LDAP Directories and Windows Computer Accounts
Samba doesn't provide a turnkey solution to LDAP. It is best to deal with the design and
configuration of an LDAP directory prior to integration with Samba. A working knowledge
of LDAP makes Samba integration easy, and the lack of a working knowledge of LDAP can make
it a frustrating experience.
Computer (machine) accounts can be placed wherever you like in an LDAP directory subject
to some constraints that are described in this chapter.
The POSIX and sambaSamAccount components of computer (machine) accounts are both used by Samba.
Thus, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats
them. A user account and a machine account are indistinquishable from each other, except that
the machine account ends in a $ character, as do trust accounts.
The need for Windows user, group, machine, trust, and other accounts to be tied to a valid UNIX
UID is a design decision that was made a long way back in the history of Samba development. It
is unlikely that this decision will be reversed or changed during the remaining life of the
The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that
must refer back to the host operating system on which Samba is running. The NSS is the preferred
mechanism that shields applications (like Samba) from the need to know everything about every
host OS it runs on.
Samba asks the host OS to provide a UID via the “passwd”, “shadow”,
and “group” facilities in the NSS control (configuration) file. The best tool
for achieving this is left up to the UNIX administrator to determine. It is not imposed by
Samba. Samba provides winbindd with its support libraries as one method. It is
possible to do this via LDAP, and for that Samba provides the appropriate hooks so that
all account entities can be located in an LDAP directory.
For many the weapon of choice is to use the PADL nss_ldap utility. This utility must
be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That
is fundamentally an LDAP design question. The information provided on the Samba list and
in the documentation is directed at providing working examples only. The design
of an LDAP directory is a complex subject that is beyond the scope of this documentation.