[Samba] Initializing a Samba3 ldapsam

Mike Brady mike.brady at devnull.net.nz
Mon Feb 21 23:56:42 MST 2011

>> I have spent the last few days attempting to get a Samba3 PDC/BDC   
>> setup with an LDAP SAM and need some clarification on exactly what   
>> should/can be initialized in the LDAP SAM.
>> As my main sources of information/inspiration I have been using   
>> http://http://wiki.samba.org/index.php/Replicated_Failover_Domain_Controller_and_file_server_using_LDAP and >the smbldap-tools source code, but have also been reading "Samba by Example" and the Samba How-tos.  >Unfortunately there are inconsistencies that I can not   
>> resolve.
>> The short version of the question is - is there a full  
>> specification  (preferably in the form of an LDIF file) of  
>> everything that can/should  be initialized in the LDAP SAM?
>> The longer version is:
>> 1) Both the Wiki and smbldap-tools have sambaGroupType set to 5 for  
>>  the BUILTIN groups.  I found this reference saying that the   
>> sambaGroupType should be 4 for BUILTIN groups.
>> http://samba.2283325.n4.nabble.com/LDAP-backend-and-sambaGroupType-for-builtin-groups-td2446893.html
>> Which is correct?
>> 2) The Wiki page has all the BUILTIN groups with "full domain"  
>> SIDs,  but smbldap-tools has what I think are the correct SID for  
>> these  groups.  Which is correct?
>> e.g. for Account Operators the Wiki has   
>> S-1-5-21-3809161173-2687474671-1432921517-548 and smbldap-tools has  
>>  S-1-5-32-548.
>> 3) http://support.microsoft.com/kb/243330  has a long list of the  
>> well  known SIDs, many of which do not make sense in a Samba  
>> domain, but is  there a full list of all the ones that do make  
>> sense for Samba and  what the LDAP SAM should be initialized to to  
>> implement them?
>> Thanks
>> Mike
>> ----------------------------------------------------------------
>> This message was sent using IMP, the Internet Messaging Program.
> Mike,
> Try this from the Official Samba How-To
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html
> In the section in the section, "Default Users, Groups, and Relative
> Identifiers". The only three _required_  groups are:   Domain Admins, RID=512
>   Domain Users, RID=513
>   Domain Guests, RID=514
>  In addition to these groups I also have the following domain users just
>  for completeness:  Domain Administrator, RID=500
>  Domain Guest, RID=501
> The builtin groups (RIDS=544 through 533) are not listed as required,
> but you can put them in your ldapsam backend. You will have to add them
> with, sambaGroupType=4, if you want them to show up in usermgr.exe.
> If I have got the correct understanding, SIDs that start with S-1-2-21
> will be domain SIDs and will be followed by the domain sid and then a
> RID. The SIDs that start with S-1-2-32 are for local SIDs (machine local
> users and groups) and should be put in a machine local backend (at least
> when I get the time I will look into putting them into a local tdbsam on
> the local server).
> Unfortunately, as you have found, you have to piece together a lot of
> different sources to find the correct working solution for your specific
> situation. Although I have a working ldapsam backend I wish I could take
> the time and recreate and redo my Samba Domain with the knowledge that I
> have gained over the past three plus years (that I have incorporated
> LDAP). However, I can find the time to try and normalize my old LDIF  
> files and
> format them with what I think a "minimal" Samba Domain should contain
> and send them to you but these will most likely be specific just to a
> Samba3+LDAP domain (I have no intention of going to Samba4 any time
> soon).
> Bob
> --bs


Thanks for the thoughts.

I had seen the group mapping page and have read it and many others a  
number of times :-) As you say there is lot of information in  
different places to piece together and it doesn't help when a lot of  
it is wrong.

But no matter. On wards and upwards.   I have an LDIF file that I  
think is correct based on my knowledge and that gets me a running  
domain.  I will go over it again and tidy it up some more.  I am sure  
that I have some challenges to come still, but I will keep bashing  
away at it.



This message was sent using IMP, the Internet Messaging Program.

More information about the samba mailing list