sambaAccount LDIF construction

Shanker Balan shanu at
Mon Jan 28 04:37:10 GMT 2002


I am in the process of building a web based LDAP management tool which
handles both POSIX accounts and Samba Accounts. Could anyone comment on
whether my "assumptions" are correct for the various sambaAccount

All time related attributes are in seconds after the UNIX epoch.

	rid = UID + 1000

	pwdLastSet = Epoch

	logonTime = ? ("0" disables it)
	logoffTime = ? ("0" disables it)
	kickoffTime = ? ("0" disables it)
	pwdCanChange = pwdLastSet + time in secs ("0" disables it)
	pwdMustChange = pwdLastSet + time in secs ("0" disables it)
	acctFlags = Must be 13 chars long. See lib/smbpasswd.c for Flags

	displayName = The name as you want it to appear in "user manager"

	smbHome = "logon home"

	homeDrive = "logon drive"

	scriptPath = "logon script"

	profilePath = "logon path"

	userWorkstations = <list of machines the user is allowed domain

	primaryGroupID = (GID * 2) + 1001

 - In the case of a machine account, the pwdMustChange value is
   mandatory and defaults to epoch + 1814400 secs.

 - The initial machine account passwords are generated from lowercase
   machine name (without the $ prefix). 

 - Is there anything else different in the case of machine accounts

 - Anything extra reqd for Win2k/XP machine accounts?

 - Do I need to maintain primaryGroupID for user and machine accounts?

 - What are the values expected for logonTime, logoffTime and

It would be great if the Samba-LDAP HOWTO were updated with the above
information too.

Thank you for your time.

-- Shanu

More information about the samba-technical mailing list