sambaSID in the sambaSamAccount a good idea?

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Jun 24 20:21:19 GMT 2003


I just ran into the following problem, which in retrospect is an
absolutely simple user error: I took an existing LDAP database with
sambaSamAccount objects and set up a new server with it. This simply
does not work as expected, at least I as a naive user had expected a
different result.

The new server had created a SID of its own, as it did not have a
secrets.tdb. So all the LDAP accounts were foreign to him, and idmap
happily allocated arbitrary uids to the LDAP users. So with this as a
PDC I could not join a domain with 'root' as the account 'root' was
mapped to uid 10000.

In this respect pdb_ldap and pdb_tdb behave differently, pdb_tdb only
stores the RID.

Ok, we definitely need to store the domain SID in LDAP. But I'm not sure
I like the idea that we have the complete SID attached to the user. I
think I would feel better with only the RID in it. We could make it
relative to the OU and the domain object in that OU or whatever, but
user objects with a complete SID? I'm not sure.

This does not mean that the sambaSID attribute does not have a value in
itself -- we will need it for a decent alias implementation.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url :

More information about the samba-technical mailing list