[KLUG Members] Help for upgrade to Samba 3.0.1 (LDAPSAM) fm 2.2.8a anybody?

Adam Williams members@kalamazoolinux.org
Mon, 19 Jan 2004 06:51:27 -0500


> |>Now I notice that despite the fact that there is no root group in my
> |>LDAP db, it is displaying as root.  The group is actually named admins.
> |>Is this because admins is gidNumber=0 ?
> | Most likely,  if NSS is using files first (almost certainly true, and
> | correct) then the glibc call will return the name from /etc/group rather
> | than the one from LDAP.  It probably doesn't matter in practice, just is
> | a little confusing. You could change /etc/group to read admins instead
> | of root - just so everything reads the same - the gidNumber is actually
> | what matters anyway.
> "files" is indeed first. I'm a little confused about the whole admins
> thing so let me see if I've got this straight.
> 1. I must have a group, let's call it "admins" whose gidNumber is "0"

UNIX must have a group with a gid of 0 for the sake of historical form.
Samba doesn't care two stiff rat tails what the gidNumber is.

dn: cn=admins,ou=Groups,o=Morrison Industries, c=US
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
gidNumber: 4
memberUid: root
memberUid: steve
memberUid: rhopkins
memberUid: adam
sambaGroupType: 2
displayName: Domain Admins
sambaSID: S-1-5-21-2037442776-3290224752-88127236-512
cn: admins
description: Domain Administrators

I used this group because it was handy, the gidNumber is totally
irrelevant.  Samba cares about the sambaSID, the sambaSID, and only the
sambaSID.  NSS[glibc] uses the gidNumber,  but there doesn't HAVE to be
any relationship whatsoever.

> 2. This "admins" group must be mapped to a "Domain Admins" or
> "Administrators" group (or is that backwards?). (I don't think I need
> both groups do I? Since this is a default/easy/basic setup shouldn't I
> go with the builtin?)

No, the builtin is used in a local security context on an NT (or
whatever) box by a whole bunch of crap that just doesn't exist on a
Samba server.  You want the Domain Admins group so you can do things
like maintain the machine, edit policies, trash the registry, etc...

See http://us1.samba.org/samba/docs/man/groupmapping.html and look in
the "Required" column.

If it helps think of builtins like groups or users that only exist in
"files" but not in "LDAP",  that's really the equivalent.  They only
matter to the physical machine the OS is running on.  Like every LINUX
box in the world has a -
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
- /etc/passwd entry.  You can publish this user in LDAP - but there
really isn't any point - since every LINUX box in the world has a -
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
- /etc/passwd entry.  AND no one else but the local lpd/cupsd cares at
all what the heck the uidNumber for "lp" is.  When was the last time you
"chown lp (unknown)"?  Never!  (Well, unless you really jacked up a
system, like I've done a couple times, but that's another issue).

> 3. Users who are administrative users must belong to either "Domain
> Admins" or "Administrators", whichever is in use.

"Domain Administrators"; or more importantly -> group where sambaSID =
"{SID}-512"
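To make the two points above concrete (NSS resolves a gidNumber through "files" before "ldap", so a gid collision shows the /etc/group name; Samba only looks at the sambaSID, and Domain Admins is the domain SID with RID 512), here is a small added example. It is not code from the post or from Samba: it parses the LDIF entry quoted above plus a second constructed group, checks which entries carry the -512 RID, and emulates the NSS lookup order. The /etc/group lines, the "staff" group and the function names are all constructed for the example.

```python
# Added example (not from the original post or from Samba). It shows why a
# gidNumber=0 group in LDAP displays as "root" when NSS reads "files" first,
# and how Samba identifies Domain Admins purely by sambaSID (domain SID + RID 512).
from collections import defaultdict

# Constructed sample: the admins entry quoted in the post, plus a made-up
# "staff" group whose gidNumber collides with root's gid 0 in /etc/group.
SAMPLE_LDIF = """\
dn: cn=admins,ou=Groups,o=Morrison Industries, c=US
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
gidNumber: 4
memberUid: root
memberUid: steve
sambaGroupType: 2
displayName: Domain Admins
sambaSID: S-1-5-21-2037442776-3290224752-88127236-512
cn: admins
description: Domain Administrators

dn: cn=staff,ou=Groups,o=Morrison Industries, c=US
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 0
sambaSID: S-1-5-21-2037442776-3290224752-88127236-1001
cn: staff
"""

# Constructed /etc/group content (the NSS "files" source).
SAMPLE_ETC_GROUP = """\
root:x:0:
lp:x:7:
"""

DOMAIN_SID = "S-1-5-21-2037442776-3290224752-88127236"  # taken from the sambaSID above
DOMAIN_ADMINS_RID = 512  # well-known RID for Domain Admins


def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, 'attr: value'
    per line, multi-valued attributes collected into lists.
    (No base64 '::' or line-continuation handling; enough for this sample.)"""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(": ")
        if current is None:
            current = defaultdict(list)
        current[attr].append(value)
    if current is not None:
        entries.append(current)
    return entries


def split_sid(sid):
    """Return (domain SID, RID) for an S-1-5-21-... SID string."""
    dom, _, rid = sid.rpartition("-")
    return dom, int(rid)


def is_domain_admins(entry, domain_sid):
    """Samba's view: the group is Domain Admins iff its sambaSID is <domain>-512."""
    dom, rid = split_sid(entry["sambaSID"][0])
    return dom == domain_sid and rid == DOMAIN_ADMINS_RID


def domain_admin_groups(entries, domain_sid):
    """cn values of every entry that maps to Domain Admins, regardless of gidNumber."""
    return [e["cn"][0] for e in entries if is_domain_admins(e, domain_sid)]


def group_name_for_gid(gid, etc_group_text, ldif_entries, order=("files", "ldap")):
    """Emulate glibc NSS: the first source in `order` that knows the gid wins.
    With files first, gid 0 resolves to 'root' even if LDAP has a gid-0 group."""
    for source in order:
        if source == "files":
            for line in etc_group_text.splitlines():
                name, _, gid_str, *_ = line.split(":")
                if int(gid_str) == gid:
                    return name
        elif source == "ldap":
            for entry in ldif_entries:
                if "gidNumber" in entry and int(entry["gidNumber"][0]) == gid:
                    return entry["cn"][0]
    return None


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("Domain Admins groups:", domain_admin_groups(entries, DOMAIN_SID))
    print("gid 0 (files first):", group_name_for_gid(0, SAMPLE_ETC_GROUP, entries))
    print("gid 0 (ldap first): ", group_name_for_gid(0, SAMPLE_ETC_GROUP, entries, ("ldap", "files")))
    print("gid 4:", group_name_for_gid(4, SAMPLE_ETC_GROUP, entries))
```

Running it prints "admins" as the only Domain Admins group (its gidNumber of 4 never enters into it), and shows gid 0 resolving to "root" under the files-first order and to "staff" only when the order is reversed, which is exactly the display confusion described in the quoted exchange.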