[Samba] trying to prepare to go live this weekend

John H Terpstra jht at samba.org
Fri Dec 19 18:30:15 GMT 2003


On Fri, 19 Dec 2003, Craig White wrote:

> Asking these questions again, I have read/re-read the documentation and
> want to get these ideas clear before I commit. Any answers on any
> question will be appreciated.
>
> 1 - Group (Linux) - Groups (Windows) seems too confusing to me so I
> mapped Groups to Group in the smbldap-tools and the nss/ldap.conf so I
> would only have one group called Group. This seems reasonable to me - is
> there a problem with that thinking?

Every NT Group needs a corresponding UNIX GID. The UNIX GID must be
capable of being resolved by Samba. If you are using LDAP, Samba will try
only LDAP. That means that your UNIX (Posix) group account must be in
LDAP. So long as your NSS resolver is able to obtain the LDAP UNIX group
info, you do not need entries for the same groups in /etc/groups.

> 2 - Now I know, I can't have WinNT PDC or BDC and thus have 3 choices...
>  a) create a new domain for linux based domain and set up a trust
> between the two - still leaves me without a BDC for original domain.

This one is fraught with the problems of working across interdomain
trusts. Ask an experienced windows admin what his experience is with that
before you try it.

>  b) reformat/reinstall WinNT on current PDC and make it a server on
> Linux managed domain - ugly option at this point.

This is the best option.

>  c) turn off logon services (never done this on NT domain controller but
> presume that it can be somewhat disabled) - has anyone done anything
> down this path?

That will work too. Just shut down the Netlogon service.

> 3 - If I make a new domain and set up trusts between old domain and new
> domain - do I have to then add the group Groups to get continuity
> (proper mapping) between the two domains?

No. Winbind is your friend here. It will resolve groups from the foreign
domain.

> 4 - I can't discern the significance of having the local users with
> uid's 500+ and sambaSamAccount/uid's 1000+ and I'm thinking that this
> convention came into being only to make it simpler to identify. Am I
> missing something? It would seem that a uid in any range could have
> objectclasses with sambaSamAccount and/or posixAccounts

Windows RIDs below 1000 have special meaning. It is necessary to keep UNIX
users' RIDs above 1000. That is why we use the algorithmic mapping scheme.

- John T.
-- 
John H Terpstra
Email: jht at samba.org
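An added pre-cutover check, not code from the thread or from Samba, that applies John's two points above: every NT group must resolve to a UNIX GID through NSS, and RIDs below 1000 are reserved for well-known accounts. It assumes Samba's default algorithmic mapping (user RID = 2*uid + 1000, group RID = 2*gid + 1001, with `algorithmic rid base` at its default of 1000) and uses constructed `getent group` lines in place of a live LDAP-backed NSS:

```python
import subprocess

RID_BASE = 1000             # Samba default for "algorithmic rid base"
RESERVED_RID_MAX = 999      # RIDs below 1000 have special meaning on Windows
WELL_KNOWN_GROUP_RIDS = {512, 513, 514}  # Domain Admins, Domain Users, Domain Guests

# Constructed sample of `getent group` output, standing in for the NSS/LDAP view.
SAMPLE_GETENT = """\
root:x:0:
domusers:x:1000:craig
accounting:x:1002:craig
"""

def user_rid(uid):
    """Algorithmic RID for a UNIX uid (2*uid + base); always lands above 1000."""
    return 2 * uid + RID_BASE

def group_rid(gid):
    """Algorithmic RID for a UNIX gid (2*gid + base + 1)."""
    return 2 * gid + RID_BASE + 1

def parse_getent_group(text):
    """name -> gid from lines shaped like 'name:x:gid:member,member'."""
    groups = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            groups[parts[0]] = int(parts[2])
    return groups

def check_group_mapping(nt_to_unix, getent_text):
    """Return problems found. nt_to_unix maps NT group -> (UNIX group, explicit RID
    or None). Each UNIX group must be NSS-resolvable, and a hand-picked RID may
    sit below 1000 only if it is one of the well-known domain group RIDs."""
    groups = parse_getent_group(getent_text)
    problems = []
    for nt_name, (unix_name, explicit_rid) in nt_to_unix.items():
        gid = groups.get(unix_name)
        if gid is None:
            problems.append(f"{nt_name}: UNIX group '{unix_name}' is not resolvable via NSS")
            continue
        rid = explicit_rid if explicit_rid is not None else group_rid(gid)
        if rid <= RESERVED_RID_MAX and rid not in WELL_KNOWN_GROUP_RIDS:
            problems.append(f"{nt_name}: RID {rid} falls in the reserved range below 1000")
    return problems

if __name__ == "__main__":
    # Constructed mapping: one well-known RID, one bad custom RID, one missing group.
    mapping = {"Domain Users": ("domusers", 513), "Accounting": ("accounting", 600),
               "Sales": ("sales", None)}
    live = subprocess.run(["getent", "group"], capture_output=True, text=True).stdout
    for p in check_group_mapping(mapping, live or SAMPLE_GETENT):
        print("PROBLEM:", p)
```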

