[Samba] Inter. between Samba 2.2.x and 3.x w/ LDAP backend (and another changes)

Fabiano Felix felix at getnet.com.br
Fri Aug 20 01:09:48 GMT 2004


Hi all,

I have a network that is composed this way:

- Samba 2.2.8a PDC
- Samba 2.2.8a BDC
- Some Samba 2.2.8a as MS
- OpenLDAP 2.1 as backend (w/ Samba2 schema)

We are planning some changes, including changing the domain name. For this, we are planning to set up the new Samba 3 domain in the same environment as Samba 2, sharing the same backend using the ldapsam_compat feature. After the workstations are changed to the new domain, we will convert the LDAP to the Samba 3 schema.

In tests, we found some problems:

- In Samba 3, we have the "built-in" accounts, which must be mapped to unix accounts. When I try to map them using the "idmap ldap backend", we receive an error;
- Using the tdb backend, we can map the "Domain Admins" group, but when I try to add a machine to the domain, we receive "the user or password is incorrect" (the machine account is created). Testing with "net join", using a user of the "Domain Admins" group (after the mapping), I receive "this user could not have administrative rights". Reading the Idealx howto, I found that, in LDAP, a "Domain Admins" is created with a user "Administrator" with UID 0.

Questions:

- Is it possible to use the idmap ldap backend with ldapsam_compat? Does someone have an example?
- In Samba 3, don't we have some option like "domain admin group" (I read that this parameter isn't used)? I believed that mapping the Unix group to "Domain Admins" could do it. Do we need to have a user with UID 0?
- I see in the LDAP Account Manager (http://lam.sourceforge.net/) live demo that the domain SID is stored in the LDAP backend, and not in secrets.tdb. Is that correct? If yes, how is it done? Is it possible to store more than one SID?
- In some examples, all groups use the posixGroup and sambaGroup objectclasses. Could this be the error in my built-in account maps? In Samba 3, is it mandatory? If I do it with all my groups, can I view them on Windows workstations? (Without the sambaGroup, on Samba 2, I can use them to provide access control on the filesystem, but they can't be listed on Windows machines.)

Sirs, I need to make this change. I can't find any docs on the net about this setup. I believe that I can write up my experience afterwards, and I need this help to do it. Please, any help will be appreciated.

With best regards,

Fabiano Felix


