[Samba] Samba/LDAP documentation

Tony Earnshaw tonye at billy.demon.nl
Sun Feb 13 21:06:27 GMT 2005

Craig White:
>> > Please bear in mind that Samba interfaces between MS Windows and
>> > UNIX-like
>> > platforms. The issues we are touching on here are deeper than the
>> > cosmetics of user names and group names. To change the behaviour will
>> > require changes deep inside the smbd source code to affect new mapping
>> > semantics and to enforce conversion of all Windows user and group names
>> > before making any reference to the UNIX environment for name look-ups
>> > and/or for identity resolution.
>> That is not so. The solution lies for the hand and is already present in
>> the current code. Craig and I both implement it ;)

> I have to believe that some of this exchange has occurred off channel.

There was no exchange off list. It was sent to me off list, but my mail
proggies (mostly SquirrelMail, Evo and Thunderbird) all filter on subject
etc. and send to my respective folders. My MDA (maildrop) has in advance
already deleted duplicate Message-IDs, so there's only one copy to read.
I replied in the forum to which the thread is dedicated.


> # Administrator, People, Example, US
> dn: uid=Administrator,ou=People,o=Example,c=US
> gecos: System User
> description: Built-in account for administering the computer/domain
> displayName: Administrator
> sambaLogonTime:
> sambaLogoffTime:
> sambaPwdLastSet:
> sambaLMPassword:
> sambaNTPassword:
> sambaPwdCanChange:
> sambaPwdMustChange:
> sambaProfilePath:
> sambaHomePath:
> uid: Administrator
> cn: Administrator
> homeDirectory:
> uidNumber:
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: sambaSamAccount
> sambaDomainName:
> gidNumber:
> sambaSID: S-1-5-21-9999999999-9999999999-9999999999-500
> sambaAcctFlags: [U          ]
> sambaHomeDrive:
> sn: Administrator
> loginShell:
> userPassword::
> sambaPrimaryGroupSID: S-1-5-21-9999999999-9999999999-9999999999-513

A note for good measure: if you're adding a record with ldapadd, empty
attributes will be refused. They must have a value to be accepted.
However, LDAP clients such as GQ will in fact show you empty attributes;
though if you export such an entry to an ldif, the empty attributes will
not be included in your export.

> where the sambaSID MUST be inclusive of the '500' RID

My Win XP prof machine accepts any RID whatsoever for Administrator.
Maybe a Win 2000 machine wouldn't. Moreover, using USRMGR/SRVMGR it
issues out-of-context RIDs (e.g. 513 for a computer). It coexists with
and accepts these quite happily. As I wrote, there are exceptions to all

>  and uidNumber: 0
> if you expect this account to have root privileges...necessary to be
> able to join machines to domain (subject to the following
> conditions...you not have another account with uidNumber: 0 in the DSA
> i.e. root AND subject to anticipated changes in Policy objects) and
> other privileged operations that may be required for samba use.

I also wrote that there is *NO WAY* any UID other than root will get
uidNumber 0 or gidNumber 0 on any Unix/Linux machine I administer. I
have a serious problem with this. Think: you are empowering a probably
clueless NT admin running provenly corrupt software, subject to weekly
security fixes, superuser access to one of your most valuable assets.
Nobody cares if a Windows user box gets corrupted, everybody expects it,
in fact. But neither it nor the probable idiot administering it should
be allowed to ...

Nothing sucksseeds like a pigeon without a beak ...

mail: tonye at billy.demon.nl
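As an added example (not code from the thread or from Samba), a small Python script that parses an LDIF entry like the one quoted above, drops the valueless attributes that ldapadd refuses (as an LDIF export would), and flags a non-root account whose uidNumber or gidNumber is 0, the point argued in the reply. The sample entry is constructed from the quoted template, and the function names are my own.

```python
import base64
import re

# Constructed sample modelled on the template quoted above; several attributes are empty.
SAMPLE_LDIF = """\
# Administrator, People, Example, US
dn: uid=Administrator,ou=People,o=Example,c=US
sambaLogonTime:
uid: Administrator
uidNumber:
objectClass: posixAccount
objectClass: sambaSamAccount
gidNumber:
sambaSID: S-1-5-21-9999999999-9999999999-9999999999-500
sambaAcctFlags: [U          ]
userPassword::
sambaPrimaryGroupSID: S-1-5-21-9999999999-9999999999-9999999999-513
"""

def parse_ldif_entry(text):
    """Return (dn, [(attr, value), ...]) for one LDIF entry; '::' marks base64."""
    text = re.sub(r"\n ", "", text)  # unfold continuation lines (RFC 2849)
    dn, attrs = None, []
    for line in text.splitlines():
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        m = re.match(r"^([A-Za-z][A-Za-z0-9;-]*)(::?)\s?(.*)$", line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, sep, value = m.groups()
        if sep == "::" and value:  # base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        if name.lower() == "dn":
            dn = value
        else:
            attrs.append((name, value))
    return dn, attrs

def drop_empty_attributes(attrs):
    """ldapadd refuses valueless attributes; drop them, as an LDIF export does."""
    return [(n, v) for n, v in attrs if v != ""]

def check_samba_account(attrs):
    """Flag a non-root account mapped to Unix uid/gid 0 (uid/uidNumber/gidNumber are single-valued)."""
    vals = {n.lower(): v for n, v in attrs}
    if vals.get("uid") == "root":
        return []
    return [f"{a} is 0 on a non-root account"
            for a in ("uidnumber", "gidnumber") if vals.get(a) == "0"]
```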
