[Samba] Initializing a Samba3 ldapsam

Mike Brady mike.brady at devnull.net.nz
Mon Feb 21 14:45:55 MST 2011

Quoting Mike Brady <mike.brady at devnull.net.nz>:

> I have spent the last few days attempting to get a Samba3 PDC/BDC  
> setup with an LDAP SAM and need some clarification on exactly what  
> should/can be initialized in the LDAP SAM.
> As my main sources of information/inspiration I have been using  
> http://wiki.samba.org/index.php/Replicated_Failover_Domain_Controller_and_file_server_using_LDAP and the smbldap-tools source code, but have also been reading "Samba by Example" and the Samba How-tos.  Unfortunately there are inconsistencies that I cannot  
> resolve.
> The short version of the question is - is there a full specification  
> (preferably in the form of an LDIF file) of everything that  
> can/should be initialized in the LDAP SAM?
> The longer version is:
> 1) Both the Wiki and smbldap-tools have sambaGroupType set to 5 for  
> the BUILTIN groups.  I found this reference saying that the  
> sambaGroupType should be 4 for BUILTIN groups.
> http://samba.2283325.n4.nabble.com/LDAP-backend-and-sambaGroupType-for-builtin-groups-td2446893.html
> Which is correct?
> 2) The Wiki page has all the BUILTIN groups with "full domain" SIDs,  
> but smbldap-tools has what I think are the correct SID for these  
> groups.  Which is correct?
> e.g. for Account Operators the Wiki has  
> S-1-5-21-3809161173-2687474671-1432921517-548 and smbldap-tools has  
> S-1-5-32-548.
> 3) http://support.microsoft.com/kb/243330  has a long list of the  
> well known SIDs, many of which do not make sense in a Samba domain,  
> but is there a full list of all the ones that do make sense for  
> Samba and what the LDAP SAM should be initialized to to implement  
> them?
> Thanks
> Mike
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.

Further to the above I have used a CentOS 5.5 x86_64 system and the  
Sernet RPMs to set up a PDC with an LDAPSAM.  I have used the smbldap  
SIDs and set the sambaGroupType to 4 and am able to join machines to  
the domain and log on as domain users, so hopefully my guesses are not  
too far wrong.

I get the following command outputs:

[root at ad01 ~]# wbinfo -g
domain admins
domain users
domain guests
domain computers
[root at ad01 ~]# wbinfo -u
[root at ad01 ~]# net sam list localgroups
[root at ad01 ~]# net sam list groups
Domain Admins
Domain Users
Domain Guests
Domain Computers
[root at ad01 ~]# net sam list builtin
Power Users
Account Operators
Print Operators
Backup Operators
[root at ad01 ~]# net sam list users

Are these what are expected?

I got a Wiki account last night and will update the Wiki if someone in  
the know can confirm my guess work.

Many Thanks


