Samba 2.2.x ldap schemas

20010421.03

Ignacio Coupeau
CTI, University of Navarra



Under _absolute_ construction



# Samba conf params have a few changes

ldap filter
ldap port
ldap root
ldap root passwd
ldap server
ldap suffix
localhost
---
instead of the old 2.1 HEAD parameters:
ldap suffix = "o=SMB-Universidad de Navarra, c=ES"
ldap bind as = "uid=root, o=SMB-Universidad de Navarra, c=ES"
ldap passwd file = /usr/local/etc/samba/private/ldappasswd
ldap server = LDAP-SMB1 LDAP-SMB2
ldap port = 389
# Samba objectClass has been reduced to two object classes:
sambaTrust
sambaAccount


The schema is roughly the same for the two objects:

        if (trust)
        {
                make_a_mod(&mods, ldap_state, "objectclass", "sambaTrust");
                make_a_mod(&mods, ldap_state, "netbiosTrustName", smb_name);
                make_a_mod(&mods, ldap_state, "trustPassword", nthash);
        }
        else
        {
                make_a_mod(&mods, ldap_state, "objectclass", "sambaAccount");
                make_a_mod(&mods, ldap_state, "dBCSPwd", lmhash);
                make_a_mod(&mods, ldap_state, "uid", smb_name);
                make_a_mod(&mods, ldap_state, "unicodePwd", nthash);
        }

The old 2.1 schema had more objects: sambaAccount, sambaGroup, sambaBuiltin, etc. Also, nextrid and several other objects have been removed, because of the use of the local (PDC) database.
 
 
# Attribute description

Attribute: role in the AD schema

cn
    Specifies the name of the user object in the directory. This will be the object's relative distinguished name (RDN) within the container where you create the user.

dBCSPwd
    dBCSPwd roughly maps to lmPassword, but the syntax is different (and will be very different in the final version): lmhash.

comment
    The description property is a single-valued property that contains the description to display for the user.

homeDirectory
    The homeDirectory property specifies the path of the home directory for the user. The string can be null.
    If homeDrive is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC path of the form \\server\share\directory. This value can be a null string.
    If homeDrive is not set, homeDirectory should be a local path (such as C:\mylocaldir).

homeDrive
    The homeDrive property specifies the drive letter to which to map the UNC path specified by homeDirectory. The drive letter must be specified in the form
        driveletter:
    where driveletter is the letter of the drive to map, for example "Z:".
    If this property is not set, homeDirectory should be a local path (such as C:\mylocaldir).

kickoffTime
    ...when the user will be told "you're going to be logged out, soon, or now".

logoffTime
    ...when the user logged out the last time.

logonTime
    ...when the user logged on.

netbiosTrustName
    The smb_name in trusted accounts:
    if (trust) {
            /* trust account: NetBIOS name plus the trust secret */
            make_a_mod(&mods, ldap_state, "objectclass", "sambaTrust");
            make_a_mod(&mods, ldap_state, "netbiosTrustName", smb_name);
            make_a_mod(&mods, ldap_state, "trustPassword", nthash);
    }
    else {
            /* user account: uid plus LanMan and NT hashes */
            make_a_mod(&mods, ldap_state, "objectclass", "sambaAccount");
            make_a_mod(&mods, ldap_state, "dBCSPwd", lmhash);
            make_a_mod(&mods, ldap_state, "uid", smb_name);
            make_a_mod(&mods, ldap_state, "unicodePwd", nthash);
    }
objectClass
    May be:
      • sambaTrust (builtin, security, groups)?
      • sambaAccount (user, computer)?

primaryGroupId
    The primaryGroupID property is a single-valued property containing the relative identifier (RID) of the primary group of the user. By default, this is the RID of the Domain Users group. This property is not used in the context of Active Directory.

    attributetype ( 1.2.840.113556.1.4.98
            NAME 'primaryGroupID'
            SYNTAX '1.3.6.1.4.1.1466.115.121.1.27'
            SINGLE-VALUE )

profilePath
    The profilePath property specifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path.

pwdCanChange
    See: userAccountControl.

pwdLastSet
    The pwdLastSet property specifies when the user last set the password. This value is stored as a large integer that represents the number of seconds elapsed since 00:00:00, January 1, 1970.
    The system uses the value of this property and the maxPwdAge property of the domain containing the user object to calculate the password expiration date (the sum of pwdLastSet for the user and maxPwdAge of the user's domain).
    This property also controls whether the user must change the password the next time the user logs on.
    Default is 0. Zero (0) means the user must change the password at next logon. The value -1 means the user does not need to change the password at next logon. The system sets this value to -1 after the user has set the password.

pwdMustChange
    The pwdLastSet property specifies when the user last set the password. This value is stored as a large integer that represents the number of seconds elapsed since 00:00:00, January 1, 1970.
rid
    objectSid required.

scriptPath
    The scriptPath property specifies the path of the user's logon script: a .CMD, .EXE, or .BAT file. The string can be null.

trustPassword
    A machine trust account is a user account owned by a computer. The account password acts as the shared secret for secure communication with the Domain Controller. This is the reason a Windows 9x host is never a true member of a domain: it does not possess a machine trust account and thus has no shared secret with the DC.
    On a Windows NT PDC, these machine trust account passwords are stored in the registry. A Samba PDC stores these accounts in the same location as user LanMan and NT password hashes.

uid
    Unix UID: the Unix user's params will be fetched via getpwnam(); this is the local (Unix) smb_name.

unicodePwd
    unicodePwd was ntPassword but with a different syntax: nthash.
    The unicodePwd property is the password for the NT user.
userAccountControl
    userAccountControl replaces the old samba-ldap schemas' acctFlags, but the syntax is different.

    The flags are defined in LMACCESS.h, where UF_* was replaced by NTDS_UF_*.

    The userAccountControl property specifies flags that control password, lockout, disable/enable, script, and home directory behavior for the user. This property also contains a flag that indicates the account type of the object. The user object usually has UF_NORMAL_ACCOUNT set.

    NTDS_UF_SCRIPT: The logon script is executed. This value must be set for LAN Manager 2.0 or Windows NT.
    NTDS_UF_ACCOUNTDISABLE: The user's account is disabled.
    NTDS_UF_HOMEDIR_REQUIRED: The home directory is required. This value is ignored in Windows NT and Windows 2000.
    NTDS_UF_LOCKOUT: The account is currently locked out. This value can be cleared to unlock a previously locked account. This value cannot be used to lock a previously locked account.
    NTDS_UF_PASSWD_NOTREQD: No password is required.
    NTDS_UF_PASSWD_CANT_CHANGE: The user cannot change the password.
    NTDS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
    NTDS_UF_TEMP_DUPLICATE_ACCOUNT: This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. The User Manager refers to this account type as a local user account.
    NTDS_UF_NORMAL_ACCOUNT: This is a default account type that represents a typical user.
    NTDS_UF_INTERDOMAIN_TRUST_ACCOUNT: This is a permit-to-trust account for a Windows NT domain that trusts other domains.
    NTDS_UF_WORKSTATION_TRUST_ACCOUNT: This is a computer account for a Windows NT Workstation/Windows 2000 Professional or Windows NT Server/Windows 2000 Server that is a member of this domain.
    NTDS_UF_SERVER_TRUST_ACCOUNT: This is a computer account for a Windows NT Backup Domain Controller that is a member of this domain.
    NTDS_UF_DONT_EXPIRE_PASSWD: The password on the account should never expire.
    NTDS_UF_MNS_LOGON_ACCOUNT
    NTDS_UF_SMARTCARD_REQUIRED
    NTDS_UF_TRUSTED_FOR_DELEGATION
    NTDS_UF_NOT_DELEGATED
    NTDS_UF_USE_DES_KEY_ONLY
    NTDS_UF_DONT_REQUIRE_PREAUTH
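As an added example (not code from this page or from the Samba sources), the following C decodes a userAccountControl value into the NTDS_UF_* names listed above and applies the pwdLastSet / maxPwdAge rule given under pwdLastSet. The flag values are the UF_* constants from LMACCESS.h; treating maxPwdAge as a number of seconds is an assumption, since the page gives the sum rule but not the storage unit.

```c
/* Added example, not Samba's code: decode a userAccountControl value into
 * the NTDS_UF_* names listed above, and apply the pwdLastSet / maxPwdAge
 * rule from the attribute description.  Flag values are the UF_* constants
 * of LMACCESS.h; maxPwdAge in seconds is an assumption (unit not on page). */
#include <stdio.h>
#include <string.h>
#define NTDS_UF_DONT_EXPIRE_PASSWD 0x10000

static const struct { unsigned value; const char *name; } uf_flags[] = {
    {0x00001, "NTDS_UF_SCRIPT"}, {0x00002, "NTDS_UF_ACCOUNTDISABLE"},
    {0x00008, "NTDS_UF_HOMEDIR_REQUIRED"}, {0x00010, "NTDS_UF_LOCKOUT"},
    {0x00020, "NTDS_UF_PASSWD_NOTREQD"}, {0x00040, "NTDS_UF_PASSWD_CANT_CHANGE"},
    {0x00080, "NTDS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED"},
    {0x00100, "NTDS_UF_TEMP_DUPLICATE_ACCOUNT"}, {0x00200, "NTDS_UF_NORMAL_ACCOUNT"},
    {0x00800, "NTDS_UF_INTERDOMAIN_TRUST_ACCOUNT"},
    {0x01000, "NTDS_UF_WORKSTATION_TRUST_ACCOUNT"}, {0x02000, "NTDS_UF_SERVER_TRUST_ACCOUNT"},
    {0x10000, "NTDS_UF_DONT_EXPIRE_PASSWD"}, {0x20000, "NTDS_UF_MNS_LOGON_ACCOUNT"},
    {0x40000, "NTDS_UF_SMARTCARD_REQUIRED"}, {0x80000, "NTDS_UF_TRUSTED_FOR_DELEGATION"},
    {0x100000, "NTDS_UF_NOT_DELEGATED"}, {0x200000, "NTDS_UF_USE_DES_KEY_ONLY"},
    {0x400000, "NTDS_UF_DONT_REQUIRE_PREAUTH"},
};

/* Comma-separated names of the set flags into buf (table order); returns the count. */
int uac_decode(unsigned flags, char *buf, size_t buflen)
{
    int n = 0, w;
    size_t i, used = 0;
    if (buflen) buf[0] = '\0';
    for (i = 0; i < sizeof uf_flags / sizeof uf_flags[0]; i++) {
        if (!(flags & uf_flags[i].value)) continue;
        w = snprintf(used < buflen ? buf + used : NULL, used < buflen ? buflen - used : 0,
                     "%s%s", n ? "," : "", uf_flags[i].name);
        if (w > 0) used += (size_t)w;   /* keep counting even if buf is full */
        n++;
    }
    return n;
}

enum pwd_state { PWD_MUST_CHANGE, PWD_NO_CHANGE_REQUIRED, PWD_VALID, PWD_EXPIRED };
/* pwdLastSet: 0 = must change at next logon, -1 = no change required,
 * otherwise seconds since 1970 with expiry = pwdLastSet + maxPwdAge,
 * unless NTDS_UF_DONT_EXPIRE_PASSWD is set in userAccountControl. */
enum pwd_state pwd_state(long pwd_last_set, long max_pwd_age, unsigned uac, long now)
{
    if (pwd_last_set == 0)  return PWD_MUST_CHANGE;
    if (pwd_last_set == -1) return PWD_NO_CHANGE_REQUIRED;
    if (uac & NTDS_UF_DONT_EXPIRE_PASSWD) return PWD_VALID;
    return (pwd_last_set + max_pwd_age > now) ? PWD_VALID : PWD_EXPIRED;
}
```

Run over an LDAP export, uac_decode shows at a glance which entries carry NTDS_UF_PASSWD_NOTREQD or NTDS_UF_DONT_EXPIRE_PASSWD, and pwd_state tells which accounts are past the domain's maxPwdAge.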

userFullName
    Like MS displayName, this is the name displayed in the address book for a particular user. This is usually the combination of the user's first name, middle initial, and last name. displayName is a textual description of the user, i.e. its full name; dn, instead, is the distinguished name.

userPassword
    LDAP server user's password: may be required for some special access.

userWorkstations
    The userWorkstations property is a single-valued property containing the NetBIOS names of the computers running Windows NT Workstation/Windows 2000 Professional from which the user can log on. The NetBIOS names are separated by commas. The NetBIOS name of a computer is the sAMAccountName property of a computer object.
    If no values are set, there is no restriction. To disable logons from all computers running Windows NT Workstation/Windows 2000 Professional to this account, set the UF_ACCOUNTDISABLE value in the userAccountControl property.
    This value is defined in LMACCESS.H.

