[Samba] Initializing a Samba3 ldapsam

Daniel Müller mueller at tropenklinik.de
Mon Feb 21 23:59:10 MST 2011

usermgr.exe does not function any more in Vista and above, and XP has been
announced as end of lifetime.
Just use an LDAP tool for Windows to manage the users.

EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
Behalf Of Robert W. Smith
Sent: Tuesday, 22 February 2011 01:04
To: samba at lists.samba.org
Subject: Re: [Samba] Initializing a Samba3 ldapsam

On Mon, 2011-02-21 at 21:08 +1300, Mike Brady wrote:

> I have spent the last few days attempting to get a Samba3 PDC/BDC  
> setup with an LDAP SAM and need some clarification on exactly what  
> should/can be initialized in the LDAP SAM.
> As my main sources of information/inspiration I have been using
> _and_file_server_using_LDAP and the smbldap-tools source code, but have also
> been reading "Samba by Example" and the Samba How-tos.  Unfortunately there
> are inconsistencies that I can not
> resolve.
> The short version of the question is - is there a full specification  
> (preferably in the form of an LDIF file) of everything that can/should  
> be initialized in the LDAP SAM?
> The longer version is:
> 1) Both the Wiki and smbldap-tools have sambaGroupType set to 5 for  
> the BUILTIN groups.  I found this reference saying that the  
> sambaGroupType should be 4 for BUILTIN groups.
> Which is correct?
> 2) The Wiki page has all the BUILTIN groups with "full domain" SIDs,  
> but smbldap-tools has what I think are the correct SID for these  
> groups.  Which is correct?
> e.g. for Account Operators the Wiki has  
> S-1-5-21-3809161173-2687474671-1432921517-548 and smbldap-tools has  
> S-1-5-32-548.
> 3) http://support.microsoft.com/kb/243330  has a long list of the well  
> known SIDs, many of which do not make sense in a Samba domain, but is  
> there a full list of all the ones that do make sense for Samba and  
> what the LDAP SAM should be initialized to to implement them?
> Thanks
> Mike


Try this from the Official Samba How-To


In the section, "Default Users, Groups, and Relative
Identifiers". The only three _required_ groups are:
  Domain Admins, RID=512
  Domain Users, RID=513
  Domain Guests, RID=514

In addition to these groups I also have the following domain users just
for completeness: 
  Domain Administrator, RID=500
  Domain Guest, RID=501

The builtin groups (RIDS=544 through 533) are not listed as required,
but you can put them in your ldapsam backend. You will have to add them
with sambaGroupType=4 if you want them to show up in usermgr.exe.

If I have got the correct understanding, SIDs that start with S-1-2-21
will be domain SIDs and will be followed by the domain sid and then a
RID. The SIDs that start with S-1-2-32 are for local SIDs (machine local
users and groups) and should be put in a machine local backend (at least
when I get the time I will look into putting them into a local tdbsam on
the local server).

Unfortunately, as you have found, you have to piece together a lot of
different sources to find the correct working solution for your specific
situation. Although I have a working ldapsam backend I wish I could take
the time and recreate and redo my Samba Domain with the knowledge that I
have gained over the past three plus years (that I have incorporated

However, I can find the time to try and normalize my old LDIF files and
format them with what I think a "minimal" Samba Domain should contain
and send them to you but these will most likely be specific just to a
Samba3+LDAP domain (I have no intention of going to Samba4 any time
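
The SID mismatch raised in question 2 of the thread (a BUILTIN group such as Account Operators carrying a domain-prefixed SID rather than S-1-5-32-548) can be checked mechanically across an ldapsam export. The following Python is an added example, not part of the thread or of smbldap-tools; the LDIF entries and the dc=example,dc=org base are constructed, unfolded "attr: value" lines are assumed, and RIDs 544 to 552 are taken as the well-known BUILTIN aliases.

```python
import re

# Constructed sample LDIF; only the domain SID comes from the original question.
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
cn: Domain Admins
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-512
sambaGroupType: 2

dn: cn=Account Operators,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
cn: Account Operators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-548
sambaGroupType: 5

dn: cn=Print Operators,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
cn: Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 4
"""

# Well-known BUILTIN alias RIDs: Administrators (544) .. Replicator (552).
BUILTIN_ALIAS_RIDS = range(544, 553)
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

def classify_sid(sid):
    """Return (kind, rid); kind is 'builtin', 'domain', 'other' or 'invalid'."""
    m = SID_RE.match(sid)
    if not m:
        return "invalid", None
    subs = [int(s) for s in m.group(2).split("-")[1:]]
    if m.group(1) == "5" and subs[0] == 32 and len(subs) == 2:
        return "builtin", subs[1]          # S-1-5-32-<RID>
    if m.group(1) == "5" and subs[0] == 21 and len(subs) == 5:
        return "domain", subs[4]           # S-1-5-21-<a>-<b>-<c>-<RID>
    return "other", subs[-1]

def audit(ldif):
    """List (cn, sambaSID, sambaGroupType, expected SID) for BUILTIN RIDs under a domain SID."""
    findings = []
    for block in ldif.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        kind, rid = classify_sid(attrs.get("sambaSID", ""))
        if kind == "domain" and rid in BUILTIN_ALIAS_RIDS:
            findings.append((attrs.get("cn"), attrs["sambaSID"], attrs.get("sambaGroupType"), f"S-1-5-32-{rid}"))
    return findings
```

Each finding also carries the entry's sambaGroupType, so the 4-versus-5 values discussed in the thread can be reviewed alongside the SID.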

