primaryGroupID etc -- Questions concerning samba-2.2.6 and openldap 2.0.23
Andrew Bartlett
abartlet at samba.org
Sat Oct 26 13:02:00 GMT 2002
"Dr. Hansjoerg Maurer" wrote:
>
> Hi,
>
> I installed samba 2.2.6 as pdc with openldap 2.0.23 and most things are
> working.
> Thanks for your great work.
> But I have a few technical questions about details, which I am not sure
> about and a few problems with usrmgr.exe
>
> I took the samba.schema included in 2.2.6 and the ldif from IDEALIX.
> Then I had many Groups in Ldap (Domain Admins, Domain Users etc)
> With the ldif from above, these groups e.g. the Domain Admin group had
> gid's of about 200 to 220.
> I changed it to 512,513 ... because I have heard, that this is the GID
> of Domain Admin , Domain Users ...(I have no posix Unix group in
> /etc/group with this ID).
> Same with Domain Users (513) Domain guest (514).
> Are these changes necessary?
> Do I need Unix groups with this GID?
Don't confuse RIDs (an NT concept, and shared between all users and all
groups) with unix uids and gids.
> Next question:
> What is the correct primaryGroupID of a Domain-User? 513 or
> 2*gidNumber(Unix)+1001 ?
LDAP in HEAD allows you to specify a fixed RID for a user/group, but
otherwise it uses that algorithm. The 'well known' users/groups need to
keep their 'well known' rids.
> If I want a User to be a Domain Admin can I just put him in the Domain
> Admin Group in ldap?
> I have
> domain admin group = " @"Domain Admins" "
> in smb.conf
> Is an /etc/group entry necessary for this?
> (Background the Server has the Unix groups in ldap too)
>
> Apart from these questions I have some problems with usrmgr.exe, which
> are not serious.
> But I just want to know, if these are limitations or if I did something
> wrong.
> First of all, usrmgr is able to show all values in ldap (great).
> If I edit a real name of a user, it works.
> But after saving the changes, I get a message on the windows side:
> "The following error changing properties of user maurer occurred: group
> name could not be found" (translated from german)
> But the changes are submitted to ldap correctly.
>
> When I edit the properties of a user (eg real name), during the
> save values of logofftime, kickofftime, pwdmustchange are changed from
> 2147483647 to 0
> From this point on, I am unable to change the pwdmustchange settings
> with usrmgr.
> I have to insert a value greater 2000000000 into ldap by hand, to
> deactivate pwdmustchange.
The issues with LDAP and usrmgr are fixed in current HEAD, and should be
merged in to 3.0 shortly.
For once usrmgr actually works pretty well!
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
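
The RID versus gid distinction from the reply above, as an added example that is not part of the original post or of Samba's code: it audits `primaryGroupID` values in an LDIF export against the two cases named in the thread (a well-known RID, or 2*gidNumber+1001). All function names and the sample entries are constructed for illustration.

```python
# Added example; every name here is hypothetical, sample data is constructed.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

def gid_to_rid(gid):
    # Algorithmic group RID as quoted in the thread: 2*gidNumber + 1001.
    return 2 * gid + 1001

def parse_ldif(text):
    # Minimal reader: blank-line separated entries, single-valued "attr: value" lines.
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry[key.strip()] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def classify(entry):
    gid, rid = int(entry["gidNumber"]), int(entry["primaryGroupID"])
    if rid in WELL_KNOWN_RIDS:
        return "well-known: " + WELL_KNOWN_RIDS[rid]
    if rid == gid_to_rid(gid):
        return "algorithmic"
    return "mismatch: expected %d or a well-known RID" % gid_to_rid(gid)

def audit(text):
    return [(e["uid"], classify(e)) for e in parse_ldif(text)]

SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
gidNumber: 100
primaryGroupID: 513

dn: uid=bob,ou=People,dc=example,dc=org
uid: bob
gidNumber: 100
primaryGroupID: 1201

dn: uid=carol,ou=People,dc=example,dc=org
uid: carol
gidNumber: 200
primaryGroupID: 200
"""

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
```

The third entry shows the confusion discussed in the thread: a unix gid copied into `primaryGroupID` is neither a well-known RID nor the algorithmic value.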