[Samba] Initializing a Samba3 ldapsam
mike.brady at devnull.net.nz
Mon Feb 21 23:56:42 MST 2011
>> I have spent the last few days attempting to get a Samba3 PDC/BDC
>> setup with an LDAP SAM and need some clarification on exactly what
>> should/can be initialized in the LDAP SAM.
>> As my main sources of information/inspiration I have been using
>> http://http://wiki.samba.org/index.php/Replicated_Failover_Domain_Controller_and_file_server_using_LDAP and >the smbldap-tools source code, but have also been reading "Samba by Example" and the Samba How-tos. >Unfortunately there are inconsistencies that I can not
>> The short version of the question is - is there a full
>> specification (preferably in the form of an LDIF file) of
>> everything that can/should be initialized in the LDAP SAM?
>> The longer version is:
>> 1) Both the Wiki and smbldap-tools have sambaGroupType set to 5 for
>> the BUILTIN groups. I found this reference saying that the
>> sambaGroupType should be 4 for BUILTIN groups.
>> Which is correct?
>> 2) The Wiki page has all the BUILTIN groups with "full domain"
>> SIDs, but smbldap-tools has what I think are the correct SID for
>> these groups. Which is correct?
>> e.g. for Account Operators the Wiki has
>> S-1-5-21-3809161173-2687474671-1432921517-548 and smbldap-tools has
>> 3) http://support.microsoft.com/kb/243330 has a long list of the
>> well known SIDs, many of which do not make sense in a Samba
>> domain, but is there a full list of all the ones that do make
>> sense for Samba and what the LDAP SAM should be initialized to to
>> implement them?
>> This message was sent using IMP, the Internet Messaging Program.
> Try this from the Official Samba How-To
> In the section in the section, "Default Users, Groups, and Relative
> Identifiers". The only three _required_ groups are: Domain Admins, RID=512
> Domain Users, RID=513
> Domain Guests, RID=514
> In addition to these groups I also have the following domain users just
> for completeness: Domain Administrator, RID=500
> Domain Guest, RID=501
> The builtin groups (RIDS=544 through 533) are not listed as required,
> but you can put them in your ldapsam backend. You will have to add them
> with, sambaGroupType=4, if you want them to show up in usermgr.exe.
> If I have got the correct understanding, SIDs that start with S-1-2-21
> will be domain SIDs and will be followed by the domain sid and then a
> RID. The SIDs that start with S-1-2-32 are for local SIDs (machine local
> users and groups) and should be put in a machine local backend (at least
> when I get the time I will look into putting them into a local tdbsam on
> the local server).
> Unfortunately, as you have found, you have to piece together a lot of
> different sources to find the correct working solution for your specific
> situation. Although I have a working ldapsam backend I wish I could take
> the time and recreate and redo my Samba Domain with the knowledge that I
> have gained over the past three plus years (that I have incorporated
> LDAP). However, I can find the time to try and normalize my old LDIF
> files and
> format them with what I think a "minimal" Samba Domain should contain
> and send them to you but these will most likely be specific just to a
> Samba3+LDAP domain (I have no intention of going to Samba4 any time
Thanks for the thoughts.
I had seen the group mapping page and have read it and many others a
number of times :-) As you say there is lot of information in
different places to piece together and it doesn't help when a lot of
it is wrong.
But no matter. On wards and upwards. I have an LDIF file that I
think is correct based on my knowledge and that gets me a running
domain. I will go over it again and tidy it up some more. I am sure
that I have some challenges to come still, but I will keep bashing
away at it.
This message was sent using IMP, the Internet Messaging Program.
More information about the samba