A new object class (sambaSamAccount) has been introduced to replace
the old sambaAccount. This change aids in the renaming of attributes
to prevent clashes with attributes from other vendors. There is a
conversion script (examples/LDAP/convertSambaAccount) to modify an LDIF
file to the new schema.

    $ ldapsearch .... -LLL -b "ou=people,dc=..." > old.ldif
    $ convertSambaAccount --sid <DOM SID> --input old.ldif --output new.ldif

The <DOM SID> can be obtained by running

    net getlocalsid <DOMAINNAME>

on the Samba PDC as root.
Under Samba-2.x the domain SID can be obtained by executing:

    smbpasswd -S <DOMAINNAME>

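A post-conversion check for new.ldif, added here as an example and not part of Samba or of the original page: it flags entries still on the old sambaAccount class and sambaSamAccount entries whose sambaSID does not sit under the domain SID. The sample LDIF, the SID value and the function names parse_ldif and audit are constructed for illustration; the check assumes converted accounts carry sambaSID in the form <DOM SID>-<RID>.

```python
import base64
import re

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed, as is the LDIF below
SAMPLE_LDIF = f"""dn: uid=alice,ou=people,dc=example,dc=org
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1111111111-2222222222-
 3333333333-3000

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: sambaAccount

dn: uid=carol,ou=people,dc=example,dc=org
objectClass: sambaSamAccount
sambaSID:: {base64.b64encode(b'S-1-5-21-9-9-9-3004').decode()}
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry (unfolds lines, decodes base64)."""
    entries = []
    # A newline followed by one space is an LDIF fold; blank lines separate entries.
    for block in re.split(r"\n\s*\n", text.replace("\n ", "")):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            if value.startswith(":"):  # "attr:: ..." carries a base64 value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit(text, domain_sid):
    """Return (dn, problem) pairs for entries the conversion left inconsistent."""
    findings = []
    for e in parse_ldif(text):
        dn = e.get("dn", ["?"])[0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "sambaaccount" in classes:
            findings.append((dn, "old sambaAccount object class still present"))
        # Assumption: converted accounts carry sambaSID = <domain SID>-<RID>.
        prefix, _, rid = e.get("sambasid", [""])[0].rpartition("-")
        if "sambasamaccount" in classes and (prefix != domain_sid or not rid.isdigit()):
            findings.append((dn, "sambaSID missing or not under the domain SID"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_LDIF, DOMAIN_SID), sep="\n")
```
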
sambaAccount schema may still be used by specifying the
passdb backend. However, the sambaAccount and
associated attributes have been moved to the historical section of
the schema file and must be uncommented before use if needed.
The Samba-2.2 object class declaration for a
sambaAccount has not changed
in the Samba-3
Other new object classes and their uses include:

sambaDomain: domain information used to allocate RIDs
for users and groups as necessary. The attributes are added
to the “ldap suffix” directory entry automatically if
an idmap UID/GID range has been set and the “ldapsam”
passdb backend has been selected.

sambaGroupMapping: an object representing the
relationship between a posixGroup and a Windows
group/SID. These entries are stored in the “ldap
group suffix” and managed by the “net groupmap” command.

sambaUNIXIdPool: created in the “ldap idmap suffix” entry
automatically and contains the next available “idmap UID” and

sambaIdmapEntry: an object storing a mapping between a
SID and a UNIX UID/GID. These objects are created by the
idmap_ldap module as needed.