[Samba] Re: problem with sambaNextRid (WAS: updating samba/ldap: do I need new attributes?)

Adam Williams awilliam at mdah.state.ms.us
Tue Mar 24 23:59:11 GMT 2009

samba creates the RID when smbpasswd -a is used (or machine is joined to 
the domain).  smbldap-tools creates an entry in ldap to keep up with the 
next available UID.  i don't remember what it is.  personally, I just 
use a text file that contains my next available UID and GID in it and 
increment when i add a user.  i do everything by hand with .ldif files 

Thierry Lacoste wrote:
> Hello,
> I did the steps described below and I have a problem with machine RIDs.
> When I first join a machine, samba adds to my sambaDomainName ldap entry
> a sambaNextRid attribute with a value of 1000.
> Now samba uses this value (incremented each time) to give its RID
> to the machine.
> This is going to be a real problem as my current samba computes RDIs
> as 1000+2*UID.
> FWIW I'm using smbldap-tools to create user accounts and I have
> add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
> in my smb.conf though I don't think it is relevant because
> AFAIK this script is only called to create the posix machine account.
> What are my options?
> If at all possible, I'd rather stick to the 1000+2*UID algorithm.
> I googled about it and I know that others where caught too
> but I wasn't able to find a solution.
> Regards,
> Thierry.
> Quoting Adam Williams <awilliam at mdah.state.ms.us>:
>> your steps are fine.  you don't need the samba LDAP entries you listed,
>> when ou do smbpasswd -a user, it will add the minimum required LDAP
>> entries for samba.
>> lacoste at miage.univ-paris12.fr wrote:
>>> Hello,
>>> I plan to update my samba-3.0.22/openldap-2.3.24
>>> to samba-3.0.34/openldap-2.4.15 and I'm currently testing it.
>>> This is on FreeBSD.
>>> My idea is :
>>> 1) slapcat the openldap server and save the various tdb files.
>>> 2) deinstall samba and openldap and wipe out the bdb files
>>> 3) install the newer versions
>>> 4) slapadd to the new openldap server
>>> This seems to work in my test lab.
>>> During my tests I also built a new domain afresh and realized that the
>>> sambaDomainName ldap entry has some attributes that are not in my
>>> production server: sambaMinPwdLength, sambaLogonToChgPwd,  
>>> sambaLockoutDuration,
>>> sambaLockoutObservationWindow, sambaLockoutThreshold, sambaForceLogoff.
>>> Do I have to add these attributes to my ldif file before slapadd?
>>> More generally, do I have to add some attributes to my ldap entries?
>>> Regards,
>>> Thierry

More information about the samba mailing list