samba - Oct 2008 - LDAP backend and sambaGroupType for builtin groups

Hi,

I have a question about sambaGroupType attribute on a Samba 3.2 PDC
with LDAP backend (and nss_ldap + nss_winbind).

What should be the value for Administrators builtin group ?

If i use smbldap-populate from smbldap-tools, the value of
sambaGroupType is 5 (and the LDAP entry for this group is a posixGroup
and a sambaGroupMapping).
I've also noticed that "wbinfo -g" doesn't list the group.
"getent
group" displays the group correctly (i guess because of the posixGroup
and nss_ldap) but the domain administrator account is not listed in
that group (no nested group expand).

If i simply start Samba without provisioning the Administrators
builtin group in LDAP, Samba automaticaly creates it:

dn: sambaSID=S-1-5-32-544,ou=groups,dc=mydomain
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-544
sambaGroupType: 4
displayName: Administrators
gidNumber: XXXXXX
structuralObjectClass: sambaSidEntry
sambaSIDList: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-512

The value of sambaGroupType is 4 (and there is no posixGroup) and
"wbinfo -g" list the group as "BUILTIN\administrators".
"getent group"
works fine (the domain administrator account is listed in the builtin
Administrators group).

Can anyone explains me what the correct value for sambaGroupType
should be in Samba 3.2? I guess "4" but i'm not sure as a lot of
people seems to use the smbldap-tools (which said "5").

Another question, is it ok to add a posixAccount object class in a
builtin local group. If yes, how to avoid having twice the group entry
in "getent group" (one by nss_ldap and one by nss_winbind)?

Thanks!

On Thu, Oct 16, 2008 at 11:32:03AM +0200, S?bastien Prud'homme
wrote:
> Hi,
> 
> I have a question about sambaGroupType attribute on a Samba 3.2 PDC
> with LDAP backend (and nss_ldap + nss_winbind).
> 
> What should be the value for Administrators builtin group ?
> 
> If i use smbldap-populate from smbldap-tools, the value of
> sambaGroupType is 5 (and the LDAP entry for this group is a posixGroup
> and a sambaGroupMapping).
> I've also noticed that "wbinfo -g" doesn't list the
group. "getent
> group" displays the group correctly (i guess because of the posixGroup
> and nss_ldap) but the domain administrator account is not listed in
> that group (no nested group expand).
> 
> If i simply start Samba without provisioning the Administrators
> builtin group in LDAP, Samba automaticaly creates it:
> 
> dn: sambaSID=S-1-5-32-544,ou=groups,dc=mydomain
> objectClass: sambaSidEntry
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-32-544
> sambaGroupType: 4
> displayName: Administrators
> gidNumber: XXXXXX
> structuralObjectClass: sambaSidEntry
> sambaSIDList: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-512
> 
> The value of sambaGroupType is 4 (and there is no posixGroup) and
> "wbinfo -g" list the group as "BUILTIN\administrators".
"getent group"
> works fine (the domain administrator account is listed in the builtin
> Administrators group).
> 
> Can anyone explains me what the correct value for sambaGroupType
> should be in Samba 3.2? I guess "4" but i'm not sure as a lot
of
> people seems to use the smbldap-tools (which said "5").
That's a bug in smbldap-tools, I sent them a patch
for this. See :

https://bugzilla.samba.org/show_bug.cgi?id=5551

for details (and here :

https://bugzilla.samba.org/attachment.cgi?id=3369&action=view

is the patch for smbldap-tools.

Jeremy.