I have spent the last few days attempting to get a Samba3 PDC/BDC setup with an LDAP SAM and need some clarification on exactly what should/can be initialized in the LDAP SAM.

As my main sources of information/inspiration I have been using http://http://wiki.samba.org/index.php/Replicated_Failover_Domain_Controller_and_file_server_using_LDAP and the smbldap-tools source code, but have also been reading "Samba by Example" and the Samba How-tos. Unfortunately there are inconsistencies that I cannot resolve.

The short version of the question is - is there a full specification (preferably in the form of an LDIF file) of everything that can/should be initialized in the LDAP SAM?

The longer version is:

1) Both the Wiki and smbldap-tools have sambaGroupType set to 5 for the BUILTIN groups. I found this reference saying that the sambaGroupType should be 4 for BUILTIN groups: http://samba.2283325.n4.nabble.com/LDAP-backend-and-sambaGroupType-for-builtin-groups-td2446893.html Which is correct?

2) The Wiki page has all the BUILTIN groups with "full domain" SIDs, but smbldap-tools has what I think are the correct SIDs for these groups. Which is correct? e.g. for Account Operators the Wiki has S-1-5-21-3809161173-2687474671-1432921517-548 and smbldap-tools has S-1-5-32-548.

3) http://support.microsoft.com/kb/243330 has a long list of the well known SIDs, many of which do not make sense in a Samba domain, but is there a full list of all the ones that do make sense for Samba and what the LDAP SAM should be initialized to to implement them?

Thanks

Mike

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
Quoting Mike Brady <mike.brady at devnull.net.nz>:

> I have spent the last few days attempting to get a Samba3 PDC/BDC setup with an LDAP SAM and need some clarification on exactly what should/can be initialized in the LDAP SAM.
> [...]
Further to the above I have used a Centos 5.5 x86_64 system and the Sernet RPMs to set up a PDC with an LDAPSAM. I have used the smbldap SIDs and set the sambaGroupType to 4 and am able to join machines to the domain and logon as domain users, so hopefully my guesses are not too far wrong.

I get the following command outputs:

[root at ad01 ~]# wbinfo -g
domain admins
domain users
domain guests
domain computers

[root at ad01 ~]# wbinfo -u
nobody
root
test01
test2

[root at ad01 ~]# net sam list localgroups

[root at ad01 ~]# net sam list groups
Domain Admins
Domain Users
Domain Guests
Domain Computers

[root at ad01 ~]# net sam list builtin
Administrators
Users
Guests
Power Users
Account Operators
Print Operators
Backup Operators

[root at ad01 ~]# net sam list users
nobody
root
test01
test2

Are these what are expected?

I got a Wiki account last night and will update the Wiki if someone in the know can confirm my guess work.

Many Thanks

Mike
On Mon, 2011-02-21 at 21:08 +1300, Mike Brady wrote:
> I have spent the last few days attempting to get a Samba3 PDC/BDC setup with an LDAP SAM and need some clarification on exactly what should/can be initialized in the LDAP SAM.
> [...]
Mike,

Try this from the Official Samba How-To

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html

In the section "Default Users, Groups, and Relative Identifiers". The only three _required_ groups are:

Domain Admins, RID=512
Domain Users, RID=513
Domain Guests, RID=514

In addition to these groups I also have the following domain users just for completeness:

Domain Administrator, RID=500
Domain Guest, RID=501

The builtin groups (RIDS=544 through 533) are not listed as required, but you can put them in your ldapsam backend. You will have to add them with sambaGroupType=4 if you want them to show up in usermgr.exe.

If I have got the correct understanding, SIDs that start with S-1-2-21 will be domain SIDs and will be followed by the domain sid and then a RID. The SIDs that start with S-1-2-32 are for local SIDs (machine local users and groups) and should be put in a machine local backend (at least when I get the time I will look into putting them into a local tdbsam on the local server).

Unfortunately, as you have found, you have to piece together a lot of different sources to find the correct working solution for your specific situation. Although I have a working ldapsam backend I wish I could take the time and recreate and redo my Samba Domain with the knowledge that I have gained over the past three plus years (that I have incorporated LDAP). However, I can find the time to try and normalize my old LDIF files and format them with what I think a "minimal" Samba Domain should contain and send them to you, but these will most likely be specific just to a Samba3+LDAP domain (I have no intention of going to Samba4 any time soon).

Bob
--bs
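As an added example (not code from the thread, the Samba Wiki or smbldap-tools), here is a small Python check that applies the rules discussed in this thread to sambaGroupMapping entries in an LDIF: BUILTIN aliases use S-1-5-32-RID SIDs with sambaGroupType 4, domain groups use the domain SID plus a RID, and the three required groups (RIDs 512-514) must exist. The sample LDIF, the dc=example,dc=com base and sambaGroupType 2 for domain groups are assumptions; the domain SID is the one from Mike's Account Operators example, and the BUILTIN names are the ones his `net sam list builtin` output shows.

```python
# Constructed sample LDIF (not from the thread): a correct domain group plus the
# Wiki-style Account Operators entry Mike asked about (domain SID, sambaGroupType 5).
DOMAIN_SID = "S-1-5-21-3809161173-2687474671-1432921517"  # domain SID from Mike's example
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
objectClass: sambaGroupMapping
cn: Domain Admins
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-512
sambaGroupType: 2

dn: cn=Account Operators,ou=Groups,dc=example,dc=com
objectClass: sambaGroupMapping
cn: Account Operators
sambaSID: S-1-5-21-3809161173-2687474671-1432921517-548
sambaGroupType: 5
"""
# Required domain groups per Bob's reply; BUILTIN aliases as listed by `net sam list builtin`.
REQUIRED = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
BUILTIN = {544: "Administrators", 545: "Users", 546: "Guests", 547: "Power Users",
           548: "Account Operators", 550: "Print Operators", 551: "Backup Operators"}

def parse_ldif(text):
    """Tiny LDIF reader: blank-line separated entries of single-valued 'attr: value' lines."""
    return [dict(line.partition(": ")[::2] for line in block.splitlines())
            for block in text.strip().split("\n\n")]

def check_group_mappings(entries, domain_sid):
    """Return a list of findings; an empty list means the group mappings are consistent."""
    findings, domain_rids = [], set()
    for e in entries:
        name, sid, gtype = e["cn"], e["sambaSID"], e["sambaGroupType"]
        rid = int(sid.rsplit("-", 1)[1])
        if sid == f"S-1-5-32-{rid}":              # BUILTIN alias: sambaGroupType 4 (thread)
            if gtype != "4":
                findings.append(f"{name}: BUILTIN alias has sambaGroupType {gtype}, expected 4")
        elif sid == f"{domain_sid}-{rid}":         # domain group: sambaGroupType 2 (assumed)
            domain_rids.add(rid)
            if rid in BUILTIN:
                findings.append(f"{name}: RID {rid} is BUILTIN {BUILTIN[rid]}, use S-1-5-32-{rid}")
            elif gtype != "2":
                findings.append(f"{name}: domain group has sambaGroupType {gtype}, expected 2")
        else:
            findings.append(f"{name}: SID {sid} is neither BUILTIN nor in domain {domain_sid}")
    findings += [f"missing required group {n} (RID {r})" for r, n in REQUIRED.items() if r not in domain_rids]
    return findings

print(*check_group_mappings(parse_ldif(SAMPLE_LDIF), DOMAIN_SID), sep="\n")
```

Run against the sample it reports the Wiki-style Account Operators SID and the two missing required groups; point it at an LDIF exported from your own ldapsam to compare it with what the thread settled on.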
> Mike,
>
> Try this from the Official Samba How-To
>
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html
> [...]

Bob,

Thanks for the thoughts.
I had seen the group mapping page and have read it and many others a number of times :-)

As you say there is a lot of information in different places to piece together and it doesn't help when a lot of it is wrong. But no matter. Onwards and upwards.

I have an LDIF file that I think is correct based on my knowledge and that gets me a running domain. I will go over it again and tidy it up some more.

I am sure that I have some challenges to come still, but I will keep bashing away at it.

Thanks

Mike
usermgr.exe is not functional any more in Vista and above, and XP is announced end of lifetime. Just use an LDAP tool for Windows to manage the users.

-----------------------------------------------
IT, Daniel Müller
Head of IT, Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Robert W. Smith
Sent: Tuesday, 22 February 2011 01:04
To: samba at lists.samba.org
Subject: Re: [Samba] Initializing a Samba3 ldapsam

On Mon, 2011-02-21 at 21:08 +1300, Mike Brady wrote:
> [...]
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba