[Samba] confusion about using samba as NT4 PDC with ldapsam backend

[Jon Detert]

Hello,

I want to use samba v3.3.x to implement an NT4/Win2k style domain:
a samba PDC and a samba BDC, using ldapsam for the 'passdb backend'.  I plan
to use RedHat Directory Server v8.2 as the ldap server.

I'm trying to sort out how user/group management and nss will work.

I'm confused about how/when the samba-supplied ldap schema is used (I mean
the schema that's in the samba distribution, that contains the
'sambaSamAccount' objectClass).

I understand that I have to add/activate the schema within my ldap server
(and that in its distributed form, it's for openLDAP, and so I have to
convert it to a syntax suitable for RedHat DirServer).

However, I don't understand how to make samba use it.

Does the simple fact of specifying 'passdb backend' = ldapsam imply that
this schema is used?

How do the samba ObjectClasses and their attributes get set for new users?
E.g. will they be set automagically if I specify the 'add
{user|group|machine} script' settings in the smb.conf?  If not, how then?

The ldap server is already populated with inetOrgPerson information for my
user population.  I've just added the samba schema and the posixAccount
schema.  How should I populate the samba and posixAccount ObjectClasses and
attributes for the existing users?  I.e. run a one-time script to populate
them, or is there a more clever way?  If the former, are there ready-made
scripts to do this, or do I need to write my own?

Once the samba schema objects and attributes are populated, how does smbd
know about them?  Will I need to run winbind in order for samba to map posix
UIDs and GIDs to SIDs and RIDs, or will that be done automagically by virtue
of specifying that the 'passdb backend' is ldapsam, and populating the samba
schema?

Even if I don't need to run winbind, should I?  I'll need to use nss in any
case, but if I use nss_ldap, I think that the o.s. won't grok nested
groups.  If I use nss_winbind, I think it will.

AtDhVaAnNkCsE,

Jon