simo idra at samba.org
Wed Mar 1 22:06:37 GMT 2006

On Wed, 2006-03-01 at 21:42 +0100, Volker Lendecke wrote:
> Hi, Simo!
> As already said on irc: I've tested editing posix accounts
> in ldapsam without any 'add user script' & friends. This
> looks very good, thanks!
> For all who haven't seen this yet, let me advertise Simo's
> work a bit: If you set 'ldapsam:trusted=yes' and
> 'ldapsam:editposix=yes' and you run winbind (even on a DC)
> you can use usrmgr.exe to edit the posix users and groups
> without any idealx scripts etc.
> Extremely cool feature I think, thanks Simo! :-)

Thanks Volker, I really enjoyed making this patch.

I'll take the opportunity to explain how this works.

First of all, it does _not_ substitute user scripts, they are still
there do not worry :-) This patch is meant to help out people that build
their own LDAP server only, or mainly for the purpose of running a samba

So no fancy LDAP schemes are permitted, if you want to use your own
shema, then you just need to stick with your scripts.

On the other hand if you want to build a DC server from scratch, and
want to use LDAP as backend, but want to keep it simple without the
requirement to play with scripts you may look into this solution.


- The editposix ldapsam extension rely on the trusted extension. This
means you must keep _all_ your posix accounts in ldap (All the accounts
that are going to have a samba account attached to).

- On the ldap side you will need to create a basic tree with containers
for users and groups and configure smb.conf accordingly and you need the
an rfc 2307 compliant schema as well as the samba schema.

- Configure nsswitch with ldap and winbind nss backends.
the ldap backend is use to retrieve users, computers and domain groups
the winbindd backend is used to retrieve aliases (winbindd nested group
is enabled by default now).

How does it work.

You need an account to connect to server,
pdbedit -a root  is fine for that.

actually it is recommended to create by hand the posix groups and group
mappings for Domain Users and Admin Users (working to fix this).

After this minimal setup just fire up usrmgr.exe from a Windows
workstation and make your groups and users or just join your servers to
the DC. (You can use as well the net user and net group commands).

Users, groups and machine accounts will be created on your tree using
the rfc2307 posixAccount and posixGroup classes.

The uids and gids for these users and groups are allocated via winbindd,
so you need to properly configure idmap uid and idmap gid parameters for
that to work correctly.


Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org

More information about the samba-technical mailing list