[Samba] user entries in LDAP, group mapping (samba 3.0alpha cvs - LDAP)

Tom Van Overschelde vanovers at hotmail.com
Tue Mar 4 17:25:25 GMT 2003

Hello everybody,

I'm experimenting with samba 3.0 but something is not very clear to me,
especially the user entries in the OpenLDAP server.
On my samba server, I configured NSS_LDAP to look up passwd, group and shadow.
Now I have to add some entries to my LDAP: uid=Administrator and uid=nobody.
According to
http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html a user with uidNumber
0 should also be present in the ldap.

I decided to add

uid: Administrator
uidNumber: 0
gidNumber: 0
primaryGroupID: 512

uid: nobody
uidNumber: 65534
gidNumber: 65534
primaryGroupID: 514

I mapped the 'nogroup' group (under debian gid 65534) with smbgroupedit, so
I think the "guest" stuff is ok, but what about the Administrator entry? Is
it safe to create such an entry with uidNumber and gidNumber 0 ??? Or do I
have to create another entry?

My intention is to use Administrator as a domain admin with all user rights.
Must this user have uidNumber 0? Probably I have to create an extra group in
LDAP (ex. domadmin) and map this GROUP RID 512, but which gidNumber must
this group have (also gidNumber 0 ???)?

Because I have 2 entries with uid=0 (root in /etc/passwd and
uid=Administrator in ldap via NSS), sometimes 'su' doesn't work on my linux
server, I get "pam_authenticate: Authentication service cannot retrieve
authentication info". Note, I don't have PAM configured to use LDAP.
Also creating user entries as Administrator with NT USRMGR gives some error.

Has somebody some advice for me? A working example (LDAP entries (users +
Thanx for your answers!!

Tom Van Overschelde

/etc/nsswitch.conf :
passwd: compat ldap
group: compat ldap
shadow: compat ldap

I've imported the following in my LDAP :
dn: uid=Administrator, ou=People, o=hogent,c=be
logonTime: 0
objectClass: sambaAccount
objectClass: posixAccount
lmPassword: 2ACFE0DCD4F90C9728D41
primaryGroupID: 512
acctFlags: [U          ]
userPassword:: e1NTSEF9S05lbXBPaVQxZVI
uid: Administrator
uidNumber: 0
cn: Administrator
loginShell: /dev/null
logoffTime: 0
gidNumber: 0
kickoffTime: 0
pwdLastSet: 1046643900
rid: 500
gecos: Samba Admin
description: Domain Administrator
homeDirectory: /home/administrator
pwdCanChange: 1
pwdMustChange: 1048458300
ntPassword: 8A05EB5942D5E619D9EA6

dn: uid=nobody, ou=People, o=hogent,c=be
logonTime: 0
displayName: Nobody
objectClass: sambaAccount
objectClass: posixAccount
primaryGroupID: 514
acctFlags: [NU         ]
userPassword:: e1NTSEF9cG9HdXF3W
uid: nobody
uidNumber: 65534
cn: Nobody
loginShell: /dev/null
logoffTime: 2147483647
gidNumber: 65534
kickoffTime: 2147483647
pwdLastSet: 1046644586
rid: 501
gecos: Nobody or Guest
description: Domain Guest
homeDirectory: /dev/null
pwdCanChange: 0
pwdMustChange: 1048458986

My current configuration:

Load smb config files from /usr/local/samba/lib/smb.conf
Processing section "[homes]"
Processing section "[temp]"
Processing section "[printers]"
Processing section "[Netlogon]"
Processing section "[Profile]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

# Global parameters
        unix charset = "CP850"
        workgroup = LOKAALNETWERK
        server string = %h server (Samba %v)
        map to guest = Bad User
        null passwords = Yes
        passdb backend = ldapsam:ldap://enterprise.lokaalnetwerk.thuis
        log level = 1
        log file = /var/log/samba/log.%m
        max log size = 1000
        time server = Yes
        socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=8192
        load printers = No
        add user script = /usr/local/sbin/smbldap-useradd.pl -a %U
        delete user script = /usr/local/sbin/smbldap-userdel.pl -r %U
        add machine script = /usr/local/sbin/smbldap-useradd.pl -w -g machines %u
        logon script = logon.bat
        logon path = \\%N\profile\%U
        logon drive = X:
        domain logons = Yes
        os level = 255
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap suffix = o=hogent,c=be
        ldap machine suffix = ou=Computers,o=hogent,c=be
        ldap user suffix = ou=People,o=hogent,c=be
        ldap admin dn = "cn=Manager,o=hogent,c=be"
        ldap passwd sync = Yes
        lock dir = /var/run/samba
        socket address =
        invalid users = root

[homes]
        comment = Home Directories
        read only = No
        create mask = 0600
        directory mask = 0700
        browseable = No

[temp]
        comment = Temporary disk space
        path = /tmp
        read only = No
        guest ok = Yes

[printers]
        comment = All Printers
        path = /tmp
        create mask = 0600
        printable = Yes
        browseable = No

[Netlogon]
        path = /home/samba/netlogon
        browseable = No
        locking = No

[Profile]
        comment = %u's roaming profile
        path = /home/samba/profiles
        read only = No
        create mask = 0600
        directory mask = 0700
        browseable = No
        locking = No
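
Added example (not part of the original post): a pre-import check that flags LDAP posixAccount entries whose uidNumber is 0 or is already used by a local /etc/passwd account, which is the overlap the post describes between root and uid=Administrator. The sample data is constructed from the entries shown above, and the function names are hypothetical.

```python
# Added example; sample data is constructed and all function names are hypothetical.
SAMPLE_LDIF = """\
dn: uid=Administrator, ou=People, o=hogent,c=be
objectClass: posixAccount
uid: Administrator
uidNumber: 0

dn: uid=nobody, ou=People, o=hogent,c=be
objectClass: posixAccount
uid: nobody
uidNumber: 65534
"""
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\n+::::::\nnobody:x:65534:65534::/nonexistent:/bin/sh\n"

def parse_ldif(text):
    """One dict per entry. Plain 'attr: value' lines only (no folding/base64 decoding)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line.startswith("#") and ": " in line:
                key, value = line.split(": ", 1)
                entry.setdefault(key.lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def parse_passwd(text):
    local = {}  # numeric uid -> list of local login names
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():  # skips compat lines like '+::::::'
            local.setdefault(int(fields[2]), []).append(fields[0])
    return local

def audit(ldif_text, passwd_text):
    """Return (kind, ldap_uid, uidNumber, local_names) findings."""
    local, findings = parse_passwd(passwd_text), []
    for e in parse_ldif(ldif_text):
        if "posixaccount" not in [c.lower() for c in e.get("objectclass", [])]:
            continue
        name, num = e["uid"][0], int(e["uidnumber"][0])
        names = tuple(local.get(num, ()))
        if num == 0:
            findings.append(("uid0", name, num, names))
        if names:  # same number, different name = collision; same name = duplicate
            kind = "collision" if any(n != name for n in names) else "duplicate"
            findings.append((kind, name, num, names))
    return findings

print(audit(SAMPLE_LDIF, SAMPLE_PASSWD))
```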

