[Samba] Initializing a Samba3 ldapsam

Mike Brady mike.brady at devnull.net.nz
Mon Feb 21 01:08:13 MST 2011

I have spent the last few days attempting to get a Samba3 PDC/BDC  
setup with an LDAP SAM and need some clarification on exactly what  
should/can be initialized in the LDAP SAM.

As my main sources of information/inspiration I have been using
http://wiki.samba.org/index.php/Replicated_Failover_Domain_Controller_and_file_server_using_LDAP
and the smbldap-tools source code, but have also been reading "Samba by
Example" and the Samba How-tos.  Unfortunately there are inconsistencies that I can not  

The short version of the question is - is there a full specification  
(preferably in the form of an LDIF file) of everything that can/should  
be initialized in the LDAP SAM?

The longer version is:

1) Both the Wiki and smbldap-tools have sambaGroupType set to 5 for  
the BUILTIN groups.  I found this reference saying that the  
sambaGroupType should be 4 for BUILTIN groups.
Which is correct?

2) The Wiki page has all the BUILTIN groups with "full domain" SIDs,  
but smbldap-tools has what I think are the correct SIDs for these  
groups.  Which is correct?

e.g. for Account Operators the Wiki has  
S-1-5-21-3809161173-2687474671-1432921517-548 and smbldap-tools has  

3) http://support.microsoft.com/kb/243330  has a long list of the well  
known SIDs, many of which do not make sense in a Samba domain, but is  
there a full list of all the ones that do make sense for Samba and  
what the LDAP SAM should be initialized to to implement them?


