Current Samba versions shipped with Red Hat Enterprise Linux 6.3 are not able to fully control the user and group database when using the ldapsam_compat back end. This back end was never designed to run a production LDAP and Samba environment for a long period of time. The ldapsam_compat back end was created as a tool to ease migration from historical Samba releases (version 2.2.x) to Samba version 3 and greater using the new ldapsam back end and the new LDAP schema. The ldapsam_compat back end lacks various important LDAP attributes and object classes needed to provide full user and group management. In particular, it cannot allocate user and group IDs. The Red Hat Enterprise Linux Reference Guide points out that this back end is likely to be deprecated in future releases. Refer to Samba's documentation for instructions on how to migrate existing setups to the new LDAP schema.
When you are not able to upgrade to the new LDAP schema (though upgrading is strongly recommended and is the preferred solution), you may work around this issue by keeping a dedicated machine running an older version of Samba (v2.2.x) for the purpose of user account management. Alternatively, you can create user accounts with standard LDIF files. The important part is the assignment of user and group IDs. In that case, the old Samba 2.2 algorithmic mapping from Windows RIDs to Unix IDs is the following: user RID = UID * 2 + 1000, while for groups it is: group RID = GID * 2 + 1001. With these workarounds, users can continue using the
ldapsam_compat back end with their existing LDAP setup even when all the above restrictions apply.
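
When accounts are created by hand from LDIF files, a wrong RID silently ties a Windows identity to the wrong Unix ID. The following added example (not part of the original release note) applies the two formulas above, inverts them, and audits entries for RIDs that do not match their Unix IDs. The attribute names rid and primaryGroupID (old Samba 2.2 schema) and the sample entries are assumptions constructed for illustration.

```python
# Samba 2.2 algorithmic mapping, as stated in the text above.
USER_BASE, GROUP_BASE = 1000, 1001

def uid_to_rid(uid):
    return uid * 2 + USER_BASE

def gid_to_rid(gid):
    return gid * 2 + GROUP_BASE

def rid_to_unix(rid):
    # Inverse mapping: even RIDs are users, odd RIDs are groups.
    if rid < USER_BASE:
        raise ValueError("RID %d is below the algorithmic range" % rid)
    if (rid - USER_BASE) % 2 == 0:
        return ("user", (rid - USER_BASE) // 2)
    return ("group", (rid - GROUP_BASE) // 2)

def audit(text):
    # Return (dn, attribute, expected value) for each RID that breaks the mapping.
    # Minimal LDIF handling: blank-line separated entries, unfolded "key: value" lines.
    problems = []
    for block in text.strip().split("\n\n"):
        e = dict(line.split(": ", 1) for line in block.splitlines())
        expected = {"rid": uid_to_rid(int(e["uidNumber"])),
                    "primaryGroupID": gid_to_rid(int(e["gidNumber"]))}
        for attr, want in expected.items():
            if int(e[attr]) != want:
                problems.append((e["dn"], attr, want))
    return problems

# Constructed sample; rid and primaryGroupID attribute names are assumed.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uidNumber: 500
gidNumber: 500
rid: 2000
primaryGroupID: 2001

dn: uid=bob,ou=People,dc=example,dc=com
uidNumber: 501
gidNumber: 500
rid: 2001
primaryGroupID: 2001
"""

if __name__ == "__main__":
    for dn, attr, want in audit(SAMPLE_LDIF):
        print("%s: %s should be %d" % (dn, attr, want))
```

In the sample, bob's rid of 2001 is the value the group formula yields for GID 500, so the audit reports that it should be 2002.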