[Samba] LDAP backend and sambaGroupType for builtin groups

Jeremy Allison jra at samba.org
Thu Oct 16 22:16:51 GMT 2008

On Thu, Oct 16, 2008 at 11:32:03AM +0200, Sébastien Prud'homme wrote:
> Hi,
> I have a question about sambaGroupType attribute on a Samba 3.2 PDC
> with LDAP backend (and nss_ldap + nss_winbind).
> What should be the value for Administrators builtin group ?
> If i use smbldap-populate from smbldap-tools, the value of
> sambaGroupType is 5 (and the LDAP entry for this group is a posixGroup
> and a sambaGroupMapping).
> I've also noticed that "wbinfo -g" doesn't list the group. "getent
> group" displays the group correctly (i guess because of the posixGroup
> and nss_ldap) but the domain administrator account is not listed in
> that group (no nested group expand).
> If i simply start Samba without provisioning the Administrators
> builtin group in LDAP, Samba automaticaly creates it:
> dn: sambaSID=S-1-5-32-544,ou=groups,dc=mydomain
> objectClass: sambaSidEntry
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-32-544
> sambaGroupType: 4
> displayName: Administrators
> gidNumber: XXXXXX
> structuralObjectClass: sambaSidEntry
> sambaSIDList: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-512
> The value of sambaGroupType is 4 (and there is no posixGroup) and
> "wbinfo -g" list the group as "BUILTIN\administrators". "getent group"
> works fine (the domain administrator account is listed in the builtin
> Administrators group).
> Can anyone explains me what the correct value for sambaGroupType
> should be in Samba 3.2? I guess "4" but i'm not sure as a lot of
> people seems to use the smbldap-tools (which said "5").

That's a bug in smbldap-tools, I sent them a patch
for this. See :


for details (and here :


is the patch for smbldap-tools.


More information about the samba mailing list