primaryGroupID etc -- Questions concerning samba-2.2.6 and openldap 2.0.23

Andrew Bartlett abartlet at samba.org
Sat Oct 26 13:02:00 GMT 2002


"Dr. Hansjoerg Maurer" wrote:
> 
> Hi,
> 
> I installed samba 2.2.6 as pdc with openldap 2.0.23 and most things are
> working.
> Thanks for your great work.
> But I have a few technical questions about details, which I am not sure
> about and a few problems with usrmgr.exe
> 
> I took the samba.schema included in 2.2.6 and the ldif from IDEALIX.
> Then I had many Groups in Ldap (Domain Admins, Domain Users etc)
> With the ldif from above, these groups e.g. the Domain Admin group had
> gid's of about 200 to 220.
> I changed it to 512,513 ... because I have heard, that this is the GID
> of Domain Admin , Domain Users ...(I have no posix Unix group in
> /etc/group with this ID).
> Same with Domain Users (513) Domain guest (514).
> Are these changes necessary?
> Do I need Unix groups with this GID?

Don't confuse RIDs (an NT concept, and shared between all users and all
groups) with unix uids and gids.

> Next question:
> What is the correct  primaryGroupID of a Domain-User? 513 or
> 2*gidNumber(Unix)+1001 ?

LDAP in HEAD allows you to specify a fixed RID for a user/group, but
otherwise it uses that algorithm.  The 'well known' users/groups need to
keep their 'well known' rids.

> If I want a User to be a Domain Admin can I just put him in the Domain
> Admin Group in ldap?
> I have
> domain admin group =  " @"Domain Admins" "
> in smb.conf
> Is an  /etc/group entry necessary for this?
> (Background the Server has the Unix groups in ldap too)
> 
> Apart from these questions I have some problems with usrmgr.exe, which
> are not serious.
> But I just want to know, if these are limitations or if I did something
> wrong.
> First of all, usrmgr is able to show all values in ldap (great).
> If I edit a real name of an user, it works.
> But after saving the changes, I get a message on the windows side:
> "The following error changing properties of user maurer occurred: group
> name could not be found" (translated from german)
> But the changes are submitted to ldap correctly.
> 
> When I edit the properties of an user (eg real name), during the
> save  values of logofftime, kickofftime,pwdmustchange are changed from
> 2147483647 to 0
> From this point on, I am unable to change the pwdmustchange settings
> with usrmgr.
> I have to insert a value greater 2000000000 into ldap by hand , to
> deactivate pwdmustchange.

The issues with LDAP and usrmgr are fixed in current HEAD, and should be
merged in to 3.0 shortly.  

For once usrmgr actually works pretty well! 

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
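
The RID/gid distinction from the reply above, as an added example that is not part of the original mail and is not Samba code. It applies the `2*gidNumber+1001` formula quoted in the thread to constructed group entries and flags well-known groups that would not receive their well-known RID. Assumptions: the base of 1000, the user-side formula `2*uidNumber+1000`, and the hypothetical `fixed_rid` key standing in for an explicitly stored RID.

```python
# Added example: constructed data, not taken from the thread or from Samba.
WELL_KNOWN_GROUP_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
RID_BASE = 1000  # assumption: base used by the algorithmic mapping

def group_rid_from_gid(gid):
    """Algorithmic group RID, 2*gidNumber + 1001, as quoted in the thread."""
    return 2 * gid + RID_BASE + 1

def user_rid_from_uid(uid):
    """Algorithmic user RID, 2*uidNumber + 1000 (assumed user-side counterpart)."""
    return 2 * uid + RID_BASE

def classify_rid(rid):
    """Reverse the mapping: odd offsets are groups, even offsets are users."""
    if rid < RID_BASE:
        return ("well-known", WELL_KNOWN_GROUP_RIDS.get(rid))
    offset = rid - RID_BASE
    return ("group", offset // 2) if offset % 2 else ("user", offset // 2)

def audit_groups(groups):
    """Return (cn, effective_rid, expected_rid) for well-known groups whose
    effective RID differs from the well-known value."""
    name_to_rid = {name: rid for rid, name in WELL_KNOWN_GROUP_RIDS.items()}
    findings = []
    for g in groups:
        # 'fixed_rid' is a hypothetical key for an explicitly stored RID.
        rid = g.get("fixed_rid") or group_rid_from_gid(g["gidNumber"])
        expected = name_to_rid.get(g["cn"])
        if expected is not None and rid != expected:
            findings.append((g["cn"], rid, expected))
    return findings

# Constructed sample: the first entry repeats the confusion from the question,
# where the Unix gidNumber was set to 512 in the belief that it is the RID.
SAMPLE_GROUPS = [
    {"cn": "Domain Admins", "gidNumber": 512},
    {"cn": "Domain Users", "gidNumber": 513, "fixed_rid": 513},
    {"cn": "staff", "gidNumber": 200},
]

if __name__ == "__main__":
    for cn, got, want in audit_groups(SAMPLE_GROUPS):
        print(f"{cn}: effective RID {got}, expected well-known RID {want}")
    print(classify_rid(group_rid_from_gid(200)))
```
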


