51

0 Answers