primaryGroupID etc -- Questions concerning samba-2.2.6 and openldap 2.0.23

Andrew Bartlett abartlet at
Sat Oct 26 13:02:00 GMT 2002

"Dr. Hansjoerg Maurer" wrote:
> Hi,
> I installed samba 2.2.6 as pdc with openldap 2.0.23 and most things are
> working.
> Thanks for your great work.
> But I have a few technical questions about details, which I am not sure
> about and a few problems with usrmgr.exe.
> I took the samba.schema included in 2.2.6 and the ldif from IDEALIX.
> Then I had many Groups in Ldap (Domain Admins, Domain Users etc).
> With the ldif from above, these groups e.g. the Domain Admin group had
> gid's of about 200 to 220.
> I changed it to 512,513 ... because I have heard, that this is the GID
> of Domain Admin, Domain Users ... (I have no posix Unix group in
> /etc/group with this ID).
> Same with Domain Users (513) Domain guest (514).
> Are these changes necessary?
> Do I need Unix groups with this GID?

Don't confuse RIDs (an NT concept, and shared between all users and all
groups) with unix uids and gids.

> Next question:
> What is the correct primaryGroupID of a Domain-User? 513 or
> 2*gidNumber(Unix)+1001 ?

LDAP in HEAD allows you to specify a fixed RID for a user/group, but
otherwise it uses that algorithm.  The 'well known' users/groups need to
keep their 'well known' rids.

> If I want a User to be a Domain Admin can I just put him in the Domain
> Admin Group in ldap?
> I have
> domain admin group =  " @"Domain Admins" "
> in smb.conf
> Is an /etc/group entry necessary for this?
> (Background the Server has the Unix groups in ldap too)
> Apart from these questions I have some problems with usrmgr.exe, which
> are not serious.
> But I just want to know, if these are limitations or if I did something
> wrong.
> First of all, usrmgr is able to show all values in ldap (great).
> If I edit a real name of a user, it works.
> But after saving the changes, I get a message on the windows side:
> "The following error changing properties of user maurer occurred: group
> name could not be found" (translated from german)
> But the changes are submitted to ldap correctly.
> When I edit the properties of a user (eg real name), during the
> save, values of logofftime, kickofftime, pwdmustchange are changed from
> 2147483647 to 0
> From this point on, I am unable to change the pwdmustchange settings
> with usrmgr.
> I have to insert a value greater than 2000000000 into ldap by hand, to
> deactivate pwdmustchange.

The issues with LDAP and usrmgr are fixed in current HEAD, and should be
merged in to 3.0 shortly.  

For once usrmgr actually works pretty well! 

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
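
Added example (not part of the original message and not Samba's own code): a Python check of the two primaryGroupID conventions discussed above, the well-known RIDs 512/513/514 and the 2*gidNumber+1001 formula, that flags accounts where a raw Unix gid was stored instead of a RID. The helper names, the dictionary layout and the sample accounts are constructed for illustration.

```python
# Added illustration: helper names and sample accounts are constructed,
# not taken from Samba or from the thread.
WELL_KNOWN_GROUP_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}


def algorithmic_group_rid(gid_number):
    """Group RID derived from a Unix gid with the formula quoted in the thread."""
    if gid_number < 0:
        raise ValueError("gidNumber must be non-negative")
    # Always odd and >= 1001, so it can never land on 512, 513 or 514.
    return 2 * gid_number + 1001


def classify_primary_group(entry):
    """Return (status, detail) for one account's primaryGroupID."""
    gid, rid = entry["gidNumber"], entry["primaryGroupID"]
    if rid in WELL_KNOWN_GROUP_RIDS:
        return "well-known", WELL_KNOWN_GROUP_RIDS[rid]
    if rid == algorithmic_group_rid(gid):
        return "algorithmic", f"2*{gid}+1001"
    if rid == gid:
        return "suspect", "raw Unix gid stored where a RID is expected"
    return "suspect", f"neither well-known nor {algorithmic_group_rid(gid)}"


def audit(entries):
    """List (uid, detail) for accounts whose primaryGroupID needs review."""
    findings = []
    for entry in entries:
        status, detail = classify_primary_group(entry)
        if status == "suspect":
            findings.append((entry["uid"], detail))
    return findings


# Constructed sample accounts (uid, Unix gidNumber, NT primaryGroupID).
SAMPLE = [
    {"uid": "user1", "gidNumber": 100, "primaryGroupID": 513},
    {"uid": "user2", "gidNumber": 100, "primaryGroupID": 1201},
    {"uid": "user3", "gidNumber": 200, "primaryGroupID": 200},
    {"uid": "user4", "gidNumber": 100, "primaryGroupID": 1200},
]

if __name__ == "__main__":
    for uid, detail in audit(SAMPLE):
        print(f"{uid}: {detail}")
```

Setting a Unix gid to 512 does not produce RID 512: the formula maps gid 512 to RID 2025, so the well-known RIDs can only be assigned as fixed values.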
