Supplementary Group Problem on Solaris 9 PDC and LDAP

Paul Stevens pstevens at nec.co.nz
Fri Apr 4 02:24:37 GMT 2003


Hi,
 
 
I am trying to get samba 2.2.8 (with ldap tools, hacked to get it to
work with IDS) as a PDC working with Sun's IDS 5.1 server on Solaris 9.
Everything is working (shares, printers, password sync, machine accounts,
etc.), except I cannot get samba to recognize users' secondary groups.
 
If we take the user xpuser logged in on Solaris, all rights work as
expected:
 
root at v480 # id -a xpuser
uid=1000(xpuser) gid=1000(tasc) groups=1001(blah),500(nec)
 
However, from a Windows client (which has joined the domain) the user
xpuser only has rights to files that are public, owned by itself or its
primary group.  SAMBA does not see that the user is a member of
supplementary groups 1001(blah), 500(nec) when you look at the client
logs on debug level 5.
 
If you assign membership through /etc/group the supplementary groups are
read by samba, however if you add the user's Memberuid into a group on
LDAP it is not.
 
Current config in nsswitch.conf is 
 
group:      ldap files
 
smb.conf entries:
 
        # This is the iplanet (ldap config)
 
        ldap suffix = dc=nec,dc=co,dc=nz
        ldap admin dn = cn=Directory Manager
        ldap port = 389
        ldap server = v480.nec.co.nz
        ldap ssl = no
        encrypt passwords = yes
        unix password sync = yes
        passwd program = /usr/local/sbin/ldapchpasswd %u
        passwd chat = *new*password* %n\n *new*password* %n\n *modifying*
 
The structure of the LDAP entries is:
 
A group:
cn=nec,ou=group,dc=nec,dc=co,dc=nz
 
A user:
Uid=xpuser,ou=people,dc=nec,dc=co,dc=nz
 
I don't subscribe to this particular list so please copy us in.
 
Any ideas would be appreciated.  Thanks,  
 
Cheers.
  
Paul.
 <http://www.nec.co.nz/>  
 


More information about the samba-technical mailing list