[Samba] confusion about using samba as NT4 PDC with ldapsam backend

TAKAHASHI Motonobu monyo at monyo.com
Wed Dec 29 20:16:15 MST 2010

> On 12/29/2010 11:08, Jon Detert wrote:
>> Thanks, that clarifies several points, and introduces me to the
>> ldapsam:editposix configuration setting.
>> A few questions about using ldapsam:editposix :
>> 1) Does the use of ldapsam:editposix mean that I won't need to specify the
>> 'add user script' or 'add group script' settings?

No, no 'add user/group script' is needed.


>> 3) I assume that the MsWin program 'srvtools.exe' (a.k.a. 'User Manager
>> for Domains') will transparently make use of the ldapsam:editposix when
>> creating/editing/deleting users and groups.  Will the samba-provided
>> utility 'net rpc {user|group} {add|delete|}' do the same?

Basically yes, but they cannot set the detailed attributes, for example
homedir, profile path ...

I think if you want to manage without srvtools.exe, you need to use
"net rpc user add" for creating a user, and need to use "pdbedit" for
setting the details.

Anyway, ldapsam:editposix is not intended for managing in such a way, I think.
So you will need a somewhat "tricky" way.

>> Samba ObjectClass question:
>> What about assigning the samba ObjectClasses to existing users that don't
>> have them already?  Can/should I use the smbldap-tools to do so?  If not,
>> any suggestions?

>> posixAccount and posixGroup ObjectClass questions:
>> 1) The existing users in ldap don't have the posixAccount or posixGroup
>> objectClasses at present.  How should I populate them?
>> 2) Are the posixAccount uid and posixGroup gid attributes the uid and gid
>> that the samba config settings 'idmap uid' and 'idmap gid' refer to?  In
>> any case, how do I pick ranges that will work?  Do I just make sure the
>> ranges include every posixAccount uid and posixGroup gid that I set?

Same as above, ldapsam:editposix is not intended to migrate in such a way,
I think.

So you should manually adjust attributes both for UNIX and Samba users,
using LDAP tools, pdbedit, smbldap-tools-based custom scripts and other
tools, to suit ldapsam:editposix. It's not easy.

TAKAHASHI Motonobu <monyo at monyo.com>
