[Samba] Samba 2 PDC upgrade to Samba 3 - group mapping problem

ryan punt rpunt at good-sam.com
Thu Aug 31 17:56:53 GMT 2006


I'm in the process of replacing a Samba 2.2.12 PDC with Samba 3.0.14a-Debian. An LDAP database serves as the user data store, and I've made no changes to the Samba 2.2.x-compatible LDAP records. Since I don't relish LDAP schema changes, I've specified ldapsam_compat as my passdb backend; I figured that since I was already running a compatible LDAP schema, there was no need to make use of the updated, Samba3-compatible LDAP schemas. However, I'm starting to doubt that assumption, because every time I try to list group mappings or assign security rights, I get the following search in my LDAP log:

filter="(&(objectClass=sambaGroupMapping)(gidNumber=1000))" attrs="gidNumber sambasid sambagrouptype sambasidlist description displayName cn objectClass"

[My already-defined group "Domain Admins" has GID 1000]

Since sambaGroupMapping is part of the updated Samba LDAP schema, I suppose I'll have to make those schemas available; or do I have my ldapsam_compat configuration wrong? Again, I would have thought that specifying ldapsam_compat would have meant maintaining operational capability with a working Samba 2.2.x+LDAP installation, but apparently I was wrong...?

On a possibly-related note, does anyone know where I could find SunOne DS-compatible Samba schemas? The latest version I've been able to find was listed compatible with Samba <= 3.0.10.

TIA,
Ryan

relevant smb.conf:

[global]
workgroup = DOMAIN
netbios name = DOMAIN-PDC
server string = Samba 3 PDC
encrypt passwords = Yes
passwd program = <REDACTED>
passwd chat debug = No
passwd chat timeout = 60000
passwd chat = *new*password* %n\n *new*password* %n\n *successfully* .
unix password sync = Yes
; remember to lower the log level in real life :-)
log level = 3
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain logons = Yes
os level = 255
preferred master = True
domain master = True
dns proxy = No
wins support = Yes
preexec = sh -c 'echo Welcome to XXXX domain | /usr/bin/smbclient -M "%m" -I "%i" ' &
passdb backend = ldapsam_compat:"ldap://ldapserver.domain.com"
ldap suffix = o=example.com
ldap admin dn = cn=LDAP Manager
ldap timeout = 60
add user script = /usr/sbin/smbldap-useradd -w %u >/tmp/smbldap-useradd-user 2>&1
add machine script = /usr/sbin/smbldap-useradd -w %u >/tmp/smbldap-useradd-machine 2>&1
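
The LDAP search quoted in the post can be classified mechanically. The following Python script is an added example, not part of the original post and not Samba code: it parses the filter="..." field of a directory access log line and reports which Samba schema generation each requested objectClass belongs to. The class lists are taken from the samba.schema files shipped with Samba 2.2.x and 3.0.x; the function names and the second sample line are constructed for illustration.

```python
import re

# objectClass names defined by the samba.schema shipped with each generation.
SAMBA2_CLASSES = {"sambaaccount"}
SAMBA3_CLASSES = {"sambasamaccount", "sambagroupmapping", "sambadomain",
                  "sambaunixidpool", "sambaidmapentry", "sambasidentry"}

# First line is the search quoted in the post; the second is constructed.
SAMPLE_LOG = [
    'filter="(&(objectClass=sambaGroupMapping)(gidNumber=1000))" attrs="gidNumber sambasid sambagrouptype sambasidlist description displayName cn objectClass"',
    'filter="(&(uid=jdoe)(objectclass=sambaAccount))" attrs="uid rid"',
]

def parse_filter(text, pos=0):
    """Parse an RFC 4515 filter string; return (node, next_pos).
    A node is (operator, [children]) or (attribute, value)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos] in "&|!":                  # composite: (&...), (|...), (!...)
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, children), pos + 1
    end = text.index(")", pos)              # simple item: attr=value
    attr, _, value = text[pos:end].partition("=")
    return (attr, value), end + 1

def object_classes(node):
    """Yield lower-cased objectClass values asserted anywhere in the tree."""
    head, body = node
    if isinstance(body, list):
        for child in body:
            yield from object_classes(child)
    elif head.lower() == "objectclass":
        yield body.lower()

def classify(log_line):
    """Map each objectClass in the line's filter to a schema generation."""
    m = re.search(r'filter="([^"]*)"', log_line)
    if not m:
        return {}
    tree, _ = parse_filter(m.group(1))
    return {oc: "samba3" if oc in SAMBA3_CLASSES else
                "samba2" if oc in SAMBA2_CLASSES else "other"
            for oc in object_classes(tree)}

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
```

Run against a real access log, any "samba3" result means the server is being asked for entries that a Samba 2.2.x-only schema does not define.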