[Samba] samba 3.4.3 DC breaks Windows groups
gaiseric.vandal at gmail.com
Wed Nov 25 20:42:39 MST 2009
I think I have found the problem:
Samba 3.0.x looks for group mappings in the "ldap group suffix" param. On
my systems this is "ldap group suffix = ou=smb_groups." Regular unix
groups are just in ou=groups. Initially we had used NIS (then LDAP) for
unix groups, and had used tdbsam for the samba account backend. Group
mappings were also in tdb. When we moved to ldap backend, group mappings
were imported into ou=smb_groups.
Samba 3.4.x reads thru the entire ldap tree. Since I have both "cn=Domain
Administrators,ou=smb_groups" and "cn=smb_domadmins,ou=group" both with the
same gidNumber, group membership processing fails.
Therefore I think the solution will be to consolidate entries. For example:
- Replace "cn=smb_domadmins,ou=group" with "cn=Domain
- Copy the sambaSID from "cn=Domain Administrators,ou=smb_groups" to
- Repeat for all the other mapped groups
- Update smb.conf on the 3.0.x servers to use "ldap group suffix =
This is assuming of course that Solaris doesn't have problems with group
names with spaces.
From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
Sent: Wednesday, November 25, 2009 10:01 PM
To: samba at lists.samba.org
Subject: RE: [Samba] samba 3.4.3 DC breaks Windows groups
I have done the following:
- Added index for sambaSID and other attributes as per the following
- replaced the samba 3.0 schema file in my LDAP Server (Sun Directory
Server) with the 3.2 version
- installed samba 3.4.3 packages from sun freeware to replace those I
compiled from source.
- Reindexed with "dsconf reindex -h ldapserver -t sambaSID"
Unfortunately this did not resolve the group membership problem (i.e. a user
account only appears to be in its primary group)
Querying the Samba 3.4.x BDC
# net rpc user info Administrator -U Administrator -S BDC2
Enter Administrator's password:
Querying the Samba 3.0.x PDC
# net rpc user info Administrator -U Administrator -S PDC
Enter Administrator's password:
As far as I can tell from the comments at the top of each ldif file, the
only change was the addition of sambaTrustedDomainPassword objectClasses.
On 11/25/09 03:41, Jan Wenzel wrote:
> Gaiseric Vandal schrieb:
>> I assume an index is not an actual LDAP attribute or object like
>> sambaSID but is more like a database index for optimizing searches?
> You're right :) But in some cases like substring search (samba searches
> i.e. for sambaSID=S-1-5-32-* to get the local groups) they are needed to
> get results. I don't know where to configure the indexes exactly in SDS,
> but I'm sure it is possible.
>> I use Sun's Directory Server (LDAP server) as the backend. I use
>> Directory Studio for managing objects and attributes with in ldap. I
>> should be able to use Sun's web-based console for creating the indexes.
>> Is there something I need to specify in smb.conf to tell Samba to use
>> the index?
> Samba does not know anything about the configuration details of the LDAP
> it only talks LDAP - so it should instantly show groups when the index
> is present.
>> I also noticed that if I try to compile samba with Active Directory
>> support, configure fails with
>> configure: error: Active Directory support requires ldap_initialize
> I would prefer to use the prebuilt linux packages from ftp.sernet.de (if
> you have a linux system).
>> Since sun has ldap client support included in the OS I do not have
>> openldap installed. I don't need Active Directory but it makes me
>> suspect that there may be some other ldap compatibility issues when
>> using Sun ldap client vs Openldap client.
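The duplicate-gidNumber condition the top post blames (a mapped group under ou=smb_groups and a plain POSIX group under ou=group sharing one gidNumber) can be checked against an LDIF dump before consolidating entries. The following is an added example, not code from the thread or from Samba; the LDIF, DNs, SID and gid values are constructed placeholders.

```python
# Added example (not from the thread): flag LDAP group entries that share a
# gidNumber, the condition the post blames for Samba 3.4.x membership failures.
from collections import defaultdict

# Constructed LDIF; DNs, SID and gidNumbers are illustrative placeholders.
SAMPLE_LDIF = """\
dn: cn=Domain Administrators,ou=smb_groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Administrators
gidNumber: 10001
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-512

dn: cn=smb_domadmins,ou=group,dc=example,dc=com
objectClass: posixGroup
cn: smb_domadmins
gidNumber: 10001

dn: cn=staff,ou=group,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 10002
"""


def parse_ldif(text):
    """Parse an LDIF dump into a list of {attr(lowercase): [values]} dicts."""
    unfolded = text.replace("\n ", "")       # undo RFC 2849 line folding
    entries = []
    for block in unfolded.split("\n\n"):     # entries are blank-line separated
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if line.startswith("#") or not sep or value.startswith(":"):
                continue                     # comment, junk, or base64 value
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def find_duplicates(entries, attr="gidNumber"):
    """Return {value: [dn, ...]} for values of attr present on more than one entry."""
    owners = defaultdict(list)
    for entry in entries:
        for value in entry.get(attr.lower(), []):
            owners[value].append(entry.get("dn", ["<no dn>"])[0])
    return {v: dns for v, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    for gid, dns in sorted(find_duplicates(parse_ldif(SAMPLE_LDIF)).items()):
        print(f"gidNumber {gid} shared by: {'; '.join(dns)}")
```

On a real directory, feed it the output of an ldapsearch over the whole tree (not only the group suffix), since that is the scope Samba 3.4.x searches; the same function with attr="sambaSID" catches mappings that collide on SID instead.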