[Samba] Samba 4, where is wbinfo 'info' stored?

steve steve at steve-ss.com
Tue Feb 14 08:02:51 MST 2012


On 14/02/12 10:50, steve wrote:
> On 02/14/2012 06:47 AM, Gémes Géza wrote:
>> Hi
>>> On 02/13/2012 07:53 PM, Gémes Géza wrote:
>>>> Hi,
>>>>
>>>> See comments/questions below:
>>>>> Hi
>>>>>
>>>>> When I type this:
>>>>> getent passwd steve6
>>>>> steve6:*:3000015:3000016:steve6:/home/CACTUS/steve6:/bin/bash
>>>>> I can see that the info is coming from LDAP by looking at the ldif 
>>>>> for
>>>>> cn=steve6
>>>> What is your /etc/nsswitch.conf file like?
>>> passwd files ldap
>>> group files ldap
>>>>> When I type this:
>>>>> wbinfo -i steve6
>>>>> CACTUS\steve6:*:3000015:3000016::/home/CACTUS/steve6:/bin/false
>>>> Is this on the samba4 box?
>>>> wbinfo is the samba4 wbinfo or a samba3 one?
>>> samba4 box
>>> wbinfo = samba4 No s3 installed on this box.
>>>>> Where is the info coming from now?
>>>>> Thanks,
>>>>> Steve
>> Samba4 stores idmap information under an idmap.ldb named ldb file which
>> is NOT exported to AD. So you could modify things by ldbediting it 
>> directly.
> Geza, I'm really struggling with ldbsearch. The doco is almost non 
> existent.
>
> As you suggest, the primaryGroupID attribute I'm looking for must be 
> in idmap.ldb as I can't find it using ldapsearch until _after_ I add a 
> user to my posix group using dsa.msc in windows. Afterwards, I see 
> that the primaryGroupID attribute has been added to the user. What I 
> want to do is find out what that primaryGroupID is _before_ I run my 
> posix script so I can add the attribute myself without having to do it 
> from windows.
>
> All I can find on ldapsearch is:
> ldbsearch [-h] [-s base|one|sub] [-b basedn] [-i] [-H LDB-URL] 
> [expression] [attributes]
>
> 1. Could you help me with the ldbsearch syntax to have a look inside 
> idmap.ldb?
> 2. Which database am I consulting when I run ldapsearch?
> Thanks,
> Steve
>
Hi
I got into /usr/local/samba/private/idmap.ldb by rtfm'ing on ldbsearch 
--help:-)

There I found the group to sid mappings. Turns out we don't need it.
Looking at this:
samba-tool group add suseusers
then
wbinfo --group-info=suseusers
suseusers:*:3000028:
I then posixify the group and then:

wbinfo --gid-to-sid=3000028
S-1-5-21-2395500911-3560017633-4088823418-1134

Doing a ldbsearch on 'cn=steve6'
gives
primaryGroupID: 513

Conclusion: to set the primaryGroupID without using windows, I need to 
replace the 513 with my posix group, 1134

So I chop off the end using cut and ldbmodify it.

For some reason, ldbmodify will not let me do that in one stage. I had 
to separate the writes into 2 stages:
1. add the posix attributes
2. modify the primaryGroupID
Annoying.

I've automated the script a bit more; it looks like this:
  cat s4user
#!/bin/sh
# usage: s4user <username> <posix group>
echo "Creating s4 posix user $1"
echo "Pls enter pwd for $1"
samba-tool user add "$1"
sleep 2
#get the uid (printf, because some sh echo builtins expand backslash sequences in DOMAIN\user)
struid=$(wbinfo -i "$1")
uid=$(printf '%s\n' "$struid" | cut -d ":" -f 3)
#get the gid
strgid=$(wbinfo --group-info="$2")
gid=$(printf '%s\n' "$strgid" | cut -d ":" -f 3)
#get the group from the sid
strsid=$(wbinfo --gid-to-sid="$gid")
primarygid=$(printf '%s\n' "$strsid" | cut -d "-" -f 8)
strwg=$(printf '%s\n' "$struid" | cut -d "\\" -f 1)
#private temp file for the ldif instead of a predictable name in /tmp
ldif=$(mktemp) || exit 1
#add the posix attributes to the user
echo "dn: CN=$1,CN=Users,DC=hh3,DC=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: $uid
-
add: gidnumber
gidnumber: $gid
-
add: unixhomedirectory
unixhomedirectory: /home/CACTUS/$1
-
add: loginshell
loginshell: /bin/bash" > "$ldif"
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site "$ldif"
samba-tool group addmembers "$2" "$1"
#set the user to the posix group
echo "dn: CN=$1,CN=Users,DC=hh3,DC=site
changetype: modify
replace: primarygroupid
primarygroupid: $primarygid" > "$ldif"
sleep 5
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site "$ldif"
mkdir "/home/$strwg/$1"
chown "$1:$2" "/home/$strwg/$1"
rm "$ldif"
echo "$1 rfc2307-ified"

It's still a bit of a mess, no error checking, no user friendly stuff etc.
Any suggestions for tidying up the script?
Any ideas why ldbmodify will not take the add and replace in one go? My 
slow laptop?

Cheers and thanks again for your help.
Steve
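
Added example, not part of the original post and not Samba project code: the parsing steps of the script above with input validation, run over the wbinfo output quoted in the post, so it needs no Samba install. It generalizes `cut -d "-" -f 8` to "last sub-authority of a validated domain SID"; the character set accepted by valid_name is an assumption, and BASE_DN and HOME_ROOT are the values from the post's script.

```shell
#!/bin/sh
# Added example: validate wbinfo output before it is written into LDIF that is
# applied to sam.ldb as root. Function names here are hypothetical.
BASE_DN="DC=hh3,DC=site"
HOME_ROOT="/home/CACTUS"

# Names end up in a DN, a path and a command line: allow a conservative set
# (assumption) and reject a leading '-' so a name cannot be read as an option.
valid_name() {
    case $1 in ''|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# Print colon-separated field $2 of line $1, only if it is a decimal number.
numeric_field() {
    f=$(printf '%s\n' "$1" | cut -d: -f"$2")
    case $f in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$f"
}

# Print the RID (last sub-authority) of a domain SID S-1-5-21-a-b-c-RID.
rid_from_sid() {
    printf '%s\n' "$1" |
        grep -E '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' | sed 's/.*-//' | grep .
}

# Stage 1 LDIF: add the posix attributes. Arguments: user uid gid.
posix_ldif() {
    valid_name "$1" || return 1
    printf 'dn: CN=%s,CN=Users,%s\nchangetype: modify\n' "$1" "$BASE_DN"
    printf 'add: %s\n%s: %s\n-\n' objectclass objectclass posixaccount \
        uidnumber uidnumber "$2" gidnumber gidnumber "$3" \
        unixhomedirectory unixhomedirectory "$HOME_ROOT/$1"
    printf 'add: loginshell\nloginshell: /bin/bash\n'
}

# Stage 2 LDIF: set primaryGroupID to the group's RID. Arguments: user rid.
primary_group_ldif() {
    valid_name "$1" || return 1
    printf 'dn: CN=%s,CN=Users,%s\nchangetype: modify\n' "$1" "$BASE_DN"
    printf 'replace: primarygroupid\nprimarygroupid: %s\n' "$2"
}

# Sample wbinfo output copied from the post (stands in for live wbinfo calls).
USER_LINE='CACTUS\steve6:*:3000015:3000016::/home/CACTUS/steve6:/bin/false'
GROUP_LINE='suseusers:*:3000028:'
SID='S-1-5-21-2395500911-3560017633-4088823418-1134'
uid=$(numeric_field "$USER_LINE" 3) && gid=$(numeric_field "$GROUP_LINE" 3) &&
    rid=$(rid_from_sid "$SID") && posix_ldif steve6 "$uid" "$gid" &&
    primary_group_ldif steve6 "$rid"
```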



