[Samba] 'ldap passwd sync' not working

John H Terpstra jht at samba.org
Mon Feb 7 16:00:28 GMT 2005

On Monday 07 February 2005 03:43, Tony Earnshaw wrote:
> John H Terpstra:
> [...]
> > The Samba-HOWTO-Collection is literally intended to be correct and
> > capable of being followed literally! Please document what sucks and help
> > us to improve our documentation. I encourage you to file a bug report
> > with details of what needs to be fixed. You can file a bug report on
> > https://bugzilla.samba.org
> On the basis of what the Samba team has done over the years, its
> availability and quality, it would be my bounden duty to do so.
> However, this would mean a complete rewrite, producing a parallel doc that
> omitted all reference to Samba V2 (with which I'm not familiar)

What in goodness' name are you referring to? The current Samba-3 HOWTO 
Collection is NOT written around Samba-2. The Samba-3 by Example book 
(Samba-Guide on the Samba Web Site) is entirely based on Samba-3. I must be 
missing something very seriously and must be completely confused. Please help 
me to understand your point.

If the documentation is as bad as you say it is we should withdraw it at once 
and not release it again until it is fixed.

What are others opinions of this situation? Should we withdraw it at once?

> My basic point of criticism (I started with Samba 3.0.7, Openldap V2.2.20)
> after following the "HOWTO", finding out that it crippled my system and

If the documentation is causing people to suffer crippled systems please 
accept my fullest apologies. That is really bad. Is this a generic problem? 
Have others suffered the same crippling because of misleading and bad 
documentation? Wow! This blows my mind!

> asking myself how Samba/LDAP should be configured. For all of what follows
> I used GQ 1.0.b1 (jump from www.biot.com), since it gives a graphical
> representation of the DSA, drag'n drop is possible, making experimenting a
> breeze, shows *all* mandatory and optional attributes in different colors
> and gives sensible error reports when you do something wrong:

OK. Please give me wording to add to the documentation - or to replace bad and 
misleading sections of the existing documentation. All contributions will be 
gladly received.

> 1: under ou=smb, *no* groups called (cn=)"Domain Admins", "Domain Guests"
> or "Domain Users" should be set up. cns with spaces in are not liked by
> Openldap 2.2 and Samba makes a hash of them; furthermore Linux doesn't
> like them. Anyway, these groups are NT groups and not Posix groups and
> are defined in the *record* for the group, as defined in the displayName
> attribute. Instead, under ou=smb, define 3 Posix groups domadm, domguest
> and domuser. Give them regular, unique gidNumbers. For domadm, set
> attribute displayName to Domain Admins, for domguest set displayName to
> Domain Guests and domuser set displayName to Domain Users. Make each group
> an objectClass member of sambaGroupMapping. Get your local SID using 'net
> getlocalsid'. Give each group its SID as defined in the regular Samba

Is this really necessary? Why? How does this advice affect the greater 

Have you discussed this advice with Idealx? I am sure they would love to hear 
from you. My intent so far as documentation goes is to document what works 
and how it works. I am not out to write a full LDAP management system. Idealx 
are working on that - as are others.

> Into domadm, put cn=Administrator and cn=root as described in the "HOWTO".

Do not use both Administrator and 'root' - The current advice is to use only 
'root' or 'Administrator' as the Windows and UNIX local admin account. Having 
both will result in ambiguous names that will break the ability to administer 
Samba. i.e.: If both Administrator and root have UID=0 (so both are UNIX 
admins) then Samba will not be able to resolve who is the real UID=0 owner.

> objectClasses top, person, organizationalPerson, inetOrgPerson,
> posixAccount and sambaSamAccount, Administrator can have any uidNumber (I
> use a Red Hat "system" number, 16) and his gidNumber will be that of
> domadm. root has to have uidNumber=0 and domadm's gidNumber.
> Administrator's sambaSID is localsid+calculated RID as in the Samba HOWTO
> docs, sambaPrimaryGroupSID=localsid+512; root's sambaSID=localsid+502,
> primary group SID=localsid+512.

Whatever you call the Windows domain administrator account, it must have the 
correct RID=500. If it has anything else it will NOT be the domain 
administrator on the windows client. For the domain administrator on the 
Windows client to have UNIX admin rights the POSIX account must have UID=0. 
Translation from UID->SID, from SID->login_name, from login_name->UID, etc. 
must be unambiguous.

New to Samba-3.0.11, it is now possible to assign some administrative rights 
to users who are not administrator on either platform - but that is not at 
issue here.

> When following the Navarra "HOWTO", 'net groupmap list' didn't work at
> all, nor could I do a 'net rpc join'; that was what started me
> experimenting. Now it works as it should and I can do a 'net rpc join'.

The Navarra HOWTO is not my direct concern, but if it is wrong and misleading 
we should advise the author to either withdraw it, or to correct it.

> Hope this helps someone, it cost me enough pain before it worked properly
> for me.

You have put the official Samba documentation in the position that it must be 
withdrawn until we can get it right. I will not rest until this issue is 
fully resolved. This is a very serious problem. Please help us to fix this.

- John T.
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
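As an added example, not part of the original thread and not Samba's own code, the following Python checks a set of LDAP entries against the rules John states in his reply: the Windows domain administrator carries RID 500, UNIX admin rights require uidNumber 0, the well-known groups map to RIDs 512/513/514 under the domain's local SID, and no two accounts may share a uidNumber or a sambaSID, because UID->SID->name translation has to be unambiguous. The local SID, the dc=example,dc=com suffix and both LDIF samples (the recommended single-admin layout, and the Administrator-plus-root layout the reply warns against) are constructed for the example.

```python
import re
from collections import defaultdict

# Added example, not Samba project code. The local SID and the dc=example suffix
# are constructed; a real deployment takes the SID from `net getlocalsid`.
LOCAL_SID = "S-1-5-21-1111111111-2222222222-3333333333"
RID_ADMINISTRATOR = 500  # well-known Windows RIDs, the values Samba relies on
GROUP_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed LDIF builders following the layout described in the thread:
# POSIX cn without spaces, NT group name in displayName, primary group RID 512.
def group_ldif(cn, gid, display_name, rid):
    return (f"dn: cn={cn},ou=smb,dc=example,dc=com\nobjectClass: posixGroup\n"
            f"objectClass: sambaGroupMapping\ncn: {cn}\ngidNumber: {gid}\n"
            f"displayName: {display_name}\nsambaSID: {LOCAL_SID}-{rid}\n"
            "sambaGroupType: 2\n\n")

def account_ldif(uid, uid_number, rid):
    return (f"dn: uid={uid},ou=smb,dc=example,dc=com\nobjectClass: posixAccount\n"
            f"objectClass: sambaSamAccount\nuid: {uid}\nuidNumber: {uid_number}\n"
            f"gidNumber: 512\nsambaSID: {LOCAL_SID}-{rid}\n"
            f"sambaPrimaryGroupSID: {LOCAL_SID}-512\n\n")

GROUPS = (group_ldif("domadm", 512, "Domain Admins", 512)
          + group_ldif("domuser", 513, "Domain Users", 513)
          + group_ldif("domguest", 514, "Domain Guests", 514))
# What the reply recommends: a single admin account with RID 500 and uidNumber 0.
GOOD_LDIF = GROUPS + account_ldif("root", 0, 500)
# What it warns against: Administrator and root both at uidNumber 0, and neither
# carrying RID 500 (root has 502, Administrator a calculated RID).
BAD_LDIF = GROUPS + account_ldif("Administrator", 0, 1032) + account_ldif("root", 0, 502)

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries; lower-cased attr -> [values]."""
    entries, current = [], defaultdict(list)
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        line = raw.strip()
        if not line:
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip().lower()].append(value.strip())
    return entries

def split_sid(sid):
    """Return (domain prefix, RID) for a SID shaped S-1-5-21-a-b-c-rid."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"malformed SID: {sid}")
    return m.group(1), int(m.group(2))

def check_entries(entries, local_sid):
    """Return the list of problems found; an empty list means the layout is unambiguous."""
    problems, admins, accounts, group_sids = [], [], [], set()
    uid_owner, sid_owner = defaultdict(list), defaultdict(list)
    for e in entries:
        dn = e["dn"][0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        for sid in e.get("sambasid", []):
            prefix, _ = split_sid(sid)
            sid_owner[sid].append(dn)
            if prefix != local_sid:  # SID from another domain, or a stale local SID
                problems.append(f"{dn}: sambaSID {sid} is not under local SID {local_sid}")
        if "sambagroupmapping" in classes:
            sid = e["sambasid"][0]
            group_sids.add(sid)
            name = e.get("displayname", e["cn"])[0]
            if name in GROUP_RIDS and split_sid(sid)[1] != GROUP_RIDS[name]:
                problems.append(f"{dn}: '{name}' must map to RID {GROUP_RIDS[name]}, has {sid}")
        if "posixaccount" in classes:
            uid_owner[e["uidnumber"][0]].append(e["uid"][0])
        if "sambasamaccount" in classes:
            accounts.append(e)
            if split_sid(e["sambasid"][0])[1] == RID_ADMINISTRATOR:
                admins.append(e)
    for e in accounts:  # every primary group SID must resolve to a mapped group
        pg = e.get("sambaprimarygroupsid", [None])[0]
        if pg not in group_sids:
            problems.append(f"{e['dn'][0]}: sambaPrimaryGroupSID {pg} has no group mapping")
    if len(admins) != 1:  # RID 500 is what makes an account the domain administrator
        problems.append(f"expected exactly one account with RID {RID_ADMINISTRATOR}, found {len(admins)}")
    elif admins[0].get("uidnumber", [None])[0] != "0":
        problems.append(f"{admins[0]['dn'][0]}: the RID 500 account needs uidNumber 0 for UNIX admin rights")
    for uid, names in uid_owner.items():  # two names for one UID breaks UID->name translation
        if len(names) > 1:
            problems.append(f"uidNumber {uid} shared by {', '.join(names)}: UID->name is ambiguous")
    for sid, dns in sid_owner.items():
        if len(dns) > 1:
            problems.append(f"sambaSID {sid} shared by {', '.join(dns)}: SID->name is ambiguous")
    return problems

if __name__ == "__main__":
    for label, ldif in (("recommended", GOOD_LDIF), ("ambiguous", BAD_LDIF)):
        print(label, check_entries(parse_ldif(ldif), LOCAL_SID) or "OK")
```

To run it against a real directory, export the ou=smb subtree with `ldapsearch -LLL` and feed the output to parse_ldif; the reader is deliberately minimal and does not handle LDIF continuation lines or base64-encoded values, so wrap long attributes first. On the constructed data the recommended layout passes cleanly, while the Administrator-plus-root layout is flagged twice: no account holds RID 500, and uidNumber 0 has two names, which is exactly the ambiguity the reply describes.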
