[Samba] LDAP backend and sambaGroupType for builtin groups

Sébastien Prud'homme sebastien.prudhomme at gmail.com
Thu Oct 16 09:32:03 GMT 2008


Hi,

I have a question about the sambaGroupType attribute on a Samba 3.2 PDC
with an LDAP backend (and nss_ldap + nss_winbind).

What should be the value for the Administrators builtin group?

If I use smbldap-populate from smbldap-tools, the value of
sambaGroupType is 5 (and the LDAP entry for this group is a posixGroup
and a sambaGroupMapping).
I've also noticed that "wbinfo -g" doesn't list the group. "getent
group" displays the group correctly (I guess because of the posixGroup
and nss_ldap) but the domain administrator account is not listed in
that group (no nested group expansion).

If I simply start Samba without provisioning the Administrators
builtin group in LDAP, Samba automatically creates it:

dn: sambaSID=S-1-5-32-544,ou=groups,dc=mydomain
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-544
sambaGroupType: 4
displayName: Administrators
gidNumber: XXXXXX
structuralObjectClass: sambaSidEntry
sambaSIDList: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-512

The value of sambaGroupType is 4 (and there is no posixGroup) and
"wbinfo -g" lists the group as "BUILTIN\administrators". "getent group"
works fine (the domain administrator account is listed in the builtin
Administrators group).

Can anyone explain to me what the correct value for sambaGroupType
should be in Samba 3.2? I guess "4" but I'm not sure, as a lot of
people seem to use the smbldap-tools (which say "5").

Another question: is it OK to add a posixAccount object class to a
builtin local group? If yes, how can I avoid having the group entry
twice in "getent group" (one from nss_ldap and one from nss_winbind)?

Thanks!

