I have the following situation:

- Old Samba server `data.company.com`, version 4.6.7, workgroup = COMPANY, configured as the PDC for a population of Windows hosts, with the following configuration:

```ini
[global]
workgroup = COMPANY
server string = COMPANY Samba Server
netbios name = SMBMASTER
unix extensions = no
max open files = 200000
log file = /var/log/samba/log.%m
max log size = 50
#log level = 9
ntlm auth = Yes
security = user
passdb backend = tdbsam
domain master = yes
domain logons = yes
logon path =
logon script = logon.bat
logon drive = U:
local master = yes
wins support = yes
```
- New Samba server `dc1.company.com`, version 4.17.4, configured as an AD DC with workgroup = COMPANY-NEW, configured as follows:

```ini
[global]
dns forwarder = 8.8.8.8
netbios name = DC1
realm = COMPANY-NEW.COMPANY.INTERNAL
server role = active directory domain controller
workgroup = COMPANY-NEW
log level = 2
idmap_ldb:use rfc2307 = yes
min protocol = SMB2
ntlm auth = yes
ldap server require strong auth = no
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/company-new.company.internal/scripts
read only = No
```
Machines can join both domains, COMPANY and COMPANY-NEW, without problems, and once joined they can change their password on the respective domain (using Ctrl+Alt+Del in Windows).

I would like the old server to authenticate users against the new server (as its password backend), so that users do not have to use two passwords. That way I can migrate users slowly from the old domain to the new one, and wherever a user changes their password, they implicitly change it for both domains.

Since I cannot join the old server `data.company.com` to the new server `dc1.company.com`, because they have different domain names, I tried setting the new server's LDAP server as the passdb backend of the old server, as follows:
```ini
[global]
workgroup = COMPANY
server string = COMPANY Samba Server
netbios name = SMBMASTER
unix extensions = no
max open files = 200000
log file = /var/log/samba/log.%m
max log size = 50
#log level = 9
ntlm auth = Yes
security = user
passdb backend = tdbsam
domain master = yes
domain logons = yes
logon path =
logon script = logon.bat
logon drive = U:
local master = yes
wins support = yes
passdb backend = ldapsam:ldap://dc1.company.com
ldapsam:editposix = yes
ldapsam:trusted = yes
ldap admin dn = cn=Administrator,cn=Users,dc=company-new,dc=company,dc=internal
ldap suffix = dc=company-new,dc=company,dc=internal
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap ssl = off
idmap config * : backend = autorid
idmap config * : range = 10000-24999999
idmap config COMPANY: backend = ldap
idmap config COMPANY: range = 10000-19999
idmap config COMPANY: ldap_base_dn = ou=idmap,dc=company-new,dc=company,dc=internal
idmap config COMPANY: ldap_user_dn = cn=admin,dc=company-new,dc=company,dc=internal
map untrusted to domain = yes
ldap delete dn = yes
ldap password sync = yes
winbind use default domain = yes
```
However, after this change my old server no longer starts and shows the following messages in the log:

```text
[2023/12/05 19:31:43.778601, 3] ../source3/smbd/server.c:1743(main)
  Becoming a daemon.
[2023/12/05 19:31:43.781838, 2] ../source3/passdb/pdb_interface.c:161(make_pdb_method_name)
  No builtin backend found, trying to load plugin
[2023/12/05 19:31:43.786133, 2] ../lib/util/modules.c:196(do_smb_load_module)
  Module 'ldapsam' loaded
[2023/12/05 19:31:43.786281, 2] ../source3/passdb/pdb_ldap_util.c:280(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=COMPANY))]
[2023/12/05 19:31:43.800342, 2] ../source3/lib/smbldap.c:794(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2023/12/05 19:31:43.853302, 3] ../source3/lib/smbldap.c:1013(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2023/12/05 19:31:43.853352, 4] ../source3/lib/smbldap.c:1092(smbldap_open)
  The LDAP server is successfully connected
[2023/12/05 19:31:43.895873, 3] ../source3/passdb/pdb_ldap_util.c:305(smbldap_search_domain_info)
  smbldap_search_domain_info: Got no domain info entries for domain
[2023/12/05 19:31:43.934623, 3] ../source3/passdb/pdb_ldap_util.c:166(add_new_domain_info)
  add_new_domain_info: Adding new domain
[2023/12/05 19:31:43.936770, 1] ../source3/passdb/pdb_ldap_util.c:236(add_new_domain_info)
  add_new_domain_info: failed to add domain dn= sambaDomainName=COMPANY,dc=company-new,dc=company,dc=internal with: No such attribute
  0000200A: objectclass sambaDomain is not a valid objectClass in schema
[2023/12/05 19:31:43.936814, 0] ../source3/passdb/pdb_ldap_util.c:313(smbldap_search_domain_info)
  smbldap_search_domain_info: Adding domain info for COMPANY failed with NT_STATUS_UNSUCCESSFUL
[2023/12/05 19:31:43.936896, 0] ../source3/passdb/pdb_ldap.c:6540(pdb_ldapsam_init_common)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2023/12/05 19:31:43.936937, 0] ../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
  pdb backend ldapsam:ldap://dc1.company.com did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
```
- Can someone help me make sense of this?
- Is my idea a correct match for what I am trying to achieve?
- If so, where is the mistake in my configuration?
- If not, what is the correct approach?

Many thanks for your help, this is driving me crazy. If you need more details about my setup or output at a higher log level, I will gladly provide them.
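Added example (editor's code, not the poster's and not part of Samba): a small Python script that does the two checks a practitioner would want to run on the material above before touching anything else. It parses an smb.conf fragment and reports duplicate parameters (the posted `[global]` section sets `passdb backend` twice; Samba applies the last assignment, so only the `ldapsam` line takes effect) and an `ldapsam` bind over plain `ldap://` with `ldap ssl = off`, and it groups a Samba log into entries so that only the lowest-level (most severe) ones, with their `NT_STATUS` codes, are shown. Both embedded samples are constructed from the question's own config and log excerpt and are assumptions about the full files; the rules are generic and not tied to this server.

```python
import re
from collections import defaultdict

# Constructed sample (assumption): the lines of the old server's [global]
# section from the question that the checks below look at, not a full smb.conf.
SAMPLE_SMB_CONF = """\
[global]
workgroup = COMPANY
netbios name = SMBMASTER
security = user
passdb backend = tdbsam
domain logons = yes
passdb backend = ldapsam:ldap://dc1.company.com
ldap admin dn = cn=Administrator,cn=Users,dc=company-new,dc=company,dc=internal
ldap suffix = dc=company-new,dc=company,dc=internal
ldap ssl = off
ldap password sync = yes
"""

# Constructed sample (assumption): the level-2-and-below entries of the log
# excerpt from the question. Samba indents message lines under their header.
SAMPLE_LOG = """\
[2023/12/05 19:31:43.786133, 2] ../lib/util/modules.c:196(do_smb_load_module)
  Module 'ldapsam' loaded
[2023/12/05 19:31:43.936770, 1] ../source3/passdb/pdb_ldap_util.c:236(add_new_domain_info)
  add_new_domain_info: failed to add domain dn= sambaDomainName=COMPANY,dc=company-new,dc=company,dc=internal with: No such attribute
  0000200A: objectclass sambaDomain is not a valid objectClass in schema
[2023/12/05 19:31:43.936814, 0] ../source3/passdb/pdb_ldap_util.c:313(smbldap_search_domain_info)
  smbldap_search_domain_info: Adding domain info for COMPANY failed with NT_STATUS_UNSUCCESSFUL
[2023/12/05 19:31:43.936937, 0] ../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
  pdb backend ldapsam:ldap://dc1.company.com did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: [(key, value), ...]}.

    Duplicate keys are kept in order so they can be reported; Samba itself
    applies the last assignment of a parameter.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return dict(sections)


def lint_global(sections):
    """Return human-readable findings for the [global] section."""
    findings = []
    params = sections.get("global", [])
    seen = defaultdict(list)
    for key, value in params:
        seen[key].append(value)
    for key, values in seen.items():
        if len(values) > 1:
            findings.append(
                f"duplicate '{key}' ({len(values)} times); effective value is {values[-1]!r}"
            )
    effective = dict(params)  # last assignment wins, as in Samba
    backend = effective.get("passdb backend", "")
    if backend.startswith("ldapsam:ldap://") and effective.get("ldap ssl", "").lower() == "off":
        findings.append(
            "ldapsam binds over plain ldap:// with 'ldap ssl = off': the "
            "'ldap admin dn' bind and synced password changes cross the network in cleartext"
        )
    return findings


# Header line: "[YYYY/MM/DD hh:mm:ss.micro, LEVEL] source-location"
LOG_HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} [\d:.]+), +(?P<level>\d+)\] (?P<where>\S+)")
NT_STATUS = re.compile(r"NT_STATUS_[A-Z0-9_]+")


def parse_samba_log(text):
    """Group a Samba log into entries: one header line plus its message lines."""
    entries = []
    for raw in text.splitlines():
        m = LOG_HEADER.match(raw)
        if m:
            entries.append({"ts": m["ts"], "level": int(m["level"]), "where": m["where"], "lines": []})
        elif entries and raw.strip():
            entries[-1]["lines"].append(raw.strip())
    for e in entries:
        e["msg"] = " ".join(e.pop("lines"))
    return entries


def triage_log(entries, max_level=1):
    """Keep entries at or below max_level (lower = more severe) with their NT_STATUS codes."""
    return [
        {"where": e["where"], "status": NT_STATUS.findall(e["msg"]), "msg": e["msg"]}
        for e in entries
        if e["level"] <= max_level
    ]


if __name__ == "__main__":
    for finding in lint_global(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("smb.conf:", finding)
    for hit in triage_log(parse_samba_log(SAMPLE_LOG)):
        print("log:", hit["where"], hit["status"] or "", hit["msg"])
```

Run against the samples, the lint reports the doubled `passdb backend` and the cleartext bind, and the triage reduces the log to the level-1 entry saying `sambaDomain` is not a valid objectClass in the directory's schema followed by the two level-0 entries carrying `NT_STATUS_UNSUCCESSFUL` and `NT_STATUS_CANT_ACCESS_DOMAIN_INFO`; the same functions can be pointed at a full `smb.conf` and `log.smbd` by replacing the embedded strings with file contents.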