Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Mail Systems
Eclipse Documentation

How To Guides
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions
Privacy Policy




Samba HowTo Guide
Prev Home Next


This section outlines the new features effecting Samba/LDAP integration.

New Schema

A new object class (sambaSamAccount) has been introduced to replace the old sambaAccount. This change aids in the renaming of attributes to prevent clashes with attributes from other vendors. There is a conversion script (examples/LDAP/convertSambaAccount) to modify an LDIF file to the new schema.


		$ ldapsearch .... -LLL -b "ou=people,dc=..." > old.ldif
		$ convertSambaAccount --sid <DOM SID> --input old.ldif --output new.ldif

The <DOM SID> can be obtained by running


net getlocalsid <DOMAINNAME>

on the Samba PDC as root.

Under Samba-2.x the domain SID can be obtained by executing:


smbpasswd -S <DOMAINNAME>

The old sambaAccount schema may still be used by specifying the ldapsam_compat passdb backend. However, the sambaAccount and associated attributes have been moved to the historical section of the schema file and must be uncommented before use if needed. The Samba-2.2 object class declaration for a sambaAccount has not changed in the Samba-3 samba.schema file.

Other new object classes and their uses include:

  • sambaDomain domain information used to allocate RIDs for users and groups as necessary. The attributes are added in “ldap suffix” directory entry automatically if an idmap UID/GID range has been set and the “ldapsam” passdb backend has been selected.

  • sambaGroupMapping an object representing the relationship between a posixGroup and a Windows group/SID. These entries are stored in the “ldap group suffix” and managed by the “net groupmap” command.

  • sambaUNIXIdPool created in the “ldap idmap suffix” entry automatically and contains the next available “idmap UID” and “idmap GID”.

  • sambaIdmapEntry object storing a mapping between a SID and a UNIX UID/GID. These objects are created by the idmap_ldap module as needed.

New Suffix for Searching

The following new smb.conf parameters have been added to aid in directing certain LDAP queries when passdb backend = ldapsam://... has been specified.

  • ldap suffix used to search for user and computer accounts.

  • ldap user suffix used to store user accounts.

  • ldap machine suffix used to store machine trust accounts.

  • ldap group suffix location of posixGroup/sambaGroupMapping entries.

  • ldap idmap suffix location of sambaIdmapEntry objects.

If an ldap suffix is defined, it will be appended to all of the remaining subsuffix parameters. In this case, the order of the suffix listings in smb.conf is important. Always place the ldap suffix first in the list.

Due to a limitation in Samba's smb.conf parsing, you should not surround the domain names with quotation marks.

IdMap LDAP Support

Samba-3 supports an LDAP backend for the idmap subsystem. The following options inform Samba that the idmap table should be stored on the directory server onterose in the ou=Idmap,dc=quenya,dc=org partition.

idmap backend = ldap:ldap://onterose/
ldap idmap suffix = ou=Idmap
idmap uid = 40000-50000
idmap gid = 40000-50000

This configuration allows Winbind installations on multiple servers to share a UID/GID number space, thus avoiding the interoperability problems with NFS that were present in Samba-2.2.

Samba HowTo Guide
Prev Home Next

  Published under the terms fo the GNU General Public License Design by Interspire