Samba4 wbinfo -i output
steve
steve at steve-ss.com
Sun May 6 14:24:54 MDT 2012
On 05/06/2012 07:58 PM, Gémes Géza wrote:
> On 2012-05-06 18:08, steve wrote:
>> On 05/06/2012 03:58 PM, Gémes Géza wrote:
>>> On 2012-05-06 11:43, steve wrote:
>>>> On 06/05/12 10:10, Gémes Géza wrote:
>>>>> On 2012-05-06 09:43, steve wrote:
>>>>>> On 05/06/2012 09:22 AM, Andrew Bartlett wrote:
>>>>>>> On Sun, 2012-05-06 at 09:06 +0200, steve wrote:
>>>>>>>
>>>> Hi
>>>> Or just store the attributes you need in the directory and forget
>>>> winbind no?
>>>> Cheers,
>>>> Steve
>>> Without winbind you lose the ability to have nested groups.
>>>
>>> Regards
>>>
>>> Geza
>> Hi
>> Does that mean not being able to have a group as a member of another
>> group? If so, what disadvantages does that have? The schema allows me
>> the same with or without winbind doesn't it? Maybe getent would have
>> problems?
>> Cheers,
>> Steve
>>
> I haven't tried it but in theory libnss-ldap and (also untested)
> libnss-ldapd don't support recursive lookup for group members. So
> getent group would list only users and first level groups.
>
> Regards
>
> Geza
Hi Geza
No. nss-ldapd does a superb job of AD group mappings as recursively deep
as you want. And very fast. The ldapd dev helped us with the AD
mappings. In fact as of the latest version, we need only 2:
cat /etc/nslcd.conf
uid nslcd
gid nslcd
uri ldap://sam4dc.polop.site
base dc=polop,dc=site
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
#map group uniqueMember member
sasl_mech GSSAPI
sasl_realm POLOP.SITE
krb5_ccname /tmp/nslcd.tkt
Previous versions needed the commented out mapping too. As of version
0.8, it goes into the DN to extract the members as well as members by
primaryGroupID.
e.g.
getent passwd steve2
steve2:*:3000011:20513:steve2:/home2/CACTUS/staff/steve2:/bin/bash
getent group staff
staff:*:21108:lynn2,steve2
dn: CN=steve2,CN=Users,DC=polop,DC=site
cn: steve2
instanceType: 4
whenCreated: 20120505174235.0Z
uSNCreated: 3735
name: steve2
objectGUID: 70cea1cc-2d1a-4301-b80d-695244824f8d
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
objectSid: S-1-5-21-216190789-1528428426-2244757706-1107
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: steve2
sAMAccountType: 805306368
userPrincipalName: steve2@polop.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=polop,DC=site
pwdLastSet: 129807133550000000
userAccountControl: 512
uidNumber: 3000011
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
profilePath: \\sam4dc\profiles\steve2
homeDrive: Z:
unixHomeDirectory: /home2/CACTUS/staff/steve2
homeDirectory: \\sam4dc\staff\steve2
primaryGroupID: 513
gidNumber: 20513
whenChanged: 20120506190835.0Z
uSNChanged: 3824
memberOf: CN=staff,CN=Users,DC=polop,DC=site
distinguishedName: CN=steve2,CN=Users,DC=polop,DC=site
dn: CN=staff,CN=Users,DC=polop,DC=site
cn: staff
instanceType: 4
whenCreated: 20120505174317.0Z
uSNCreated: 3741
name: staff
objectGUID: a94ceff6-3078-4ef0-a763-67cb79c7eb25
objectSid: S-1-5-21-216190789-1528428426-2244757706-1108
sAMAccountName: staff
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=polop,DC=site
objectClass: top
objectClass: posixGroup
objectClass: group
gidNumber: 21108
member: CN=steve2,CN=Users,DC=polop,DC=site
member: CN=lynn2,CN=Users,DC=polop,DC=site
whenChanged: 20120506192028.0Z
uSNChanged: 3828
distinguishedName: CN=staff,CN=Users,DC=polop,DC=site
dn: CN=Domain Users,CN=Users,DC=polop,DC=site
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20120505165503.0Z
uSNCreated: 3540
name: Domain Users
objectGUID: 5fec110b-1b55-4ff8-812f-f4e9d033b9ec
objectSid: S-1-5-21-216190789-1528428426-2244757706-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=polop,DC=site
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=polop,DC=site
gidNumber: 20513
objectClass: top
objectClass: posixGroup
objectClass: group
whenChanged: 20120506190833.0Z
uSNChanged: 3821
distinguishedName: CN=Domain Users,CN=Users,DC=polop,DC=site
Note: the primaryGroupID determines the default group. There is
currently a bug in the schema which does not remove the memberOf
attribute when changing primaryGroupID. This is the subject of another
thread here. The workaround is to run samba-tool dbcheck --fix after
changing group ids.
We add 20000 to the rid of the primaryGroup to make it more readable and
to stop it colliding with our local groups. All based upon an idea by
Geza back in December :-) We call it s4bind. Details here:
http://linuxcostablanca.blogspot.com.es/p/s4bind.html
Cheers,
Steve
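As an added illustration (not code from the post, from nslcd or from Samba), here is a small Python model of the two lookups described above: following member links down into nested groups and picking up users by primaryGroupID. The LDIF is constructed; it reuses the names from the dumps but gives steve2 primaryGroupID 1108 (the RID of staff) and adds a hypothetical nested group devs, so that each path is exercised separately.

```python
# Constructed LDIF in the shape of the dumps above; "devs" is an added nested group.
LDIF = """\
dn: CN=steve2,CN=Users,DC=polop,DC=site
primaryGroupID: 1108

dn: CN=lynn2,CN=Users,DC=polop,DC=site

dn: CN=devs,CN=Users,DC=polop,DC=site
objectClass: group
objectSid: S-1-5-21-216190789-1528428426-2244757706-1109
gidNumber: 21109
member: CN=lynn2,CN=Users,DC=polop,DC=site

dn: CN=staff,CN=Users,DC=polop,DC=site
objectClass: group
objectSid: S-1-5-21-216190789-1528428426-2244757706-1108
gidNumber: 21108
member: CN=devs,CN=Users,DC=polop,DC=site
"""

def parse_ldif(text):
    """Map each dn to {attribute: [values]} (multi-valued 'member' stays a list)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for key, _, val in (line.partition(": ") for line in block.splitlines()):
            attrs.setdefault(key, []).append(val)
        entries[attrs["dn"][0]] = attrs
    return entries

def group_members(entries, group_dn, seen=()):
    """Users of a group resolved the way nslcd 0.8 does it: direct members,
    nested groups followed recursively (cycle-safe), plus users whose primaryGroupID is the group's RID."""
    group, users, seen = entries[group_dn], set(), seen + (group_dn,)
    for dn in group.get("member", []):
        if "group" in entries[dn].get("objectClass", []):
            users |= group_members(entries, dn, seen) if dn not in seen else set()
        else:
            users.add(dn.split(",")[0][3:])               # CN=lynn2,... -> lynn2
    rid = group["objectSid"][0].rsplit("-", 1)[1]       # last SID component is the RID
    users |= {d.split(",")[0][3:] for d, e in entries.items() if e.get("primaryGroupID") == [rid]}
    return users

def getent_group(entries, name):
    """The line 'getent group <name>' prints for this directory."""
    dn, = [d for d in entries if d.startswith(f"CN={name},")]
    return f"{name}:*:{entries[dn]['gidNumber'][0]}:{','.join(sorted(group_members(entries, dn)))}"
```

For the constructed directory, getent_group(parse_ldif(LDIF), "staff") yields the same line shown in the post, with lynn2 found only through the nested devs group and steve2 only through primaryGroupID.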