Groups with Samba+LDAP PDC: schema, help needed

Charles Owens owensc at enc.edu
Tue Jun 29 18:54:10 GMT 1999


Kevin Myer wrote:

> On Tue, 29 Jun 1999, Charles Owens wrote:
>
> > Anyone have the sambaGroup LDAP schema handy?  I'm currently trying to
> > figure it out from what the slapd logs are saying... not sure if I'm
> > getting anywhere.
>
> I am not sure how close I am to having the right thing but it sort of kind
> of maybe works for me :)

[good stuff deleted]

> The groups are what I've been able to figure out from looking at the
> source and at Microsoft's documentation for RID's and SID's.  I am sure
> there are areas where I haven't included accounts in a group or made a
> user a member of a group but I've been adding them as I figure it out.

Thanks very much!  I can now see the "default" NT groups!  I was a bit spooked
by them not being around.  ;-)
I was able to add other users to the various groups by adding additional member
attribute values of the form:

        member: ntuid,rid,1        # any idea what the "1" is for?

Some remaining questions:

   * Adding groups:
        o From the sambaGroup schema and your example LDIF I think it's fairly
          clear what additional group entries would look like.  Are there any
          working automated techniques for adding groups, or am I stuck
          manually tweaking LDAP entries?  (I can't seem to use usrmgr.exe to
          actually make changes, just view stuff... what about you?)
        o If I have to do it by hand... I'm guessing that I'll have to look up
          the "nextrid" attribute from the sambaConfig entry to determine the
          rid for the new group, create the group, and then update "nextrid".
          Comments?
   * Unix<->Domain group mapping:
        o I very much liked how the non-LDAP PDC auto mapped Unix groups to
          Domain groups.  Any way to achieve this with similar ease in the
          with-LDAP PDC context?
        o If not, then what is the proper way to do this?  Do I have to do all
          of the steps listed below?  Seems clumsy.  (Note: I haven't tried
          this... I'm keeping my expectations low to give you room to surprise
          me with good news :)  Yuck!  So what's the right way?
             + create Unix users (/etc/passwd or NIS... no, I'm not yet
               playing with nss_ldap or pam_ldap, etc.)
             + create corresponding LDAP sambaAccount entries
             + create regular Unix group with appropriate Unix members
             + create corresponding LDAP sambaGroup entries
             + add lines to the Domain Group Map file to associate the Unix
               and Domain groups

This is slowly coming into focus.  I need all of the help I can get... thanks!

BTW, your sambaGroup and sambaBuiltin objectclass definitions were missing a
few attributes.  Here they are again, tweaked enough to get your LDIF to load,
though who knows if they're formally correct...:

# Domain group.  cn is the NT group name and rid its relative ID; member
# values take the "ntuid,rid,1" form used above.  (slapd.oc.conf syntax)
objectclass sambaGroup
    requires
        cn,
        rid
    allows
        ntuid,
        description,
        member

# Built-in group: same attributes as sambaGroup, but it also carries the
# full sid rather than just the rid.
objectclass sambaBuiltin
    requires
        cn,
        rid,
        sid
    allows
        ntuid,
        description,
        member


Thanks again!

Charles

---
-------------------------------------------------------------------------
  Charles N. Owens                               Email:  owensc at enc.edu
                                             http://www.enc.edu/~owensc
  Network & Systems Administrator
  Information Technology Services  "Outside of a dog, a book is a man's
  Eastern Nazarene College         best friend.  Inside of a dog it's
                                   too dark to read." - Groucho Marx
-------------------------------------------------------------------------
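Added example for the "adding groups by hand" procedure above (read nextrid from the sambaConfig entry, create the sambaGroup, bump nextrid). This is not Samba code and not from the thread; the DNs, the sambaConfig entry name and the sample ldapsearch output are made up, the attribute names are the ones discussed here, and the trailing "1" in member values is simply copied from the form used above. The point it adds is that nextrid is a shared counter, so the update is done as a single LDAP modify that deletes the old value and adds the new one: the server rejects the whole modify if someone else bumped nextrid first, which keeps one RID from being handed out twice. The LDIF also puts that swap before the group add, because ldapmodify stops at the first error unless run with -c. Names that go into a DN or LDIF value are checked so a group name cannot smuggle in DN separators or LDIF syntax.

```python
"""Added example (not Samba code, not from the thread): allocate a RID from the
sambaConfig "nextrid" counter and emit LDIF for a new sambaGroup entry.
Assumptions: the LDAP DNs, the sambaConfig entry name and the sample
ldapsearch output below are made up; attribute names (cn, rid, ntuid,
description, member as "ntuid,rid,1") are the ones from the thread."""
import re

# Windows reserves RIDs below 1000 for well-known principals such as
# Domain Admins (512) and Domain Users (513); never hand those out.
FIRST_FREE_RID = 1000

# Names that go into a DN or an LDIF value: no RFC 2253 DN specials
# (, + " \ < > ; =), no leading/trailing blanks, nothing needing base64.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+( [A-Za-z0-9_.-]+)*$")

# Constructed sample of what "ldapsearch -b <config_dn> nextrid" prints.
SAMPLE_CONFIG_LDIF = """dn: cn=sambaConfig,dc=example,dc=com
objectclass: sambaConfig
cn: sambaConfig
nextrid: 1005
"""


def parse_nextrid(ldif_text):
    """Return the single nextrid value from an ldapsearch LDIF dump."""
    values = re.findall(r"^nextrid:\s*(\d+)\s*$", ldif_text, re.MULTILINE)
    if len(values) != 1:
        raise ValueError("expected exactly one nextrid value, got %d" % len(values))
    return int(values[0])


def rid_from_gid(gid):
    """Group RID the non-LDAP Samba 2.0 PDC derives from a Unix gid
    (gid*2+1001, odd numbers; users get uid*2+1000).  Use this instead of
    the counter if the LDAP groups must line up with the algorithmic mapping."""
    return gid * 2 + 1001


def check_name(name):
    """Reject anything that could alter the DN or be misparsed as LDIF."""
    if not SAFE_NAME.match(name):
        raise ValueError("unsafe name for DN or LDIF value: %r" % name)
    return name


def group_ldif(base_dn, config_dn, cn, rid, members, description=None):
    """LDIF for ldapmodify: first a compare-and-swap on nextrid, then the
    new sambaGroup.  members is a list of (ntuid, rid) pairs."""
    if rid < FIRST_FREE_RID:
        raise ValueError("rid %d is inside the well-known range" % rid)
    check_name(cn)
    lines = [
        # One LDAP modify is atomic: deleting the specific old value fails
        # (noSuchAttribute) if another admin bumped nextrid meanwhile, so
        # the whole modify is rejected and the RID is not reused.  Because
        # ldapmodify stops at the first error (unless -c), the group add
        # below never runs after a failed swap.
        "dn: %s" % config_dn,
        "changetype: modify",
        "delete: nextrid",
        "nextrid: %d" % rid,
        "-",
        "add: nextrid",
        "nextrid: %d" % (rid + 1),
        "-",
        "",
        "dn: cn=%s,%s" % (cn, base_dn),
        "changetype: add",
        "objectclass: sambaGroup",
        "cn: %s" % cn,
        "ntuid: %s" % cn,
        "rid: %d" % rid,
    ]
    if description:
        lines.append("description: %s" % check_name(description))
    for ntuid, member_rid in members:
        # Member value in the "ntuid,rid,1" form used in the thread.
        lines.append("member: %s,%d,1" % (check_name(ntuid), int(member_rid)))
    lines.append("")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Typical use: python mkgroup.py | ldapmodify -D "cn=Manager,..." -W
    rid = parse_nextrid(SAMPLE_CONFIG_LDIF)
    print(group_ldif("ou=Groups,dc=example,dc=com",
                     "cn=sambaConfig,dc=example,dc=com",
                     "Helpdesk", rid, [("alice", 1002), ("bob", 1004)],
                     "Helpdesk staff"), end="")
```

If ldapmodify reports "No such attribute" on the sambaConfig entry, the counter moved under you: re-read nextrid and run the script again. Making the Unix side of the group (the /etc/group entry and the Domain Group Map line) is still a separate step; this only covers the LDAP half.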