BDC does not join PDC
Migrated from: https://tracker.clearos.com/view.php?id=13531
Reported by: Dave Loper
When configured to Master/Slave, BDC won't finish initialization. The following things are items I had to do to get it to work as a BDC:
- Modified nslcd.conf: The default regex in nslcd does not pick up the plus in proper usernames (i.e. user+DOMAIN). The default regex is (see man nslcd.conf):
/^[a-z0-9._@$][a-z0-9._@$\\~-]*[a-z0-9._@$~-]$/i
I had to add the following:
validnames /^[a-z0-9._@$][a-z0-9._@+$\\~-]*[a-z0-9._@$~-]$/i
I then had to chattr +i /etc/nslcd.conf since the file is automatically generated.
- Had to set the localsid to match the domain sid.
# Extract the domain SID from 'net getdomainsid' and, if one was found, make the local SID match it
# (the original used '[ -v DOMAINSID ]', which is always true once the variable has been assigned, even when empty)
DOMAINSID=`net getdomainsid | grep -oh "S-1-5.*$"`; if [ -n "$DOMAINSID" ]; then net setlocalsid "$DOMAINSID"; fi
This should ALWAYS be the case with a Backup Domain Controller. The big separator between a PDC and a BDC is the 'domain master = No' parameter in /etc/smb.conf. All other parameters like 'preferred master = Yes' should be the same as the PDC.
- The directories in /var for samba and her children were not created. I had to do the following:
mkdir -p /var/samba/drivers
mkdir -p /var/samba/netlogon
mkdir -p /var/samba/profiles
chown winadmin:domain_users /var/samba/*
chmod g+w /var/samba/profiles
chmod g+s /var/samba/profiles
- I had to set the interfaces to bind to the interface of the LAN network interface object. Only the loopback was set and bind interfaces only had been 'No'. New settings were:
# Network
bind interfaces only = Yes
interfaces = lo enp0s8
- Since this BDC is to be located on a site and subnet different than the PDC, I had to make this server the WINS Server. This was a configuration choice and not an error.
- After confirming that I had the domainsid, ldap was replicating, and that the smb, winbind, and nmb services were running, I set the initialized flag:
touch /var/clearos/samba_common/initialized
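The nslcd regex change above is the one step that is easy to verify offline. The following is an added example, not part of the original report or of ClearOS/nslcd itself: it transcribes the default validnames pattern and the reporter's patched pattern into Python regular expressions and checks which usernames each accepts. It shows that the patch only admits '+' in the middle of a name, so a name that starts or ends with '+' is still rejected by both. The sample usernames are constructed.

```python
import re

# Default validnames regex from 'man nslcd.conf', transcribed into Python.
# '\\' inside a raw string is a regex-escaped backslash, matching nslcd's own escaping.
DEFAULT_VALIDNAMES = re.compile(
    r"^[a-z0-9._@$][a-z0-9._@$\\~-]*[a-z0-9._@$~-]$", re.IGNORECASE
)

# The reporter's patched regex: '+' added to the middle character class only,
# so 'user+DOMAIN' style names pass while the first and last characters are
# still restricted to the original sets.
PATCHED_VALIDNAMES = re.compile(
    r"^[a-z0-9._@$][a-z0-9._@+$\\~-]*[a-z0-9._@$~-]$", re.IGNORECASE
)


def is_valid_name(name, pattern=DEFAULT_VALIDNAMES):
    """Return True if nslcd (with the given validnames pattern) would accept this name."""
    return pattern.fullmatch(name) is not None


def check_names(names):
    """Map each name to (accepted_by_default, accepted_by_patched)."""
    return {
        n: (is_valid_name(n, DEFAULT_VALIDNAMES), is_valid_name(n, PATCHED_VALIDNAMES))
        for n in names
    }


if __name__ == "__main__":
    # Constructed sample usernames, including the 'user+DOMAIN' form from the report.
    samples = ["winadmin", "user+DOMAIN", "+user", "user+", "DOMAIN\\user"]
    for name, (default_ok, patched_ok) in check_names(samples).items():
        print(f"{name:14s} default={default_ok!s:5s} patched={patched_ok!s:5s}")
```

Run it with no arguments; the table it prints makes clear why the default pattern breaks lookups for 'user+DOMAIN' accounts and why the patched pattern is not a blanket relaxation.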
Developer comment:
Please confirm this is still an issue. Setting up a PDC/BDC was not a problem.
Also please review the WINS server statement. Normally I would expect you to point the WINS server to the PDC, but this does require a VPN.
This also seems to be related to the issue of no interfaces configured, #19.