[Samba] Initializing a Samba3 ldapsam

Daniel Müller mueller at tropenklinik.de
Mon Feb 21 23:59:10 MST 2011


usermgr.exe does not function any more in Vista and above, and XP has been
announced end of life.
Just use an LDAP tool for Windows to manage the users.

-----------------------------------------------
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
behalf of Robert W. Smith
Sent: Tuesday, 22 February 2011 01:04
To: samba at lists.samba.org
Subject: Re: [Samba] Initializing a Samba3 ldapsam

On Mon, 2011-02-21 at 21:08 +1300, Mike Brady wrote:

> I have spent the last few days attempting to get a Samba3 PDC/BDC  
> setup with an LDAP SAM and need some clarification on exactly what  
> should/can be initialized in the LDAP SAM.
> 
> As my main sources of information/inspiration I have been using
> http://wiki.samba.org/index.php/Replicated_Failover_Domain_Controller_and_file_server_using_LDAP
> and the smbldap-tools source code, but have also been reading "Samba by
> Example" and the Samba How-tos.  Unfortunately there are inconsistencies
> that I can not resolve.
> 
> The short version of the question is - is there a full specification  
> (preferably in the form of an LDIF file) of everything that can/should  
> be initialized in the LDAP SAM?
> 
> The longer version is:
> 
> 1) Both the Wiki and smbldap-tools have sambaGroupType set to 5 for  
> the BUILTIN groups.  I found this reference saying that the  
> sambaGroupType should be 4 for BUILTIN groups.
> http://samba.2283325.n4.nabble.com/LDAP-backend-and-sambaGroupType-for-builtin-groups-td2446893.html
> Which is correct?
> 
> 2) The Wiki page has all the BUILTIN groups with "full domain" SIDs,  
> but smbldap-tools has what I think are the correct SID for these  
> groups.  Which is correct?
> 
> e.g. for Account Operators the Wiki has  
> S-1-5-21-3809161173-2687474671-1432921517-548 and smbldap-tools has  
> S-1-5-32-548.
> 
> 3) http://support.microsoft.com/kb/243330  has a long list of the well  
> known SIDs, many of which do not make sense in a Samba domain, but is  
> there a full list of all the ones that do make sense for Samba and  
> what the LDAP SAM should be initialized to to implement them?
> 
> 
> Thanks
> 
> Mike
> 

Mike,

Try this from the Official Samba How-To

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html

In the section "Default Users, Groups, and Relative Identifiers", the only
three _required_ groups are: 
  Domain Admins, RID=512
  Domain Users, RID=513
  Domain Guests, RID=514

In addition to these groups I also have the following domain users just
for completeness: 
  Domain Administrator, RID=500
  Domain Guest, RID=501


The builtin groups (RIDS=544 through 533) are not listed as required,
but you can put them in your ldapsam backend. You will have to add them
with sambaGroupType=4 if you want them to show up in usermgr.exe.

If I have got the correct understanding, SIDs that start with S-1-2-21
will be domain SIDs and will be followed by the domain sid and then a
RID. The SIDs that start with S-1-2-32 are for local SIDs (machine local
users and groups) and should be put in a machine local backend (at least
when I get the time I will look into putting them into a local tdbsam on
the local server).

Unfortunately, as you have found, you have to piece together a lot of
different sources to find the correct working solution for your specific
situation. Although I have a working ldapsam backend I wish I could take
the time and recreate and redo my Samba Domain with the knowledge that I
have gained over the past three plus years (that I have incorporated
LDAP). 

However, I can find the time to try and normalize my old LDIF files and
format them with what I think a "minimal" Samba Domain should contain
and send them to you but these will most likely be specific just to a
Samba3+LDAP domain (I have no intention of going to Samba4 any time
soon).

Bob
--bs
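
As an added illustration of the minimal group set Bob lists (not code from the thread, from Samba or from smbldap-tools): the script below emits LDIF for the three required domain groups (RIDs 512, 513, 514) and then sanity-checks sambaGroupMapping entries so that a domain group never carries a BUILTIN-style SID or a foreign domain's SID. The domain SID reused here is the one from Mike's Account Operators example; the LDAP suffix is a constructed placeholder; gidNumber = RID mirrors the smbldap-tools default; sambaGroupType 2 is the Samba schema value for a domain group; and the parser handles only plain `attr: value` LDIF lines, which is all the generator produces.

```python
"""Generate and sanity-check minimal Samba3 ldapsam group entries (added example)."""
import re

# The three groups the Samba HOWTO lists as required, keyed by RID.
REQUIRED_GROUPS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

# Samba schema value for an NT domain (global) group.
SAMBA_GROUP_TYPE_DOMAIN = 2

# Domain SIDs: S-1-5-21-<three sub-authorities>-<rid>; BUILTIN SIDs: S-1-5-32-<rid>.
_DOMAIN_SID_RE = re.compile(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)")
_BUILTIN_SID_RE = re.compile(r"(S-1-5-32)-(\d+)")


def classify_sid(sid):
    """Return (kind, prefix, rid); kind is 'domain', 'builtin' or 'other'."""
    m = _DOMAIN_SID_RE.fullmatch(sid)
    if m:
        return "domain", m.group(1), int(m.group(2))
    m = _BUILTIN_SID_RE.fullmatch(sid)
    if m:
        return "builtin", m.group(1), int(m.group(2))
    return "other", sid, None


def group_entry(domain_sid, rid, name, groups_dn):
    """One LDIF entry for a domain group with the given RID under groups_dn."""
    lines = [
        f"dn: cn={name},{groups_dn}",
        "objectClass: top",
        "objectClass: posixGroup",
        "objectClass: sambaGroupMapping",
        f"cn: {name}",
        f"gidNumber: {rid}",  # assumption: gid = RID, the smbldap-tools default
        f"sambaSID: {domain_sid}-{rid}",
        f"sambaGroupType: {SAMBA_GROUP_TYPE_DOMAIN}",
        f"displayName: {name}",
    ]
    return "\n".join(lines) + "\n"


def minimal_groups_ldif(domain_sid, groups_dn):
    """LDIF text for the required groups, in RID order, blank-line separated."""
    return "\n".join(group_entry(domain_sid, rid, name, groups_dn)
                     for rid, name in sorted(REQUIRED_GROUPS.items()))


def parse_ldif(text):
    """Minimal LDIF reader: list of dicts mapping attribute -> list of values.

    Only simple 'attr: value' lines are handled (no base64 '::', no folding).
    """
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_group_mappings(text, domain_sid):
    """Return a list of problems found in the sambaGroupMapping entries of text."""
    problems = []
    for entry in parse_ldif(text):
        if "sambaGroupMapping" not in entry.get("objectClass", []):
            continue
        dn = entry.get("dn", ["?"])[0]
        sids = entry.get("sambaSID", [])
        types = entry.get("sambaGroupType", [])
        if len(sids) != 1 or len(types) != 1:
            problems.append(f"{dn}: need exactly one sambaSID and one sambaGroupType")
            continue
        kind, prefix, _rid = classify_sid(sids[0])
        if kind == "other":
            problems.append(f"{dn}: unrecognised SID form {sids[0]}")
        elif int(types[0]) == SAMBA_GROUP_TYPE_DOMAIN and (kind != "domain" or prefix != domain_sid):
            problems.append(f"{dn}: domain group must carry {domain_sid}-<rid>, got {sids[0]}")
        elif kind == "domain" and prefix != domain_sid:
            problems.append(f"{dn}: SID belongs to a foreign domain: {sids[0]}")
    return problems


if __name__ == "__main__":
    DOMAIN_SID = "S-1-5-21-3809161173-2687474671-1432921517"  # from the thread's example
    GROUPS_DN = "ou=Groups,dc=example,dc=com"                 # constructed placeholder
    ldif = minimal_groups_ldif(DOMAIN_SID, GROUPS_DN)
    print(ldif)
    print("problems:", check_group_mappings(ldif, DOMAIN_SID))
```

The checker deliberately accepts BUILTIN-style SIDs only on entries whose sambaGroupType is not the domain-group value, so it does not take sides on the 4-versus-5 question in the thread; it only catches the mix-up Mike describes, a domain-format SID on a BUILTIN group or vice versa, before the LDIF is loaded into the directory.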
