[Samba] LDAP backend and sambaGroupType for builtin groups

[Sébastien Prud'homme]

Thanks for the quick answer!

2008/10/17 Jeremy Allison <jra at samba.org>:
> On Thu, Oct 16, 2008 at 11:32:03AM +0200, Sébastien Prud'homme wrote:
>> Hi,
>>
>> I have a question about sambaGroupType attribute on a Samba 3.2 PDC
>> with LDAP backend (and nss_ldap + nss_winbind).
>>
>> What should be the value for Administrators builtin group ?
>>
>> If i use smbldap-populate from smbldap-tools, the value of
>> sambaGroupType is 5 (and the LDAP entry for this group is a posixGroup
>> and a sambaGroupMapping).
>> I've also noticed that "wbinfo -g" doesn't list the group. "getent
>> group" displays the group correctly (i guess because of the posixGroup
>> and nss_ldap) but the domain administrator account is not listed in
>> that group (no nested group expand).
>>
>> If i simply start Samba without provisioning the Administrators
>> builtin group in LDAP, Samba automaticaly creates it:
>>
>> dn: sambaSID=S-1-5-32-544,ou=groups,dc=mydomain
>> objectClass: sambaSidEntry
>> objectClass: sambaGroupMapping
>> sambaSID: S-1-5-32-544
>> sambaGroupType: 4
>> displayName: Administrators
>> gidNumber: XXXXXX
>> structuralObjectClass: sambaSidEntry
>> sambaSIDList: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-512
>>
>> The value of sambaGroupType is 4 (and there is no posixGroup) and
>> "wbinfo -g" list the group as "BUILTIN\administrators". "getent group"
>> works fine (the domain administrator account is listed in the builtin
>> Administrators group).
>>
>> Can anyone explains me what the correct value for sambaGroupType
>> should be in Samba 3.2? I guess "4" but i'm not sure as a lot of
>> people seems to use the smbldap-tools (which said "5").
>
> That's a bug in smbldap-tools, I sent them a patch
> for this. See :
>
> https://bugzilla.samba.org/show_bug.cgi?id=5551
>
> for details (and here :
>
> https://bugzilla.samba.org/attachment.cgi?id=3369&action=view
>
> is the patch for smbldap-tools.
>
> Jeremy.
>