[Samba] few quick domain questions

Christ Schlacta lists at aarcane.org
Thu Dec 23 02:06:47 MST 2010 

I've got a somewhat special domain (servers only, no clients, for 
unified passwords stored in ldap and unix passwords are in there too), 
and I'm looking at my directory and there are a few things I don't quite 
understand, or that I need some clarification on..

1) these "Domain Admins" and "Domain Guests" and "Domain Computers" 
groups..  do they NEED to be present?  if they have no members, is it 
okay to delete them?  they feel like cruft...  I may someday add a 
windows domain member workstation..  is it okay to delete them, or will 
windows go wonky on me when the day comes?

2) Why can't I use rids that are just SID-(uid-or-gid) ?  it seems that 
smbldap-groupadd and smbldap-useradd make every attempt to ensure that 
all rids are unique..  so with groups and users being both in the range 
10K-20K, I get 
10000=user,10001=group,1000[2-9]=user,1001[0-5]=group,10016=system(yes, 
I know it's a user), and so on...  why can't I use rid=(uid-or-gid) and 
do away with the wierd 2*uid+1000 thing?

3) are PDCs and BDCs supposed to join the domain?  net join -U 
administrator PDC joins the system as a PDC, how is that different from 
joining as a BDC or a master?  how do I swap the roles specified there 
later, when a PDC gets retired and a BDC is promoted to PDC and a member 
to BDC, etc...

4) do I have to use a single ou=People, ou=Groups, ou=Machines, for each 
type of account, or can I actually put them in something resembling a 
hierarchy?  (if applicable, If I use a hierarchy, does that have any 
effect on samba, or on unix?  can it be mapped to "primary group" or 
similar?)

5) there are a few places where local groups or users need to overlap 
with ldap users or groups..  (one system has an exclusive group 
www-data, for example..  if I put the group in ldap, the webserver user 
needs to join the group but the webserver user is a local user...  
however, if I put the group locally, a half dozen people from the 
directory need to be put in the www-data group from the directory...)  
The webserver is just an example, there are others as well.  how do I 
handle this?

Thank you for reading this far.  These are all the issues I've come 
across in setting up my test domain.  I've let my google-fu fail me one 
too many times, and these questions answered clearly and concisely are 
difficult to come by.  Any help you can provide me in answering these 
questions would be a big help!

Thank you again,
Christ Schlacta

More information about the samba mailing list