SAMBA LDAP Accounts

Or how to migrate to LDAP

© 2011-2013 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later

Index

    1. LDAP setup
      1. Adding the SAMBA schema
    2. Our domain
    3. Groups
    4. Accounts
      1. Devices
      2. People
    5. Default group memberships
    6. Debugging tools
      1. net
    7. Resources

LDAP setup

Adding the SAMBA schema

Copy the samba3.schema to /etc/openldap/schema/

Add to slapd.conf:

# Include samba support
include         /etc/openldap/schema/samba3.schema

...

# Make sure no-one can read or write the samba password fields,
# except the LDAP manager.
access to attr=sambaLMPassword,sambaNTPassword
        by dn="cn=manager,dc=example,dc=com" write
        by anonymous auth
        by * none

...

# Create samba indexes
index   sambaSID              eq
index   sambaPrimaryGroupSID  eq
index   sambaDomainName       eq
index   default               sub

Make OpenLDAP work with the new settings:

service ldap stop
slapindex
service ldap start

Our domain

The SID of an NT domain starts with S-1-5-21. Per domain it has a 96 byte unique RID. das_passgen can be used to create a RID like this:

./das_passgen -c 3 -l 30
418744952774608737365306093569

If you split this random number like this: 4187449527-7460873736-5306093569, it can act as the domain RID. The complete domain SID will then look like this: S-1-5-21-4187449527-7460873736-5306093569
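
The domain SID construction described above, as an added example that is not part of the original page. Each SID sub-authority is an unsigned 32-bit integer, so the code draws three values of at most 4294967295 with Python's secrets module instead of splitting a 30-digit number, and checks an existing SID against the same limit; the function names are this example's own.

```python
import re
import secrets

NT_DOMAIN_PREFIX = "S-1-5-21"
MAX_SUBAUTH = 0xFFFFFFFF  # each SID sub-authority is an unsigned 32-bit value


def new_domain_sid():
    """Return a fresh domain SID: S-1-5-21 plus three random 32-bit values."""
    parts = [secrets.randbelow(MAX_SUBAUTH + 1) for _ in range(3)]
    return "-".join([NT_DOMAIN_PREFIX] + [str(p) for p in parts])


def check_domain_sid(sid):
    """Return a list of problems found in a domain SID (empty list = usable)."""
    m = re.fullmatch(r"S-1-5-21-(\d+)-(\d+)-(\d+)", sid)
    if not m:
        return ["not of the form S-1-5-21-x-y-z"]
    return [f"sub-authority {v} does not fit in 32 bits"
            for v in m.groups() if int(v) > MAX_SUBAUTH]


def object_sid(domain_sid, rid):
    """Append a RID to the domain SID, e.g. 512 for Domain Admins."""
    if check_domain_sid(domain_sid):
        raise ValueError(f"unusable domain SID: {domain_sid}")
    if not 0 <= rid <= MAX_SUBAUTH:
        raise ValueError(f"RID out of range: {rid}")
    return f"{domain_sid}-{rid}"


if __name__ == "__main__":
    sid = new_domain_sid()
    print("sambaSID:", sid)
    for name, rid in (("Domain Admins", 512), ("Domain Users", 513),
                      ("Domain Guests", 514)):
        print(f"{name}: {object_sid(sid, rid)}")
```

Run check_domain_sid on a hand-built SID before loading the sambaDomain entry; a value of ten decimal digits can be larger than 4294967295.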

For the Windows networking (NetBIOS) domain we use the name EXAMPLE. Domain names in a Windows NT4 domain, which is what SAMBA 3 provides, can have a maximum of 15 characters. In the root of our LDAP domain we create an object called sambaDomainName=EXAMPLE, which looks like this:

dn: sambaDomainName=EXAMPLE,dc=example,dc=com
sambaDomainName: EXAMPLE
objectClass: sambaDomain
sambaSID: S-1-5-21-4187449527-7460873736-5306093569
sambaAlgorithmicRidBase: 1000
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0

Groups

SAMBA uses Unix groups for its objects. Groups are therefore mapped: there is no such thing as a SAMBA group, only Unix groups that are linked to a SID so that Windows understands them. This also means that Unix users who are members of such a group are regarded as members by the Windows operating systems as well, and they thus need a SID!

According to the RFCs an LDAP server supports the use of multiple CN entries for a single object. This has the benefit that one can give an object in the LDAP tree a Unix and a Windows name. Using this one can create the following LDIF to add the Domain Admins:

dn: cn=domadms,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: domadms
cn: Domain Admins
description: A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.
gidNumber: 512
sambaSID: S-1-5-21-1654374101-3569970681-3921896634-512
sambaGroupType: 2
displayName: Domain Admins

On a Unix system one can use domadms or "Domain Admins". On a Windows system one has the SID for the Domain Admins group. So everybody should be happy. Also lookups for (cn=Domain Admins) should be resolved correctly by our LDAP server.

The description of the object is copied from Well-known security identifiers in Windows operating systems.

The domadms name and the gidNumber are of course completely arbitrary and you can choose something completely different than what is provided here. For the Unix name I tried to create a name that looks like the Windows name but still fits within the 8 character boundary of older Unix systems.

Builtin groups seem to be the same group type as local groups, and are not needed in our situation.

Another field is the sambaGroupType. SAMBA supports, as far as I can tell, 3 different group types, of which only one is relevant to us.

The defined sambaGroupTypes are:

2  Domain group
4  Local group (alias)
5  Builtin

For SAMBA to function correctly one needs a couple of essential groups to be present. The following table gives an overview of these essential groups and suggests Unix names and GIDs to use:

Unix group name  Unix gid number  Windows group name  RID
domadms          512              Domain Admins       512
domusrs          513              Domain Users        513
domgsts          514              Domain Guests       514

The following groups are non-essential, but might make life easier:

Unix group name  Unix gid number  Windows group name  RID  Notes
domdevs          515              Domain Computers    515  Add. You can add computer accounts to this group
domcons          516              Domain Controllers  516

From the BUILTIN (S-1-5-32) domain we need a couple of essential groups to be added to LDAP:

Unix group name  Unix gid number  Windows group name  RID
binadms          544              Administrators      544
binusrs          545              Users               545
bingsts          546              Guests              546

Accounts

Within a Windows network (Domain) there are two types of accounts: machine and user accounts. The machine accounts are better known as Computer accounts since they live in the ou=Computers. OpenLDAP uses objectClass=person and objectClass=device for this. Hence the choice for ou=Devices and ou=People in the DIT structure.

There are three ways that one can distinguish a machine account from a user account:

  1. The object class
  2. A machine account ends with a $ e.g. computer01$
  3. The account flags

Accounts have passwords, so persons and devices can have a password associated with the account. SAMBA can work with LanManager passwords and NT passwords. LanManager should not be used anymore, so we will only provide LDIFs with the NT4 password field set.

In LDAP there is a sambaAcctFlags attribute, which consists of a [, 11 positions of information or spaces, and a ]. A regular user account looks like this: [U           ], while a machine account looks like this: [W           ]. Next to an account type indicator one can also set account settings, for example to disable an account. The available options are:

Account types

U  Regular user account
W  Workstation Trust Account
S  Server Trust Account
I  Domain Trust Account
M  MNS logon user account; a Majority Node Set (MNS) logon account can configure a multi-node Windows cluster without using a common shared disk.

Account settings

H  Home directory required
N  No password required. This means the account has no password (the passwords in the fields LANMAN Password Hash and NT Password Hash are ignored). This will only allow users to log on with no password if the null passwords = yes parameter is set in the smb.conf [global] section.
X  Password does not expire
D  Account disabled
T  Temporary duplicate of other account
L  The account has been automatically locked

Devices

Before a user can log in to a Windows Domain, the workstation first has to build a trust with the domain. To be able to build this trust there needs to be a machine account on the Domain servers. Machines need to be joined to the domain to create this account. The password is generated by the workstation and is changed regularly by the workstation.

The device object class is part of the core schema and requires a cn entry. sambaSamAccount is part of the samba3 schema and requires a UID and a sambaSID. The rest is up to the system administrator (or the workstation) to add.

An LDIF for a machine account in OpenLDAP looks like this:

dn: cn=ws42,ou=devices,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: posixAccount
objectClass: sambaSamAccount
cn: ws42
cn: ws42$
uid: ws42
uid: ws42$
homeDirectory: /dev/null
loginShell: /bin/false
uidNumber: 1042
gidNumber: 515
sambaSID: S-1-5-21-1654374101-3569970681-3921896634-1042
sambaPrimaryGroupSID: S-1-5-21-1654374101-3569970681-3921896634-515
sambaAcctFlags: [W          ]
sambaNTPassword: 895849BF581FB4FECBCBB5FA9B6FAF51

As a primary group we have chosen the SID of the Domain Computers group.

People

Within the People OU we find the user accounts. The POSIX accounts need a sambaSamAccount object class, which requires a sambaSID as an extra attribute in the LDIF. A couple of extra attributes are needed to make the account functional, like the sambaNTPassword attribute.

There are two well known accounts in the Windows world that should be present on every system: Administrator and Guest. The local Administrator has a SID of S-1-5-21-machine_RID-500 and the Guest account uses S-1-5-21-machine_RID-501. The "machine_RID" is the same type of number as for a domain. So actually there is a local machine domain, which could be compared to the 127.0.0.0 (local) network on a Unix machine.

On the domain there is a domain Administrator and a domain Guest, which are conveniently called Administrator and Guest and which can only be distinguished by their SID, S-1-5-21-domain_RID-500 and S-1-5-21-domain_RID-501 respectively.

Unix user name  Unix uid number  Windows user name  RID
admin           500              Administrator      500
guest           501              Guest              501
krbtgt          502              KRBTGT             502

Make sure the Guest account is disabled by setting the right account flags.

dn: cn=Administrator,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: Administrator
sn: Administrator
uid: Administrator
gidNumber: 1001
uidNumber: 1000
sambaPrimaryGroupSID: S-1-5-21-1654374101-3569970681-3921896634-512
sambaSID: S-1-5-21-1654374101-3569970681-3921896634-500
loginShell: /bin/false
homeDirectory: /dev/null
gecos: Administrator
sambaAcctFlags: [U          ]
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 1267280010
shadowLastChange: 14622
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaPwdLastSet: 1263392010
shadowMax: 45
description: A user account for the system administrator. By default, it is the only user account that is given full control over the system.
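
The account-flag rules from the Accounts section (the three machine-account markers, the N setting) and the requirement above that Guest is disabled can be checked mechanically. The following audit is an added example, not part of the original page or of SAMBA; the sample entries and their SIDs are constructed, and treating S like W as a machine marker is an assumption.

```python
import re

FLAGS_RE = re.compile(r"\[([UWSIMHNXDTL ]{1,11})\]")  # flags listed on the page

# Constructed sample entries (placeholder SIDs), cut down to the audited attributes.
SAMPLE = """\
dn: cn=ws42,ou=Devices,dc=example,dc=com
objectClass: device
uid: ws42$
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1042
sambaAcctFlags: [W          ]

dn: cn=Guest,ou=People,dc=example,dc=com
objectClass: person
uid: guest
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-501
sambaAcctFlags: [UN         ]
"""

def parse_ldif(text):
    """Minimal LDIF reader; no folded lines or base64 values (assumption)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for attr, _, value in (l.partition(": ") for l in block.splitlines()):
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def audit(entry):
    """Return the findings for one sambaSamAccount entry (empty list = clean)."""
    m = FLAGS_RE.fullmatch(entry.get("sambaAcctFlags", [""])[0])
    if not m:
        return ["sambaAcctFlags missing or malformed"]
    flags, out = set(m.group(1)) - {" "}, []
    if len(flags & set("UWSIM")) != 1:
        out.append("expected exactly one account type")
    machine = ["device" in entry.get("objectClass", []), bool(flags & set("WS")),
               any(u.endswith("$") for u in entry.get("uid", []))]
    if len(set(machine)) != 1:  # object class, W/S flag and trailing $ must agree
        out.append("objectClass, trailing $ and flags disagree")
    if "N" in flags:
        out.append("N set: no password required")
    if entry.get("sambaSID", [""])[0].endswith("-501") and "D" not in flags:
        out.append("Guest (RID 501) is not disabled")
    return out

for e in parse_ldif(SAMPLE):
    print(e["dn"][0], audit(e))
```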

Default group memberships

Windows makes domain accounts members of local domains by nesting groups. The domain group becomes a member of the local group, effectively placing domain accounts into local groups, which results in domain accounts having the same rights as the local members of a group.

The domain Administrator (RID: 500) is a member of the Domain Admins (RID: 512) group.

The local Administrator (RID: 500, but with a different domain ID than the network Domain) is a member of the local Administrators (SID: S-1-5-32-544) group.

When a computer joins a domain, the Domain Admins (RID: 512) group is made a member of the local Administrators (SID: S-1-5-32-544) group.

dn: cn=domadms,ou=Groups,dc=example,dc=com
changetype: modify
add: memberUid
memberUid: admin

The domain Guest (RID: 501) is a member of the Domain Guests (RID: 514) group.

The local Guest (RID: 501, but with a different domain ID than the network Domain) is a member of the local Guests (SID: S-1-5-32-546) group.

When a computer joins a domain, the Domain Guests (RID: 514) group is made a member of the local Guests (SID: S-1-5-32-546) group.

dn: cn=domgsts,ou=Groups,dc=example,dc=com
changetype: modify
add: memberUid
memberUid: guest

Debugging tools

net

A simple domain overview looks like this:

# net rpc info -U<username>
Password:
Domain Name: EXAMPLE
Domain SID: S-1-5-21-1654374101-3569970681-3921896634
Sequence number: 1358151901
Num users: 471
Num domain groups: 91
Num local groups: 0

To get more information when a machine is connected to an AD domain, use:

net ads info -Uadministrator

A tool that comes in handy to check your setup is the net tool supplied by the SAMBA team. If you have a SAMBA server running you can query it for its different objects by using:

net sam list users           List SAM users
net sam list groups          List SAM groups
net sam list localgroups     List SAM local groups
net sam list builtin         List builtin groups
net sam list workstations    List domain member workstations

Use the verbose parameter to get even more info.

Resources