Groups in ldap and /etc/group?

Eddie Lania e.lania at
Sun Sep 29 20:56:00 GMT 2002

----- Original Message -----
From: "Mike Brady" <mike.brady at>
To: "Eddie Lania" <e.lania at>
Cc: <samba-technical at>
Sent: Saturday, September 28, 2002 10:20 PM
Subject: Re: Groups in ldap and /etc/group?

> Eddie
> The answer to this really depends on what it is that you are trying to do
> how you want to manage your site. Which comes back to people and processes
> more than anything else.  Strictly speaking Samba use of LDAP and Unix use
> LDAP for user account data have absolutely nothing to do with one another.
> For instance, you could quite easily have Samba data in LDAP and Unix data
> NIS.  The tie between the two for users is the username and for groups is
> group_mapping.tdb file.
> The smbldap-tools (we are talking about he Idealx tools right?) assume
that a
> solution design decision has been made to store both Unix and Samba user
> account data in LDAP and do what is necessary to support this.
> If then you are  trying to do things the Idealx way (and I currently am)
> use the smbldap-tools package, then you are correct, in that existing Unix
> users in /etc/passwd who also need to use Samba will need to have their
> account data moved to LDAP.  I haven't needed to look at doing this
> but here are a couple of ideas.
> 1) Create the user with smbldap-useradd and then use something else to
> the uidNumber attribute (and what ever alse needs changing) to the current
> /etc/passwd values.  If you are just testing a few users, use an LDAP
> to do it by hand.  I use gq.  If you are looking at a lot of users write a
> script to do it.  Delete the user from passwd, shadow and group files as
> required when you are ready.

Ok, but what about the user his/her group that normally is the same number
as his/her uid?
Would that then be permanently changed to a Domain Group?
Or should the group also be moved from /etc/group to ldap?
Is it wise to change a unix user his/her group to a different group?
(At this moment I wouldn't know why this should not be possible, but maybe
anyone else has a good reason?)


More information about the samba-technical mailing list