Samba 3.0 Schema changes

Andrew Bartlett abartlet at
Thu Jun 19 04:25:16 GMT 2003

Just a quick note to those involved with Directory Administrator:

Samba 3.0 has changed our LDAP schema, mainly to avoid conflicts with
existing attribute names, and to allow us to move forward into groups
and the like.  (There is a 2.2 compatibility mode, but new installations
will use the new schema).

It's not particularly documented at present, but a quick reading of the
included conversion script should show the basic changes.

It has become increasingly evident that Samba *needs* tools like
Directory Administrator in order to move forward - telling people to
script or edit the directory manually just doesn't cut it.

As such, it would be a pity to ship Samba 3.0 with what existing tools
we have broken.  I'm quite wiling to assist in the changes, if
developers have questions about how the changes should be implemented.

In particular:
 - We now have a 'sambaDomain' object, with the primary domain SID
 - We now store the 'sambaSid' for each user, not their RID
 - The algorithm for calculating such a SID is no longer fixed. 

As such, we will need to work with you to ensure that we export the
required information into LDAP, so Directory Administrator can pick it

Also, if you have any ideas for how you would like Samba to 'behave
better' in it's interaction with LDAP, I would be glad to hear it.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list