I have spent the last few days attempting to get a Samba3 PDC/BDC
setup with an LDAP SAM and need some clarification on exactly what
should/can be initialized in the LDAP SAM.
As my main sources of information/inspiration I have been using
http://http://wiki.samba.org/index.php/Replicated_Failover_Domain_Controller_and_file_server_using_LDAP and >the smbldap-tools source code, but have also been reading "Samba by Example" and the Samba How-tos. >Unfortunately there are inconsistencies that I can not
resolve.
The short version of the question is - is there a full
specification (preferably in the form of an LDIF file) of
everything that can/should be initialized in the LDAP SAM?
The longer version is:
1) Both the Wiki and smbldap-tools have sambaGroupType set to 5 for
the BUILTIN groups. I found this reference saying that the
sambaGroupType should be 4 for BUILTIN groups.
http://samba.2283325.n4.nabble.com/LDAP-backend-and-sambaGroupType-for-builtin-groups-td2446893.html
Which is correct?
2) The Wiki page has all the BUILTIN groups with "full domain"
SIDs, but smbldap-tools has what I think are the correct SID for
these groups. Which is correct?
e.g. for Account Operators the Wiki has
S-1-5-21-3809161173-2687474671-1432921517-548 and smbldap-tools has
S-1-5-32-548.
3) http://support.microsoft.com/kb/243330 has a long list of the
well known SIDs, many of which do not make sense in a Samba
domain, but is there a full list of all the ones that do make
sense for Samba and what the LDAP SAM should be initialized to to
implement them?
Thanks
Mike
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
Mike,
Try this from the Official Samba How-To
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html
In the section in the section, "Default Users, Groups, and Relative
Identifiers". The only three _required_ groups are: Domain Admins, RID=512
Domain Users, RID=513
Domain Guests, RID=514
In addition to these groups I also have the following domain users just
for completeness: Domain Administrator, RID=500
Domain Guest, RID=501
The builtin groups (RIDS=544 through 533) are not listed as required,
but you can put them in your ldapsam backend. You will have to add them
with, sambaGroupType=4, if you want them to show up in usermgr.exe.
If I have got the correct understanding, SIDs that start with S-1-2-21
will be domain SIDs and will be followed by the domain sid and then a
RID. The SIDs that start with S-1-2-32 are for local SIDs (machine local
users and groups) and should be put in a machine local backend (at least
when I get the time I will look into putting them into a local tdbsam on
the local server).
Unfortunately, as you have found, you have to piece together a lot of
different sources to find the correct working solution for your specific
situation. Although I have a working ldapsam backend I wish I could take
the time and recreate and redo my Samba Domain with the knowledge that I
have gained over the past three plus years (that I have incorporated
LDAP). However, I can find the time to try and normalize my old LDIF
files and
format them with what I think a "minimal" Samba Domain should contain
and send them to you but these will most likely be specific just to a
Samba3+LDAP domain (I have no intention of going to Samba4 any time
soon).
Bob
--bs
Bob
Thanks for the thoughts.
I had seen the group mapping page and have read it and many others a
number of times :-) As you say there is lot of information in
different places to piece together and it doesn't help when a lot of
it is wrong.
But no matter. On wards and upwards. I have an LDIF file that I
think is correct based on my knowledge and that gets me a running
domain. I will go over it again and tidy it up some more. I am sure
that I have some challenges to come still, but I will keep bashing
away at it.
Thanks
Mike
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
