Groups in ldap and /etc/group?
e.lania at home.nl
Sun Sep 29 20:56:00 GMT 2002
----- Original Message -----
From: "Mike Brady" <mike.brady at devnull.net.nz>
To: "Eddie Lania" <e.lania at home.nl>
Cc: <samba-technical at lists.samba.org>
Sent: Saturday, September 28, 2002 10:20 PM
Subject: Re: Groups in ldap and /etc/group?
> The answer to this really depends on what it is that you are trying to do
> how you want to manage your site. Which comes back to people and processes
> more than anything else. Strictly speaking Samba use of LDAP and Unix use
> LDAP for user account data have absolutely nothing to do with one another.
> For instance, you could quite easily have Samba data in LDAP and Unix data
> NIS. The tie between the two for users is the username and for groups is
> group_mapping.tdb file.
> The smbldap-tools (we are talking about he Idealx tools right?) assume
> solution design decision has been made to store both Unix and Samba user
> account data in LDAP and do what is necessary to support this.
> If then you are trying to do things the Idealx way (and I currently am)
> use the smbldap-tools package, then you are correct, in that existing Unix
> users in /etc/passwd who also need to use Samba will need to have their
> account data moved to LDAP. I haven't needed to look at doing this
> but here are a couple of ideas.
> 1) Create the user with smbldap-useradd and then use something else to
> the uidNumber attribute (and what ever alse needs changing) to the current
> /etc/passwd values. If you are just testing a few users, use an LDAP
> to do it by hand. I use gq. If you are looking at a lot of users write a
> script to do it. Delete the user from passwd, shadow and group files as
> required when you are ready.
Ok, but what about the user his/her group that normally is the same number
as his/her uid?
Would that then be permanently changed to a Domain Group?
Or should the group also be moved from /etc/group to ldap?
Is it wise to change a unix user his/her group to a different group?
(At this moment I wouldn't know why this should not be possible, but maybe
anyone else has a good reason?)
More information about the samba-technical