Editposix is an option that leverages ldapsam:trusted to make it simpler to manage a domain controller eliminating the need to set up custom scripts to add and manage the posix users and groups. This option will instead directly manipulate the ldap tree to create, remove and modify user and group entries. This option also requires a running winbindd as it is used to allocate new uids/gids on user/group creation. The allocation range must be therefore configured.
To use this option, a basic ldap tree must be provided and the ldap suffix parameters must be properly configured. On virgin servers the default users and groups (Administrator, Guest, Domain Users, Domain Admins, Domain Guests) can be precreated with the command net sam provision. To run this command the ldap server must be running, Winbindd must be running and the smb.conf ldap options must be properly configured.
The typical ldap setup used with the yes option is usually sufficient to use yes as well.
An example configuration can be the following:
encrypt passwords = true passdb backend = ldapsam
ldapsam:trusted=yes ldapsam:editposix=yes
ldap admin dn = cn=admin,dc=samba,dc=org ldap delete dn = yes ldap group suffix = ou=groups ldap idmap suffix = ou=idmap ldap machine suffix = ou=computers ldap user suffix = ou=users ldap suffix = dc=samba,dc=org
idmap backend = ldap:"ldap://localhost"
idmap uid = 5000-50000 idmap gid = 5000-50000
This configuration assumes a directory layout like described in the following ldif:
dn: dc=samba,dc=org objectClass: top objectClass: dcObject objectClass: organization o: samba.org dc: samba
dn: cn=admin,dc=samba,dc=org objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword: secret
dn: ou=users,dc=samba,dc=org objectClass: top objectClass: organizationalUnit ou: users
dn: ou=groups,dc=samba,dc=org objectClass: top objectClass: organizationalUnit ou: groups
dn: ou=idmap,dc=samba,dc=org objectClass: top objectClass: organizationalUnit ou: idmap
dn: ou=computers,dc=samba,dc=org objectClass: top objectClass: organizationalUnit ou: computers

Supported on: At least Microsoft Windows 7 or Windows Server 2008 family


Registry PathSoftware\Policies\Samba\smb_conf\ldapsam:editposix
Value Nameldapsam:editposix
Value TypeREG_SZ
Default Valueno


Administrative Templates (Computers)