[Samba] samba 3.4.3 DC breaks Windows groups

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Nov 25 20:01:09 MST 2009

I have done the following 

  - Added index for sambaSID and other attributes as per the following


   - replaced the samba 3.0 schema file in my LDAP Server (Sun Directory
Server) with the 3.2 version 

   -  installed samba 3.4.3 packages from sun freeware to replace those I
compiled from from source. 

   - Reindexed with "dsconf reindex -h ldapserver  -t sambaSID

Unfortunately did not resolve the group membership problem  (i.e. a user
account only appears to be in its primary group )

Querying the Samba 3.4.x BDC 

# net rpc user info Administrator -U Administrator -S BDC2
Enter Administrator's password:
Domain Users

Querying the Samba 3.0.x PDC

# net rpc user info Administrator -U Administrator -S PDC
Enter Administrator's password:
Domain Admins
Domain Users

As far as I can tell from the comments at the top of each ldif file, the
only change was the addition of sambaTrustedDomainPassword objectClasses.

On 11/25/09 03:41, Jan Wenzel wrote:
> Hash: SHA1
> Gaiseric Vandal schrieb:
>> I assume an index is not an actual LDAP attribute or object like
>> sambaSID but is more like a database index for optimizing searches?
> You're right :) But in some cases like substring search (samba searches
> i.e. for sambaSID=S-1-5-32-* to get the local groups) they are needed to
> get results. I don't know where to configure the indexes exactly in SDS,
> but I'm sure it is possible.
>> I use Sun's Directory Server (LDAP server) as the backend.  I use Apache
>> Directory Studio for managing objects and attributes with in ldap.    I
>> should be able to use Sun's web-based console for creating the indexes.
>> Is there something I need to specify in smb.conf to tell Samba to use
>> the index?
> Samba does not know anything about the configuration details of the LDAP
> server,
> it only talks LDAP - so it should instantly show groups when the index
> is present.
>> I also noticed that if I try to compile samba with Active Directory
>> support, configure fails with
>> configure: error: Active Directory support requires ldap_initialize
> I would prefer to use the prebuilt linux packages from ftp.sernet.de (if
> you have a linux system).
>> Since sun has ldap client support included in the OS I do not have
>> openldap installed.    I don't need Active Directory but it makes me
>> suspect that there may be some other ldap compatibility issues when
>> using Sun ldap client vs Openldap client.
>> Thanks
> Jan
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> iEYEARECAAYFAksM7Z0ACgkQzaoFHMzBsBplVwCcCCaCYgq87CWuGmjxvpS/ox/k
> WdQAn19bryFfw+aWa7TMUZZCzU2UKHsN
> =4Old

More information about the samba mailing list