[Samba] 'ldap passwd sync' not working

Tony Earnshaw tonye at billy.demon.nl
Mon Feb 7 10:43:44 GMT 2005

John H Terpstra:


> The Samba-HOWTO-Collection is literally intended to be correct and
> capable of being followed literally! Please document what sucks and help
> us to improve our documentation. I encourage you to file a bug report with
> details of what needs to be fixed. You can file a bug report on
> https://bugzilla.samba.org

On the basis of what the Samba team has done over the years, its
availability and quality, it would be my bounden duty to do so.

However, this would mean a complete rewrite, producing a parallel doc that
omitted all reference to Samba V2 (with which I'm not familiar).

My basic point of criticism (I started with Samba 3.0.7, Openldap V2.2.20)
arose after following the "HOWTO", finding out that it crippled my system
and asking myself how Samba/LDAP should be configured. For all of what
follows I used GQ 1.0.b1 (jump from www.biot.com), since it gives a
graphical representation of the DSA, drag'n'drop is possible, making
experimenting a breeze, shows *all* mandatory and optional attributes in
different colors and gives sensible error reports when you do something
wrong:

1: under ou=smb, *no* groups called (cn=)"Domain Admins", "Domain Guests"
or "Domain Users" should be set up. cns with spaces in them are not liked
by Openldap 2.2 and Samba makes a hash of them; furthermore Linux doesn't
like them. Anyway, these groups are NT groups and not Posix groups and
are defined in the *record* for the group, as defined in the displayName
attribute. Instead, under ou=smb, define 3 Posix groups domadm, domguest
and domuser. Give them regular, unique gidNumbers. For domadm, set
attribute displayName to Domain Admins, for domguest set displayName to
Domain Guests and for domuser set displayName to Domain Users. Make each
group an objectClass member of sambaGroupMapping. Get your local SID using
'net getlocalsid'. Give each group its SID as defined in the regular Samba

Into domadm, put cn=Administrator and cn=root as described in the "HOWTO",
with objectClasses top, person, organizationalPerson, inetOrgPerson,
posixAccount and sambaSamAccount. Administrator can have any uidNumber (I
use a Red Hat "system" number, 16) and his gidNumber will be that of
domadm. root has to have uidNumber=0 and domadm's gidNumber.
Administrator's sambaSID is localsid+calculated RID as in the Samba HOWTO
docs, sambaPrimaryGroupSID=localsid+512; root's sambaSID=localsid+502,
primary group SID=localsid+512.

When following the Navarra "HOWTO", 'net groupmap list' didn't work at
all, nor could I do a 'net rpc join'; that was what started me
experimenting. Now it works as it should and I can do a 'net rpc join'.

Hope this helps someone, it cost me enough pain before it worked properly
for me.


mail: tonye at billy.demon.nl
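The ou=smb layout the post describes (three plain-named posixGroups carrying
sambaGroupMapping with the NT name in displayName, plus the Administrator and
root accounts) is easy to get subtly wrong by hand in an LDAP browser. The
following is an added example, not the poster's code and not part of the
Samba HOWTO: a small generator that emits the LDIF for exactly that layout
and refuses a group cn with spaces or a malformed local SID. The suffix
dc=example,dc=com, the local SID value, the gidNumbers 1000-1002 and the
homeDirectory/loginShell/sn values are assumptions needed only because the
objectClasses involved require those attributes. The group RIDs 512/513/514
and the Samba 3 algorithmic user RID (2*uidNumber + 1000) are the standard
values; root's RID 502 is kept as the post assigns it.

```python
"""Generate LDIF for the ou=smb group-mapping layout described in the post.

Added example, not the poster's code. Assumed: the suffix, the local SID
value, the gidNumbers, and the sn/homeDirectory/loginShell filler values.
"""
import re

# Well-known NT RIDs of the built-in domain groups (fixed by the NT model).
WELL_KNOWN_GROUP_RIDS = {"Domain Admins": 512,
                         "Domain Users": 513,
                         "Domain Guests": 514}

SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}$")   # shape 'net getlocalsid' prints
CN_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")      # plain POSIX group name


def is_local_sid(sid):
    """True for a domain/local SID such as S-1-5-21-a-b-c."""
    return SID_RE.match(sid) is not None


def is_plain_cn(cn):
    """The post's rule 1: the POSIX cn is a single token, no spaces."""
    return CN_RE.match(cn) is not None


def algorithmic_user_rid(uid_number, rid_base=1000):
    """Samba 3 algorithmic mapping: user RID = 2 * uidNumber + rid base."""
    return 2 * uid_number + rid_base


def group_ldif(cn, display_name, gid_number, local_sid, base_dn):
    """posixGroup + sambaGroupMapping entry; the NT name goes in displayName."""
    if not is_plain_cn(cn):
        raise ValueError(f"cn {cn!r} is not a plain POSIX group name")
    if not is_local_sid(local_sid):
        raise ValueError(f"not a local SID: {local_sid!r}")
    rid = WELL_KNOWN_GROUP_RIDS[display_name]
    return "\n".join([
        f"dn: cn={cn},ou=smb,{base_dn}",
        "objectClass: top",
        "objectClass: posixGroup",
        "objectClass: sambaGroupMapping",
        f"cn: {cn}",
        f"gidNumber: {gid_number}",
        f"sambaSID: {local_sid}-{rid}",
        "sambaGroupType: 2",            # 2 = domain group
        f"displayName: {display_name}",
        "",
    ])


def user_ldif(cn, uid_number, gid_number, rid, group_rid, local_sid, base_dn,
              home="/dev/null", shell="/bin/false"):
    """Account entry with the six objectClasses the post lists."""
    if not is_local_sid(local_sid):
        raise ValueError(f"not a local SID: {local_sid!r}")
    return "\n".join([
        f"dn: cn={cn},ou=smb,{base_dn}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: sambaSamAccount",
        f"cn: {cn}",
        f"sn: {cn}",                    # 'person' requires sn (assumed value)
        f"uid: {cn}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: {home}",       # posixAccount requires it (assumed value)
        f"loginShell: {shell}",
        f"sambaSID: {local_sid}-{rid}",
        f"sambaPrimaryGroupSID: {local_sid}-{group_rid}",
        "",
    ])


def build_ldif(local_sid, base_dn="dc=example,dc=com"):
    """The whole ou=smb layout from the post: three groups, two accounts."""
    gid = {"domadm": 1000, "domuser": 1001, "domguest": 1002}   # assumed
    return "\n".join([
        group_ldif("domadm", "Domain Admins", gid["domadm"], local_sid, base_dn),
        group_ldif("domuser", "Domain Users", gid["domuser"], local_sid, base_dn),
        group_ldif("domguest", "Domain Guests", gid["domguest"], local_sid, base_dn),
        # Administrator: any uidNumber (the post uses 16), algorithmic RID,
        # primary group Domain Admins (RID 512).
        user_ldif("Administrator", 16, gid["domadm"], algorithmic_user_rid(16),
                  512, local_sid, base_dn),
        # root: uidNumber 0, RID 502 as the post assigns it, primary group 512.
        user_ldif("root", 0, gid["domadm"], 502, 512, local_sid, base_dn),
    ])


EXAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed

if __name__ == "__main__":
    print(build_ldif(EXAMPLE_SID))
```

Feed it the SID that `net getlocalsid` prints (the last field of its output
line) and pipe the result into `ldapadd -x -D <your rootdn> -W`; once the
entries are in, `net groupmap list` should show the three groups by their
displayName with the expected SIDs, which is the check the post used.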
