Re: [Samba] samba 3.4.3 DC breaks Windows groups

2009-11-30 Thread Gaiseric Vandal

I consolidated group entries as described in the previous post.

By mistake, I initially set the same SID for the Domain Users and Domain 
Guests.  So net rpc user info someuser would display the wrong 
output.  I fixed this but had to my Samba 3.0.x BDC to get the update to 
stick.  I also zapped all the *cache*.tdb files on that machine, which 
may have been a mistake.


Initially the Samba 3.0.x BDC would not start.  smb.conf had the guest 
account = nobody entry, which had worked in the past.  However, the 
error logs said that nobody no longer existed.  I had to create an 
ldap/samba smb_nobody user and group and update smb.conf for guest 
account = smb_nobody.  At that point samba would start; however, I 
could not view the samba server in network neighborhood or access any 
shares via net use ... or smbclient ...


For the moment, I have reverted to the earlier smb.conf and disabled 
samba 3.4.x.   My guess is that samba choked on loading groups that did 
not have a proper SID.  I have about 230 unix/ldap groups and didn't 
want to have to create an explicit group mapping (SID entry) for each group.










Re: [Samba] samba 3.4.3 DC breaks Windows groups

2009-11-25 Thread Gaiseric Vandal
I added the index.  (The Sun DS Admin guide has pretty simple 
instructions on doing this.)


I also added some additional indexes as per the following

http://wiki.samba.org/index.php/2.0:_Configuring_LDAP

Unfortunately this did not resolve the problem.


It does look like I have the 3.0 schema installed.  The samba source 
directory includes a 3.2 version:

examples/LDAP/samba-schema-netscapeds5.x

(The Sun Directory server is derived from the Netscape DS.)


I may try updating this off-hours.

Thanks



On 11/25/09 03:41, Jan Wenzel wrote:

Gaiseric Vandal wrote:
> I assume an index is not an actual LDAP attribute or object like
> sambaSID but is more like a database index for optimizing searches?

You're right :) But in some cases like substring search (samba searches
i.e. for sambaSID=S-1-5-32-* to get the local groups) they are needed to
get results. I don't know where to configure the indexes exactly in SDS,
but I'm sure it is possible.

> I use Sun's Directory Server (LDAP server) as the backend.  I use Apache
> Directory Studio for managing objects and attributes within ldap.  I
> should be able to use Sun's web-based console for creating the indexes.
>
> Is there something I need to specify in smb.conf to tell Samba to use
> the index?

Samba does not know anything about the configuration details of the LDAP
server, it only talks LDAP - so it should instantly show groups when the
index is present.

> I also noticed that if I try to compile samba with Active Directory
> support, configure fails with
>
> configure: error: Active Directory support requires ldap_initialize

I would prefer to use the prebuilt linux packages from ftp.sernet.de (if
you have a linux system).

> Since sun has ldap client support included in the OS I do not have
> openldap installed.  I don't need Active Directory but it makes me
> suspect that there may be some other ldap compatibility issues when
> using Sun ldap client vs Openldap client.
>
> Thanks

HTH
Jan


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] samba 3.4.3 DC breaks Windows groups

2009-11-25 Thread Gaiseric Vandal
I have done the following:

- Added index for sambaSID and other attributes as per the following
  http://wiki.samba.org/index.php/2.0:_Configuring_LDAP
- Replaced the samba 3.0 schema file in my LDAP Server (Sun Directory
  Server) with the 3.2 version
- Installed samba 3.4.3 packages from sun freeware to replace those I
  compiled from source.
- Reindexed with dsconf reindex -h ldapserver -t sambaSID o=mydomain.com

Unfortunately this did not resolve the group membership problem (i.e. a user
account only appears to be in its primary group).


Querying the Samba 3.4.x BDC 

# net rpc user info Administrator -U Administrator -S BDC2
Enter Administrator's password:
Domain Users
#


Querying the Samba 3.0.x PDC

# net rpc user info Administrator -U Administrator -S PDC
Enter Administrator's password:
Domain Admins
Domain Users
# 


As far as I can tell from the comments at the top of each ldif file, the
only change was the addition of sambaTrustedDomainPassword objectClasses.






Re: [Samba] samba 3.4.3 DC breaks Windows groups

2009-11-25 Thread Gaiseric Vandal
I think I have found the problem:

Samba 3.0.x looks for group mappings in the ldap group suffix param.  On
my systems this is ldap group suffix = ou=smb_groups.   Regular unix
groups are just in ou=groups.   Initially we had used NIS (then LDAP) for
unix groups, and had used tdbsam for the samba account backend.  Group
mappings were also in tdb.  When we moved to ldap backend, group mappings
were imported into ou=smb_groups.

Samba 3.4.x reads through the entire ldap tree.  Since I have both cn=Domain
Administrators,ou=smb_groups and cn=smb_domadmins,ou=group both with the
same gidNumber, group membership processing fails.

Therefore I think the solution will be to consolidate entries.  For example:

- Replace cn=smb_domadmins,ou=group with cn=Domain Administrators,ou=group
- Copy the sambaSID from cn=Domain Administrators,ou=smb_groups to
  cn=Domain Administrators,ou=group
- Repeat for all the other mapped groups
- Update smb.conf on the 3.0.x servers to use ldap group suffix = ou=group.


This is assuming of course that Solaris doesn't have problems with group
names with spaces.






Re: [Samba] samba 3.4.3 DC breaks Windows groups

2009-11-24 Thread Gaiseric Vandal
I assume an index is not an actual LDAP attribute or object like 
sambaSID but is more like a database index for optimizing searches?

I use Sun's Directory Server (LDAP server) as the backend.  I use Apache 
Directory Studio for managing objects and attributes within ldap.  I 
should be able to use Sun's web-based console for creating the indexes.

Is there something I need to specify in smb.conf to tell Samba to use 
the index?

I also noticed that if I try to compile samba with Active Directory 
support, configure fails with

configure: error: Active Directory support requires ldap_initialize

Since sun has ldap client support included in the OS I do not have 
openldap installed.  I don't need Active Directory but it makes me 
suspect that there may be some other ldap compatibility issues when 
using Sun ldap client vs Openldap client.

Thanks





On 11/24/09 04:33, Jan Wenzel wrote:

Hi, you have to create a 'sub' index for sambaSID in your LDAP
configuration. The way samba searches for groups has been changed with
samba 3.2 and above.

I think you also need to install the new schema to be able to create a
sub index.

Greetings
Jan

[Samba] samba 3.4.3 DC breaks Windows groups

2009-11-23 Thread Gaiseric Vandal

I have the following setup:

PDC:  Samba 3.0.37 on Solaris 10
BDC1: Samba 3.0.37 on Solaris 10
BDC2: Samba 3.4.3 on Solaris 10


Samba 3.0.37 is the bundled version of Samba.
Samba 3.4.3 is compiled from source.

BDC2 is a recent addition to the network.
All machines use LDAP as the backend for everything.  They use winbind to
handle a domain trust with another domain, but otherwise it isn't needed.

On BDC2, users do not appear to be in any groups beyond Domain Users.


Group mapping seems OK on each DC.

BDC2# net groupmap list
Domain Admins (S-1-5-21-x-x-512) - smb_domadmins
Domain Users (S-1-5-21-x-x-513) - smb_domusers
Domain Guests (S-1-5-21-x-x9-514) - smb_domguests
Domain Computers (S-1-5-21-x-x-515) - smb_machines
Domain Controllers (S-1-5-21-x-x-516) - smb_dc
Domain Certificate Admins (S-1-5-21-x-x-517) - smb_domcertadmins
Builtin Admins (S-1-5-21-x-x-544) - smb_admins
Builtin users (S-1-5-21-x-x-545) - smb_users
Builtin Guests (S-1-5-21-x-x-546) - smb_guests
Administrators (S--544) - 
Users (S--545) - 
BDC2#

The last two in the listing above were automatically created by 
winbind/idmap for a trusted domain.




Unix level group memberships are OK

BDC2# groups Administrator
smb_domadmins smb_domusers
BDC2#

Windows/Samba level group memberships are not

BDC2# net rpc user info Administrator -U Administrator -S PDC
Enter Administrator's password:
Domain Admins
Domain Users
BDC2#


BDC2# net rpc user info Administrator -U Administrator -S BDC2
Enter Administrator's password:
Domain Users
BDC2#


Same deal with regular users.

Note: Not all unix groups are mapped to Windows groups.  However I 
believe all required well known windows groups are.

Ldap structure includes
ou=people
ou=group
ou=smb_groups (where samba stores group mappings, ldap 
objectClass=sambaGroupMapping)






You can verify which PDC or BDC is being used by a Windows client 
with the echo %LOGONSERVER% command.

If I logon as Domain Administrator to an XP or Win 2003 machine that is 
using BDC2, I will not have any Administrator privileges.



smb.conf includes
ldap group suffix = ou=smb_groups


(When I converted from tdb to ldap backend,  I already had unix groups 
in ldap and wasn't sure how stuff would import. I don't think 
existing groups or group mappings imported so I had to manually retype 
the net group map commands.  )


The Domain Admins sambaGroupMapping does include Administrator as a 
member.




BDC2# net rpc group members Domain Admins -U Administrator -S PDC
MYDOMAIN\Administrator
MYDOMAIN\jsmith


BDC2# net rpc group members Domain Admins -U Administrator -S BDC2
Enter Administrator's password:
MYDOMAIN\Administrator
MYDOMAIN\jsmith





Thanks







Re: [Samba] samba 3.4.3 DC breaks Windows groups

2009-11-23 Thread Gaiseric Vandal
On the assumption that Unix systems (solaris and linux) will not like spaces
in names, I never created unix groups called Domain Admins and Domain
Users etc.  Instead I had created smb_domadmins and smb_domusers etc.

I don't know if Windows systems actually pay attention to the name of the
group (e.g. Domain Admins) or just the SID (e.g. S-1-5-21--512.)
We would have a similar issue with a group like Human Resources but not
with Marketing.

On samba 3.0.x, setting the ldap group suffix parameter is honored.  On Samba
3.4.x it seems to be ignored - instead samba seems to read the entire ldap
tree (or at least from the ldap suffix parameter down.)  pdbedit -Lv
Administrator on samba 3.4 will then complain about duplicate entries:

BDC2# pdbedit -Lv Administrator
smbldap_search_domain_info: Searching
for:[((objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: Administrator
ldapsam_getgroup: Duplicate entries for filter
((objectClass=sambaGroupMapping)
(gidNumber=512)): count=2



Since in this case I have both of the following objects in ldap:

dn: cn=Domain Admins,ou=smb_groups,o=mydomain.com
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: top
cn: Domain Admins
description: Domain Admins
displayName: Domain Admins
gidNumber: 512
sambaGroupType: 2
sambaSID: S-1-5-21-**-512

AND

dn: cn=smb_domadmins,ou=group,o=mydomain.com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: groupOfUniqueNames
cn: domadmins
description: domadmins
displayName: domadmins
gidNumber: 512
memberUid: Administrator
.
sambaGroupType: 2
sambaSID:
...


I also noticed the following:

Output from pdbedit on samba 3.4.x includes

ldapsam_getgroup

Output from pdbedit on samba 3.0.x includes

init_group_from_ldap

I am not sure if that is somehow related.

Thanks
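The duplicate-gidNumber lookup failure in the pdbedit trace above, the groups without a proper SID from the 11/30 post and the SID mix-up it mentions can all be caught by auditing an LDIF export of the group tree before Samba trips over them. The script below is an added example, not code from this thread or from Samba; its LDIF sample, the o=example.com suffix and the SIDs are constructed.

```python
"""Audit an LDIF export for the Samba group-mapping faults this thread hits:
two sambaGroupMapping entries sharing a gidNumber (Samba 3.4 then logs
"Duplicate entries for filter"), two entries sharing a sambaSID, and mapped
groups with no sambaSID. Added example, not the thread's code; LDIF is constructed."""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=smb_groups,o=example.com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
sambaSID: S-1-5-21-1-2-3-512

dn: cn=smb_domadmins,ou=group,o=example.com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: smb_domadmins
gidNumber: 512
sambaSID:

dn: cn=smb_domusers,ou=group,o=example.com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: smb_domusers
gidNumber: 513
sambaSID: S-1-5-21-1-2-3-513

dn: cn=smb_domguests,ou=group,o=example.com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: smb_domguests
gidNumber: 514
sambaSID: S-1-5-21-1-2-3-513

dn: cn=finance,ou=group,o=example.com
objectClass: posixGroup
cn: finance
gidNumber: 1002
"""

def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]} dicts with lower-cased
    attribute names. Folded lines are joined; base64 (::) values are not decoded."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # continuation of previous line
            unfolded[-1] += raw[1:]
        elif not raw.startswith("#"):
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:                 # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        current = current if current is not None else defaultdict(list)
        current[attr.strip().lower()].append(value.strip())
    return entries

def audit_group_mappings(entries):
    """Check only entries Samba's (&(objectClass=sambaGroupMapping)(gidNumber=N))
    lookup would match, in whatever OU they sit; a plain posixGroup is skipped."""
    by_gid, by_sid, missing_sid = defaultdict(list), defaultdict(list), []
    for e in entries:
        if "sambagroupmapping" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        dn = e["dn"][0]
        for gid in e.get("gidnumber", []):
            by_gid[gid].append(dn)
        sids = [s for s in e.get("sambasid", []) if s]   # "" = attribute present, empty
        if not sids:
            missing_sid.append(dn)
        for sid in sids:
            by_sid[sid].append(dn)
    return {
        "duplicate_gid": {k: v for k, v in by_gid.items() if len(v) > 1},
        "duplicate_sid": {k: v for k, v in by_sid.items() if len(v) > 1},
        "missing_sid": missing_sid,
    }

if __name__ == "__main__":
    print(audit_group_mappings(parse_ldif(SAMPLE_LDIF)))
```

On a real directory, feed it the output of an ldapsearch over the whole suffix rather than only the ldap group suffix OU, since that is the scope Samba 3.4 searches.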






