[Samba] Samba/LDAP documentation

Tony Earnshaw tonye at billy.demon.nl
Sun Feb 13 14:41:14 GMT 2005

Craig White to JHT:


> You are a kind, warm and generous person and the thought that I might
> have said anything that wounds you bothers me. Any criticism that I may
> have offered was only offered to make the documentation better.

Seconded. That's obvious from the official HOWTO, which is detailed down
to the last period. It anticipates user difficulties, pinpoints them and
deals with them on a step-by-step basis. This is especially the case with
the sections on spoon-feeding Windows ignoramuses like me. However,
finding things in it when one requires specific info could be improved.

> I don't have any skill at writing technical manuals. I have never joined
> samba to an AD, never used winbindd, nor do I even begin to understand SASL
> or Kerberos (seems to be a worthy endeavor). I am probably on the bottom
> rung of knowledge of OpenLDAP and my interaction with other LDAP
> implementations is limited to setting up imp/horde/turba to query a Novell
> Directory (had to use the -P 2) and that was a mighty struggle. I
> have enough skills to do only the barest rudiments of a section on
> integrating Samba into an existing DSA (I didn't even know the definition
> of DSA until a few weeks ago - thanks Adam).
> What I have learned is this...the explanation of the net group map
> command modified the ldapsam - I didn't understand it for quite some time.
> I found that using the base setup from IDEALX left me a bunch to
> clean up as did the net rpc vampire command as they created 'Groups' that
> didn't fit my intentions for the DSA. I suspect that Tonni ran into this
> too but I haven't compared notes.

Exactly. That's what happened. I followed Coupe's "HOWTO" (echoed in the
IDEALX scripts) and ended up with a bunch of Linux groups (in my Samba
hierarchy) which, when one did an 'ls -l' on them looked horrible.
Furthermore, to do a cd to them, one had to use double apostrophes. A
horrified colleague sitting next to me couldn't believe it. I couldn't get
'net groupmap' to work, either.

I "fiddled around" and noticed that whatever I put into displayName
Windows USRMGR accepted as the Windows group.

I ended up by using the same sort of ldif as you posted:

dn: cn=domadm,ou=groups,ou=smb,dc=billy,dc=demon,dc=nl
memberUid: tonni
memberUid: Administrator
memberUid: billy
memberUid: root
description: Local Unix group
objectClass: top
objectClass: posixGroup
objectClass: uidObject
objectClass: sambaGroupMapping
uid: domadm
cn: domadm
sambaGroupType: 2
sambaSID: S-1-5-21-18666911-1472750480-3707222013-512
gidNumber: 5004
displayName: Domain Admins

That worked fine, I could now use 'net groupmap' commands. To make new
groups, I simply make a Posix group (without the objectClass:
sambaGroupMapping) and run 'net groupmap add' on it. That adds the Samba
objectclass and calculates a RID. I can change the RID to a well known RID
if I wish, but my single Windows XP Professional machine doesn't seem to
care what the RID is, for any user or group, including Administrator.

Because of this and the fact that they try to muck about with many
previously-defined UIDs and GIDs, I can't use the IDEALX scripts, so I
write my own in shell and awk - with them I can manage a largish site. I'm
not a Perl person, so I can't improve the IDEALX stuff to do what I need.

> He is probably much more adept at
> writing this section we are talking about and is certainly more
> knowledgeable about all aspects of this than I, with maybe the exception
> being the Windows portion.

I'm not good at writing anything that calls itself a HOWTO, since there
are almost always exceptions. I'm not even good at correcting others'
doco. I know what works for me and I can write notes for others about

As for you knowing more about Windows than me, I wouldn't find that hard
to believe ;) I left Windows 98 and NT4 with a sigh of relief to become a
pure Unix sysadmin, and now find I have to begin again, several years
further on. In this respect, the official Samba doco has been invaluable.
Talk about spoon feeding.

And as for managing OpenLDAP, I'd be a dead duck without GQ. And yes, I
have tried LAM, ldap-account-manager.

> I don't generally use the online version of the HOWTO - I have my 2nd
> printing edition by my desk (though I don't refer to it much anymore) - it
> has at present (because I am actually going to count them) 7 sticky notes
> marking relevant sections for me - just to give you an idea of the value
> of the book to me.

The official Samba doco keeps up to date and goes into great detail. It's
difficult to find stuff in it when needed, though.


mail: tonye at billy.demon.nl
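
An added example, not part of the original post and not Samba or IDEALX code: a shell/awk check over an LDIF export that lists every group carrying objectClass sambaGroupMapping with its RID (the last component of sambaSID), names the well-known RIDs 512-514, and flags entries missing sambaSID or gidNumber. The function names, sample entries, domain and SID are constructed for illustration.

```shell
# Added example: print cn|gidNumber|RID|well-known name|members for each
# sambaGroupMapping entry. Folded lines and base64 (::) values are skipped.
audit_groupmaps() {
  awk '
  function flush(   label) {
    if (is_map) {
      label = (rid in known) ? known[rid] : "-"
      if (sid == "" || gid == "") label = "INCOMPLETE"
      printf "%s|%s|%s|%s|%s\n", cn, gid, rid, label, members
    }
    cn = gid = sid = rid = members = ""; is_map = 0
  }
  BEGIN { known[512] = "Domain Admins"; known[513] = "Domain Users"; known[514] = "Domain Guests" }
  /^[ \t]*$/ { flush(); next }
  {
    i = index($0, ": "); if (i == 0) next
    attr = tolower(substr($0, 1, i - 1)); val = substr($0, i + 2)
    if (attr == "objectclass" && tolower(val) == "sambagroupmapping") is_map = 1
    else if (attr == "cn") cn = val
    else if (attr == "gidnumber") gid = val
    else if (attr == "sambasid") { sid = val; n = split(val, p, "-"); rid = p[n] }
    else if (attr == "memberuid") members = (members == "" ? "" : members ",") val
  }
  END { flush() }'
}
# Constructed sample data (placeholder domain and SID, not from the post).
sample_ldif() {
cat <<'EOF'
dn: cn=domadm,ou=groups,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: domadm
gidNumber: 5004
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-512
memberUid: alice
memberUid: root

dn: cn=staff,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: staff
gidNumber: 5010

dn: cn=ops,ou=groups,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: ops
gidNumber: 5011
EOF
}
sample_ldif | audit_groupmaps
```

Plain posixGroup entries such as staff are not listed; the line for RID 512 shows which Unix accounts the Windows side will treat as Domain Admins.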
