[Samba] Initializing a Samba3 ldapsam

Mike Brady mike.brady at devnull.net.nz
Mon Feb 21 14:45:55 MST 2011


Quoting Mike Brady <mike.brady at devnull.net.nz>:

> I have spent the last few days attempting to get a Samba3 PDC/BDC  
> setup with an LDAP SAM and need some clarification on exactly what  
> should/can be initialized in the LDAP SAM.
>
> As my main sources of information/inspiration I have been using  
> http://wiki.samba.org/index.php/Replicated_Failover_Domain_Controller_and_file_server_using_LDAP  
> and the smbldap-tools source code, but have also been reading "Samba by  
> Example" and the Samba How-tos.  Unfortunately there are inconsistencies  
> that I cannot resolve.
>
> The short version of the question is - is there a full specification  
> (preferably in the form of an LDIF file) of everything that  
> can/should be initialized in the LDAP SAM?
>
> The longer version is:
>
> 1) Both the Wiki and smbldap-tools have sambaGroupType set to 5 for  
> the BUILTIN groups.  I found this reference saying that the  
> sambaGroupType should be 4 for BUILTIN groups.
> http://samba.2283325.n4.nabble.com/LDAP-backend-and-sambaGroupType-for-builtin-groups-td2446893.html
> Which is correct?
>
> 2) The Wiki page has all the BUILTIN groups with "full domain" SIDs,  
> but smbldap-tools has what I think are the correct SIDs for these  
> groups.  Which is correct?
>
> e.g. for Account Operators the Wiki has  
> S-1-5-21-3809161173-2687474671-1432921517-548 and smbldap-tools has  
> S-1-5-32-548.
>
> 3) http://support.microsoft.com/kb/243330 has a long list of the  
> well-known SIDs, many of which do not make sense in a Samba domain,  
> but is there a full list of all the ones that do make sense for  
> Samba, and what the LDAP SAM should be initialized to in order to  
> implement them?
>
>
> Thanks
>
> Mike
>
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.

Further to the above, I have used a CentOS 5.5 x86_64 system and the  
SerNet RPMs to set up a PDC with an LDAP SAM.  I have used the smbldap  
SIDs and set sambaGroupType to 4, and am able to join machines to  
the domain and log on as domain users, so hopefully my guesses are not  
too far wrong.

I get the following command outputs:

[root@ad01 ~]# wbinfo -g
domain admins
domain users
domain guests
domain computers
[root@ad01 ~]# wbinfo -u
nobody
root
test01
test2
[root@ad01 ~]# net sam list localgroups
[root@ad01 ~]# net sam list groups
Domain Admins
Domain Users
Domain Guests
Domain Computers
[root@ad01 ~]# net sam list builtin
Administrators
Users
Guests
Power Users
Account Operators
Print Operators
Backup Operators
[root@ad01 ~]# net sam list users
nobody
root
test01
test2

Is this the output that is expected?

I got a Wiki account last night and will update the Wiki if someone in  
the know can confirm my guesswork.

Many Thanks

Mike


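As an added example (not code from the post, from Samba or from smbldap-tools), here is a small Python lint that reads an LDIF dump of the LDAP SAM and flags the two inconsistencies the post is about: a BUILTIN group stored under the full domain SID instead of S-1-5-32-<rid>, and a sambaGroupType that does not match the SID form. It assumes the convention the poster settled on (S-1-5-32-<rid> with sambaGroupType 4 for BUILTIN groups, <domain SID>-<rid> with sambaGroupType 2 for domain groups); the BUILTIN RID names are the well-known ones from KB 243330, the LDIF reader handles only what the check needs, and the sample LDIF is constructed here, with the domain SID copied from the Wiki example quoted in the post.

```python
"""Lint sambaGroupMapping entries in an LDIF dump of a Samba3 LDAP SAM.

Added example, not code from the original post, Samba or smbldap-tools.
Assumed convention (the one the poster settled on): BUILTIN aliases use
S-1-5-32-<rid> with sambaGroupType 4, domain groups use <domain SID>-<rid>
with sambaGroupType 2.  BUILTIN RID names are taken from MS KB 243330.
"""

BUILTIN_PREFIX = "S-1-5-32"
BUILTIN_RIDS = {                    # well-known BUILTIN aliases (KB 243330)
    544: "Administrators", 545: "Users", 546: "Guests", 547: "Power Users",
    548: "Account Operators", 549: "Server Operators",
    550: "Print Operators", 551: "Backup Operators", 552: "Replicator",
}
TYPE_DOM_GRP, TYPE_ALIAS = 2, 4     # sambaGroupType values assumed above


def parse_ldif(text):
    """Minimal LDIF reader: a blank line ends an entry, a leading space
    continues the previous line, '#' starts a comment, base64 ('attr::')
    values are skipped.  Returns [{attr_lowercased: [values]}, ...]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # fold continuation line
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:                 # "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, sep, value = line.partition(":")
        if sep and not value.startswith(":"):
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def has_class(entry, name):
    return name.lower() in [v.lower() for v in entry.get("objectclass", [])]


def lint_group_mappings(text):
    """Return [(cn, problem), ...]; an empty list means every mapping
    follows the assumed convention."""
    entries = parse_ldif(text)
    domain_sid = None
    for e in entries:
        if has_class(e, "sambaDomain"):       # the domain's own SID prefix
            domain_sid = e.get("sambasid", [None])[0]
    problems = []
    for e in entries:
        if not has_class(e, "sambaGroupMapping"):
            continue
        cn = e.get("cn", ["?"])[0]
        sid = e.get("sambasid", [""])[0]
        gtype = e.get("sambagrouptype", ["missing"])[0]
        prefix, _, rid = sid.rpartition("-")
        if not rid.isdigit():
            problems.append((cn, "malformed sambaSID %r" % sid))
            continue
        rid = int(rid)
        if prefix == BUILTIN_PREFIX:
            expected = TYPE_ALIAS
            if BUILTIN_RIDS.get(rid, "").lower() != cn.lower():
                problems.append((cn, "RID %d is not BUILTIN alias %r" % (rid, cn)))
        elif domain_sid and prefix == domain_sid:
            expected = TYPE_DOM_GRP
            if rid in BUILTIN_RIDS:           # the Wiki's "full domain SID" form
                problems.append((cn, ("BUILTIN RID %d under the domain SID; "
                                      "use %s-%d") % (rid, BUILTIN_PREFIX, rid)))
                continue
        else:
            problems.append((cn, "SID %s is neither BUILTIN nor in domain %s"
                                 % (sid, domain_sid)))
            continue
        if gtype != str(expected):
            problems.append((cn, "sambaGroupType %s, expected %d" % (gtype, expected)))
    return problems


def group_entry(cn, sid, gtype):
    """Build one constructed sambaGroupMapping entry (sample data only)."""
    return ("dn: cn=%s,ou=Groups,dc=example,dc=com\nobjectClass: sambaGroupMapping\n"
            "cn: %s\nsambaSID: %s\nsambaGroupType: %s\n" % (cn, cn, sid, gtype))


# Constructed sample: domain SID from the Wiki example quoted in the post.
DOMAIN = "S-1-5-21-3809161173-2687474671-1432921517"
SAMPLE_LDIF = "\n".join([
    "dn: sambaDomainName=EXAMPLE,dc=example,dc=com\nobjectClass: sambaDomain\n"
    "sambaSID: %s\n" % DOMAIN,
    group_entry("Domain Admins", DOMAIN + "-512", 2),        # correct domain group
    group_entry("Account Operators", "S-1-5-32-548", 4),     # smbldap-tools form
    group_entry("Backup Operators", DOMAIN + "-551", 5),     # Wiki form: flagged
    group_entry("Print Operators", "S-1-5-32-550", 5),       # type 5: flagged
])

if __name__ == "__main__":
    for cn, problem in lint_group_mappings(SAMPLE_LDIF):
        print("%s: %s" % (cn, problem))
```

To run it against a live directory, feed it the LDIF from something like `ldapsearch -x -LLL -b <suffix> '(|(objectClass=sambaDomain)(objectClass=sambaGroupMapping))'`; the sambaDomain entry must be included, since the domain SID prefix is read from it rather than hard-coded.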