[Samba] Samba PDC, LDAP and permissions

Julian Pilfold-Bagwell jools at oss4all.plus.com
Thu Dec 8 18:23:37 GMT 2005


Hi all, 

I have a Samba PDC running on OpenSuSe 10 with LDAP as the backend and am 
running Mandriva 2006 as a member server with a few shares for users.

The PDC seems OK and I've added the member using the instructions in the Samba 
example documents and I'm at the following point:

OpenLDAP is running on the PDC itself. I can log in to Linux as any LDAP user 
account suggesting that NSS Ldap is functioning correctly. Running getent 
passwd and getent group on the PDC provides a user and group list confirming 

I can set user and group ownership on any file or folder to a valid LDAP 
SambaSAM account and set permissions accordingly and these permissions have 
the appropriate effect on users' access. 

The PDC's name is SMB1, the Domain is BGS. If I run net getlocalsid and net 
getlocalsid BGS on the PDC I receive the same SID in both cases. 

Smbldap-tools from Idealx.org works fine and I can add, modify and delete 
user accounts from the command line without problems. The whole LDAP setup 
is from the idealx.org example. 


Onto the member server (SMB2)...

I've only got one domain so I'm not using Winbind relying instead on the LDAP 
database on the PDC.  The server will authenticate UNIX users and getent 
returns complete user and group lists.

Smb.conf uses ldapsam as the idmap backend and the second server successfully 
works as a BDC taking logins from clients on the network. 

There are three users listed as Domain Admins. If any of these users logs into 
a client and selects a folder or file from a shared directory on the BDC and 
opens the permissions tab in properties the permission on a folder shows as 
SMB2\Domain Admins instead of BGS\Domain Admins. If you printscreen the 
window as the client resolves the SIDs however, the SID/RID of the 
SMB1/Domain Admins group is the same as the SID from the PDC (BGS/Domain 
Admins). If a domain admin tries to set permission on a folder, it accepts 
the changes but they vanish from the check boxes after it's been OK'd. The 
modified permissions do appear in the advanced tab though. 

Is there a reason for the difference in Domain names? Does it matter if the 
SIDs are the same? Have I missed out an important setlocalsid command?

Help please, I'm getting stressed ;)

Cheers,

Jools
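As an added illustration, not part of Jools's message or of the Samba project's code, the following Python snippet parses the "SID for domain ... is:" lines that `net getlocalsid` prints on each host, reports whether the PDC and the member server hand out the same SID, and decodes the well-known RID 512 that the Domain Admins group carries in every domain. The names BGS and SMB2 are taken from the post; the SID digits and the sample output lines are constructed, and the exact output format of `net` is assumed from the versions I have used.

```python
import re

# Well-known RIDs of the built-in domain groups. These values are fixed by
# the NT security model and are identical in every domain.
WELL_KNOWN_GROUP_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}

# Assumed shape of a 'net getlocalsid' output line (constructed sample below).
NET_SID_LINE = re.compile(r"SID for domain (\S+) is: (S-1-5-21(?:-\d+)+)")


def parse_net_sid_line(line):
    """Return (domain_name, sid) from one 'SID for domain X is: S-...' line."""
    m = NET_SID_LINE.search(line)
    if m is None:
        raise ValueError(f"not a 'net getlocalsid' line: {line!r}")
    return m.group(1), m.group(2)


def split_sid(sid):
    """Split a SID into (domain_sid, rid).

    S-1-5-21-a-b-c is a domain SID on its own (rid is None); one extra
    component is the RID of a user or group inside that domain.
    """
    parts = sid.split("-")
    if len(parts) == 7:
        return sid, None
    if len(parts) == 8:
        return "-".join(parts[:7]), int(parts[7])
    raise ValueError(f"unexpected SID layout: {sid}")


def describe_group_sid(sid):
    """Return (domain_sid, rid, name); name falls back to 'RID <n>' if unknown."""
    domain_sid, rid = split_sid(sid)
    name = WELL_KNOWN_GROUP_RIDS.get(rid, f"RID {rid}")
    return domain_sid, rid, name


def compare_hosts(pdc_line, other_line):
    """Compare the SID the PDC reports with the one another host reports.

    The dict carries the two names as printed by 'net' and whether the SIDs
    are byte-for-byte identical, which is what an ACL actually stores.
    """
    pdc_name, pdc_sid = parse_net_sid_line(pdc_line)
    other_name, other_sid = parse_net_sid_line(other_line)
    return {
        "pdc_name": pdc_name,
        "other_name": other_name,
        "same_sid": pdc_sid == other_sid,
    }


if __name__ == "__main__":
    # Constructed sample output; the SID digits are made up for illustration.
    pdc = "SID for domain BGS is: S-1-5-21-1000-2000-3000"
    bdc = "SID for domain SMB2 is: S-1-5-21-1000-2000-3000"
    print(compare_hosts(pdc, bdc))
    print(describe_group_sid("S-1-5-21-1000-2000-3000-512"))
```

Windows stores SIDs, not names, in ACLs; the name shown in the permissions dialog is whatever label the host resolving the SID attaches to it, so two display names for one identical SID still name the same principal.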